# Hekate Production Readiness

This runbook is the helicopter-view gate between private beta and stronger
mainnet or enterprise claims.

The short rule:

```txt
Private beta can ship with clear boundaries.
Mainnet and enterprise claims require real custody, real facilitator proof,
real receipt signing, and external review.
```

## Local readiness command

Run:

```bash
npm run hekate:readiness
```

The command does not print secrets. It checks local/public readiness and tells
you which operator steps are still missing.

Expected private-beta output may include:

```json
{
  "ok": true,
  "public_beta_ready": true,
  "mainnet_claims_allowed": false,
  "enterprise_claims_allowed": false
}
```

That is acceptable while custody, facilitator proof, or external review are
not complete.

## Live production smoke

After every production deploy, run:

```bash
npm run hekate:production-smoke
```

The smoke command calls the live Hekate domain and verifies:

```txt
/v1/health still reports not_certified mainnet status
/v1/receipts/signing-status is ed25519_ready
/.well-known/agentsec-jwks.json exposes the active Ed25519 public key
/v1/registry/status-history is signed with the active key
/v1/mcp/preflight returns an ed25519.signer.v1 receipt
/v1/receipts/verify accepts that receipt as a production signature
/registry/profiles.json is present
```

Use `HEKATE_PRODUCTION_BASE=https://your-preview.example` or
`npm run hekate:production-smoke -- --base https://your-preview.example`
to point it at a preview deployment. The output is secret-free and can be
attached to review packets.

## Required before mainnet claims

1. Ed25519 receipt signer configured:

```txt
HEKATE_RECEIPT_ED25519_PRIVATE_KEY_PEM
HEKATE_RECEIPT_KEY_ID
HEKATE_RECEIPT_SIGNER_ID
```

2. Real custody gateway configured:

```txt
MC_SIGNER_CUSTODY_URL
MC_SIGNER_CUSTODY_KEY_ID
MC_SIGNER_CUSTODY_HMAC_SECRET
MC_SIGNER_CUSTODY_PUBLIC_KEY_PEM
```

or:

```txt
MC_SIGNER_CUSTODY_VERIFIER_KEYS_JSON
```

3. Real facilitator verifier configured:

```txt
MC_AGENTSEC_LITE_FACILITATOR_URL
MC_AGENTSEC_LITE_FACILITATOR_HMAC_SECRET
AGENTSEC_CONFORMANCE_X_PAYMENT
```

4. Conformance checks pass:

```bash
npm run hekate:receipt-signer:conformance
curl https://hekategate.com/v1/receipts/signing-status
npm run hekate:production-smoke
npm run custody:conformance
npm run facilitator:conformance
```

5. External security review has no unresolved critical or high findings.

## Required before enterprise claims

All mainnet requirements, plus:

```txt
SSO/RBAC review
tenant isolation review
incident response runbook
retention/deletion review
audit evidence export review
dependency risk register acceptance
```

## Claim boundaries

Allowed now:

```txt
private beta
testnet-first
security preflight
policy gates
signed receipts when signer configured
audit evidence
```

Not allowed yet:

```txt
mainnet certified
enterprise certified
guarantees agent safety
prevents all prompt injection
replaces legal/compliance review
```

## Reviewer packet

Send the reviewer:

```txt
docs/HEKATE_SECURITY_REVIEW_HANDOFF.md
docs/HEKATE_LAUNCH_CHECKLIST.md
docs/HEKATE_RECEIPT_SIGNER_SETUP.md
docs/HEKATE_PRODUCTION_READINESS.md
```

Also attach redacted outputs from:

```bash
npm run security:ci
npm run hekate:readiness
npm run hekate:production-smoke
npm run custody:conformance
npm run facilitator:conformance
```
