feat(cert): Add live-network beta certification

docs/app-platform-beta-known-limitations.md

@@ -14,6 +14,14 @@ This page records conservative limits and safety boundaries for the Crypta app e
   the public Crypta network.
 - The beta does not require Docker, Node.js, npm, external network access, signing secrets, or
   public Crypta network access for its offline tests.
+- PR-246 live-network beta certification is an explicit release-manager step. It is not part of
+  normal PR or nightly evidence, and it should use disposable fixture catalog keys unless the
+  release manager is intentionally publishing the candidate first-party beta catalog.
+- Required live-network beta certification fails unless the configured expected catalog signing
+  key id matches the public `signatureKeyId` observed from the node's verified catalog summary.
+- Live-network beta app-facing steps authenticate with per-app browser sessions minted from the
+  configured static app bootstraps. A missing or stale bootstrap session fails required mode rather
+  than falling back to host/operator authority.
 - The beta does not modify FNP, FCP, wire protocol, or Hyphanet/Freenet network compatibility
   behavior.
 - FProxy browse remains retained.
@@ -99,6 +107,16 @@ This page records conservative limits and safety boundaries for the Crypta app e
 - `crypta:` catalog transport is not a trust boundary. Catalog bytes, catalog signatures, app
   artifacts, artifact digests, bundle signatures, review receipts, reviewer key lifecycle state,
   and permission/API compatibility still need their own checks.
+- Live-network beta certification proves only that signed catalog sidecars can be validated,
+  queued through a localhost node, and optionally fetched back from the configured public source.
+  It does not prove global propagation, public reputation, app safety beyond the signed
+  catalog/bundle/review gates, or deletion of published bytes.
+- Live synthetic content may remain retrievable and may not be deletable once inserted. Use fixture
+  catalog sources such as `crypta:USK@<catalog-key>/cryptad-app-catalog.properties`, immutable
+  artifact placeholders such as `crypta:CHK@<artifact-key>`, and a private insert URI supplied
+  only through environment-variable or protected-file indirection.
+- Lifecycle cleanup deletes only apps installed by that certification run. Prepared nodes with
+  existing first-party apps should use disposable certification app ids for lifecycle rehearsals.
 
 ## Data handling and redaction
 
@@ -113,6 +131,8 @@ Do not paste or commit:
   from real users, raw profile documents, raw signatures, or raw receipt signatures.
 - Local absolute paths, catalog scratch paths, staging paths, rollback backup paths, or host private
   configuration paths unless they are already redacted.
+- Real keys, production secrets, or user content in fixture certification examples, issue reports,
+  or release evidence.
 
 Safe placeholders include:
 
@@ -125,12 +145,13 @@ crypta:USK@<catalog-key>/cryptad-app-catalog.properties
 ```
 
 Release certification and issue templates should record statuses, relative repo paths, digests,
-app ids, capability names, evidence ids, and redacted summaries instead of raw payloads.
+app ids, capability names, evidence ids, public fixture URIs, and redacted summaries instead of
+raw payloads.
 
 ## Non-goals
 
-The beta does not introduce a live public app store, live public-network test dependency, global
-transparency log, full Web of Trust, old plugin ABI compatibility, old FCP plugin command
+The beta does not introduce a live public app store, a normal PR/nightly live-network dependency,
+global transparency log, full Web of Trust, old plugin ABI compatibility, old FCP plugin command
 compatibility, generic crawling, arbitrary HTTP/HTTPS fetching, a generic filesystem or database
 API for apps, Freetalk/Sone/Freemail compatibility, encrypted mail delivery, daemon-core social or
 mail protocols, new sandbox provider, new update scheduler policy, or any FNP/FCP/wire protocol

docs/app-platform-beta-program.md

@@ -109,6 +109,68 @@ crypta:CHK@<artifact-key>
 crypta:USK@<catalog-key>/cryptad-app-catalog.properties
 ```
 
