Entitlement Resolution
Entitlement resolution is where the platform decides whether a command may run. It composes the entitlements that apply to the current scope, bounds them by the signed license, and evaluates one command against the result. The decision is deterministic and ordered. It is fail-closed: when anything is missing or ambiguous, the command is denied.
The effective set
Three sources feed every decision:
- The signed license sets the ceiling. It is the set of entitlements in the active, verified license. The platform never grants anything outside it.
- The platform baseline is the set of entitlements every tenant on the deployment inherits.
- The tenant additions are an optional per-tenant subscription that grants more within what the ceiling already allows.
The resolver composes them as:
effective = (platformBaseline ∪ tenantAdditions) ∩ ceiling
The union merges the baseline and any tenant additions. Features combine, command overrides combine, and a quota takes the larger allowance. The intersection then caps that union to the signed ceiling. Only features the ceiling carries survive, allow rules are capped to the ceiling's allow set, quotas are capped to the ceiling's limits, and denials accumulate. A tenant can be granted more than the baseline, but never more than the signed license permits.
The decision
For one command, the resolver evaluates the effective set in a fixed order. The first match wins.
- Ceiling unavailable. If the signed license is missing, expired, revoked, or otherwise unusable, the command is denied. Nothing is granted without a usable ceiling.
- Unknown feature key. If the command requires a feature key the catalog does not list, it is denied. An undeclared key is never an implicit grant.
- Deny-override. If the command matches a deny rule from the platform baseline or the tenant additions, it is denied. A deny is definitive and cannot be overridden by any grant.
- Outside the ceiling. If the command is not permitted by the signed ceiling, neither by a ceiling feature nor a ceiling allow rule, it is denied.
- Allow-override. If the command matches an allow rule in the effective set, it is allowed, even without a matching feature.
- Feature grant. If every feature key the command requires is present and truthy in the effective set, it is allowed.
- Default deny. Otherwise the command is denied.
Command overrides are matched as patterns, so a single rule can cover a family of commands. Allow and deny rules are layered over the coarse feature grants. A deny rule always wins. See Command Overrides for the rule structure.
The twelve denial reasons
Every denial carries one machine-readable reason, drawn from a single ordered enumeration. The first six are entitlement-decision outcomes. The last six describe a defective contract or license envelope.
| Reason | Meaning |
|---|---|
UNKNOWN_FEATURE_KEY | The command requires a feature key the catalog does not list. |
NOT_ENTITLED | The effective set does not grant the required feature or command. |
QUOTA_EXCEEDED | A quota allowance is exhausted for this scope. |
CEILING_EXCEEDED | The request exceeds the signed-license ceiling and cannot be raised by a baseline or subscription. |
COMMAND_DENIED | A deny rule matched. A deny always wins. |
PARTY_RESOLUTION_FAILED | The issuer, licensee, or installation-owner party could not be resolved. |
MISSING_CONTRACT | The command has no registered contract. |
MISSING_DESCRIPTOR | The contract carries no license descriptor. |
MALFORMED_DESCRIPTOR | The license descriptor failed structural validation. |
LICENSE_MISSING | No license is installed for this installation. |
LICENSE_EXPIRED | The installed license is past its expiry, beyond any grace. |
LICENSE_INVALID | The installed license is structurally or cryptographically invalid. |
A denial surfaces to the caller as a forbidden error carrying its reason plus safe license identifiers only. It never carries the raw license payload or key material.
Fail-closed and deny-overrides
Two rules run through the whole decision.
Fail-closed. A missing source, an unavailable ceiling, an unknown feature key, or any resolution failure yields no grant. The default outcome of an undecided command is deny, so a gap in coverage or configuration cannot accidentally open access.
Deny-overrides. A deny rule from either the platform baseline or a tenant subscription is definitive. It beats every allow rule and feature grant. A deny is the way to refuse a command unconditionally.
The effective license snapshot
What an operator sees of all this is a sanitized status projection, not the decision internals. It reports the effective status (ACTIVE, GRACE, RECOVERY, MISSING, EXPIRED, REVOKED, SUSPENDED, INVALID, or BLOCKED), one summary per licensed product, the customer and installation identifiers, the issuer, the signing-certificate fingerprint, the expiry instant with days remaining, the recovery and grace flags, and any warnings. Entitlement decisions read the full license internally. The projection exposes only enough for an operator to see whether the deployment is licensed, for which products, and when the license expires. The exact wire shape is in the Platform Admin API reference.
Where resolution fits
- Features and The Catalog supply the feature set the resolver checks against.
- Per-tenant Subscriptions are the optional tenant additions composed into the effective set.
- Command Contracts carry the per-command license descriptor the resolver evaluates.
- License, Quota, and Policy covers quota metering and command-level enforcement in depth.