@darkelogix/openclaw-trusted-mode 1.0.0-rc.0

package/CHANGELOG.md

@@ -0,0 +1,35 @@
+# Changelog
+
+Terminology and acronyms: [`GLOSSARY.md`](./GLOSSARY.md).
+
+## Acronym Expansions
+
+- `PDP`: Policy Decision Point
+- `PEP`: Policy Enforcement Point
+- `CLI`: Command Line Interface
+- `CI`: Continuous Integration
+
+## Unreleased
+- Add governed release artifacts (`SECURITY.md`, `RELEASE_v1.0.0.md`, compatibility matrix).
+- Add Trusted Mode Check attestation status contract (`ENFORCED_OK`, `LOCKDOWN_ONLY`, `UNSAFE`) with JSON output.
+- Add CI gates for release artifact and changelog version discipline.
+- Add runtime certification gating (`CERTIFIED_ENFORCED` vs `LOCKDOWN_ONLY`/`UNSUPPORTED`) in plugin.
+- Add signed `trusted_mode_attest` pack verification and trace/axis metadata in Trusted Mode Check output.
+- Add compatibility certification workflow and matrix sync script.
+- Add release operations hardening workflow with reproducible artifact checksum/manifest generation.
+- Add security evidence workflow, threat model summary, triage log, and third-party notices generation/review templates.
+- Add adversarial regression suite script and CI gate (tampered attestation, malformed PDP schema, unreachable PDP, uncertified runtime).
+- Add unified startup health verification script for plugin/PDP/attestation/certification checks.
+- Add performance benchmark automation (PDP p50/p95 + interception overhead), CI workflow, and published baseline report.
+- Add security gate automation (`verify-security-gates`) with vulnerability threshold enforcement and triage log validation.
+- Add generated `SECURITY_RELEASE_INDEX.md` artifact and workflow integration for release evidence traceability.
+- Add enterprise hardening options in plugin config (`toolPolicyMode`, `allowedTools`, `requireTenantId`, `allowedTenantIds`) with fail-closed validation behavior.
+- Add plugin schema/runtime contract check (`verify-plugin-schema-contract`) and CI enforcement.
+- Add consolidated release evidence bundling command (`bundle-release-evidence`) and release workflow artifact publication.
+- Add enterprise TCTP/EVTP validation matrix runner (`npm run test-pack-matrix`) against live PDP.
+- Add release documentation for deterministic certification proof (`decision_proof`) vs timestamped operational `outcome_event`.
+
+## v1.0.0
+- Add Trusted Mode Check CLI (Node) with mock PDP for CI.
+- Add CI workflow to run build, tests, and CLI against mock PDP.
+- Enforce PDP timeout/fail-closed behavior and constraint checks in PEP.