+## Optional live AppHost smoke
+
+Optional live AppHost lifecycle smoke exercises the generated sample app through localhost Platform
+API routes. It is useful release-manager evidence, but normal PR and nightly evidence remain
+offline-safe.
+
+```bash
+CRYPTAD_CERT_APP_SMOKE_LIVE=1 \
+CRYPTAD_CERT_NODE_BASE_URL=http://127.0.0.1:<port> \
+CRYPTAD_CERT_FORM_PASSWORD=<redacted> \
+tools/release-certification/run-release-certification.sh --mode nightly
+```
+
+The smoke installs, reads runtime status, starts, stops, updates, uninstalls, and reads diagnostics
+for `cert-smoke`. It records only localhost metadata, status codes, and redacted response summaries;
+it does not prove live network publication. If it fails after install, verify the stop/delete
+cleanup before reusing the node.
+
+## Live-network beta certification
+
+Live-network beta certification is for release managers, not normal PR or nightly evidence. It
+validates the app ecosystem against a localhost Crypta node and operator-provided live fixtures.
+
+```bash
+CRYPTAD_CERT_LIVE_NETWORK_BETA=1 \
+CRYPTAD_CERT_REQUIRE_LIVE_NETWORK_BETA=1 \
+CRYPTAD_CERT_NODE_BASE_URL=http://127.0.0.1:8888 \
+CRYPTAD_CERT_FORM_PASSWORD=<redacted> \
+CRYPTAD_CERT_LIVE_CATALOG_SOURCE=crypta:USK@<catalog-key>/cryptad-app-catalog.properties \
+CRYPTAD_CERT_LIVE_CATALOG_EXPECTED_KEY_ID=crypta-first-party-beta \
+CRYPTAD_CERT_LIVE_CONTENT_FETCH_URI=crypta:CHK@<artifact-key> \
+CRYPTAD_CERT_LIVE_FEED_USK_URI=crypta:USK@<feed-key>/feed.json \
+CRYPTAD_CERT_LIVE_TEST_INSERT_URI_FILE=<protected-insert-uri-file> \
+tools/release-certification/run-release-certification.sh \
+  --mode release-candidate \
+  --live-network-beta \
+  --require-live-network-beta
+```
+
+Use disposable fixture catalog keys for rehearsals. Public fixture URIs may use
+`crypta:USK@<catalog-key>/cryptad-app-catalog.properties` for the catalog source and
+`crypta:CHK@<artifact-key>` for immutable bundle artifacts. The matching private insert URI is a
+bare private USK directory insert URI for the same catalog parent and must be loaded indirectly
+through `CRYPTAD_CERT_LIVE_TEST_INSERT_URI_ENV` or `CRYPTAD_CERT_LIVE_TEST_INSERT_URI_FILE`. If
+both are present, env-name indirection takes precedence and the summary records only fixture
+presence.
+Required live-network beta certification also requires
+`CRYPTAD_CERT_LIVE_CATALOG_EXPECTED_KEY_ID`. The runner compares that configured public key id with
+the `signatureKeyId` observed from the node's verified catalog summary and fails catalog evidence
+when it is unset, unavailable, or mismatched.
+
+The runner does not prove global propagation, public reputation, app safety beyond the signed
+catalog/bundle/review gates, or deletion of published bytes. Preserve only the sanitized summary,
+report, and matrix. Assume live synthetic content may remain retrievable and may not be deletable.
+The Trust Graph `trust.score` app-service invocation runs only when
+`CRYPTAD_CERT_LIVE_APP_SERVICE_SCORE=1` is set; otherwise it is reported as optional skipped
+evidence. App-facing workflow steps use app browser sessions minted from each configured static app
+bootstrap and never write those session tokens to artifacts. Required mode fails if an app-only
+route cannot authenticate as the app principal. Cleanup deletes only an app that was absent before
+the run and installed successfully by the smoke. Do not use real keys, production secrets, or user
+content in fixture certification runs.
+
 ## Maintainer closeout runbook
 
 Use this runbook to decide whether the ecosystem beta is ready for a release candidate.
@@ -141,7 +203,11 @@ Use this runbook to decide whether the ecosystem beta is ready for a release can
    tools/release-certification/run-release-certification.sh --mode release-candidate --out-dir build/release-certification
    ```
 
-5. Inspect the release summary and report.
+5. Run live-network beta certification when the release will claim public first-party beta catalog
+   readiness. Use the command above with disposable fixture keys unless the release manager is
+   intentionally publishing the candidate catalog.
+
+6. Inspect the release summary and report.
 
    ```text
    build/release-certification/release-certification-summary.json
@@ -152,17 +218,17 @@ Use this runbook to decide whether the ecosystem beta is ready for a release can
    build/release-certification/app-platform-smoke/app-platform-smoke-report.md
    ```
 
-6. Confirm the app-review governance evidence passes: review receipts, reviewer key lifecycle,
+7. Confirm the app-review governance evidence passes: review receipts, reviewer key lifecycle,
    local transparency log, review-history API, and first-party review chain.
-7. Confirm the legacy plugin migration guide evidence passes:
+8. Confirm the legacy plugin migration guide evidence passes:
    `legacy-plugin.migration-guide` and `legacy-plugin.social-inbox-spike`.
-8. Confirm legacy retirement evidence passes, including `legacy-admin.removal-wave-3`, and FProxy
+9. Confirm legacy retirement evidence passes, including `legacy-admin.removal-wave-3`, and FProxy
    browse remains retained.
-9. Confirm docs evidence passes: portal, beta tutorials, beta program, known limitations, issue
+10. Confirm docs evidence passes: portal, beta tutorials, beta program, known limitations, issue
    templates, internal links, and redaction checks.
-10. Confirm the ecosystem certification matrix includes `app-platform-beta-docs-and-program` and no
+11. Confirm the ecosystem certification matrix includes `app-platform-beta-docs-and-program` and no
    active blocker remains unless a release manager recorded an explicit waiver.
-11. Publish release notes with the known beta limitations and any accepted waivers or residual
+12. Publish release notes with the known beta limitations and any accepted waivers or residual
     risks.
 
