Fair use: Add device tracking for abuse detection

- Add fair use clause to ToS (sections 1, 2, 3) and clarify "no usage telemetry" in privacy policy
- New `device_id.rs`: reads `IOPlatformUUID` via IOKit FFI, salts with `"cmdr:"`, SHA-256 hashes to `v1:<hex>`, cached in `OnceLock`
- Send `deviceId` on every `/validate` call (piggybacks on existing 7-day validation, no new network calls)
- License server tracks device sets in KV (`devices:{seatTransactionId}`), prunes entries >90 days
- Alert email via Resend to `legal@getcmdr.com` when a key crosses 6 devices (suppressed for 30 days after each alert)
- Device tracking runs via `waitUntil` — zero added latency to validation responses
- Analytics Engine dataset `cmdr_device_counts` for retroactive querying
- Extended `SubscriptionResult` with `customerId` for alert customer lookup
- Pure helpers in `device-tracking.ts` with full test coverage
- Updated CLAUDE.md files for both licensing module and license server

Author: vdavid

Cargo.lock

@@ -52,6 +52,8 @@ tauri-plugin-fs = "2.4.4"
 alphanumeric-sort = "1.5"
 chrono = "0.4"
 ed25519-dalek = { version = "2.1", features = ["rand_core"] }
+# Device ID hashing for fair-use license tracking
+sha2 = "0.10.9"
 tauri-plugin-log = "2"
 log = "0.4"
 # Memory allocator: returns memory to OS faster than system malloc, reduces fragmentation

apps/desktop/src-tauri/Cargo.toml

@@ -11,7 +11,8 @@ License keys are self-contained: `base64(JSON payload).base64(Ed25519 signature)
 | `mod.rs` | `LicenseData` struct, `redact_email` helper, re-exports from sub-modules |
 | `verification.rs` | Ed25519 crypto. `LicenseActivationError` typed error enum. Validates key format, verifies signature, caches result in `Mutex`. Split into verify/commit: `verify_license_async` (read-only check + short-code exchange), `commit_license` (persist to disk + update caches). Legacy wrappers: `activate_license` (sync verify+commit), `activate_license_async` (async verify+commit). `get_license_info` (lazy, cached). `VerifyResult` struct wraps `LicenseInfo` + `full_key` + `short_code`. |
 | `app_status.rs` | `AppStatus` enum. 7-day server re-validation, 30-day offline grace period. Commercial use reminder timer. Debug: `CMDR_MOCK_LICENSE` env var overrides everything. |
-| `validation_client.rs` | HTTP client: `POST /validate`, `POST /activate`. Debug → `localhost:8787`, release → `license.getcmdr.com`. Mock mode skips network entirely. Returns `ValidationOutcome` enum (Success/UpstreamError/NetworkError). |
+| `validation_client.rs` | HTTP client: `POST /validate`, `POST /activate`. Debug → `localhost:8787`, release → `license.getcmdr.com`. Mock mode skips network entirely. Returns `ValidationOutcome` enum (Success/UpstreamError/NetworkError). `ValidationRequest` includes an optional `deviceId` for fair-use tracking. |
+| `device_id.rs` | Stable hashed device identifier for fair-use license tracking. Reads `IOPlatformUUID` via IOKit FFI (macOS), salts with `"cmdr:"`, SHA-256 hashes, prefixes with `v1:`. Cached in `OnceLock`. Returns `None` on failure (best-effort, never blocks validation). Linux stub returns `None`. |
 
 ## AppStatus variants
 
@@ -120,5 +121,5 @@ Legacy `activate_license`/`activate_license_async` wrappers still exist for back
 
 ## Dependencies
 
-External: `ed25519-dalek`, `base64`, `reqwest`, `tauri_plugin_store`
+External: `ed25519-dalek`, `base64`, `reqwest`, `tauri_plugin_store`, `sha2`, `core-foundation` (macOS)
 Internal: none