package/GLOSSARY.md

@@ -0,0 +1,51 @@
+# Glossary
+
+This glossary defines terms used across the OpenClaw Trusted Mode plugin and related SDE runtime docs.
+
+## Core architecture terms
+
+- **SDE**: Strategic Decision Engine. The policy/decision platform used to evaluate governance rules.
+- **PDP**: Policy Decision Point. The service endpoint that returns allow/deny decisions.
+- **PEP**: Policy Enforcement Point. The runtime component that enforces PDP decisions.
+  In this project, the OpenClaw plugin is the PEP.
+- **OpenClaw plugin**: The `openclaw-trusted-mode` extension that intercepts tool calls and queries PDP.
+- **Policy pack**: Versioned JSON rule bundle used by PDP to decide allow/deny outcomes.
+- **Policy variant**: A named policy pack version (for example `guard-pro.v2026.02`).
+- **Entitlement**: Tenant-level authorization to use a decision capability (`decision_sku`).
+- **Tenant**: Logical customer/environment boundary for policy and entitlement isolation.
+
+## Decision and evidence terms
+
+- **Decision SKU**: Canonical identifier for a governed decision contract
+  (for example `openclaw.trusted_mode.authorize.v1`).
+- **Allow path**: Expected decision flow where a low-risk request returns `decision=allow`.
+- **Deny path**: Expected decision flow where a blocked request returns `decision=deny`.
+- **Fail-closed**: If PDP is unavailable, block tool execution for safety.
+- **Fail-open**: If PDP is unavailable, allow execution for availability.
+- **`decision_hash`**: Deterministic hash of decision output used for traceability.
+- **`decision_proof`**: Deterministic proof artifact (optionally signed) tied to a decision.
+- **`outcome_event`**: Operational event artifact emitted with decision context.
+- **Audit export**: JSON Lines (`.jsonl`) records for downstream audit/SIEM processing.
+
+## Packaging and deployment terms
+
+- **Reference stack**: Compose deployment including PDP, hardening service, and license service.
+- **Air-gapped deployment**: Installation with no outbound internet dependency at runtime.
+- **FQDN**: Fully Qualified Domain Name (for example `license.example.com`).
+
+## Tooling and operations terms
+
+- **CLI**: Command Line Interface.
+- **OpenClaw CLI**: `openclaw` command used to install/manage plugins and gateway state.
+- **`sde-cli`**: SDE command-line tool from `core/sde-core`.
+- **WSL**: Windows Subsystem for Linux.
+- **CI**: Continuous Integration pipeline automation.
+- **SLA**: Service Level Agreement (support response/mitigation targets).
+- **MTTD**: Mean Time To Detect.
+- **MTTR**: Mean Time To Resolve.
+
+## Severity shorthand used in operations
+
+- **P1**: Highest-priority incident (critical governance bypass or full outage risk).
+- **P2**: High-priority incident (major partial impact).
+- **P3**: Lower-priority incident (non-critical degradation or documentation/tooling issue).