 Release-candidate mode should require docs and beta evidence unless a release-manager waiver

docs/cryptad-release-workflow-and-runbook.md

@@ -85,6 +85,41 @@ Treat these as release blockers, in order:
    `cryptad-app-catalog.signature` is the sibling at the same USK edition. The catalog contract is
    documented in
    [app-catalogs.md](app-catalogs.md).
+   PR-246 live-network beta certification is an explicit release-manager wrapper mode. Run it only
+   with a localhost node, redacted environment variables, and disposable live fixtures unless the
+   release manager is intentionally publishing the candidate first-party beta catalog:
+   ```bash
+   CRYPTAD_CERT_LIVE_NETWORK_BETA=1 \
+   CRYPTAD_CERT_REQUIRE_LIVE_NETWORK_BETA=1 \
+   CRYPTAD_CERT_NODE_BASE_URL=http://127.0.0.1:8888 \
+   CRYPTAD_CERT_FORM_PASSWORD=<redacted> \
+   CRYPTAD_CERT_LIVE_CATALOG_SOURCE=crypta:USK@<catalog-key>/cryptad-app-catalog.properties \
+   CRYPTAD_CERT_LIVE_CATALOG_EXPECTED_KEY_ID=crypta-first-party-beta \
+   CRYPTAD_CERT_LIVE_CONTENT_FETCH_URI=crypta:CHK@<artifact-key> \
+   CRYPTAD_CERT_LIVE_FEED_USK_URI=crypta:USK@<feed-key>/feed.json \
+   CRYPTAD_CERT_LIVE_TEST_INSERT_URI_FILE=<protected-insert-uri-file> \
+   tools/release-certification/run-release-certification.sh \
+     --mode release-candidate \
+     --live-network-beta \
+     --require-live-network-beta
+   ```
+   The private insert URI must be the bare private USK directory insert URI for the same catalog
+   parent as the public `crypta:USK@<catalog-key>/cryptad-app-catalog.properties` fixture source.
+   Load it through `CRYPTAD_CERT_LIVE_TEST_INSERT_URI_ENV` or
+   `CRYPTAD_CERT_LIVE_TEST_INSERT_URI_FILE`, never as an inline shell assignment. Use env-name
+   indirection only when a protected channel already exported the private URI and the command names
+   that variable without showing its value; if both are present, env-name indirection wins
+   deterministically. In required mode `CRYPTAD_CERT_LIVE_CATALOG_EXPECTED_KEY_ID` must match the
+   node-observed public `signatureKeyId` from the verified catalog summary, otherwise catalog
+   evidence fails.
+   Preserve only the sanitized summary, report, and matrix, and assume live
+   synthetic content may remain retrievable and may not be deletable. Do not use real keys,
+   production secrets, or user content in fixture runs.
+   The live workflow mints app browser sessions from each configured static app bootstrap and keeps
+   those tokens in memory only. If a required app cannot provide a bootstrap session, required mode
+   fails instead of retrying as the host operator. Cleanup deletes only an app that was absent
+   before the run and installed successfully by the smoke; use disposable app ids when certifying
+   on a node that already has first-party apps installed.
 6. **Developer app CLI smoke, when `:platform-devtools` changes** - run
    `./gradlew :platform-devtools:test` and `./gradlew :platform-devtools:installDist`, then verify
    `platform-devtools/build/install/crypta-app/bin/crypta-app --help`. The CLI contract is
@@ -326,6 +361,16 @@ Treat these as release blockers, in order:
   unsanitized local paths to the release record. CI uploads contain sanitized certification
   artifacts only; preserve raw local or CI gate failure directories separately when deeper
   diagnostics are needed.
+- Run optional live AppHost lifecycle smoke only when a localhost node is prepared:
+  ```bash
+  CRYPTAD_CERT_APP_SMOKE_LIVE=1 \
+  CRYPTAD_CERT_NODE_BASE_URL=http://127.0.0.1:<port> \
+  CRYPTAD_CERT_FORM_PASSWORD=<redacted> \
+  tools/release-certification/run-release-certification.sh --mode nightly
+  ```
+  This proves local install/start/status/stop/update/uninstall paths for the generated sample app;
+  it does not prove live network publication or global app safety. The smoke attempts stop/delete
+  cleanup for `cert-smoke` after failures.
 
 ## Production Rollout
 - Publish descriptor and artifacts to the production USK.