OrbitalRegLicenseExpiring

Severity: warning · For: 1h · Runbook owner: platform on-call

What it means

The active OrbitalReg license envelope (the JWS wrapper around the customer entitlements) has fewer than 30 days of validity remaining. The metric orbitalreg_license_days_until_expiry reflects the exp claim of the license payload minus now().

What happens on expiry:

• Existing artifacts continue to be served (read paths stay open).
• New uploads / pushes are rejected with HTTP 402 + a X-Orbital-License-Expired header.
• Scheduled detection scans pause.
• The Admin overview displays a red banner.

This alert fires 30 days out so you have time to coordinate the renewal with the OrbitalReg vendor without rushing.

Likely causes

1. Standard end-of-term renewal cycle.
2. License envelope was applied for a short evaluation window (e.g., a 30-day trial that's burning down).
3. License envelope was rotated to a shorter window during contract negotiation.

Diagnose

# Days remaining (gauge)
curl -sf https://orbitalreg.example.com/metrics \
  | grep ^orbitalreg_license_days_until_expiry

# Full license details
curl -sf -H "Authorization: Bearer $TOKEN" \
  https://orbitalreg.example.com/api/admin/license | jq

# Recent license events
curl -sf -H "Authorization: Bearer $TOKEN" \
  https://orbitalreg.example.com/api/admin/license/events | jq '.[0:10]'

The Admin → License page renders the same data including the customer name, license ID, install ID, and a "renew" link.

Fix

1. Renewal envelope received — paste the new JWS into Admin → License → "Apply envelope". The platform replaces the active row atomically; no restart needed.
2. Bootstrap from env — set ORBITALREG_LICENSE_KEY to the new envelope and restart. The bootstrap path applies it on first boot only when no license row exists, so this is mostly useful for fresh re-installs.
3. Air-gapped customer — the new envelope arrives via the same channel as the docs tarball (item 29 of the roadmap). Apply through Admin → License the same way.

Escalate

• License envelope was applied but the metric / Admin page still shows the old expiry → likely the envelope's install_id doesn't match this deployment's. Check Admin → License → Install ID against the envelope's payload.
• Vendor has not provided a renewal envelope by expiry - 7d → escalate to the customer-success counterpart at OrbitalReg. Read-only fallback on expiry is a documented behaviour, not an emergency, but it does require coordination.