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Darkelogix
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,201 @@
+# @darkelogix/openclaw-trusted-mode
+
+Terminology and acronyms: [`GLOSSARY.md`](./GLOSSARY.md).
+
+## Acronym Expansions
+
+- `SDE`: Strategic Decision Engine
+- `PDP`: Policy Decision Point
+- `WSL`: Windows Subsystem for Linux
+- `CI`: Continuous Integration
+
+OpenClaw plugin that enforces Trusted Mode policy checks on `before_tool_call`.
+Documentation index (by audience and task): [`docs/README.md`](./docs/README.md).
+
+## npm Package
+
+Install the public MIT adapter/plugin package with:
+
+```bash
+npm install @darkelogix/openclaw-trusted-mode
+```
+
+## What `npm install` gives you
+
+`npm install @darkelogix/openclaw-trusted-mode` gives you the MIT adapter/plugin layer and standalone hardening flow only. It does not grant access to the proprietary SDE runtime, enterprise deployment packs, or governed tenant entitlements.
+
+## Need governed mode?
+
+If you want SDE-backed governed mode, obtain your licensed SDE runtime and deployment instructions from the Darkelogix customer console. Use the public npm package for adapter installation, then connect it to your licensed SDE environment for governed authorization, evidence, and rollout controls.
+
+The npm package contains the MIT plugin files and standalone hardening logic only.
+It does not include the proprietary `sde-enterprise` runtime.
+
+## Licensing
+
+`openclaw-trusted-mode` is licensed under the MIT License.
+
+`sde-enterprise`, including the SDE PDP runtime and related enterprise deployment assets, is proprietary software and is not covered by the plugin's MIT license. Use, copying, modification, distribution, or deployment of the SDE runtime requires a separate commercial license or written permission from Darkelogix.
+
+First-time setup (download/install/configure/test/run): [`START_HERE.md`](./START_HERE.md).
+Troubleshooting decision tree: [`SELF_SERVICE_FAQ.md`](./SELF_SERVICE_FAQ.md).
+Org defaults and support metadata: `<org-values-file>`.
+One-command setup: `powershell -ExecutionPolicy Bypass -File <bootstrap-self-service-script-path>`.
+For full install/reinstall/uninstall/startup/config/troubleshooting guidance across both plugin and SDE-PDP, see [`OPERATIONS_GUIDE.md`](./OPERATIONS_GUIDE.md).
+For a simpler operator runbook, see [`RUNBOOK_NON_TECHNICAL.md`](./RUNBOOK_NON_TECHNICAL.md).
+For go-live gating, use [`PRODUCTION_READINESS_CHECKLIST.md`](./PRODUCTION_READINESS_CHECKLIST.md).
+For a pre-filled starting point, use [`PRODUCTION_READINESS_CHECKLIST_EXAMPLE.md`](./PRODUCTION_READINESS_CHECKLIST_EXAMPLE.md).
+For alternate port deployments, use [`PRODUCTION_READINESS_CHECKLIST_EXAMPLE_ALT_PORTS.md`](./PRODUCTION_READINESS_CHECKLIST_EXAMPLE_ALT_PORTS.md).
+For public launch readiness, use [`PUBLIC_RELEASE_READINESS_CHECKLIST.md`](./PUBLIC_RELEASE_READINESS_CHECKLIST.md).
+For end-to-end public release execution steps (what/where/how), use [`PUBLIC_RELEASE_PROCESS_RUNBOOK.md`](./PUBLIC_RELEASE_PROCESS_RUNBOOK.md).
+For certified runtime support status, see [`COMPATIBILITY_MATRIX.md`](./COMPATIBILITY_MATRIX.md).
+For vulnerability reporting and security posture, see [`SECURITY.md`](./SECURITY.md).
+For release hardening process, see [`RELEASE_OPERATIONS.md`](./RELEASE_OPERATIONS.md).
+For security evidence indexing, see [`SECURITY_EVIDENCE_BUNDLE.md`](./SECURITY_EVIDENCE_BUNDLE.md).
+For performance baseline evidence, see [`PERFORMANCE_BASELINE.md`](./PERFORMANCE_BASELINE.md).
+For governed release declaration, see [`RELEASE_v1.0.0.md`](./RELEASE_v1.0.0.md).
+
+## What it does
+
+- Free standalone mode defaults to local hardening with a minimal allowlist:
+  - `read_file`
+  - `list_files`
+  - `search_files`
+- Blocks high-risk tools such as `exec`, file writes/edits, and deletes unless you deliberately widen the policy.
+- Sends tool call context to a Policy Decision Point (PDP) endpoint.
+- Denies execution when PDP returns a deny decision.
+- Optionally enforces returned constraints.
+- Supports fail-closed (default) or fail-open behavior.
+
+## Free vs Paid
+
+The product boundary should be explicit at install time:
+
+- `npm install` gets you the adapter/plugin and standalone hardening path
+- governed mode requires a separately licensed SDE deployment
+- the customer console is the supported way to obtain governed runtime artifacts and deployment instructions
+
+
+- Free standalone use:
+  - useful as a local hardening layer
+  - works without `sde-enterprise`
+  - best for "read/search only" OpenClaw sessions
+- Paid / enterprise use:
+  - PDP-backed authorization and deny decisions
+  - signed policy packs
+  - tenant entitlements and governed rollout
+  - release attestation and compatibility certification
+
+## Build and test
+
+```powershell
+npm run build
+npm test
+npm run adversarial-check
+npm run performance-benchmark
+npm run test-pack-matrix
+```
+
+## Trusted Mode Check
+
+```bash
+npm run trusted-mode-check
+npm run trusted-mode-check -- --json
+```
+
+`trusted-mode-check` is a PDP-backed validation path. It is useful for SDE-integrated deployments, not for standalone free-mode validation.
+
+JSON output status values:
+- `ENFORCED_OK`
+- `LOCKDOWN_ONLY`
+- `UNSAFE`
+
+Attestation pack inputs:
+- `attestation/trusted_mode_attest_v1.json`
+- `attestation/trusted_mode_attest_v1.sig`
+
+Runtime/certification env vars:
+- `CERTIFICATION_STATUS` (`CERTIFIED_ENFORCED` | `LOCKDOWN_ONLY` | `UNSUPPORTED`)
+- `OPENCLAW_VERSION`
+- `EXPECTED_STATUS` (optional CI assertion override)
+
+## Local install in OpenClaw (WSL)
+
+```bash
+openclaw plugins install /mnt/c/path/to/openclaw-trusted-mode
+openclaw plugins info openclaw-trusted-mode
+```
+
+For a standalone free-mode config, start from [`openclaw.user-config.entry.example.json`](./openclaw.user-config.entry.example.json).
+
+## Plugin config
+
+See [`openclaw.plugin.json`](./openclaw.plugin.json) for config schema and defaults, including:
+
+- `pdpUrl`
+- `policyVariant`
+- `pdpTimeoutMs`
+- `failClosed`
+- `tenantId`
+- `certificationStatus`
+- `openclawVersion`
+- `certifiedOpenClawVersions`
+- `highRiskTools`
+- `toolPolicyMode`
+- `allowedTools`
+- `requireTenantId`
+- `allowedTenantIds`
+- `contextCurator`
+
+Recommended standalone free-mode baseline:
+
+```json
+{
+  "toolPolicyMode": "ALLOWLIST_ONLY",
+  "allowedTools": ["read_file", "list_files", "search_files"],
+  "failClosed": true,
+  "certificationStatus": "LOCKDOWN_ONLY"
+}
+```
+
+Recommended paid / PDP-backed baseline:
+
+```json
+{
+  "toolPolicyMode": "PDP",
+  "pdpUrl": "http://localhost:8001/v1/authorize",
+  "tenantId": "trial-tenant",
+  "failClosed": true,
+  "certificationStatus": "LOCKDOWN_ONLY"
+}
+```
+
+## Compatibility Matrix Automation
+
+```bash
+npm run update-compatibility-matrix
+npm run verify-compatibility-matrix
+```
+
+## Security Gates
+
+```bash
+npm run collect-security-evidence
+npm run generate-security-release-index
+npm run verify-security-gates
+```
+
+## Schema Contract and Evidence Bundle
+
+```bash
+npm run verify-plugin-schema-contract
+npm run bundle-release-evidence
+```
+
+## Startup Health Verification
+
+```bash
+npm run startup-health-check -- --skip-plugin-check
+```
+
+

