feat: license card in settings (#47)

Adds the user-facing layer on top of the Rust license commands shipped
in #46.

- `licenseService.ts` thin wrapper around the new Tauri commands
- `useLicense` hook follows the project's useReducer pattern (idle,
  loading, ready, validating, error) and exposes `submitKey`,
  `refresh`, and `checkEntitlement` for cross-component use
- `LicenseCard` shows the current edition, the expiry date when set,
  accepts a license key with inline validation feedback, and links to
  the purchase page via `openUrl` from `@tauri-apps/plugin-opener`
- Card is inserted at the top of `SettingsPage` so the edition is the
  first thing users see when looking for license-related actions
- i18n: new `license.*` keys in both `fr.json` and `en.json`
- Bilingual CHANGELOG entries

.forgejo/workflows/check.yml

@@ -0,0 +1,97 @@
+name: PR Check
+
+# Validates Rust + frontend on every branch push and PR.
+# Goal: catch compile errors, type errors, and failing tests BEFORE merge,
+# instead of waiting for the release tag (which is when release.yml runs).
+
+on:
+  push:
+    branches-ignore:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  rust:
+    runs-on: ubuntu
+    container: ubuntu:22.04
+    env:
+      PATH: /root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+      CARGO_TERM_COLOR: always
+    steps:
+      - name: Install system dependencies, Node.js and Rust
+        run: |
+          apt-get update
+          apt-get install -y --no-install-recommends \
+            curl wget git ca-certificates build-essential pkg-config \
+            libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev libssl-dev
+          # Node.js is required by actions/checkout and actions/cache (they
+          # are JavaScript actions and need `node` in the container PATH).
+          curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
+          apt-get install -y nodejs
+          # Rust toolchain
+          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
+          node --version
+          rustc --version
+          cargo --version
+
+      - name: Checkout
+        uses: https://github.com/actions/checkout@v4
+
+      - name: Cache cargo registry and git
+        uses: https://github.com/actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+          key: ${{ runner.os }}-cargo-registry-${{ hashFiles('src-tauri/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-registry-
+
+      - name: Cache cargo build target
+        uses: https://github.com/actions/cache@v4
+        with:
+          path: src-tauri/target
+          key: ${{ runner.os }}-cargo-target-${{ hashFiles('src-tauri/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-target-
+
+      - name: cargo check
+        run: cargo check --manifest-path src-tauri/Cargo.toml --all-targets
+
+      - name: cargo test
+        run: cargo test --manifest-path src-tauri/Cargo.toml --all-targets
+
+  frontend:
+    runs-on: ubuntu
+    container: ubuntu:22.04
+    steps:
+      - name: Install Node.js 20
+        run: |
+          apt-get update
+          apt-get install -y --no-install-recommends curl ca-certificates git
+          curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
+          apt-get install -y nodejs
+          node --version
+          npm --version
+
+      - name: Checkout
+        uses: https://github.com/actions/checkout@v4
+
+      - name: Cache npm cache
+        uses: https://github.com/actions/cache@v4
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-npm-${{ hashFiles('package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-npm-
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build (tsc + vite)
+        run: npm run build
+
+      - name: Tests (vitest)
+        run: npm test

.github/workflows/check.yml

@@ -0,0 +1,68 @@
+name: PR Check
+
+# Mirror of .forgejo/workflows/check.yml using GitHub-native runners.
+# Forgejo is the primary host; this file keeps the GitHub mirror functional.
+
+on:
+  push:
+    branches-ignore:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  rust:
+    runs-on: ubuntu-latest
+    env:
+      CARGO_TERM_COLOR: always
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends \
+            pkg-config libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev libssl-dev
+
+      - name: Install Rust toolchain (stable)
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache cargo
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            src-tauri/target
+          key: ${{ runner.os }}-cargo-${{ hashFiles('src-tauri/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-
+
+      - name: cargo check
+        run: cargo check --manifest-path src-tauri/Cargo.toml --all-targets
+
+      - name: cargo test
+        run: cargo test --manifest-path src-tauri/Cargo.toml --all-targets
+
+  frontend:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js 20
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build (tsc + vite)
+        run: npm run build
+
+      - name: Tests (vitest)
+        run: npm test

CHANGELOG.fr.md

@@ -2,6 +2,10 @@
 
 ## [Non publié]
 
+### Ajouté
+- CI : nouveau workflow `check.yml` qui exécute `cargo check`/`cargo test` et le build frontend sur chaque push de branche et PR, détectant les erreurs avant le merge plutôt qu'au moment de la release (#60)
+- Carte de licence dans les Paramètres : affiche l'édition actuelle (Gratuite/Base/Premium), accepte une clé de licence et redirige vers la page d'achat (#47)
+
 ## [0.6.7] - 2026-03-29
 
 ### Modifié

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## [Unreleased]
 
