Add FlowChain owner activation plan

Author: FlowmemoryAI

docs/agent-runs/live-product-infra-rpc/COMPLETION_AUDIT.md

@@ -1,6 +1,6 @@
 # FlowChain Completion Audit
 
-Generated: 2026-05-18T06:22:40.6530606Z
+Generated: 2026-05-18T06:33:15.5719579Z
 Status: blocked
 Completion ready: False
 Refresh mode: no-refresh-existing-reports
@@ -27,14 +27,15 @@ Latest observed height: 66326
 | Owner public RPC, tester write gateway, backup, and Base 8453 bridge inputs are validated without printing values. | blocked | ownerInputsStatus=blocked, ownerInputReady=False, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\owner-inputs-report.json | npm run flowchain:owner-inputs |
 | Owner onboarding distinguishes repo-owned FlowChain RPC from the external Base 8453 RPC dependency and gives no-values setup commands. | passed | onboardingStatus=passed, flowChainRpcIsOurs=True, thirdPartyFlowChainRpcProviderNeeded=False, publicRpcRequiresOwnerPublicEdge=True, base8453RpcIsExternalChainDependency=True, localEnvFileSupported=True, failedChecks=0, secretFindings=0, missingChecks=0, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\owner-onboarding-report.json | npm run flowchain:owner:onboarding |
 | Owner signup checklist maps public RPC edge, tester write token/cap, always-on host, backup storage, Base 8453 RPC, bridge details, and local env-file setup to exact owner actions without requesting secrets. | passed | signupStatus=passed, itemCount=9, externalSignupCount=3, missingCoverage=0, repoOwned=True, localEnvFileSupported=True, failedChecks=0, secretFindings=0, missingChecks=0, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\owner-signup-checklist-report.json | npm run flowchain:owner:signup-checklist |
+| Owner activation plan turns remaining public launch inputs into ordered stages with exact validation commands, resource boundaries, and no-secret handoff instructions. | passed | activationPlanStatus=passed, activationReady=False, stages=8, readyStages=2, failedChecks=0, secretFindings=0, missingChecks=0, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\owner-activation-plan-report.json | npm run flowchain:owner:activation-plan |
 | Owner env-file setup has a command-generated local scaffold whose target path is git-ignored before owner values are added. | passed | templateStatus=passed, pathIsGitIgnored=True, requiredEnvNameCount=17, optionalEnvNameCount=2, includesAllRequired=True, failedChecks=0, secretFindings=0, missingChecks=0, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\owner-env-template-report.json | npm run flowchain:owner-env:template |
 | Owner env readiness validator fails closed before child gates for missing owner env files and repo-local env files that are not git-ignored. | passed | validationStatus=passed, missingFails=True, unignoredFails=True, failedChecks=0, secretFindings=0, missingChecks=0, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\owner-env-readiness-validation-report.json | npm run flowchain:owner-env:readiness:validate |
 | The ignored owner env file can drive owner-input, live-infra, and public deployment gates through one redacted command. | blocked | readinessStatus=blocked, pathGitIgnored=True, ownerInputsReady=False, liveInfraReady=False, publicDeploymentContractReady=False, blockedOnlyKnown=True, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\owner-env-readiness-report.json | npm run flowchain:owner-env:readiness -- -AllowBlocked |
 | Public RPC exposure has a no-values owner edge template for HTTPS reverse proxying, rate limiting, and CORS-origin forwarding. | passed | edgeTemplateStatus=passed, repoOwned=True, requiresTls=True, requiresRateLimit=True, forwardsOrigin=True, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\public-rpc-edge-template-report.json | npm run flowchain:public-rpc:edge-template |
 | Public RPC deployment bundle has no-secret Nginx, owner env, owner render validation, tester write preflight, verification, and rollback artifacts for exposing FlowChain's own RPC. | passed | bundleStatus=passed, repoOwned=True, nginxTemplate=True, renderValidation=True, testerWritePreflight=True, failedChecks=0, missingChecks=0, secretFindings=0, verifyRunbook=True, rollbackRunbook=True, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\public-rpc-deployment-bundle-report.json | npm run flowchain:public-rpc:deployment-bundle |
 | Public RPC deployment automation validates owner-host rendering of concrete Nginx, systemd, shell preflight, Windows preflight, tester write unauthenticated rejection probe, post-deploy verification, and rollback phases without host mutation or owner-value leakage. | passed | automationStatus=passed, action=Validate, renderCommand=True, noPlaceholders=True, testerUnauthProbe=True, hostMutationFalse=True, failedChecks=0, missingChecks=0, secretFindings=0, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\public-rpc-deployment-automation-report.json | npm run flowchain:public-rpc:deployment:automation |
-| Node operator package collects no-secret runbooks, command matrix, owner-input names, and current evidence for install, autorecovery, public RPC, backup, ops, bridge, testers, and release gates. | passed | operatorPackageStatus=passed, commands=41, runbooks=24, evidenceReports=34, failedChecks=0, secretFindings=0, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\operator-package-report.json | npm run flowchain:operator:package |
-| Node operator package verifier independently checks the generated package manifest, expected files, command matrix, owner-input names, forbidden local files, and no-secret scan. | passed | verifyStatus=passed, expectedFiles=53, commands=41, failedChecks=0, secretFindings=0, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\operator-package-verify-report.json | npm run flowchain:operator:package:verify |
+| Node operator package collects no-secret runbooks, command matrix, owner-input names, and current evidence for install, autorecovery, public RPC, backup, ops, bridge, testers, and release gates. | passed | operatorPackageStatus=passed, commands=42, runbooks=25, evidenceReports=35, failedChecks=0, secretFindings=0, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\operator-package-report.json | npm run flowchain:operator:package |
+| Node operator package verifier independently checks the generated package manifest, expected files, command matrix, owner-input names, forbidden local files, and no-secret scan. | passed | verifyStatus=passed, expectedFiles=55, commands=42, failedChecks=0, secretFindings=0, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\operator-package-verify-report.json | npm run flowchain:operator:package:verify |
 | Public RPC readiness validator proves endpoint checks, CORS allowed-origin acceptance, disallowed-origin rejection, bounded rate-limit rejection, retry-after evidence, and response hygiene against a temporary local control plane. | passed | validationStatus=passed, allowedOriginAccepted=True, disallowedProbe=True, disallowedRejected=True, endpointChecks=True, rateLimitProbe=True, rateLimitRejected=True, rateLimitRetryAfter=True, responseHygiene=True, failedChecks=0, secretFindings=0, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\public-rpc-validation-report.json | npm run flowchain:public-rpc:validate |
 | Public RPC abuse harness proves CORS rejection, media-type rejection, parse-error handling, method/params failure envelopes, batch/body caps, notification 204 handling, rate limiting, and no-secret response summaries. | passed | abuseStatus=passed, abuseReady=True, failedChecks=0, secretFindings=0, missingChecks=0, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\public-rpc-abuse-test-report.json | npm run flowchain:public-rpc:abuse-test |
 | Public tester write gateway proves bearer auth configuration, public-only wallet creation, capped send settlement, and over-cap rejection on a temporary local control-plane. | passed | gatewayStatus=passed, configured=True, transferAccepted=True, capRejected=True, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\public-tester-gateway-e2e-report.json | npm run flowchain:tester:gateway:e2e |

