Add auto rotation of the license key provided KEYGEN_API_KEY. #4442

Merged: ildyria merged 4 commits into master from auto-rotation on Jun 21, 2026

@ildyria ildyria commented Jun 21, 2026

This pull request introduces automated license key rotation and API token health checks for Lychee's Keygen-based license management. When an admin logs in, Lychee can now automatically rotate an expired license key using a configured Keygen API token, and administrators will see warnings or errors on the diagnostics page if the API token is invalid or near expiration. The changes include new diagnostics checks, a background job for key rotation, event listener integration, and updated documentation.

Keygen License Management Integration:

  • Added support for configuring a KEYGEN_API_KEY in .env to enable automatic license key rotation and API token health checks. (.env.example)
  • Added a new diagnostics check (KeygenApiTokenCheck) to warn admins if the Keygen API token is invalid or expiring soon, and integrated it into the diagnostics pipeline. (app/Actions/Diagnostics/Pipes/Checks/KeygenApiTokenCheck.php, app/Actions/Diagnostics/Errors.php)

Automatic License Key Rotation:

  • Implemented a background job (RotateLicenseKeyJob) that attempts to rotate an expired license key using the Keygen API token, triggered after admin login or on diagnostics check. (app/Jobs/RotateLicenseKeyJob.php, app/Actions/Diagnostics/Pipes/Checks/OldLicenseCheck.php)
  • Added an event listener (RotateLicenseKeyOnLogin) and registered it to fire after admin logins, dispatching the rotation job. (app/Listeners/RotateLicenseKeyOnLogin.php, app/Providers/EventServiceProvider.php)

Documentation and Service Binding:

  • Added comprehensive documentation explaining Keygen license management, configuration, and troubleshooting. (docs/specs/2-how-to/keygen-license-management.md)
  • Registered the VerifyFactory binding in the service provider to support the new license management workflow. (app/Providers/AppServiceProvider.php)

Summary by CodeRabbit

  • New Features
    • Automatic Keygen license key rotation now runs when an administrator logs in (when the edition/config is eligible).
    • Diagnostics now report Keygen API token issues, including validity and upcoming expiry warnings.
    • Added Keygen License Management configuration via KEYGEN_API_KEY, with optional secret support through KEYGEN_API_KEY_FILE.
  • Documentation
    • Added a setup guide for Keygen License Management, including Docker wiring and troubleshooting diagnostic messages.

@ildyria ildyria requested a review from a team as a code owner June 21, 2026 18:29
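
The summary above mentions that KEYGEN_API_KEY can also be supplied as a secret through KEYGEN_API_KEY_FILE. One way to resolve such a pair safely, as an added example that is not part of this PR or of Lychee's docker/scripts/01-validate-env.sh; it assumes the common `_FILE` convention, and the helper name `load_secret` is hypothetical:

```shell
#!/bin/sh
# Added example (hypothetical helper, not Lychee's 01-validate-env.sh).
# load_secret NAME: resolve NAME from the environment or from the file named
# by NAME_FILE. Returns 0 when NAME is usable or the feature is simply unset,
# 1 on a configuration error. Messages never include the secret value.
load_secret() {
  _ls_name="$1"
  # Only accept plain variable names, since the name is passed to eval below.
  case "$_ls_name" in
    ''|[0-9]*|*[!A-Za-z0-9_]*) echo "error: bad variable name" >&2; return 1 ;;
  esac
  _ls_file_var="${_ls_name}_FILE"
  eval "_ls_value=\${$_ls_name:-}"
  eval "_ls_file=\${$_ls_file_var:-}"

  # Two sources for one secret is ambiguous: refuse rather than pick one.
  if [ -n "$_ls_value" ] && [ -n "$_ls_file" ]; then
    echo "error: set only one of $_ls_name or $_ls_file_var" >&2
    return 1
  fi
  # Plain env value, or nothing configured (rotation stays disabled).
  [ -n "$_ls_file" ] || return 0

  if [ ! -f "$_ls_file" ] || [ ! -r "$_ls_file" ]; then
    echo "error: $_ls_file_var does not point to a readable file" >&2
    return 1
  fi
  # Command substitution drops trailing newlines; tr drops CRs from CRLF files.
  _ls_value="$(tr -d '\r' < "$_ls_file")"
  if [ -z "$_ls_value" ]; then
    echo "error: file named by $_ls_file_var is empty" >&2
    return 1
  fi
  export "$_ls_name=$_ls_value"
  unset "$_ls_file_var" _ls_value   # keep the path and the copy out of child scope
}

# Typical entrypoint use:  load_secret KEYGEN_API_KEY || exit 1
```
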

coderabbitai Bot commented Jun 21, 2026

Walkthrough

Adds Keygen license management: a new KEYGEN_API_KEY env variable enables automatic license key rotation via a background job dispatched on admin login. OldLicenseCheck gains inline rotation on diagnostics runs. A new KeygenApiTokenCheck diagnostic pipe validates the API token health. VerifyFactory is bound in DI, Docker environment configuration is added, and a how-to documentation page explains the feature.

Changes

Keygen License Management

| Layer | File(s) | Summary |
| --- | --- | --- |
| Environment, DI wiring, and Docker configuration | .env.example, app/Providers/AppServiceProvider.php, app/Providers/EventServiceProvider.php, docker-compose.yaml, docker/scripts/01-validate-env.sh | Adds KEYGEN_API_KEY= env placeholder in .env and docker-compose, binds VerifyFactory → DefaultVerifyFactory in the service container, registers RotateLicenseKeyOnLogin as a Login event listener, and configures Docker to load and validate the Keygen API key from environment or secrets. |
| Rotation job and login listener | app/Jobs/RotateLicenseKeyJob.php, app/Listeners/RotateLicenseKeyOnLogin.php | RotateLicenseKeyJob::handle() guards on schema existence, FREE_EDITION status, and both config keys before calling Rotation::rotate() and resetting verify status. RotateLicenseKeyOnLogin dispatches the job after the HTTP response when the logged-in user has may_administrate. |
| Diagnostics: OldLicenseCheck rotation and KeygenApiTokenCheck | app/Actions/Diagnostics/Pipes/Checks/OldLicenseCheck.php, app/Actions/Diagnostics/Pipes/Checks/KeygenApiTokenCheck.php, app/Actions/Diagnostics/Errors.php | OldLicenseCheck accepts a Rotation dependency and attempts auto-rotation when keygen_api_key is set, suppressing the expired-license error on success. New KeygenApiTokenCheck calls TokenExtension::extend() and emits error or week-expiry warning diagnostics; both pipes are registered in Errors::get(). |
| Keygen license management documentation | docs/specs/2-how-to/keygen-license-management.md | How-to page covering KEYGEN_API_KEY configuration, rotation trigger behavior (admin login, 24-hour cooldown, diagnostics-triggered path), token health check semantics, and a troubleshooting table. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 57.14% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/specs/2-how-to/keygen-license-management.md (1)

1-63: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add required footer with last-updated date.

Documentation files must include a footer with an hr line and "Last updated: [date]" per coding guidelines. This provides clarity on documentation freshness and maintenance.

📝 Add footer to end of file
 | Rotation never triggers | User logging in is not an admin | Only admin logins (`may_administrate = true`) trigger rotation |
+
+---
+
+*Last updated: June 2026*
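
Review bot: The date on the last added line, `*Last updated: June 2026*`, is hand-written and month-granular, so it will drift the next time this how-to is edited without the footer being touched. Consider a full date matching the change (this PR is dated June 21, 2026) and make bumping the footer part of every edit to the file.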

Source: Coding guidelines


📥 Commits

Reviewing files that changed from the base of the PR and between 208fb3c and 535940a.

⛔ Files ignored due to path filters (1)
  • composer.lock is excluded by !**/*.lock
📒 Files selected for processing (9)
  • .env.example
  • app/Actions/Diagnostics/Errors.php
  • app/Actions/Diagnostics/Pipes/Checks/KeygenApiTokenCheck.php
  • app/Actions/Diagnostics/Pipes/Checks/OldLicenseCheck.php
  • app/Jobs/RotateLicenseKeyJob.php
  • app/Listeners/RotateLicenseKeyOnLogin.php
  • app/Providers/AppServiceProvider.php
  • app/Providers/EventServiceProvider.php
  • docs/specs/2-how-to/keygen-license-management.md

codecov Bot commented Jun 21, 2026

Codecov Report

❌ Patch coverage is 66.66667% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.45%. Comparing base (208fb3c) to head (4252587).
⚠️ Report is 2 commits behind head on master.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1


📥 Commits

Reviewing files that changed from the base of the PR and between 535940a and 4252587.

⛔ Files ignored due to path filters (1)
  • composer.lock is excluded by !**/*.lock
📒 Files selected for processing (4)
  • app/Jobs/RotateLicenseKeyJob.php
  • app/Listeners/RotateLicenseKeyOnLogin.php
  • docker-compose.yaml
  • docker/scripts/01-validate-env.sh

Comment thread app/Listeners/RotateLicenseKeyOnLogin.php
@ildyria ildyria merged commit ff8edde into master Jun 21, 2026
48 checks passed
@ildyria ildyria deleted the auto-rotation branch June 21, 2026 22:05