+### Added
+- CI: new `check.yml` workflow runs `cargo check`/`cargo test` and the frontend build on every branch push and PR, catching errors before merge instead of waiting for the release tag (#60)
+- License card in Settings page: shows the current edition (Free/Base/Premium), accepts a license key, and links to the purchase page (#47)
+
 ## [0.6.7] - 2026-03-29
 
 ### Changed

CLAUDE.md

@@ -157,9 +157,8 @@ Pour maintenir l'éligibilité aux crédits d'impôt R&D (RS&DE fédéral + CRIC
 
 ## CI/CD
 
-- GitHub Actions (`release.yml`) déclenché par tags `v*`
+- **`check.yml`** (Forgejo Actions + miroir GitHub) — déclenché sur chaque push de branche (sauf `main`) et chaque PR vers `main`. Lance `cargo check`, `cargo test`, `npm run build` (tsc + vite) et `npm test` (vitest). Doit être vert avant tout merge.
-- Build Windows (NSIS `.exe`) + Linux (`.deb`, `.rpm`)
+- **`release.yml`** — déclenché par les tags `v*`. Build Windows (NSIS `.exe`) + Linux (`.deb`, `.rpm`), signe les binaires et publie le JSON d'updater pour les mises à jour automatiques.
-- Signature des binaires + JSON d'updater pour mises à jour automatiques
 
 ---
 

src-tauri/Cargo.toml

@@ -35,4 +35,12 @@ walkdir = "2"
 aes-gcm = "0.10"
 argon2 = "0.5"
 rand = "0.8"
+jsonwebtoken = "9"
+machine-uid = "0.5"
 
+[dev-dependencies]
+# Used in license_commands.rs tests to sign test JWTs. We avoid the `pem`
+# feature because the `LineEnding` re-export path varies between versions
+# of pkcs8/spki; building the PKCS#8 DER manually is stable and trivial
+# for Ed25519.
+ed25519-dalek = { version = "2", features = ["pkcs8", "rand_core"] }

src-tauri/src/commands/entitlements.rs

@@ -0,0 +1,67 @@
+// Centralized feature → tier mapping for license entitlements.
+//
+// This module is the single source of truth for which features are gated by which tier.
+// To change what is gated where, modify FEATURE_TIERS only — never sprinkle edition checks
+// throughout the codebase.
+
+/// Editions, ordered from least to most privileged.
+pub const EDITION_FREE: &str = "free";
+pub const EDITION_BASE: &str = "base";
+pub const EDITION_PREMIUM: &str = "premium";
+
+/// Maps feature name → list of editions allowed to use it.
+/// A feature absent from this list is denied for all editions.
+const FEATURE_TIERS: &[(&str, &[&str])] = &[
+    ("auto-update", &[EDITION_BASE, EDITION_PREMIUM]),
+    ("web-sync", &[EDITION_PREMIUM]),
+    ("cloud-backup", &[EDITION_PREMIUM]),
+    ("advanced-reports", &[EDITION_PREMIUM]),
+];
+
+/// Pure check: does `edition` grant access to `feature`?
+pub fn is_feature_allowed(feature: &str, edition: &str) -> bool {
+    FEATURE_TIERS
+        .iter()
+        .find(|(name, _)| *name == feature)
+        .map(|(_, tiers)| tiers.contains(&edition))
+        .unwrap_or(false)
+}
+
+#[tauri::command]
+pub fn check_entitlement(app: tauri::AppHandle, feature: String) -> Result<bool, String> {
+    let edition = crate::commands::license_commands::current_edition(&app);
+    Ok(is_feature_allowed(&feature, &edition))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn free_blocks_auto_update() {
+        assert!(!is_feature_allowed("auto-update", EDITION_FREE));
+    }
+
+    #[test]
+    fn base_unlocks_auto_update() {
+        assert!(is_feature_allowed("auto-update", EDITION_BASE));
+    }
+
+    #[test]
+    fn premium_unlocks_everything() {
+        assert!(is_feature_allowed("auto-update", EDITION_PREMIUM));
+        assert!(is_feature_allowed("web-sync", EDITION_PREMIUM));
+        assert!(is_feature_allowed("cloud-backup", EDITION_PREMIUM));
+    }
+
+    #[test]
+    fn base_does_not_unlock_premium_features() {
+        assert!(!is_feature_allowed("web-sync", EDITION_BASE));
+        assert!(!is_feature_allowed("cloud-backup", EDITION_BASE));
+    }
+
+    #[test]
+    fn unknown_feature_denied() {
+        assert!(!is_feature_allowed("nonexistent", EDITION_PREMIUM));
+    }
+}

