Read how the local vault, OS keychain, backend-only request execution, EULA acceptance, trial, and subscription licensing work together.
- Vault and keychain model
- Backend-only request boundary
- Trial and subscription mechanics
- Offline grace and restricted mode
Security, vault, and licensing
Vault and credential boundary
CF Guard Desk is built around the real security boundary: Cloudflare tokens with access to zone configuration, DNS records, WAF rulesets, and security events.
The baseline model is:
- vault access required before operational commands
- credentials stored in the OS keychain only
- Cloudflare requests executed in the desktop backend
- HTTPS enforced for endpoint handling
What the vault does
The vault is a real gate.
While the vault is locked:
- operational commands stay unavailable
- scan execution stays blocked
- findings and workspaces are not treated as active
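The baseline model and the vault gate above, as an added Python example (not CF Guard Desk's own code): the backend refuses operational commands while locked, accepts only HTTPS endpoints, and reads the token from the keychain per request without returning it to the caller. The command names, the dict standing in for the OS keychain, the transport callable, and the example.test URLs used to exercise it are assumptions.

```python
from urllib.parse import urlsplit

class VaultLocked(Exception):
    """An operational command was attempted while the vault is locked."""

class InsecureEndpoint(Exception):
    """The endpoint is not a plain HTTPS URL."""

def check_endpoint(url):
    parts = urlsplit(url)  # scheme is lower-cased by urlsplit
    if parts.scheme != "https" or not parts.hostname:
        raise InsecureEndpoint("endpoint must be an https URL with a host")
    if parts.username or parts.password:
        raise InsecureEndpoint("credentials must not be embedded in the URL")
    return url

class Backend:
    # Hypothetical command names; the page does not list the real ones.
    OPERATIONAL = {"run_scan", "list_findings", "open_workspace"}

    def __init__(self, keychain, transport):
        self._keychain = keychain    # stand-in for the OS keychain
        self._transport = transport  # stand-in for the HTTPS client
        self._unlocked = False

    def unlock(self, vault_check_passed):
        self._unlocked = bool(vault_check_passed)

    def lock(self):
        self._unlocked = False

    def dispatch(self, command, url, account="default"):
        # Gate first: nothing touches the keychain or network while locked.
        if command in self.OPERATIONAL and not self._unlocked:
            raise VaultLocked(command)
        check_endpoint(url)
        token = self._keychain[account]  # read per call, not cached
        status, body = self._transport(url, {"Authorization": f"Bearer {token}"})
        return {"status": status, "body": body}  # the token never goes back to the UI

def demo():
    sent = []  # constructed transport: records what would be sent, no network
    def transport(url, headers):
        sent.append((url, headers))
        return 200, "ok"
    backend = Backend({"default": "constructed-token"}, transport)
    return backend, sent
```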
Trial and EULA behavior
Every installer starts with 7 days of full Pro access.
The trial flow is explicit:
- Install the app.
- Accept the EULA on first launch.
- Start the 7-day Pro trial.
- Subscribe through Lemon Squeezy if you want to continue after the trial.
License verification
License state is verified locally with a 7-day offline grace window.
Visible states should remain explicit in the product surface:
- Trial
- Active
- Grace period
- Invalid
- Expired or inactive
Privacy posture
The desktop app ships with no in-app telemetry by default.
That means:
- no analytics SDKs in the runtime
- no crash reporting by default
- no required hosted account system
Website analytics and cookies are handled separately from the desktop runtime.