docs/agent-runs/live-product-infra-rpc/OPERATOR_PACKAGE.md

@@ -1,15 +1,15 @@
 # FlowChain Operator Package
 
-Generated: 2026-05-18T06:22:09.9036475Z
+Generated: 2026-05-18T06:32:22.5250733Z
 Status: passed
 
 ## Package
 
 - Directory: `E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\operator-package`
 - Manifest: `E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\operator-package\OPERATOR_PACKAGE_MANIFEST.json`
 - Command matrix: `E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\operator-package\OPERATOR_COMMAND_MATRIX.json`
-- Runbooks copied: 24
-- Evidence reports copied: 34
+- Runbooks copied: 25
+- Evidence reports copied: 35
 
 ## Checks
 

docs/agent-runs/live-product-infra-rpc/OPERATOR_PACKAGE_VERIFY.md

@@ -1,6 +1,6 @@
 # FlowChain Operator Package Verify
 
-Generated: 2026-05-18T06:22:30.3674198Z
+Generated: 2026-05-18T06:32:33.7007452Z
 Status: passed
 
 ## Checks
@@ -32,8 +32,8 @@ Status: passed
 
 - Package report: `E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\operator-package-report.json`
 - Package directory: `E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\operator-package`
-- Expected files: 53
+- Expected files: 55
 - Missing files: 0
 - Forbidden local files: 0
-- Command count: 41
+- Command count: 42
 - Owner-input names: 17

