v22.8.0: four-tier pricing — Homelab / Pro / Enterprise on Stripe

Paul C · Paul C · commit c9b23ac2e5d2 · 2026-05-02T09:52:53.000+01:00
* compat::PlatformManifest gains `tier` field. New helpers
  `license_manifest`, `resolve_tier`, `effective_cap`, `has_feature`.
* `/api/platform/status` returns tier, current_nodes, over_cap.
  Drops email field — operators no longer leak it via this endpoint.
* `/api/nodes` (add_node) enforces a SOFT host cap: over-cap joins
  succeed with a warning attached to the response. Never blocks usage.
  Legacy enterprise licences (per-installation max_nodes) are zeroed
  by effective_cap so they're not retroactively capped.
* Plugin gates now require has_feature(\"plugins\") instead of any
  valid licence — so Homelab can't unlock Pro features.
* Heartbeat client: TLS verification re-enabled
  (danger_accept_invalid_certs removed).
* Dashboard header badge shows tier (Homelab / Pro / Enterprise) +
  current/max host count, paints amber when over cap, links to the
  Stripe billing portal.
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "wolfstack"
-version = "22.7.3"
+version = "22.8.0"
 edition = "2024"
 authors = ["Wolf Software Systems Ltd"]
 description = "Server management platform for the Wolf software suite"
diff --git a/src/api/mod.rs b/src/api/mod.rs
@@ -2260,6 +2260,39 @@ pub async fn add_node(req: HttpRequest, state: web::Data<AppState>, body: web::J
         }));
     }
 
+    // Licence host-cap policy: SOFT cap, never hard block.
+    //
+    // Going over your tier's host count gets you a warning attached to
+    // the response (and a banner in the dashboard) but the join still
+    // succeeds. Reconciliation happens server-side via the daily licence
+    // heartbeat. We never block someone from using WolfStack because
+    // they outgrew their tier — that's a sales conversation, not an
+    // outage.
+    let cap_warning: Option<serde_json::Value> = if let Some(dm) = crate::compat::license_manifest() {
+        let tier = crate::compat::resolve_tier(&dm);
+        let cap = crate::compat::effective_cap(tier, dm.max_nodes);
+        if cap > 0 {
+            let current = state.cluster.get_all_nodes().len() as u32;
+            if current + 1 > cap {
+                let upgrade = match tier {
+                    "homelab" => "Upgrade to Pro (£49/mo, 25 hosts) at https://wolfstack.org/enterprise.php",
+                    "pro"     => "Upgrade to Enterprise (unlimited hosts) at https://wolfstack.org/enterprise.php",
+                    _         => "Contact sales@wolf.uk.com to raise the cap",
+                };
+                Some(serde_json::json!({
+                    "message": format!(
+                        "Host added — but your cluster now exceeds the {} tier ({} of {} hosts). {}",
+                        tier, current + 1, cap, upgrade
+                    ),
+                    "tier": tier,
+                    "max_nodes": cap,
+                    "current_nodes": current + 1,
+                    "feature": "host_cap",
+                }))
+            } else { None }
+        } else { None }
+    } else { None };
+
     let node_type = body.node_type.as_deref().unwrap_or("wolfstack");
 
     if node_type == "proxmox" {
@@ -2416,13 +2449,19 @@ pub async fn add_node(req: HttpRequest, state: web::Data<AppState>, body: web::J
         });
     }
 
-    HttpResponse::Ok().json(serde_json::json!({
+    let mut response = serde_json::json!({
         "id": id,
         "address": body.address,
         "port": port,
         "node_type": "wolfstack",
         "cluster_name": cluster_name,
-    }))
+    });
+    if let Some(warning) = cap_warning {
+        if let Some(obj) = response.as_object_mut() {
+            obj.insert("warning".to_string(), warning);
+        }
+    }
+    HttpResponse::Ok().json(response)
 }
 
 /// DELETE /api/nodes/{id} — remove a server
@@ -20898,12 +20937,12 @@ pub async fn plugins_reload(req: HttpRequest, state: web::Data<AppState>) -> Htt
 
 const PLUGIN_INDEX_URL: &str = "https://raw.githubusercontent.com/wolfsoftwaresystemsltd/WolfStack/master/pkg/index.json";
 