src-tauri/src/commands/license_commands.rs

@@ -0,0 +1,460 @@
+// License validation, storage and reading for the Base/Premium editions.
+//
+// Architecture:
+// - License key = "SR-BASE-<JWT>" or "SR-PREMIUM-<JWT>", JWT signed Ed25519 by the server
+// - Activation token = separate JWT, also signed by the server, binds the license to a machine
+//   (machine_id claim must match the local machine_id). Without it, a copied license.key would
+//   work on any machine. Activation tokens are issued by the server in a separate flow (Issue #49).
+// - Both files live in app_data_dir/ — license.key and activation.token
+// - get_edition() returns "free" unless BOTH license JWT is valid (signature + exp) AND
+//   either there is no activation token (graceful pre-activation state) OR the activation token
+//   matches the local machine_id.
+//
+// CWE-613: every license JWT MUST carry an `exp` claim. We reject licenses without it.
+
+use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
+use serde::{Deserialize, Serialize};
+use std::fs;
+use std::path::PathBuf;
+use tauri::Manager;
+
+use super::entitlements::{EDITION_BASE, EDITION_FREE, EDITION_PREMIUM};
+
+// Ed25519 public key for license verification.
+//
+// IMPORTANT: this PEM is a development placeholder taken from RFC 8410 §10.3 test vectors.
+// The matching private key is publicly known, so any license signed with it offers no real
+// protection. Replace this constant with the production public key before shipping a paid
+// release. The corresponding private key MUST live only on the license server (Issue #49).
+const PUBLIC_KEY_PEM: &str = "-----BEGIN PUBLIC KEY-----\n\
+MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=\n\
+-----END PUBLIC KEY-----\n";
+
+const LICENSE_FILE: &str = "license.key";
+const ACTIVATION_FILE: &str = "activation.token";
+
+const KEY_PREFIX_BASE: &str = "SR-BASE-";
+const KEY_PREFIX_PREMIUM: &str = "SR-PREMIUM-";
+
+/// Decoded license metadata exposed to the frontend.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct LicenseInfo {
+    pub edition: String,
+    pub email: String,
+    pub features: Vec<String>,
+    pub machine_limit: u32,
+    pub issued_at: i64,
+    pub expires_at: i64,
+}
+
+/// Claims embedded in the license JWT (signed by the license server).
+#[derive(Debug, Clone, Serialize, Deserialize)]
+struct LicenseClaims {
+    sub: String, // email
+    iss: String,
+    iat: i64,
+    exp: i64, // mandatory — see CWE-613
+    edition: String,
+    #[serde(default)]
+    features: Vec<String>,
+    machine_limit: u32,
+}
+
+/// Claims embedded in the activation token JWT (server-signed, machine-bound).
+#[derive(Debug, Clone, Serialize, Deserialize)]
+struct ActivationClaims {
+    sub: String, // license id or hash
+    iat: i64,
+    exp: i64,
+    machine_id: String,
+}
+
+fn app_data_dir(app: &tauri::AppHandle) -> Result<PathBuf, String> {
+    app.path()
+        .app_data_dir()
+        .map_err(|e| format!("Cannot get app data dir: {}", e))
+}
+
+fn license_path(app: &tauri::AppHandle) -> Result<PathBuf, String> {
+    Ok(app_data_dir(app)?.join(LICENSE_FILE))
+}
+
+fn activation_path(app: &tauri::AppHandle) -> Result<PathBuf, String> {
+    Ok(app_data_dir(app)?.join(ACTIVATION_FILE))
+}
+
+/// Strip the human-readable prefix and return the bare JWT.
+fn strip_prefix(key: &str) -> Result<&str, String> {
+    let trimmed = key.trim();
+    if let Some(jwt) = trimmed.strip_prefix(KEY_PREFIX_BASE) {
+        return Ok(jwt);
+    }
+    if let Some(jwt) = trimmed.strip_prefix(KEY_PREFIX_PREMIUM) {
+        return Ok(jwt);
+    }
+    Err("License key must start with SR-BASE- or SR-PREMIUM-".to_string())
+}
+
+/// Build a `Validation` with `exp` and `iat` mandatory. Assertions are explicit so a future
+/// config change cannot silently disable expiry checking (CWE-613).
+fn strict_validation() -> Validation {
+    let mut validation = Validation::new(Algorithm::EdDSA);
+    validation.validate_exp = true;
+    validation.leeway = 0;
+    validation.set_required_spec_claims(&["exp", "iat"]);
+    validation
+}
+
+/// Build the production `DecodingKey` from the embedded PEM constant.
+fn embedded_decoding_key() -> Result<DecodingKey, String> {
+    DecodingKey::from_ed_pem(PUBLIC_KEY_PEM.as_bytes())
+        .map_err(|e| format!("Invalid public key: {}", e))
+}
+
+/// Pure validation: decode the JWT, verify signature with the provided key, ensure the