docs/agent-runs/live-product-infra-rpc/OWNER_ACTIVATION_PLAN.md

@@ -0,0 +1,106 @@
+# FlowChain Owner Activation Plan
+
+Generated: 2026-05-18T06:32:02.7988038+00:00
+Status: passed
+Activation ready: False
+
+This plan is the current launch handoff. It records names, statuses, and commands only. Put real values in the ignored owner env file or the service environment; do not paste secrets into chat, GitHub, or generated reports.
+
+## Current Missing Owner Inputs
+
+- `FLOWCHAIN_RPC_PUBLIC_URL`
+- `FLOWCHAIN_RPC_ALLOWED_ORIGINS`
+- `FLOWCHAIN_RPC_RATE_LIMIT_PER_MINUTE`
+- `FLOWCHAIN_RPC_TLS_TERMINATED`
+- `FLOWCHAIN_RPC_STATE_BACKUP_PATH`
+- `FLOWCHAIN_TESTER_WRITE_ENABLED`
+- `FLOWCHAIN_TESTER_WRITE_TOKEN_SHA256`
+- `FLOWCHAIN_TESTER_MAX_SEND_UNITS`
+- `FLOWCHAIN_PILOT_OPERATOR_ACK`
+- `FLOWCHAIN_BASE8453_RPC_URL`
+- `FLOWCHAIN_BASE8453_LOCKBOX_ADDRESS`
+- `FLOWCHAIN_BASE8453_SUPPORTED_TOKEN`
+- `FLOWCHAIN_BASE8453_ASSET_DECIMALS`
+- `FLOWCHAIN_BASE8453_FROM_BLOCK`
+- `FLOWCHAIN_PILOT_MAX_DEPOSIT_WEI`
+- `FLOWCHAIN_PILOT_TOTAL_CAP_WEI`
+- `FLOWCHAIN_PILOT_CONFIRMATIONS`
+
+## Activation Stages
+
+| Stage | Status | Missing inputs | Validate with |
+| --- | --- | --- | --- |
+| Keep the chain and private RPC running | ready | none | npm run flowchain:service:status -- -AllowBlocked; npm run flowchain:service:monitor |
+| Fill the ignored local owner env file | ready | none | npm run flowchain:owner-env:template; npm run flowchain:owner-env:readiness:validate; npm run flowchain:owner-env:readiness -- -AllowBlocked |
+| Expose repo-owned FlowChain RPC through a public HTTPS edge | needs-owner-input | FLOWCHAIN_RPC_PUBLIC_URL, FLOWCHAIN_RPC_ALLOWED_ORIGINS, FLOWCHAIN_RPC_RATE_LIMIT_PER_MINUTE, FLOWCHAIN_RPC_TLS_TERMINATED | npm run flowchain:public-rpc:check -- -AllowBlocked; npm run flowchain:public-rpc:validate; npm run flowchain:public-rpc:abuse-test |
+| Provision durable state backup storage | needs-owner-input | FLOWCHAIN_RPC_STATE_BACKUP_PATH | npm run flowchain:backup:check -- -AllowBlocked; npm run flowchain:backup:restore:validate; npm run flowchain:backup:owner-path:dry-run |
+| Enable capped friends-and-family tester writes | needs-owner-input | FLOWCHAIN_TESTER_WRITE_ENABLED, FLOWCHAIN_TESTER_WRITE_TOKEN_SHA256, FLOWCHAIN_TESTER_MAX_SEND_UNITS | npm run flowchain:tester:gateway:e2e; npm run flowchain:external-tester:packet -- -AllowBlocked; npm run flowchain:external-tester:packet:validate |
+| Configure capped Base 8453 bridge pilot observation | needs-owner-input | FLOWCHAIN_PILOT_OPERATOR_ACK, FLOWCHAIN_BASE8453_RPC_URL, FLOWCHAIN_BASE8453_LOCKBOX_ADDRESS, FLOWCHAIN_BASE8453_SUPPORTED_TOKEN, FLOWCHAIN_BASE8453_ASSET_DECIMALS, FLOWCHAIN_BASE8453_FROM_BLOCK, FLOWCHAIN_PILOT_MAX_DEPOSIT_WEI, FLOWCHAIN_PILOT_TOTAL_CAP_WEI, FLOWCHAIN_PILOT_CONFIRMATIONS | npm run flowchain:bridge:live:check -- -AllowBlocked; npm run flowchain:bridge:infra:check -- -AllowBlocked; npm run flowchain:bridge:relayer:guardrail:validate; npm run flowchain:bridge:relayer:loop:validate |
+| Release the external tester packet only after public gates pass | needs-owner-input | FLOWCHAIN_RPC_PUBLIC_URL, FLOWCHAIN_RPC_ALLOWED_ORIGINS, FLOWCHAIN_RPC_RATE_LIMIT_PER_MINUTE, FLOWCHAIN_RPC_TLS_TERMINATED, FLOWCHAIN_RPC_STATE_BACKUP_PATH, FLOWCHAIN_TESTER_WRITE_ENABLED, FLOWCHAIN_TESTER_WRITE_TOKEN_SHA256, FLOWCHAIN_TESTER_MAX_SEND_UNITS, FLOWCHAIN_PILOT_OPERATOR_ACK, FLOWCHAIN_BASE8453_RPC_URL, FLOWCHAIN_BASE8453_LOCKBOX_ADDRESS, FLOWCHAIN_BASE8453_SUPPORTED_TOKEN, FLOWCHAIN_BASE8453_ASSET_DECIMALS, FLOWCHAIN_BASE8453_FROM_BLOCK, FLOWCHAIN_PILOT_MAX_DEPOSIT_WEI, FLOWCHAIN_PILOT_TOTAL_CAP_WEI, FLOWCHAIN_PILOT_CONFIRMATIONS | npm run flowchain:external-tester:packet -- -AllowBlocked; npm run flowchain:external-tester:packet:validate; npm run flowchain:dashboard:ui:readiness |