-/// GET /api/plugins/store — fetch available plugins from the plugin store (Enterprise only)
+/// GET /api/plugins/store — fetch available plugins from the plugin store (Pro+ only)
 pub async fn plugins_store(req: HttpRequest, state: web::Data<AppState>) -> HttpResponse {
     if let Err(resp) = require_auth(&req, &state) { return resp; }
-    if !crate::compat::platform_ready() {
+    if !crate::compat::has_feature("plugins") {
         return HttpResponse::Forbidden().json(serde_json::json!({
-            "error": "Plugin store requires an Enterprise license",
+            "error": "Plugins require a Pro or Enterprise licence — upgrade at https://wolfstack.org/enterprise.php",
             "feature": "plugins"
         }));
     }
@@ -20961,12 +21000,12 @@ pub struct PluginInstallRequest {
     pub url: String,
 }
 
-/// POST /api/plugins/install — install a plugin from URL (Enterprise only)
+/// POST /api/plugins/install — install a plugin from URL (Pro+ only)
 pub async fn plugins_install(req: HttpRequest, state: web::Data<AppState>, body: web::Json<PluginInstallRequest>) -> HttpResponse {
     if let Err(resp) = require_auth(&req, &state) { return resp; }
-    if !crate::compat::platform_ready() {
+    if !crate::compat::has_feature("plugins") {
         return HttpResponse::Forbidden().json(serde_json::json!({
-            "error": "Plugins require an Enterprise license",
+            "error": "Plugins require a Pro or Enterprise licence — upgrade at https://wolfstack.org/enterprise.php",
             "feature": "plugins"
         }));
     }
@@ -21002,11 +21041,11 @@ pub async fn plugins_toggle(req: HttpRequest, state: web::Data<AppState>, path:
     }
 }
 
-/// GET /api/plugins/{id}/file/{path} — serve plugin web assets (JS/CSS) (Enterprise only)
+/// GET /api/plugins/{id}/file/{path} — serve plugin web assets (JS/CSS) (Pro+ only)
 pub async fn plugins_file(_req: HttpRequest, path: web::Path<(String, String)>) -> HttpResponse {
     // No auth required for static assets (they're loaded by the browser)
-    // But plugins are an Enterprise feature — don't serve assets without a license
-    if !crate::compat::platform_ready() {
+    // But plugins are gated to Pro+ — don't serve assets without that feature
+    if !crate::compat::has_feature("plugins") {
         return HttpResponse::Forbidden().finish();
     }
     let (plugin_id, file_path) = path.into_inner();
@@ -21129,10 +21168,21 @@ pub async fn plugin_data_file(req: HttpRequest, state: web::Data<AppState>, path
 
 // ─── Access Token Management ───
 
-/// GET /api/platform/status
+/// GET /api/platform/status — licence status + current host count.
+/// Used by the dashboard tier badge and the Settings → License view.
 pub async fn platform_status(req: HttpRequest, state: web::Data<AppState>) -> HttpResponse {
     if let Err(resp) = require_auth(&req, &state) { return resp; }
-    HttpResponse::Ok().json(crate::compat::runtime_status())
+
+    let mut status = crate::compat::runtime_status();
+    let current_nodes = state.cluster.get_all_nodes().len() as u32;
+    if let Some(obj) = status.as_object_mut() {
+        obj.insert("current_nodes".to_string(), serde_json::json!(current_nodes));
+        // over_cap is informational — usage is never hard-blocked.
+        let cap = obj.get("max_nodes").and_then(|v| v.as_u64()).unwrap_or(0) as u32;
+        let over = cap > 0 && current_nodes > cap;
+        obj.insert("over_cap".to_string(), serde_json::json!(over));
+    }
+    HttpResponse::Ok().json(status)
 }
 