+/// edition claim is one we recognize. Returns `LicenseInfo` on success.
+///
+/// Separated from the Tauri command so tests can pass their own key.
+fn validate_with_key(key: &str, decoding_key: &DecodingKey) -> Result<LicenseInfo, String> {
+    let jwt = strip_prefix(key)?;
+    let validation = strict_validation();
+
+    let data = decode::<LicenseClaims>(jwt, decoding_key, &validation)
+        .map_err(|e| format!("Invalid license: {}", e))?;
+
+    let claims = data.claims;
+    if claims.edition != EDITION_BASE && claims.edition != EDITION_PREMIUM {
+        return Err(format!("Unknown edition '{}'", claims.edition));
+    }
+
+    Ok(LicenseInfo {
+        edition: claims.edition,
+        email: claims.sub,
+        features: claims.features,
+        machine_limit: claims.machine_limit,
+        issued_at: claims.iat,
+        expires_at: claims.exp,
+    })
+}
+
+/// Validate an activation token against the local machine. The token must be signed by the
+/// license server and its `machine_id` claim must match the local machine identifier.
+fn validate_activation_with_key(
+    token: &str,
+    local_machine_id: &str,
+    decoding_key: &DecodingKey,
+) -> Result<(), String> {
+    let validation = strict_validation();
+
+    let data = decode::<ActivationClaims>(token.trim(), decoding_key, &validation)
+        .map_err(|e| format!("Invalid activation token: {}", e))?;
+
+    if data.claims.machine_id != local_machine_id {
+        return Err("Activation token belongs to a different machine".to_string());
+    }
+    Ok(())
+}
+
+// === Tauri commands ===========================================================================
+
+/// Validate a license key without persisting it. Used by the UI to give immediate feedback
+/// before the user confirms storage.
+#[tauri::command]
+pub fn validate_license_key(key: String) -> Result<LicenseInfo, String> {
+    let decoding_key = embedded_decoding_key()?;
+    validate_with_key(&key, &decoding_key)
+}
+
+/// Persist a previously-validated license key to disk. The activation token (machine binding)
+/// is stored separately by [`store_activation_token`] once the server has issued one.
+#[tauri::command]
+pub fn store_license(app: tauri::AppHandle, key: String) -> Result<LicenseInfo, String> {
+    let decoding_key = embedded_decoding_key()?;
+    let info = validate_with_key(&key, &decoding_key)?;
+    let path = license_path(&app)?;
+    if let Some(parent) = path.parent() {
+        fs::create_dir_all(parent).map_err(|e| format!("Cannot create app data dir: {}", e))?;
+    }
+    fs::write(&path, key.trim()).map_err(|e| format!("Cannot write license file: {}", e))?;
+    Ok(info)
+}
+
+/// Persist a server-issued activation token (machine binding). The token is opaque to the
+/// caller — it must validate against the local machine_id to be considered active.
+#[tauri::command]
+pub fn store_activation_token(app: tauri::AppHandle, token: String) -> Result<(), String> {
+    let local_id = machine_id_internal()?;
+    let decoding_key = embedded_decoding_key()?;
+    validate_activation_with_key(&token, &local_id, &decoding_key)?;
+    let path = activation_path(&app)?;
+    if let Some(parent) = path.parent() {
+        fs::create_dir_all(parent).map_err(|e| format!("Cannot create app data dir: {}", e))?;
+    }
+    fs::write(&path, token.trim()).map_err(|e| format!("Cannot write activation file: {}", e))
+}
+
+/// Read the stored license without revalidating. Returns `None` when no license is present.
+/// The returned info is only structurally decoded — call [`get_edition`] for the gating value.
+#[tauri::command]
+pub fn read_license(app: tauri::AppHandle) -> Result<Option<LicenseInfo>, String> {
+    let path = license_path(&app)?;
+    if !path.exists() {
+        return Ok(None);
+    }
+    let key = fs::read_to_string(&path).map_err(|e| format!("Cannot read license file: {}", e))?;
+    let Ok(decoding_key) = embedded_decoding_key() else {
+        return Ok(None);
+    };
+    Ok(validate_with_key(&key, &decoding_key).ok())
+}
+
+/// Returns the active edition (`"free"`, `"base"`, or `"premium"`) for use by feature gates.
+///
+/// Returns "free" when:
+/// - no license is stored,
+/// - the license JWT is invalid or expired,
+/// - an activation token exists but does not match this machine.
+///
+/// Note: a missing activation token is treated as a graceful pre-activation state and does
+/// NOT downgrade the edition. Server-side activation happens later (Issue #53).