apps/desktop/src-tauri/src/licensing/CLAUDE.md

@@ -0,0 +1,139 @@
+//! Stable, hashed device identifier for fair-use license tracking.
+//!
+//! Generates a one-way hash of the hardware UUID, prefixed with a version tag.
+//! The hash is salted with `"cmdr:"` so it can't be correlated across products.
+//! Result format: `v1:<64-char hex SHA-256>`.
+
+use sha2::{Digest, Sha256};
+use std::sync::OnceLock;
+
+/// Cached device ID (computed once per session).
+static DEVICE_ID: OnceLock<Option<String>> = OnceLock::new();
+
+/// Returns a stable, hashed device identifier, or `None` if the platform UUID can't be read.
+///
+/// The result is cached in memory — the hardware UUID won't change during a session.
+pub fn get_device_id() -> Option<String> {
+    DEVICE_ID.get_or_init(compute_device_id).clone()
+}
+
+fn compute_device_id() -> Option<String> {
+    let uuid = read_platform_uuid()?;
+    let salted = format!("cmdr:{uuid}");
+    let hash = Sha256::digest(salted.as_bytes());
+    Some(format!("v1:{:x}", hash))
+}
+
+/// Read `IOPlatformUUID` from the IOKit registry via FFI.
+#[cfg(target_os = "macos")]
+fn read_platform_uuid() -> Option<String> {
+    use core_foundation::base::TCFType;
+    use core_foundation::string::{CFString, CFStringRef};
+    use std::ffi::c_void;
+
+    #[link(name = "IOKit", kind = "framework")]
+    unsafe extern "C" {
+        fn IOServiceGetMatchingService(main_port: u32, matching: *const c_void) -> u32;
+        fn IOServiceMatching(name: *const std::ffi::c_char) -> *const c_void;
+        fn IORegistryEntryCreateCFProperty(
+            entry: u32,
+            key: CFStringRef,
+            allocator: *const c_void,
+            options: u32,
+        ) -> *const c_void;
+        fn IOObjectRelease(object: u32) -> i32;
+    }
+
+    unsafe {
+        let matching = IOServiceMatching(c"IOPlatformExpertDevice".as_ptr());
+        if matching.is_null() {
+            log::warn!("IOServiceMatching returned null");
+            return None;
+        }
+
+        // kIOMasterPortDefault / kIOMainPortDefault = 0
+        let service = IOServiceGetMatchingService(0, matching);
+        // IOServiceMatching result is consumed by IOServiceGetMatchingService — don't CFRelease it.
+        if service == 0 {
+            log::warn!("IOServiceGetMatchingService found no platform expert");
+            return None;
+        }
+
+        let key = CFString::new("IOPlatformUUID");
+        let cf_value = IORegistryEntryCreateCFProperty(service, key.as_concrete_TypeRef(), std::ptr::null(), 0);
+        IOObjectRelease(service);
+
+        if cf_value.is_null() {
+            log::warn!("IORegistryEntryCreateCFProperty returned null for IOPlatformUUID");
+            return None;
+        }
+
+        let cf_string = CFString::wrap_under_create_rule(cf_value as CFStringRef);
+        Some(cf_string.to_string())
+    }
+}
+
+/// Linux stub — returns `None` for now.
+// TODO: Read `/etc/machine-id`, apply the same salt-and-hash approach as macOS.
+#[cfg(target_os = "linux")]
+fn read_platform_uuid() -> Option<String> {
+    None
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    #[cfg(target_os = "macos")]
+    fn returns_some_on_macos() {
+        let id = get_device_id();
+        assert!(id.is_some(), "get_device_id() should return Some on macOS");
+    }
+
+    #[test]
+    #[cfg(target_os = "macos")]
+    fn matches_expected_format() {
+        let id = get_device_id().expect("should return Some on macOS");
+        assert!(id.starts_with("v1:"), "should start with 'v1:' prefix, got: {id}");
+        let hex_part = &id[3..];
+        assert_eq!(
+            hex_part.len(),
+            64,
+            "hex part should be 64 chars, got: {}",
+            hex_part.len()
+        );
+        assert!(
+            hex_part.chars().all(|c| c.is_ascii_hexdigit()),
+            "hex part should be lowercase hex, got: {hex_part}"
+        );
+    }
+
+    #[test]
+    #[cfg(target_os = "macos")]
+    fn returns_stable_value() {
+        let first = get_device_id();
+        let second = get_device_id();
+        assert_eq!(
+            first, second,
+            "get_device_id() should return the same value on repeated calls"
+        );
+    }
+
+    #[test]
+    fn hash_is_deterministic() {
+        // Verify the hashing logic directly (platform-independent).
+        let uuid = "TEST-UUID-1234";
+        let salted = format!("cmdr:{uuid}");
+        let hash = Sha256::digest(salted.as_bytes());
+        let result = format!("v1:{:x}", hash);
+
+        let salted2 = format!("cmdr:{uuid}");
+        let hash2 = Sha256::digest(salted2.as_bytes());
+        let result2 = format!("v1:{:x}", hash2);
+
+        assert_eq!(result, result2);
+        assert!(result.starts_with("v1:"));
+        assert_eq!(result.len(), 3 + 64); // "v1:" + 64 hex chars
+    }
+}

apps/desktop/src-tauri/src/licensing/device_id.rs

@@ -4,6 +4,7 @@
 //! The public key is embedded at compile time.
 