 #[derive(Deserialize)]
diff --git a/src/compat/mod.rs b/src/compat/mod.rs
@@ -58,6 +58,8 @@ pub struct PlatformManifest {
     pub max_nodes: u32,
     pub expires: String,
     pub features: Vec<String>,
+    #[serde(default)]
+    pub tier: String,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -111,22 +113,74 @@ pub fn probe_runtime() -> bool {
 }
 
 pub fn runtime_status() -> serde_json::Value {
+    // The dashboard badge needs the customer name and tier; it does NOT
+    // need the email. Omitting the email keeps it out of any
+    // authenticated session that isn't explicitly admin.
     match load_dm() {
-        Some(dm) => serde_json::json!({
-            "valid": true,
-            "customer": dm.customer,
-            "email": dm.email,
-            "max_nodes": dm.max_nodes,
-            "expires": dm.expires,
-            "features": dm.features,
-        }),
+        Some(dm) => {
+            let tier = resolve_tier(&dm);
+            let cap = effective_cap(tier, dm.max_nodes);
+            serde_json::json!({
+                "valid": true,
+                "tier": tier,
+                "customer": dm.customer,
+                "max_nodes": cap,
+                "expires": dm.expires,
+                "features": dm.features,
+            })
+        }
         None => serde_json::json!({
             "valid": false,
+            "tier": "community",
+            "max_nodes": 0,
+            "features": [],
             "message": rt_msg(4),
         }),
     }
 }
 
+/// Normalise the host cap reported to UIs and gates. Enterprise is
+/// always unlimited, regardless of what a legacy per-installation
+/// licence stored in max_nodes.
+pub fn effective_cap(tier: &str, raw_max: u32) -> u32 {
+    match tier {
+        "homelab" | "pro" => raw_max,
+        _ => 0,
+    }
+}
+
+/// Public read-only view of the active licence — None when unlicensed
+/// (Community tier). Used by `/api/nodes` to enforce host caps.
+pub fn license_manifest() -> Option<PlatformManifest> {
+    load_dm()
+}
+
+/// Resolve the licence tier name. Newer licences include `tier` in the
+/// signed payload; older licences are inferred from the `features` list
+/// (the webhook always sets the first feature to the tier slug).
+pub fn resolve_tier(dm: &PlatformManifest) -> &'static str {
+    if !dm.tier.is_empty() {
+        return match dm.tier.as_str() {
+            "homelab" => "homelab",
+            "pro" => "pro",
+            "enterprise" => "enterprise",
+            _ => "enterprise",
+        };
+    }
+    if dm.features.iter().any(|f| f == "homelab") { "homelab" }
+    else if dm.features.iter().any(|f| f == "pro") { "pro" }
+    else { "enterprise" }
+}
+
+/// True when the licence grants access to a named feature
+/// (e.g. "sso", "api_keys", "plugins", "wolfcustom", "wolfhost").
+pub fn has_feature(name: &str) -> bool {
+    match load_dm() {
+        Some(dm) => dm.features.iter().any(|f| f == name),
+        None => false,
+    }
+}
+
 fn ts_ymd() -> String {
     let s = SystemTime::now().duration_since(UNIX_EPOCH).unwrap_or_default().as_secs();
     let (y, m, d) = cd(s / 86400);
@@ -207,12 +261,13 @@ pub async fn report_license_heartbeat(cluster: &crate::agent::ClusterState) {
 }
 
 /// Shared HTTP client for the daily license heartbeat. One pool for
-/// the lifetime of the process.
+/// the lifetime of the process. wolfstack.org has a valid public cert,
+/// so cert verification stays on — the heartbeat carries the licence
+/// record and isn't something we want intercepted.
 static HEARTBEAT_CLIENT: std::sync::LazyLock<reqwest::Client> =
     std::sync::LazyLock::new(|| {
         crate::api::ipv4_only_client_builder()
             .timeout(std::time::Duration::from_secs(15))
-            .danger_accept_invalid_certs(true)
             .build()
             .unwrap_or_else(|_| reqwest::Client::new())
     });
diff --git a/web/js/app.js b/web/js/app.js
@@ -28818,21 +28818,59 @@ async function loadSponsorHeaderBadge() {
     var badgeEl = document.getElementById('sponsor-header-badge');
     if (!badgeEl) return;
 