+#[tauri::command]
+pub fn get_edition(app: tauri::AppHandle) -> Result<String, String> {
+    Ok(current_edition(&app))
+}
+
+/// Internal helper used by `entitlements::check_entitlement`. Never returns an error — any
+/// failure resolves to "free" so feature gates fail closed.
+pub(crate) fn current_edition(app: &tauri::AppHandle) -> String {
+    let Ok(path) = license_path(app) else {
+        return EDITION_FREE.to_string();
+    };
+    if !path.exists() {
+        return EDITION_FREE.to_string();
+    }
+    let Ok(key) = fs::read_to_string(&path) else {
+        return EDITION_FREE.to_string();
+    };
+    let Ok(decoding_key) = embedded_decoding_key() else {
+        return EDITION_FREE.to_string();
+    };
+    let Ok(info) = validate_with_key(&key, &decoding_key) else {
+        return EDITION_FREE.to_string();
+    };
+
+    // If an activation token exists, it must match the local machine. A missing token is
+    // accepted (graceful pre-activation).
+    if let Ok(activation_path) = activation_path(app) {
+        if activation_path.exists() {
+            let Ok(token) = fs::read_to_string(&activation_path) else {
+                return EDITION_FREE.to_string();
+            };
+            let Ok(local_id) = machine_id_internal() else {
+                return EDITION_FREE.to_string();
+            };
+            if validate_activation_with_key(&token, &local_id, &decoding_key).is_err() {
+                return EDITION_FREE.to_string();
+            }
+        }
+    }
+
+    info.edition
+}
+
+/// Cross-platform machine identifier. Stable across reboots; will change after an OS reinstall
+/// or hardware migration, in which case the user must re-activate (handled in Issue #53).
+#[tauri::command]
+pub fn get_machine_id() -> Result<String, String> {
+    machine_id_internal()
+}
+
+fn machine_id_internal() -> Result<String, String> {
+    machine_uid::get().map_err(|e| format!("Cannot read machine id: {}", e))
+}
+
+// === Tests ====================================================================================
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use ed25519_dalek::SigningKey;
+    use jsonwebtoken::{encode, EncodingKey, Header};
+
+    // === Manual DER encoder for the Ed25519 private key =======================================
+    // We avoid the `pem` feature on `ed25519-dalek` because the `LineEnding` re-export path
+    // varies across `pkcs8`/`spki`/`der` versions. The Ed25519 PKCS#8 v1 byte layout is fixed
+    // and trivial: 16-byte prefix + 32-byte raw seed.
+    //
+    // Note the asymmetry in jsonwebtoken's API:
+    // - `EncodingKey::from_ed_der` expects a PKCS#8-wrapped private key (passed to ring's
+    //   `Ed25519KeyPair::from_pkcs8`).
+    // - `DecodingKey::from_ed_der` expects the *raw* 32-byte public key (passed to ring's
+    //   `UnparsedPublicKey::new` which takes raw bytes, not a SubjectPublicKeyInfo).
+
+    /// Wrap a 32-byte Ed25519 seed in a PKCS#8 v1 PrivateKeyInfo DER blob.
+    fn ed25519_pkcs8_private_der(seed: &[u8; 32]) -> Vec<u8> {
+        // SEQUENCE(46) {
+        //   INTEGER(1) 0           // version v1
+        //   SEQUENCE(5) {
+        //     OID(3) 1.3.101.112   // Ed25519
+        //   }
+        //   OCTET STRING(34) {
+        //     OCTET STRING(32) <32 bytes>
+        //   }
+        // }
+        let mut der = vec![
+            0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x04, 0x22,
+            0x04, 0x20,
+        ];
+        der.extend_from_slice(seed);
+        der
+    }
+
+    /// Build a deterministic test keypair so signed tokens are reproducible across runs.
+    fn test_keys(seed: [u8; 32]) -> (EncodingKey, DecodingKey) {
+        let signing_key = SigningKey::from_bytes(&seed);
+        let pubkey_bytes = signing_key.verifying_key().to_bytes();
+        let priv_der = ed25519_pkcs8_private_der(&seed);
+        let encoding_key = EncodingKey::from_ed_der(&priv_der);
+        // Raw 32-byte public key (NOT SubjectPublicKeyInfo) — see note above.
+        let decoding_key = DecodingKey::from_ed_der(&pubkey_bytes);
+        (encoding_key, decoding_key)
+    }
+
+    fn default_keys() -> (EncodingKey, DecodingKey) {
+        test_keys([42u8; 32])
+    }
+
+    fn make_token<T: serde::Serialize>(encoding_key: &EncodingKey, claims: &T) -> String {
+        encode(&Header::new(Algorithm::EdDSA), claims, encoding_key).unwrap()
+    }
+
+    fn now() -> i64 {