+| Run final no-secret production audit before public use | needs-owner-input | FLOWCHAIN_RPC_PUBLIC_URL, FLOWCHAIN_RPC_ALLOWED_ORIGINS, FLOWCHAIN_RPC_RATE_LIMIT_PER_MINUTE, FLOWCHAIN_RPC_TLS_TERMINATED, FLOWCHAIN_RPC_STATE_BACKUP_PATH, FLOWCHAIN_TESTER_WRITE_ENABLED, FLOWCHAIN_TESTER_WRITE_TOKEN_SHA256, FLOWCHAIN_TESTER_MAX_SEND_UNITS, FLOWCHAIN_PILOT_OPERATOR_ACK, FLOWCHAIN_BASE8453_RPC_URL, FLOWCHAIN_BASE8453_LOCKBOX_ADDRESS, FLOWCHAIN_BASE8453_SUPPORTED_TOKEN, FLOWCHAIN_BASE8453_ASSET_DECIMALS, FLOWCHAIN_BASE8453_FROM_BLOCK, FLOWCHAIN_PILOT_MAX_DEPOSIT_WEI, FLOWCHAIN_PILOT_TOTAL_CAP_WEI, FLOWCHAIN_PILOT_CONFIRMATIONS | npm run flowchain:completion:audit -- -AllowBlocked; npm run flowchain:truth-table -- -AllowBlocked; npm run flowchain:no-secret:scan |
+
+## Owner Actions
+
+### Keep the chain and private RPC running
+- Choose the host that will stay online and keep the FlowChain node/control-plane running.
+- Resources: Always-on Windows host, Linux host, or VPS
+### Fill the ignored local owner env file
+- Run the template command, fill real values only on the launch host, and point FLOWCHAIN_OWNER_ENV_FILE at that file.
+- Resources: Local ignored env file or service environment
+### Expose repo-owned FlowChain RPC through a public HTTPS edge
+- Create DNS or a tunnel hostname for the FlowChain RPC edge.
+- Terminate TLS at the edge.
+- Set exact allowed browser origins and a positive per-minute rate limit.
+- Resources: DNS provider or existing domain, TLS edge, reverse proxy, or tunnel
+### Provision durable state backup storage
+- Create a writable persistent directory available to the FlowChain service process.
+- Keep the path local to the launch host or mounted as durable storage.
+- Resources: Persistent local disk, mounted volume, or owner-managed backup directory
+### Enable capped friends-and-family tester writes
+- Generate a random bearer token outside the repo.
+- Store only its SHA-256 digest in the owner env file.
+- Choose a small positive per-send test-unit cap.
+- Resources: Owner password manager or secret store
+### Configure capped Base 8453 bridge pilot observation
+- Provide a Base chain 8453 HTTPS endpoint.
+- Provide deployed lockbox and supported-token addresses.
+- Choose the bootstrap from-block, confirmations, max deposit, total cap, and explicit capped-pilot acknowledgement.
+- Resources: Base RPC provider or owner-operated Base node, Deployed pilot bridge contract details
+### Release the external tester packet only after public gates pass
+- Share wallet/tester instructions only after the packet report marks external sharing ready.
+- Keep per-send caps low for the first pilot.
+- Resources: Friends-and-family tester list
+### Run final no-secret production audit before public use
+- Run the aggregate gates after all owner values are configured.
+- Do not announce public readiness until completionReady is true and the truth table has no owner blockers.
+- Resources: None beyond the configured launch resources
+
+## Do Not Send
+
+- Host login password
+- SSH private key
+- Owner env file contents
+- Provider URLs that carry account tokens
+- Registrar password
+- tunnel token
+- TLS private key
+- Storage account secret
+- cloud backup credentials
+- Raw tester bearer token
+- token hash together with the raw token
+- Wallet private key
+- wallet recovery words
+- provider dashboard password
+- Raw tester token in GitHub or chat
+- owner env file contents
+- Any secret-bearing provider URL
+- wallet recovery material
+
+## Next Commands
+
+- npm run flowchain:owner-env:template
+- npm run flowchain:owner-env:readiness -- -AllowBlocked
+- npm run flowchain:owner-inputs -- -AllowBlocked
+- npm run flowchain:public-rpc:check -- -AllowBlocked
+- npm run flowchain:bridge:live:check -- -AllowBlocked
+- npm run flowchain:completion:audit -- -AllowBlocked