-    // Check enterprise license first — takes priority over sponsor tier
+    // Check WolfStack licence first — takes priority over sponsor tier
     try {
         var licResp = await fetch(apiUrl('/api/platform/status'));
         if (licResp.ok) {
             var lic = await licResp.json();
             if (lic.valid) {
-                badgeEl.style.background = 'linear-gradient(135deg, #dc2626, #ef4444)';
-                badgeEl.textContent = 'Enterprise';
-                if (textEl) textEl.textContent = lic.customer || 'Enterprise License';
+                var tierLabels = { homelab: 'Homelab', pro: 'Pro', enterprise: 'Enterprise' };
+                var tierGradients = {
+                    homelab: 'linear-gradient(135deg, #2563eb, #3b82f6)',
+                    pro: 'linear-gradient(135deg, #7c3aed, #a855f7)',
+                    enterprise: 'linear-gradient(135deg, #dc2626, #ef4444)'
+                };
+                var tierBg = {
+                    homelab: 'linear-gradient(135deg, rgba(37,99,235,0.12), rgba(59,130,246,0.08))',
+                    pro: 'linear-gradient(135deg, rgba(124,58,237,0.12), rgba(168,85,247,0.08))',
+                    enterprise: 'linear-gradient(135deg, rgba(220,38,38,0.12), rgba(239,68,68,0.08))'
+                };
+                var tierBorder = {
+                    homelab: 'rgba(37,99,235,0.25)',
+                    pro: 'rgba(124,58,237,0.25)',
+                    enterprise: 'rgba(220,38,38,0.25)'
+                };
+                var tier = lic.tier || 'enterprise';
+                var label = tierLabels[tier] || 'Licensed';
+                // When over the host cap we paint the badge amber to flag
+                // it without breaking the operator's flow — usage is never
+                // hard-blocked, this is just a visible "you owe us a chat"
+                // signal.
+                var amberGrad = 'linear-gradient(135deg, #d97706, #f59e0b)';
+                var amberBg   = 'linear-gradient(135deg, rgba(217,119,6,0.14), rgba(245,158,11,0.10))';
+                var amberBorder = 'rgba(217,119,6,0.35)';
+                var overCap = !!lic.over_cap;
+                badgeEl.style.background = overCap ? amberGrad : (tierGradients[tier] || tierGradients.enterprise);
+                badgeEl.textContent = overCap ? (label + ' · over cap') : label;
+                var detail = lic.customer || 'Licensed';
+                if (typeof lic.current_nodes === 'number') {
+                    if (lic.max_nodes && lic.max_nodes > 0) {
+                        detail += ' — ' + lic.current_nodes + '/' + lic.max_nodes + ' hosts';
+                    } else {
+                        detail += ' — ' + lic.current_nodes + ' host' + (lic.current_nodes === 1 ? '' : 's');
+                    }
+                }
+                if (textEl) textEl.textContent = detail;
                 if (linkEl) {
-                    linkEl.style.background = 'linear-gradient(135deg, rgba(220,38,38,0.12), rgba(239,68,68,0.08))';
-                    linkEl.style.borderColor = 'rgba(220,38,38,0.25)';
-                    linkEl.removeAttribute('href');
-                    linkEl.removeAttribute('target');
-                    linkEl.style.cursor = 'default';
+                    linkEl.style.background  = overCap ? amberBg     : (tierBg[tier]     || tierBg.enterprise);
+                    linkEl.style.borderColor = overCap ? amberBorder : (tierBorder[tier] || tierBorder.enterprise);
+                    linkEl.style.cursor = 'pointer';
+                    linkEl.setAttribute('href', 'https://wolfstack.org/enterprise-portal.php');
+                    linkEl.setAttribute('target', '_blank');
+                    linkEl.setAttribute('rel', 'noopener');
+                    linkEl.title = overCap
+                        ? 'Cluster exceeds the ' + tier + ' tier — click to upgrade'
+                        : 'Click to manage your WolfStack subscription';
                 }
                 return; // Skip sponsor check
             }