 mod app_status;
+mod device_id;
 mod validation_client;
 mod verification;
 

apps/desktop/src-tauri/src/licensing/mod.rs

@@ -40,6 +40,8 @@ pub enum ValidationOutcome {
 #[serde(rename_all = "camelCase")]
 struct ValidationRequest {
     transaction_id: String,
+    /// Hashed device identifier for fair-use tracking. `None` if the platform UUID couldn't be read.
+    device_id: Option<String>,
 }
 
 /// Response from the /activate endpoint.
@@ -152,6 +154,7 @@ pub async fn validate_with_server(transaction_id: &str) -> ValidationOutcome {
         .post(&url)
         .json(&ValidationRequest {
             transaction_id: transaction_id.to_string(),
+            device_id: super::device_id::get_device_id(),
         })
         .send()
         .await
@@ -193,9 +196,22 @@ mod tests {
     fn test_validation_request_serialization() {
         let request = ValidationRequest {
             transaction_id: "txn_123".to_string(),
+            device_id: None,
         };
         let json = serde_json::to_string(&request).unwrap();
         assert!(json.contains("\"transactionId\":\"txn_123\""));
+        assert!(json.contains("\"deviceId\":null"));
+    }
+
+    #[test]
+    fn test_validation_request_serialization_with_device_id() {
+        let request = ValidationRequest {
+            transaction_id: "txn_456".to_string(),
+            device_id: Some("v1:abc123".to_string()),
+        };
+        let json = serde_json::to_string(&request).unwrap();
+        assert!(json.contains("\"transactionId\":\"txn_456\""));
+        assert!(json.contains("\"deviceId\":\"v1:abc123\""));
     }
 
     #[test]

apps/desktop/src-tauri/src/licensing/validation_client.rs

@@ -12,7 +12,9 @@ license keys, stores short activation codes in KV, and emails keys via Resend.
 | `src/paddle.ts`                             | HMAC-SHA256 webhook verification, `constantTimeEqual`         |
 | `src/paddle-api.ts`                         | Paddle REST client: transaction/subscription/customer fetch   |
 | `src/email.ts`                              | Resend email delivery (HTML + plain text, multi-seat support) |
+| `src/device-tracking.ts`                    | Device set helpers: prune stale devices, alert threshold      |
 | `src/license.test.ts`, `src/paddle.test.ts` | Vitest tests                                                  |
+| `src/device-tracking.test.ts`               | Tests for device tracking helpers                             |
 | `scripts/generate-keys.js`                  | Ed25519 key pair generation (run once at setup)               |
 | `scripts/setup-cf-infra.sh`                 | Cloudflare KV namespace provisioning                          |
 
@@ -74,6 +76,8 @@ App activation: POST /activate → KV.get(shortCode) → return fullKey
 Subscription validation: POST /validate → Paddle API transactions + subscriptions
   → HTTP 200 + ValidationResponse on success or invalid transaction (Paddle 404)
   → HTTP 502 + { error: "upstream_error" } if Paddle API unreachable or returns server error
+  → if deviceId present: track device in KV (devices:{seatTransactionId}), log to Analytics Engine
+  → if device count >= 6 and not recently alerted: send alert email to legal@getcmdr.com
 