+        std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .unwrap()
+            .as_secs() as i64
+    }
+
+    #[test]
+    fn rejects_key_without_prefix() {
+        let (_enc, dec) = default_keys();
+        let result = validate_with_key("nonsense", &dec);
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn accepts_well_formed_base_license() {
+        let (enc, dec) = default_keys();
+        let claims = LicenseClaims {
+            sub: "user@example.com".to_string(),
+            iss: "lacompagniemaximus.com".to_string(),
+            iat: now(),
+            exp: now() + 86400,
+            edition: EDITION_BASE.to_string(),
+            features: vec!["auto-update".to_string()],
+            machine_limit: 3,
+        };
+        let jwt = make_token(&enc, &claims);
+        let key = format!("{}{}", KEY_PREFIX_BASE, jwt);
+        let info = validate_with_key(&key, &dec).unwrap();
+        assert_eq!(info.edition, EDITION_BASE);
+        assert_eq!(info.email, "user@example.com");
+        assert_eq!(info.machine_limit, 3);
+    }
+
+    #[test]
+    fn rejects_expired_license() {
+        let (enc, dec) = default_keys();
+        let claims = LicenseClaims {
+            sub: "user@example.com".to_string(),
+            iss: "lacompagniemaximus.com".to_string(),
+            iat: now() - 1000,
+            exp: now() - 100,
+            edition: EDITION_BASE.to_string(),
+            features: vec![],
+            machine_limit: 3,
+        };
+        let jwt = make_token(&enc, &claims);
+        let key = format!("{}{}", KEY_PREFIX_BASE, jwt);
+        let result = validate_with_key(&key, &dec);
+        assert!(result.is_err(), "expired license must be rejected");
+    }
+
+    #[test]
+    fn rejects_license_signed_with_wrong_key() {
+        let (enc_signer, _dec_signer) = default_keys();
+        let (_enc_other, dec_other) = test_keys([7u8; 32]);
+        let claims = LicenseClaims {
+            sub: "user@example.com".to_string(),
+            iss: "lacompagniemaximus.com".to_string(),
+            iat: now(),
+            exp: now() + 86400,
+            edition: EDITION_BASE.to_string(),
+            features: vec![],
+            machine_limit: 3,
+        };
+        let jwt = make_token(&enc_signer, &claims);
+        let key = format!("{}{}", KEY_PREFIX_BASE, jwt);
+        let result = validate_with_key(&key, &dec_other);
+        assert!(result.is_err(), "wrong-key signature must be rejected");
+    }
+
+    #[test]
+    fn rejects_corrupted_jwt() {
+        let (_enc, dec) = default_keys();
+        let key = format!("{}not.a.real.jwt", KEY_PREFIX_BASE);
+        let result = validate_with_key(&key, &dec);
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn rejects_unknown_edition() {
+        let (enc, dec) = default_keys();
+        let claims = LicenseClaims {
+            sub: "user@example.com".to_string(),
+            iss: "lacompagniemaximus.com".to_string(),
+            iat: now(),
+            exp: now() + 86400,
+            edition: "enterprise".to_string(),
+            features: vec![],
+            machine_limit: 3,
+        };
+        let jwt = make_token(&enc, &claims);
+        let key = format!("{}{}", KEY_PREFIX_BASE, jwt);
+        let result = validate_with_key(&key, &dec);
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn activation_token_matches_machine() {
+        let (enc, dec) = default_keys();
+        let claims = ActivationClaims {
+            sub: "license-id".to_string(),
+            iat: now(),
+            exp: now() + 86400,
+            machine_id: "this-machine".to_string(),
+        };
+        let token = make_token(&enc, &claims);
+        assert!(validate_activation_with_key(&token, "this-machine", &dec).is_ok());
+    }
+
+    #[test]
+    fn activation_token_rejects_other_machine() {
+        let (enc, dec) = default_keys();
+        let claims = ActivationClaims {
+            sub: "license-id".to_string(),
+            iat: now(),
+            exp: now() + 86400,
+            machine_id: "machine-A".to_string(),
+        };
+        let token = make_token(&enc, &claims);
+        let result = validate_activation_with_key(&token, "machine-B", &dec);
+        assert!(result.is_err(), "copied activation token must be rejected");
+    }
+
+    #[test]
+    fn embedded_public_key_pem_parses() {
+        // Sanity check that the production PEM constant is well-formed.
+        assert!(embedded_decoding_key().is_ok());
+    }
+}