package/SELF_SERVICE_FAQ.md

@@ -0,0 +1,151 @@
+# Self-Service FAQ
+
+Terminology and acronyms: [`GLOSSARY.md`](./GLOSSARY.md).
+
+## Acronym Expansions
+
+- `SDE`: Strategic Decision Engine
+- `PDP`: Policy Decision Point
+- `CLI`: Command Line Interface
+- `FQDN`: Fully Qualified Domain Name
+- `SKU`: Stock Keeping Unit
+- `WSL`: Windows Subsystem for Linux
+
+## 1) `openclaw` command not found
+
+Install OpenClaw CLI and verify:
+
+```powershell
+openclaw --version
+```
+
+If still not found:
+
+1. Confirm CLI install location is on PATH.
+2. Open a new terminal and retry.
+
+## 2) PDP health check fails
+
+If you are using the free standalone plugin mode, you can ignore this section. PDP is required only for SDE-backed governed mode.
+
+1. Start/restart PDP:
+
+```powershell
+Set-Location <sde-enterprise-path>
+docker compose -f ops/docker-compose.pdp.yml up --build -d
+```
+
+2. Retry health:
+
+```powershell
+curl -s http://localhost:8001/healthz
+```
+
+Expected: `{"status":"ok"}`.
+
+If not:
+
+- Check container status: `docker ps`
+- Check PDP logs: `docker compose -f ops/docker-compose.pdp.yml logs`
+
+## 3) Plugin not loaded
+
+```powershell
+Set-Location <openclaw-trusted-mode-path>
+npm install
+npm run build
+openclaw plugins install <openclaw-trusted-mode-path> --no-color
+openclaw plugins info openclaw-trusted-mode --no-color
+```
+
+Expected: plugin status is `loaded`.
+
+If not loaded:
+
+1. Confirm plugin ID matches `openclaw-trusted-mode`.
+2. Reinstall plugin and restart OpenClaw gateway.
+
+## 4) Actions are allowed when they should be denied
+
+If you are using standalone free mode, check these first:
+
+1. Confirm `toolPolicyMode` is `ALLOWLIST_ONLY`.
+2. Confirm the blocked tool is not present in `allowedTools`.
+3. For shell execution, verify the runtime tool name is `exec`.
+
+Run SDE smoke test:
+
+```powershell
+Set-Location <sde-enterprise-path>
+powershell -ExecutionPolicy Bypass -File scripts\first_success_smoke.ps1
+```
+
+Then verify:
+
+1. Active policy pack includes exact runtime tool key.
+2. Tenant variant mapping points to intended variant.
+3. Entitlement and tenant ID are correct.
+
+## 5) `[Trusted Mode BLOCKED] fetch failed`
+
+Meaning: plugin cannot reach PDP.
+
+If you intended to use the free standalone plugin only, switch to:
+
+- `toolPolicyMode = ALLOWLIST_ONLY`
+- a non-empty `allowedTools` list
+
+That removes the PDP dependency.
+
+Check in order:
+
+1. PDP is running and healthy.
+2. Plugin `pdpUrl` points to reachable host/port.
+3. If using WSL, test `host.docker.internal` endpoint.
+4. Keep `failClosed=true` in production.
+
+## 6) License endpoint or support placeholders are unresolved
+
+Define and verify the values from `START_HERE.md` section "Remaining org-specific values to fill once":
+
+1. License server FQDN.
+2. Support contacts and escalation channel.
+3. Artifact/registry coordinates used by your deployment.
+
+After setting values:
+
+1. Re-run licensing/activation check (`sde-cli license status`).
+2. Re-run pilot or production readiness checklist.
+
+## 7) `ENTITLEMENT_DENIED` for expected active tenant
+
+1. Inspect `ops/entitlements.json` for exact tenant key and SKU.
+2. Confirm request `tenant_id` matches exactly.
+3. Restart PDP after file changes.
+4. Re-test with:
+
+```powershell
+Set-Location <sde-enterprise-path>
+python ops\pdp_admin_cli.py authorize-test --tenant-id <tenant_id> --tool-name read_file --gateway-id gw-1 --environment prod
+```
+
+## 8) Policy pack signature verification errors
+
+1. Confirm both files exist for active variant:
+- `<variant>.json`
+- `<variant>.sig`
+2. Validate with:
+
+```powershell
+Set-Location <sde-enterprise-path>
+python ops\pdp_admin_cli.py validate-policy-pack --variant <variant>
+```
+
+3. If validation fails, restore known-good signed pair and restart PDP.
+
+## 9) Where to go next
+
+- First-time setup: `START_HERE.md`
+- Detailed operations: `OPERATIONS_GUIDE.md`
+- Non-technical operations: `RUNBOOK_NON_TECHNICAL.md`
+- Governance controls: `<sde-enterprise-path>\docs\governance_control_plane.md`

