feat(licensing): verification runtime — minting deploy + prod public-key wiring (PR C)

[blove]

Summary

Closes the loop on the @ngaf/chat relicense. Mostly operational/CI work plus one library bug fix and one example wiring. Enforcement stays advisory only (console.warn, no UI nag) per the locked brainstorm decision. Origin allowlist deferred.

What this PR delivers:

1. runLicenseCheck idempotency bug fixed. Repeat calls with the same (package, token) tuple now return the cached actual LicenseStatus, not the literal 'licensed'. Adds a regression test for the no-token path.
2. CACHEPLANE_LICENSE_PUBLIC_KEY wired into publish.yml. The GH secret existed since 2026-04-30 but was never referenced; published @ngaf/chat therefore baked in the dev fixture key. One-line env injection makes the prebuild script (libs/licensing/scripts/generate-public-key.mjs) pick up the prod hex.
3. apps/minting-service deployed via CI. New minting-deploy job in ci.yml, parallel to existing website/cockpit/demo deploys, gated on push to main. Hits https://minting.threadplane.ai/api/health after deploy for a sanity check.
4. libs/chat/README.md gains a "Using a commercial license" section showing the provideChat({ license: '…' }) snippet customers paste after purchase, plus the build-time-define variant.
5. examples/chat/angular/ wired to read environment.license. Default is undefined so the demo stays unlicensed in main; a smoke-test session can drop a real token into environment.ts to exercise the verify path.

Operational tasks (post-merge, not in code)

• Add GH secret VERCEL_MINTING_PROJECT_ID = prj_3x6SBua2bmAk374uFrp0MdqZSe9u
• In Vercel UI: assign domain minting.threadplane.ai to the threadplane-minting-service project
• In Stripe Dashboard: point the live-mode webhook at https://minting.threadplane.ai/api/stripe-webhook
• On the first @ngaf/chat publish after this lands: confirm dist/libs/licensing/fesm2022/*.mjs contains the prod public-key hex (not the dev fixture 793132582f3d…)
• Execute the end-to-end smoke test runbook from docs/superpowers/specs/2026-05-20-licensing-verification-runtime-design.md

Test plan

• npx nx run licensing:test → success (regression test passes; no regressions in existing tests)
• npx nx run chat:test → success (no library code changed; baseline preserved)
• npx nx run examples-chat-angular:build → success
• YAML validation of both workflow files (yaml.safe_load) → ok
• Scope check: only libs/licensing/, libs/chat/README.md, .github/workflows/{publish,ci}.yml, examples/chat/angular/, and docs/superpowers/ touched.

Out of scope (deliberately)

• No nag UI. Enforcement is advisory only, same as today.
• No claims schema changes. LicenseClaims stays { sub, tier, iat, exp, seats }. Origin allowlist is a future PR.
• No new env var conventions. Token source is ChatConfig.license only. Customer pastes the token into their app config.
• No nag-UI / banner component / license signal exposed to consumers. Just console.warn from runLicenseCheck.

Risks

• Public-key / private-key mismatch. The GH secret was set 2026-04-30; the Vercel private key was set in the same window. Likely match but unverifiable from secrets alone. The smoke-test runbook in the spec includes an explicit derive-from-private check via vercel env pull + @noble/ed25519.
• First minting deploy could fail if VERCEL_MINTING_PROJECT_ID secret hasn't been added yet. The CI job's if: gate means it only runs on push to main; a pre-merge dry-run isn't possible. Mitigation: the operational checklist above is the first thing to do post-merge.
• No example wiring runs in CI today because environment.license stays undefined by default. The verify path is only exercised during manual smoke testing. Acceptable for an advisory-only enforcement model.

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
threadplane	Ready	Preview, Comment	May 21, 2026 5:40pm