src-tauri/src/commands/mod.rs

@@ -1,7 +1,11 @@
-pub mod fs_commands;
+pub mod entitlements;
 pub mod export_import_commands;
+pub mod fs_commands;
+pub mod license_commands;
 pub mod profile_commands;
 
-pub use fs_commands::*;
+pub use entitlements::*;
 pub use export_import_commands::*;
+pub use fs_commands::*;
+pub use license_commands::*;
 pub use profile_commands::*;

src-tauri/src/lib.rs

@@ -114,6 +114,13 @@ pub fn run() {
             commands::hash_pin,
             commands::verify_pin,
             commands::repair_migrations,
+            commands::validate_license_key,
+            commands::store_license,
+            commands::store_activation_token,
+            commands::read_license,
+            commands::get_edition,
+            commands::get_machine_id,
+            commands::check_entitlement,
         ])
         .run(tauri::generate_context!())
         .expect("error while running tauri application");

src/components/settings/LicenseCard.tsx

@@ -0,0 +1,128 @@
+import { useState } from "react";
+import { useTranslation } from "react-i18next";
+import { openUrl } from "@tauri-apps/plugin-opener";
+import { KeyRound, CheckCircle, AlertCircle, Loader2, ExternalLink } from "lucide-react";
+import { useLicense } from "../../hooks/useLicense";
+
+const PURCHASE_URL = "https://lacompagniemaximus.com/simpl-resultat";
+
+export default function LicenseCard() {
+  const { t } = useTranslation();
+  const { state, submitKey } = useLicense();
+  const [keyInput, setKeyInput] = useState("");
+  const [showInput, setShowInput] = useState(false);
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    const trimmed = keyInput.trim();
+    if (!trimmed) return;
+    const result = await submitKey(trimmed);
+    if (result.ok) {
+      setKeyInput("");
+      setShowInput(false);
+    }
+  };
+
+  const handlePurchase = () => {
+    void openUrl(PURCHASE_URL);
+  };
+
+  const formatExpiry = (timestamp: number) => {
+    return new Date(timestamp * 1000).toLocaleDateString();
+  };
+
+  const editionLabel = t(`license.editions.${state.edition}`);
+
+  return (
+    <div className="bg-[var(--card)] border border-[var(--border)] rounded-xl p-6 space-y-4">
+      <h2 className="text-lg font-semibold flex items-center gap-2">
+        <KeyRound size={18} />
+        {t("license.title")}
+      </h2>
+
+      <div className="flex items-center justify-between">
+        <div>
+          <p className="text-sm text-[var(--muted-foreground)]">
+            {t("license.currentEdition")}
+          </p>
+          <p className="text-base font-medium">
+            {editionLabel}
+            {state.edition !== "free" && (
+              <CheckCircle size={16} className="inline ml-2 text-[var(--positive)]" />
+            )}
+          </p>
+        </div>
+        {state.info && state.info.expires_at > 0 && (
+          <div className="text-right">
+            <p className="text-xs text-[var(--muted-foreground)]">
+              {t("license.expiresAt")}
+            </p>
+            <p className="text-sm">{formatExpiry(state.info.expires_at)}</p>
+          </div>
+        )}
+      </div>
+
+      {state.status === "error" && state.error && (
+        <div className="flex items-start gap-2 text-sm text-[var(--negative)]">
+          <AlertCircle size={16} className="mt-0.5 shrink-0" />
+          <p>{state.error}</p>
+        </div>
+      )}
+
+      {!showInput && (
+        <div className="flex flex-wrap gap-3">
+          <button
+            type="button"
+            onClick={() => setShowInput(true)}
+            className="px-4 py-2 border border-[var(--border)] rounded-lg hover:bg-[var(--border)] transition-colors text-sm"
+          >
+            {t("license.enterKey")}
+          </button>
+          {state.edition === "free" && (
+            <button
+              type="button"
+              onClick={handlePurchase}
+              className="flex items-center gap-2 px-4 py-2 bg-[var(--primary)] text-white rounded-lg hover:opacity-90 transition-opacity text-sm"
+            >
+              <ExternalLink size={14} />
+              {t("license.purchase")}
+            </button>
+          )}
+        </div>
+      )}
+
+      {showInput && (
+        <form onSubmit={handleSubmit} className="space-y-3">
+          <input
+            type="text"
+            value={keyInput}
+            onChange={(e) => setKeyInput(e.target.value)}
+            placeholder={t("license.keyPlaceholder")}
+            className="w-full px-3 py-2 bg-[var(--background)] border border-[var(--border)] rounded-lg text-sm font-mono focus:outline-none focus:border-[var(--primary)]"
+            autoFocus
+          />
+          <div className="flex gap-2">
+            <button
+              type="submit"
+              disabled={state.status === "validating" || !keyInput.trim()}
+              className="flex items-center gap-2 px-4 py-2 bg-[var(--primary)] text-white rounded-lg hover:opacity-90 transition-opacity text-sm disabled:opacity-50"
+            >
+              {state.status === "validating" && <Loader2 size={14} className="animate-spin" />}
+              {t("license.activate")}
+            </button>
+            <button
+              type="button"
+              onClick={() => {
+                setShowInput(false);
+                setKeyInput("");
+              }}
+              className="px-4 py-2 border border-[var(--border)] rounded-lg hover:bg-[var(--border)] transition-colors text-sm"
+            >
+              {t("common.cancel")}
+            </button>
+          </div>
+        </form>
+      )}
+    </div>
+  );
+}

