web/docs/chain-operations-runbook.md

Chain Operations Runbook (Base, v1)

Scope

Operational procedures for membership mint, checkout confirmation, and availability lease/renewal dependency on chain state.

Normal Operation

1. Primary RPC healthy.
2. Confirmation endpoint verifies tx receipt and policy match.
3. Membership state transitions to membership_active only on valid confirmation.
4. Connected-class lease heartbeats refresh availability before expiry.
5. Sovereign-class offline renewal bundles validate signature and policy hash before state promotion.

Degraded Scenarios

RPC Outage

1. Mark confirmation dependency degraded.
2. Switch to secondary RPC endpoint.
3. Re-run receipt verification.
4. If uncertain, fail closed and queue retry.

Reorg Risk

1. Apply minimum confirmation depth policy.
2. If tx dropped/reorged, revert to pending_membership_mint.
3. Notify via deterministic status message; do not promote state.

Chain Congestion

1. Quote remains authoritative until expiry.
2. Expired quote requires re-quote.
3. No off-policy amount overrides.

Safe Mode Triggers

1. Conflicting tx results across RPC providers.
2. Contract bytecode mismatch at expected address.
3. Persistent receipt retrieval failures beyond threshold.

Safe mode actions:

1. Pause new confirmations.
2. Keep purchase state blocked.
3. Emit incident evidence.
4. Prevent availability promotions when renewal evidence is uncertain.

Recovery

1. Validate RPC consensus.
2. Reconcile pending confirms deterministically.
3. Resume confirmations after verification threshold restored.