QCOS Licensing Design Document
Version: 1.0 | Status: APPROVED | Author: SoftQuantus Engineering | Date: December 2024
Executive Summary
This document describes the technical architecture for QCOS binary distribution and license management. QCOS is delivered exclusively as binary artifacts (containers, VM images, libraries) with cryptographic license enforcement.
Key Principles
- Binary-Only Distribution: QCOS source code is never distributed. All deliverables are pre-compiled binaries.
- Cryptographic License Enforcement: Licenses are digitally signed and verified at runtime.
- Offline-First: The system works completely offline for air-gapped environments (HPC, government, defense).
- Enterprise Control: Customers manage licenses through a secure portal with full audit trails.
1. Distribution Architecture
1.1 Artifact Types
| Format | Use Case | Delivery |
|---|---|---|
| OCI Container | Cloud, Kubernetes, HPC | Registry pull or tar export |
| VM Image | On-prem hypervisors | Portal download |
| Shared Library | OEM integration | Portal download |
| SDK/Wheel | Development tools | Public PyPI (open) |
1.2 Container Registry
Primary Registry: registry.softquantus.com
```
registry.softquantus.com/
└── softqcos/
    ├── core:<version>              # QCOS Kernel + Runtime
    ├── autopilot:<version>         # Autopilot Optimization Engine
    ├── license-server:<version>    # On-prem license management
    ├── benchmark-suite:<version>   # Benchmarking tools
    └── hal-<vendor>:<version>      # Hardware Abstraction Layers
        ├── hal-ibm
        ├── hal-iqm
        ├── hal-pasqal
        ├── hal-quantinuum
        └── hal-generic
```
1.3 Version Tagging
```
<major>.<minor>.<patch>[-<customer>]
```
Examples:
```
1.0.0       # General release
1.0.0-ibm   # IBM-specific build (HAL included)
1.0.0-lts   # Long-term support
```
2. License File Format
2.1 Structure
Licenses are JSON files with cryptographic signatures:
```json
{
  "version": "1.0",
  "format": "softquantus-license-v1",
  "grant": {
    "license_id": "QCOS-20241201-ABCD1234",
    "customer_id": "IBM-001",
    "customer_name": "IBM Corporation",
    "contract_id": "QSOFT-IBM-EP-2024-001",
    "product": "QCOS",
    "version": {
      "major": 1,
      "minor_min": 0,
      "minor_max": 99
    },
    "license_type": "enterprise_platform",
    "sla_tier": "platinum",
    "modules": ["kernel", "autopilot", "hal_ibm", "benchmarking"],
    "environments": ["ibm-hpc-east", "ibm-hpc-west"],
    "validity": {
      "issued_at": "2024-12-01T00:00:00Z",
      "valid_from": "2024-12-01",
      "valid_until": "2026-12-31"
    },
    "features": {
      "autopilot_enabled": true,
      "benchmark_suite_enabled": true,
      "max_qubits": 127,
      "max_backends": 20,
      "max_concurrent_jobs": 100
    }
  },
  "signature": "<base64-encoded-rsa-pss-signature>",
  "public_key_id": "a1b2c3d4e5f6"
}
```
2.2 Cryptography
| Component | Algorithm |
|---|---|
| Key Type | RSA-4096 |
| Signature | RSA-PSS with SHA-256 |
| Key Storage | HSM (production) |
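The signing and verification step from this section and the "Verify Signature" stage of section 3.1, as an added example (not SoftQuantus code) using the Python `cryptography` package. Assumptions the page does not state: the signed bytes are the grant as sorted-key compact JSON, the PSS salt is 32 bytes, `public_key_id` is the first 12 hex characters of the SHA-256 of the DER public key, and the demo key is a throwaway 2048-bit key rather than the HSM-held RSA-4096 key.

```python
import base64
import hashlib
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumed parameters: the page fixes RSA-PSS with SHA-256 but not the salt length.
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32)

def canonical(grant: dict) -> bytes:
    """Assumed canonical form: sorted keys, no whitespace, UTF-8."""
    return json.dumps(grant, sort_keys=True, separators=(",", ":")).encode("utf-8")

def key_id(public_key) -> str:
    """Assumed key ID: first 12 hex chars of SHA-256 over the DER public key."""
    der = public_key.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()[:12]

def sign_license(private_key, grant: dict) -> dict:
    """License Authority side: wrap a grant in the section 2.1 envelope."""
    sig = private_key.sign(canonical(grant), PSS, hashes.SHA256())
    return {"version": "1.0", "format": "softquantus-license-v1", "grant": grant,
            "signature": base64.b64encode(sig).decode("ascii"),
            "public_key_id": key_id(private_key.public_key())}

def verify_license(public_key, lic: dict) -> dict:
    """Return the grant only if key ID and signature check out; raise otherwise."""
    if lic.get("format") != "softquantus-license-v1":
        raise ValueError("Unsupported license format")
    if lic.get("public_key_id") != key_id(public_key):
        raise ValueError("Invalid license signature")  # signed by a different key
    try:
        sig = base64.b64decode(lic["signature"], validate=True)
        public_key.verify(sig, canonical(lic["grant"]), PSS, hashes.SHA256())
    except (KeyError, TypeError, ValueError, InvalidSignature):
        raise ValueError("Invalid license signature") from None
    return lic["grant"]  # no field is trusted before this point

# Constructed demo data: throwaway key and a cut-down grant.
DEMO_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
DEMO_GRANT = {"license_id": "QCOS-20241201-ABCD1234", "customer_id": "IBM-001",
              "features": {"max_qubits": 127}}
DEMO_LICENSE = sign_license(DEMO_KEY, DEMO_GRANT)
```

Because both sides serialize the grant the same way before hashing, reordering keys in the `.lic` file does not break verification, while changing any value does.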
2.3 License ID Format
QCOS-<YYYYMMDD>-<RANDOM8>
Example: QCOS-20241201-ABCD1234
3. License Enforcement
3.1 Runtime Validation Flow
```
QCOS Startup
        │
        ▼
Load Public Key (embedded in binary or /etc/softqcos/license.pub)
        │
        ▼
Load License File
  - QCOS_LICENSE_FILE env var
  - /etc/softqcos/license.lic
  - ~/.softqcos/license.lic
        │
        ▼
Verify Signature
  - Extract grant JSON
  - Verify RSA-PSS signature
  - Check key ID matches embedded key
        │
        ├── INVALID → EXIT 1
        │
        ▼ VALID
Check Validity Dates
  - Not before valid_from
  - Not after valid_until
        │
        ▼
Check Version Compatibility
  - Major version match
  - Minor within range
        │
        ▼
Check Environment (if set)
  - Hostname in allowed list
        │
        ▼
Load Features & Limits
  - max_qubits
  - max_backends
  - enabled modules
        │
        ▼
QCOS Ready
```
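The checks that follow signature verification in the flow above, as an added example (not the QCOS implementation). The `check_grant` name, the exception type, the "Malformed license grant" and "Environment not licensed" messages, treating `valid_until` as inclusive, and treating an empty environment list as unrestricted are assumptions; the other messages come from Appendix C.

```python
from datetime import date

class LicenseError(Exception):
    """Raised for any failed check; the caller exits non-zero."""

def check_grant(grant, today, qcos_version, environment):
    """Run the post-signature checks in flow order.

    Returns the modules and limits to enforce; raises LicenseError otherwise.
    """
    try:
        validity, ver = grant["validity"], grant["version"]
        valid_from = date.fromisoformat(validity["valid_from"])
        valid_until = date.fromisoformat(validity["valid_until"])
        v_major, v_min, v_max = ver["major"], ver["minor_min"], ver["minor_max"]
        modules, features = frozenset(grant["modules"]), dict(grant["features"])
        allowed_envs = list(grant.get("environments") or [])
    except (KeyError, TypeError, ValueError) as exc:
        # Fail closed: a signed but malformed grant never falls back to defaults.
        raise LicenseError("Malformed license grant") from exc  # hypothetical message

    if today < valid_from:
        raise LicenseError("License not yet valid")
    if today > valid_until:  # assumption: valid_until is an inclusive date
        raise LicenseError("License expired")
    major, minor = qcos_version
    if major != v_major or not (v_min <= minor <= v_max):
        raise LicenseError("Version mismatch")
    # Assumption: an empty or absent list means no environment restriction.
    if allowed_envs and environment not in allowed_envs:
        raise LicenseError("Environment not licensed")  # hypothetical message
    return {"modules": modules, **features}

# Constructed sample: the relevant fields of the grant shown in section 2.1.
SAMPLE_GRANT = {
    "version": {"major": 1, "minor_min": 0, "minor_max": 99},
    "modules": ["kernel", "autopilot", "hal_ibm", "benchmarking"],
    "environments": ["ibm-hpc-east", "ibm-hpc-west"],
    "validity": {"valid_from": "2024-12-01", "valid_until": "2026-12-31"},
    "features": {"max_qubits": 127, "max_backends": 20, "max_concurrent_jobs": 100},
}
```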
3.2 Module Enforcement
Each QCOS module checks its own license at initialization:
```python
from licensing.client import require_module, Module


class AutopilotEngine:
    def __init__(self):
        require_module(Module.AUTOPILOT)  # Raises if not licensed
        ...
```
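3.3 Feature Limits
Runtime enforcement of licensed limits:
```python
# get_license_context and LicenseError are assumed to be provided by the
# QCOS licensing client; their import path is not shown in this document.
def submit_job(circuit, shots):
    ctx = get_license_context()
    # Reject the job before submission if it exceeds a licensed limit.
    if circuit.num_qubits > ctx.features.max_qubits:
        raise LicenseError(f"Circuit exceeds licensed qubit limit ({ctx.features.max_qubits})")
    if shots > ctx.features.max_shots_per_job:
        raise LicenseError(f"Shots exceed licensed limit ({ctx.features.max_shots_per_job})")
```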
4. License Server (Enterprise)
4.1 Purpose
For large deployments, customers can run a License Server inside their datacenter to:
- Centralize license management
- Enforce seat/concurrent usage limits
- Enable license updates without redeploying QCOS
4.2 Architecture
```
┌──────────────────────────────────────────────────────────────────────┐
│                         Customer Datacenter                          │
├──────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  ┌────────────────────┐      ┌────────────────────────────────────┐  │
│  │ License Server     │      │ QCOS Nodes                         │  │
│  │ (softqcos-license- │◄────►│  - softqcos-core                   │  │
│  │  server:1.0.0)     │      │  - softqcos-autopilot              │  │
│  │                    │      │  - softqcos-hal-ibm                │  │
│  │ *.lic files        │      │                                    │  │
│  │ license.pub        │      │ (checkout license at startup)      │  │
│  └────────────────────┘      └────────────────────────────────────┘  │
│                                                                      │
│                        (no internet required)                        │
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘
```
4.3 API Endpoints
| Endpoint | Method | Description |
|---|---|---|
| `/validate` | POST | Validate license |
| `/checkout` | POST | Acquire license seat |
| `/release` | POST | Release license seat |
| `/heartbeat` | POST | Maintain seat checkout |
| `/status/{id}` | GET | Get license status |
4.4 Seat Management
```
License: max_concurrent_jobs = 100

┌────────────────────────────────────────┐
│ Active Seats: 45/100                   │
├────────────────────────────────────────┤
│ node-01 │ autopilot │ checked out 2h   │
│ node-02 │ core      │ checked out 1h   │
│ node-03 │ benchmark │ checked out 4h   │
│ ...                                    │
└────────────────────────────────────────┘
```
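Why `/heartbeat` sits alongside `/checkout` and `/release`: without a lease, a node that crashes would hold its seat indefinitely. This is an added example, not the License Server's code; `SeatLedger`, `SeatError` and the 60-second lease are hypothetical, and time is passed in explicitly so the behaviour is reproducible.

```python
class SeatError(Exception):
    """Raised when a checkout cannot be granted."""

class SeatLedger:
    """In-memory seat table; a seat lapses if no heartbeat arrives within the lease."""

    def __init__(self, max_seats, lease_seconds=60.0):
        self.max_seats = max_seats
        self.lease = lease_seconds      # assumed value, not from the design
        self._seats = {}                # (node, module) -> time of last heartbeat

    def _reap(self, now):
        # Drop seats held by nodes that stopped heartbeating (crash, partition).
        self._seats = {k: t for k, t in self._seats.items() if now - t <= self.lease}

    def checkout(self, node, module, now):
        self._reap(now)
        key = (node, module)
        if key not in self._seats and len(self._seats) >= self.max_seats:
            raise SeatError("All seats in use")
        self._seats[key] = now          # re-checkout by the same holder is idempotent

    def heartbeat(self, node, module, now):
        """Return False if the seat already lapsed; the node must check out again."""
        self._reap(now)
        if (node, module) not in self._seats:
            return False
        self._seats[(node, module)] = now
        return True

    def release(self, node, module):
        self._seats.pop((node, module), None)

    def active(self, now):
        self._reap(now)
        return len(self._seats)
```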
5. Enterprise Portal
5.1 Customer Portal
URL: https://portal.softquantus.com
Features:
- View contracts and products
- Download license files
- Access release artifacts
- Generate registry credentials
- View usage/audit logs
5.2 Portal Architecture
```
┌──────────────────────────────────────────────────────────────────────┐
│                          SoftQuantus Cloud                           │
├──────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  ┌──────────────┐    ┌──────────────┐    ┌──────────────────────┐    │
│  │ Portal UI    │    │ Portal API   │    │ Container Registry   │    │
│  │ (React/Vue)  │◄──►│ (FastAPI)    │◄──►│ (registry.soft...)   │    │
│  └──────────────┘    └──────────────┘    └──────────────────────┘    │
│                             │                       │                │
│                             ▼                       ▼                │
│                      ┌──────────────┐    ┌──────────────────────┐    │
│                      │ License DB   │    │ Artifact Storage     │    │
│                      │ (Postgres)   │    │ (Azure Blob/S3)      │    │
│                      └──────────────┘    └──────────────────────┘    │
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘
```
5.3 Authentication
- SSO integration (Azure AD, Okta, etc.)
- Per-customer user management
- Role-based access (admin, download-only, view-only)
6. Delivery Workflow
6.1 New Customer Onboarding
```
1. Contract Signed
        │
        ▼
2. Create Customer in Portal
   - customer_id: IBM-001
   - tier: enterprise
   - contacts
        │
        ▼
3. Create Contract Record
   - contract_id: QSOFT-IBM-EP-2024-001
   - products: [QCOS-EP, QCOS-BENCH]
   - modules: [kernel, autopilot, hal_ibm, benchmarking]
   - term: 2024-2026
        │
        ▼
4. Generate License
   - Run: softqcos-license generate --customer-id IBM-001 ...
   - Output: IBM_qcos_enterprise_2024.lic
        │
        ▼
5. Upload License to Portal
   - Customer can download from portal
        │
        ▼
6. Generate Registry Credentials
   - Customer receives docker login command
        │
        ▼
7. Customer Deploys QCOS
   - Pull images or load tars
   - Mount license file
   - Start services
```
6.2 Air-Gapped Delivery
For environments without internet:
```
1. Package Artifacts
   $ ./scripts/build_binaries.sh package IBM kernel,autopilot,hal_ibm

   Output: dist/customers/IBM/
   ├── softqcos-core-1.0.0.tar.gz
   ├── softqcos-license-server-1.0.0.tar.gz
   ├── softqcos-hal-ibm-1.0.0.tar.gz
   ├── MANIFEST.json
   ├── SHA256SUMS
   └── install.sh

2. Secure Transfer
   - USB/physical media
   - Secure file transfer
   - VPN upload to customer

3. Customer Installation
   $ ./install.sh
   → docker load -i softqcos-core-1.0.0.tar.gz
   → docker load -i softqcos-license-server-1.0.0.tar.gz
   ...

4. License Activation
   - Copy license.lic to /etc/softqcos/
   - Copy license.pub to /etc/softqcos/
   - Start services
```
7. Security Considerations
7.1 Key Management
| Key | Location | Access |
|---|---|---|
| Private Key | HSM / Secure Vault | License Authority only |
| Public Key | Embedded in binaries | All QCOS instances |
7.2 License File Security
- Licenses are signed, not encrypted (contents are readable)
- Customer-specific data (limits, modules) is visible
- Financial terms are never in license files
- Signature prevents tampering
7.3 Binary Protection
- Binaries are not obfuscated (standard Python wheel/containers)
- Protection is through license enforcement, not obscurity
- All critical paths check license validity
- Consider PyInstaller/Nuitka for additional compilation in future
7.4 Audit Trail
Portal and License Server log:
- License generation events
- Download events
- Checkout/release events
- Authentication events
8. Operations
8.1 License Revocation
To revoke a license:
- Mark license as revoked in portal database
- If customer uses License Server:
  - Push updated license file to customer
  - License Server reloads and rejects revoked license
- If customer uses local file:
  - Next version of QCOS checks revocation list (future)
  - Or: wait for expiry
8.2 License Renewal
```
1. Customer contract renewed
        │
        ▼
2. Generate new license with extended validity
   - Same license_id prefix
   - New valid_until date
        │
        ▼
3. Customer downloads new .lic file
        │
        ▼
4. Customer replaces old file or reloads License Server
```
8.3 Version Upgrades
Major Version (1.x → 2.x):
- May require new license with version.major = 2
- Commercial upgrade discussion

Minor Version (1.0 → 1.5):
- Works if version_minor_max >= 5
- No license change needed

Patch Version (1.0.0 → 1.0.5):
- Always compatible
- No license change needed
9. Implementation Status
Phase 1 (Current)
- License file format definition
- License Authority (signing)
- License Validator (verification)
- CLI tool for license generation
- Basic runtime validation
Phase 2 (Q1 2025)
- License Server deployment
- Portal backend API
- Container registry setup
- Customer onboarding workflow
Phase 3 (Q2 2025)
- Portal frontend UI
- SSO integration
- Usage analytics
- Revocation list support
10. Appendix
A. Environment Variables
| Variable | Description | Default |
|---|---|---|
| `QCOS_LICENSE_FILE` | Path to license file | `/etc/softqcos/license.lic` |
| `QCOS_LICENSE_PUBLIC_KEY` | Path to public key | `/etc/softqcos/license.pub` |
| `QCOS_LICENSE_SERVER` | License server URL | (none) |
| `QCOS_LICENSE_ID` | License ID for server mode | (none) |
| `QCOS_LICENSE_API_TOKEN` | API token for server | (none) |
| `QCOS_ENVIRONMENT` | Environment name | hostname |
| `QCOS_VERSION_MAJOR` | Major version | 1 |
| `QCOS_VERSION_MINOR` | Minor version | 0 |
B. File Locations
```
/etc/softqcos/
├── license.lic    # License file
├── license.pub    # Public key
└── licenses/      # For License Server: multiple licenses

~/.softqcos/
├── license.lic    # User-level license (fallback)
└── license.pub    # User-level public key (fallback)
```
C. Error Messages
| Error | Cause | Solution |
|---|---|---|
| "Invalid license signature" | Tampering or wrong key | Redownload license |
| "License expired" | Past valid_until | Renew contract |
| "License not yet valid" | Before valid_from | Wait or check date |
| "Version mismatch" | QCOS version not covered | Upgrade license or downgrade QCOS |
| "Module not licensed" | Using unlicensed feature | Upgrade license |
| "All seats in use" | Concurrent limit reached | Release other seats or upgrade |
Document History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2024-12-09 | Engineering | Initial release |
© 2024 SoftQuantus. Confidential and Proprietary.