src/hooks/useLicense.ts

@@ -0,0 +1,98 @@
+import { useCallback, useEffect, useReducer } from "react";
+import {
+  Edition,
+  LicenseInfo,
+  checkEntitlement as checkEntitlementCmd,
+  getEdition,
+  readLicense,
+  storeLicense,
+} from "../services/licenseService";
+
+type LicenseStatus = "idle" | "loading" | "ready" | "validating" | "error";
+
+interface LicenseState {
+  status: LicenseStatus;
+  edition: Edition;
+  info: LicenseInfo | null;
+  error: string | null;
+}
+
+type LicenseAction =
+  | { type: "LOAD_START" }
+  | { type: "LOAD_DONE"; edition: Edition; info: LicenseInfo | null }
+  | { type: "VALIDATE_START" }
+  | { type: "VALIDATE_DONE"; info: LicenseInfo }
+  | { type: "ERROR"; error: string };
+
+const initialState: LicenseState = {
+  status: "idle",
+  edition: "free",
+  info: null,
+  error: null,
+};
+
+function reducer(state: LicenseState, action: LicenseAction): LicenseState {
+  switch (action.type) {
+    case "LOAD_START":
+      return { ...state, status: "loading", error: null };
+    case "LOAD_DONE":
+      return {
+        status: "ready",
+        edition: action.edition,
+        info: action.info,
+        error: null,
+      };
+    case "VALIDATE_START":
+      return { ...state, status: "validating", error: null };
+    case "VALIDATE_DONE":
+      return {
+        status: "ready",
+        edition: action.info.edition,
+        info: action.info,
+        error: null,
+      };
+    case "ERROR":
+      return { ...state, status: "error", error: action.error };
+  }
+}
+
+export function useLicense() {
+  const [state, dispatch] = useReducer(reducer, initialState);
+
+  const refresh = useCallback(async () => {
+    dispatch({ type: "LOAD_START" });
+    try {
+      const [edition, info] = await Promise.all([getEdition(), readLicense()]);
+      dispatch({ type: "LOAD_DONE", edition, info });
+    } catch (e) {
+      dispatch({
+        type: "ERROR",
+        error: e instanceof Error ? e.message : String(e),
+      });
+    }
+  }, []);
+
+  const submitKey = useCallback(async (key: string) => {
+    dispatch({ type: "VALIDATE_START" });
+    try {
+      const info = await storeLicense(key);
+      dispatch({ type: "VALIDATE_DONE", info });
+      return { ok: true as const, info };
+    } catch (e) {
+      const message = e instanceof Error ? e.message : String(e);
+      dispatch({ type: "ERROR", error: message });
+      return { ok: false as const, error: message };
+    }
+  }, []);
+
+  const checkEntitlement = useCallback(
+    (feature: string) => checkEntitlementCmd(feature),
+    [],
+  );
+
+  useEffect(() => {
+    void refresh();
+  }, [refresh]);
+
+  return { state, refresh, submitKey, checkEntitlement };
+}

src/i18n/locales/en.json

@@ -846,5 +846,19 @@
     "total": "Total",
     "darkMode": "Dark mode",
     "lightMode": "Light mode"
+  },
+  "license": {
+    "title": "License",
+    "currentEdition": "Current edition",
+    "expiresAt": "Expires on",
+    "enterKey": "Enter a license key",
+    "keyPlaceholder": "SR-BASE-...",
+    "activate": "Activate",
+    "purchase": "Buy Simpl'Result",
+    "editions": {
+      "free": "Free",
+      "base": "Base",
+      "premium": "Premium"
+    }
   }
 }

src/i18n/locales/fr.json

@@ -846,5 +846,19 @@
     "total": "Total",
     "darkMode": "Mode sombre",
     "lightMode": "Mode clair"
+  },
+  "license": {
+    "title": "Licence",
+    "currentEdition": "Édition actuelle",
+    "expiresAt": "Expire le",
+    "enterKey": "Entrer une clé de licence",
+    "keyPlaceholder": "SR-BASE-...",
+    "activate": "Activer",
+    "purchase": "Acheter Simpl'Résultat",
+    "editions": {
+      "free": "Gratuite",
+      "base": "Base",
+      "premium": "Premium"
+    }
   }
 }

src/pages/SettingsPage.tsx

@@ -19,6 +19,7 @@ import { Link } from "react-router-dom";
 import { APP_NAME } from "../shared/constants";
 import { PageHelp } from "../components/shared/PageHelp";
 import DataManagementCard from "../components/settings/DataManagementCard";
+import LicenseCard from "../components/settings/LicenseCard";
 import LogViewerCard from "../components/settings/LogViewerCard";
 
 export default function SettingsPage() {
@@ -72,6 +73,9 @@ export default function SettingsPage() {
         <PageHelp helpKey="settings" />
       </div>
 
+      {/* License card */}
+      <LicenseCard />
+
       {/* About card */}
       <div className="bg-[var(--card)] border border-[var(--border)] rounded-xl p-6">
         <div className="flex items-center gap-4">

src/services/licenseService.ts

@@ -0,0 +1,36 @@
+import { invoke } from "@tauri-apps/api/core";
+
+export type Edition = "free" | "base" | "premium";
+
+export interface LicenseInfo {
+  edition: Edition;
+  email: string;
+  features: string[];
+  machine_limit: number;
+  issued_at: number;
+  expires_at: number;
+}
+
+export async function validateLicenseKey(key: string): Promise<LicenseInfo> {
+  return invoke<LicenseInfo>("validate_license_key", { key });
+}
+
+export async function storeLicense(key: string): Promise<LicenseInfo> {
+  return invoke<LicenseInfo>("store_license", { key });
+}
+
+export async function readLicense(): Promise<LicenseInfo | null> {
+  return invoke<LicenseInfo | null>("read_license");
+}
+
+export async function getEdition(): Promise<Edition> {
+  return invoke<Edition>("get_edition");
+}
+
+export async function getMachineId(): Promise<string> {
+  return invoke<string>("get_machine_id");
+}
+
+export async function checkEntitlement(feature: string): Promise<boolean> {
+  return invoke<boolean>("check_entitlement", { feature });
+}