| title | Live Rails Operator Runbook |
|---|---|
| slug | /reference/live-rails-operator-runbook |
Date: March 28, 2026
This is the canonical operator-only runbook for live Safe, session-capability, archive, and Filecoin registry paths.
Use this only for the second gate. Do not use it to describe the default public staged-launch bar. The stage-based release progression lives in Production Release Checklist.
Use this doc when all of these are true:
- the mock-first staged-launch bar is already green
- you are intentionally validating live Safe, Green Goods, archive, session-capability, or Filecoin registry rails
- the build is operator-controlled rather than a standard public Chrome Web Store candidate
For the current public-release boundary, read Current Release Status.
Standard staged-launch builds stay mock-first:
VITE_COOP_ONCHAIN_MODE=mock
VITE_COOP_ARCHIVE_MODE=mock
VITE_COOP_SESSION_MODE=offWhy the separation matters:
- Coop's frontend
VITE_env values are baked into the built extension bundle - live integration config therefore belongs only in controlled operator builds
- public Chrome Web Store candidates should not carry trusted-node archive signing material
Do not ship these values in a public Chrome Web Store candidate:
VITE_COOP_TRUSTED_NODE_ARCHIVE_*
Treat any build enabling live rails as operator-controlled until that secret boundary changes in code.
Before you touch live env:
bun run test
bun run test:coverage
bun run build
bun run validate:store-readiness
bun run validate:production-readinessFor a public candidate, also complete the manual real-Chrome popup Capture Tab and Screenshot
checks before claiming release readiness.
These switches enable the second gate:
VITE_COOP_ONCHAIN_MODE=live
VITE_COOP_ARCHIVE_MODE=live
VITE_COOP_SESSION_MODE=liveRebuild after any env change because Vite bakes them into the bundle.
Recommended commands:
bun run build:operator-live
bun run validate:operator-liveThe operator-live profile overlay lives at config/env/profiles/operator-live.env and supplies
only the non-secret live mode/origin values. Keep the actual live credentials in the repo-root
.env.local.
Command:
bun run validate:arbitrum-safe-liveRequired env:
VITE_PIMLICO_API_KEYCOOP_ONCHAIN_PROBE_PRIVATE_KEY
Optional:
COOP_ONCHAIN_PROBE_CHAIN=arbitrum
Current behavior:
- deploys a probe Safe for the specified chain
- prints the resulting Safe address and deployment transaction hash
- exits cleanly with a skip message when the required env is missing
Operational guidance:
- use a dedicated probe private key, not a treasury owner key
- record the Safe address and tx hash from successful rehearsals
Command:
bun run validate:session-key-liveRequired env:
VITE_PIMLICO_API_KEYCOOP_SESSION_PROBE_PRIVATE_KEY
Optional:
COOP_SESSION_PROBE_CHAIN=arbitrumCOOP_SESSION_PROBE_SAFE_ADDRESS=0x...COOP_SESSION_PROBE_NAMECOOP_SESSION_PROBE_SLUGCOOP_SESSION_PROBE_DESCRIPTIONCOOP_SESSION_PROBE_LOCATIONCOOP_SESSION_PROBE_BANNER_IMAGECOOP_SESSION_PROBE_METADATACOOP_SESSION_PROBE_HYPOTHETICAL_GARDEN_ADDRESS
Current behavior:
- attaches to an existing probe Safe or deploys one
- validates the bounded policy locally before any live send
- exercises one allowed
green-goods-create-gardenaction when the probe Safe supports the required modules - confirms a disallowed action is rejected
- revokes the session and confirms later rejection
- exits cleanly with a skip message when the required env is missing
Use a dedicated probe Safe when you want repeatable rehearsals. COOP_SESSION_PROBE_SAFE_ADDRESS
is the right way to reuse that boundary instead of mixing real operator safes into the probe path.
Command:
bun run validate:archive-liveCore trusted-node archive env for a real delegation:
VITE_COOP_TRUSTED_NODE_ARCHIVE_SPACE_DIDVITE_COOP_TRUSTED_NODE_ARCHIVE_DELEGATION_ISSUERVITE_COOP_TRUSTED_NODE_ARCHIVE_SPACE_DELEGATION
Commonly needed:
VITE_COOP_TRUSTED_NODE_ARCHIVE_AGENT_PRIVATE_KEYVITE_COOP_TRUSTED_NODE_ARCHIVE_PROOFSVITE_COOP_TRUSTED_NODE_ARCHIVE_GATEWAY_URLVITE_COOP_TRUSTED_NODE_ARCHIVE_ALLOWS_FILECOIN_INFOVITE_COOP_TRUSTED_NODE_ARCHIVE_EXPIRATION_SECONDSVITE_COOP_TRUSTED_NODE_ARCHIVE_FILECOIN_WITNESS_RPC_URLVITE_COOP_TRUSTED_NODE_ARCHIVE_FILECOIN_WITNESS_RPC_TOKENCOOP_ARCHIVE_PROBE_AUDIENCE_DID
Important current behavior:
- if the trusted-node archive env is missing, the script falls back to an in-process static delegation
- that fallback is useful for wiring checks, but it is not a proof that operator archive credentials are configured correctly
Operational guidance:
- only treat this probe as a live-archive check when the real trusted-node archive env is present
- keep
COOP_ARCHIVE_PROBE_AUDIENCE_DIDon a non-production audience for rehearsals
Once the staged-launch bar is green and the live env is intentionally configured:
bun run validate:production-live-readinessThat composite gate runs:
production-readinessarbitrum-safe-livesession-key-livegreengoods-livearchive-livefvm-registry-live
If probe env is missing, some component probes can skip cleanly. Review the logs and do not claim live readiness from a skipped rehearsal.
The Filecoin registry path is now member-directed.
Relevant env:
VITE_COOP_FVM_CHAINVITE_COOP_FVM_REGISTRY_ADDRESS
Current constraint:
- deployment can use a Foundry keystore or private key from
packages/contracts - runtime registry actions in the extension use a member-local Filecoin signer that is provisioned on first use for the authenticated passkey member
- members must fund that local signer address on the selected FVM network before registry writes can succeed
Recommended operating rules:
- keep live env only in the repo-root
.env.local - rebuild after changing live env
- use probe-specific private keys instead of production treasury keys
- unset live env before packaging a standard public staged-launch candidate
- treat successful live probes as rehearsal evidence, not as permission to blur public and operator-only release claims