web/docs/chain-operations-runbook.md

# Chain Operations Runbook (Base, v1)

## Scope

Operational procedures for membership mint and checkout confirmation dependency on chain state.

## Normal Operation

1. Primary RPC healthy.
2. Confirmation endpoint verifies tx receipt and policy match.
3. Membership state transitions to `membership_active` only on valid confirmation.

## Degraded Scenarios

## RPC Outage

1. Mark confirmation dependency degraded.
2. Switch to secondary RPC endpoint.
3. Re-run receipt verification.
4. If uncertain, fail closed and queue retry.

## Reorg Risk

1. Apply minimum confirmation depth policy.
2. If tx dropped/reorged, revert to `pending_membership_mint`.
3. Notify via deterministic status message; do not promote state.

## Chain Congestion

1. Quote remains authoritative until expiry.
2. Expired quote requires re-quote.
3. No off-policy amount overrides.

## Safe Mode Triggers

1. Conflicting tx results across RPC providers.
2. Contract bytecode mismatch at expected address.
3. Persistent receipt retrieval failures beyond threshold.

Safe mode actions:

1. Pause new confirmations.
2. Keep purchase state blocked.
3. Emit incident evidence.

## Recovery

1. Validate RPC consensus.
2. Reconcile pending confirms deterministically.
3. Resume confirmations after verification threshold restored.