 Download redirect: GET /download/:version/:arch → log to Analytics Engine → 302 to GitHub Releases
 ```
@@ -110,6 +114,13 @@ status on transient Paddle outages instead of overwriting a valid "active" cache
 `writeDataPoint` is fire-and-forget. Data schema: indexes=[version], blobs=[version, arch, country, continent],
 doubles=[1]. Query via CF Analytics Engine SQL API.
 
+**Device tracking (fair use):** On each `/validate` call with a `deviceId`, the server tracks the device in KV
+(`devices:{seatTransactionId}`) and logs to Analytics Engine (binding: `DEVICE_COUNTS`, dataset: `cmdr_device_counts`).
+Devices older than 90 days are pruned on each write. If 6+ devices are active and no alert was sent in the past 30 days,
+an internal email is sent to `legal@getcmdr.com` via Resend. Device tracking is fire-and-forget and never affects the
+validation response. The KV value stores a `DeviceSet` with device hashes mapped to last-seen timestamps plus an
+optional `lastAlertedAt`. See `docs/specs/fair-use-device-tracking-plan.md` for the full plan.
+
 ## Local development
 
 ### Run locally

apps/license-server/CLAUDE.md

@@ -0,0 +1,78 @@
+import { describe, expect, it, vi } from 'vitest'
+import { pruneStaleDevices, shouldAlert } from './device-tracking'
+
+describe('pruneStaleDevices', () => {
+    it('removes entries older than maxAgeDays', () => {
+        const now = Date.now()
+        const devices: Record<string, string> = {
+            'device-old': new Date(now - 91 * 24 * 60 * 60 * 1000).toISOString(),
+            'device-recent': new Date(now - 10 * 24 * 60 * 60 * 1000).toISOString(),
+        }
+
+        const result = pruneStaleDevices(devices, 90)
+
+        expect(Object.keys(result)).toEqual(['device-recent'])
+    })
+
+    it('keeps entries within maxAgeDays', () => {
+        const now = Date.now()
+        const devices: Record<string, string> = {
+            'device-a': new Date(now - 1 * 24 * 60 * 60 * 1000).toISOString(),
+            'device-b': new Date(now - 45 * 24 * 60 * 60 * 1000).toISOString(),
+            'device-c': new Date(now - 89 * 24 * 60 * 60 * 1000).toISOString(),
+        }
+
+        const result = pruneStaleDevices(devices, 90)
+
+        expect(Object.keys(result)).toHaveLength(3)
+    })
+
+    it('returns empty object when all entries are stale', () => {
+        const now = Date.now()
+        const devices: Record<string, string> = {
+            'device-a': new Date(now - 100 * 24 * 60 * 60 * 1000).toISOString(),
+            'device-b': new Date(now - 200 * 24 * 60 * 60 * 1000).toISOString(),
+        }
+
+        const result = pruneStaleDevices(devices, 90)
+
+        expect(Object.keys(result)).toHaveLength(0)
+    })
+
+    it('handles empty input', () => {
+        const result = pruneStaleDevices({}, 90)
+        expect(Object.keys(result)).toHaveLength(0)
+    })
+})
+
+describe('shouldAlert', () => {
+    it('fires when count >= threshold and no previous alert', () => {
+        expect(shouldAlert(6, undefined, 6)).toBe(true)
+        expect(shouldAlert(10, undefined, 6)).toBe(true)
+    })
+
+    it('fires when count >= threshold and last alert was >30 days ago', () => {
+        const thirtyOneDaysAgo = new Date(Date.now() - 31 * 24 * 60 * 60 * 1000).toISOString()
+        expect(shouldAlert(6, thirtyOneDaysAgo, 6)).toBe(true)
+    })
+
+    it('suppressed when last alert was recent', () => {
+        const fiveDaysAgo = new Date(Date.now() - 5 * 24 * 60 * 60 * 1000).toISOString()
+        expect(shouldAlert(6, fiveDaysAgo, 6)).toBe(false)
+        expect(shouldAlert(10, fiveDaysAgo, 6)).toBe(false)
+    })
+
+    it('suppressed when count < threshold', () => {
+        expect(shouldAlert(5, undefined, 6)).toBe(false)
+        expect(shouldAlert(1, undefined, 6)).toBe(false)
+        expect(shouldAlert(0, undefined, 6)).toBe(false)
+    })
+
+    it('fires at exactly 30 days boundary', () => {
+        // At exactly 30 days (not >30), should be suppressed
+        vi.useFakeTimers()
+        const exactlyThirtyDays = new Date(Date.now() - 30 * 24 * 60 * 60 * 1000).toISOString()
+        expect(shouldAlert(6, exactlyThirtyDays, 6)).toBe(false)
+        vi.useRealTimers()
+    })
+})

apps/license-server/src/device-tracking.test.ts

@@ -0,0 +1,24 @@
+export interface DeviceSet {
+    devices: Record<string, string> // deviceHash → ISO timestamp (last seen)
+    lastAlertedAt?: string // ISO timestamp, for alert suppression
+}
+
+/** Remove device entries older than `maxAgeDays` from the current time. */
+export function pruneStaleDevices(devices: Record<string, string>, maxAgeDays: number): Record<string, string> {
+    const cutoff = Date.now() - maxAgeDays * 24 * 60 * 60 * 1000
+    const result: Record<string, string> = {}
+    for (const [hash, timestamp] of Object.entries(devices)) {
+        if (new Date(timestamp).getTime() >= cutoff) {
+            result[hash] = timestamp
+        }
+    }
+    return result
+}
+
+/** Whether an alert should fire based on device count, threshold, and last alert time. */
+export function shouldAlert(deviceCount: number, lastAlertedAt: string | undefined, threshold: number): boolean {
+    if (deviceCount < threshold) return false
+    if (!lastAlertedAt) return true
+    const daysSinceLastAlert = (Date.now() - new Date(lastAlertedAt).getTime()) / (24 * 60 * 60 * 1000)
+    return daysSinceLastAlert > 30
+}