Licensing¶
KDBL Context Lake (K-Lake) deployments are licensed offline by source-file capacity (bytes) with an expiry. There is no phone-home — a deployment validates its licence entirely locally, so it works in air-gapped environments.
How it works¶
A licence is a small cryptographically signed document carrying the customer, capacity, expiry, and grace/lockdown windows:
- KDBL issues licences. A licence is signed when it is created and is tamper-evident — any edit to the capacity, expiry, or customer breaks the signature and the licence stops verifying.
- Every K-Lake service can verify a licence but cannot create or alter one. The signature can only be produced by KDBL, so customers cannot self-mint a licence.
kdbl-control(which customers run) can only apply and inspect a licence.
Once applied, the licence is stored in the deployment. Each service re-checks it in the background (changes take effect within ~30s): it re-verifies the signature, sums deployment-wide usage, guards against clock roll-back, and computes the current enforcement stage.
How you get a licence¶
Licences are issued by KDBL. Evaluations and proof-of-concept deployments get a
standard 30-day licence; paid deployments get a licence sized to the purchased
capacity and term. KDBL sends you a licence file (or a KDBL_LICENCE blob to set
before bringing the deployment up). To renew or change capacity, contact KDBL for
a new licence and apply it (see below) — no reinstall is required.
Applying a licence (customer)¶
# Optionally check it first (verifies locally with the built-in public key):
kdbl-control licence inspect acme.kdbl
# Apply it (cluster-admin token; the API verifies the signature before storing):
kdbl-control --api-url http://kdbl-api --api-token <CLUSTER_ADMIN> licence apply acme.kdbl
# Check status any time (tenant-admin or cluster-admin):
kdbl-control --api-url http://kdbl-api --api-token <TOKEN> licence status
Status is also at GET /api/licence and is shown as a banner in the operator UI.
Enforcement¶
Enforcement is fail-closed. The effective stage is the most restrictive of the capacity and expiry tracks:
| Trigger | Stage | Effect |
|---|---|---|
| Within limits | valid |
Normal. |
| > 90% capacity, or < 14 days to expiry | warn |
Allowed; warning surfaced. |
| Capacity reached | block_new_ingestion |
New crawls/sources blocked; reads/search keep working. Never escalates further. |
Expired, within grace_days |
grace |
Allowed; loud warning. |
Expired, within lockdown_days after grace |
block_new_ingestion |
New ingestion blocked; reads still work. |
| Expired past lockdown | block_all |
All operations blocked except the licence status read. |
| No / invalid licence at boot | — | Container refuses to start (see below). |
"Block new ingestion" is enforced both at the API (the crawl / add-source endpoints
return 403) and in the worker (already-queued work stops too). MCP retrieval is
blocked at block_all too.
Fail-closed at boot (no opt-out). Every K-Lake service checks the licence at
startup, reading it from the kdbl-licence Secret (KDBL_LICENCE /
KDBL_LICENCE_FILE):
- Absent or invalid → the service refuses to start. This is unconditional; a deployment cannot run unlicensed.
- Expired → the API still boots (so it can serve
/licencefor live renewal); the data-plane services refuse to start once past lockdown (block_all), but boot fine in grace / block-new.
So a fresh deployment must be provisioned with the kdbl-licence Secret. The
standard install scripts enforce this. Evaluations get a 30-day licence from KDBL —
see How you get a licence above.
Tamper model¶
The licence is cryptographically signed — capacity and expiry can't be edited without invalidating the signature, and only KDBL can issue a valid licence. Runtime enforcement is tamper-resistant, not tamper-proof: it runs on hardware the customer controls, so a determined party with root could patch the software — which is true of all self-hosted licensing, and is a breach of the Commercial Licence Agreement. The defences raise the bar substantially: enforcement fails closed, usage is read from authoritative state, clock roll-back gains nothing, services verify independently, and stage changes are logged.
Renewals and licence handling¶
To renew or resize, KDBL issues you a new licence; apply it with
kdbl-control licence apply (or POST /api/licence) with no restart required.
See licence-key-management.md for guidance on
storing and renewing your licence.