package/START_HERE.md

@@ -0,0 +1,204 @@
+# Start Here: Self-Service Setup
+
+This guide assumes an npm-first customer path:
+
+- install the public adapter/plugin from npm
+- use standalone mode immediately if you only need local hardening
+- obtain the licensed SDE runtime and deployment materials through the Darkelogix customer console only if you want governed mode
+
+Terminology and acronyms: [`GLOSSARY.md`](./GLOSSARY.md).
+
+## Acronym Expansions
+
+- `SDE`: Strategic Decision Engine
+- `PDP`: Policy Decision Point
+- `CLI`: Command Line Interface
+
+This guide is the single entrypoint for first-time users of:
+
+- `<openclaw-trusted-mode-path>` (plugin)
+- `<sde-enterprise-path>` (Strategic Decision Engine (SDE) Policy Decision Point (PDP) runtime)
+
+Goal: download, install, configure, test, and run without direct support.
+
+There are two valid setup paths:
+
+- npm package: public adapter/plugin only
+- customer console: licensed SDE runtime, deployment bundles, and governed rollout instructions
+
+Then choose one of these runtime paths:
+
+- Free standalone plugin hardening:
+  - local allowlist-only mode
+  - no SDE PDP required
+- SDE-backed governed mode:
+  - requires `<sde-enterprise-path>`
+  - adds PDP authorization, signed policy packs, and entitlements
+
+Org-specific values are centralized in `<org-values-file>`.
+
+## 0) One-command bootstrap (recommended)
+
+If you are coming from the public npm package, you can install it first with:
+
+```powershell
+npm install @darkelogix/openclaw-trusted-mode
+```
+
+Use the bootstrap path when you want the guided local setup flow.
+
+
+```powershell
+powershell -ExecutionPolicy Bypass -File <bootstrap-self-service-script-path>
+```
+
+Optional (also install `sde-cli`):
+
+```powershell
+powershell -ExecutionPolicy Bypass -File <bootstrap-self-service-script-path> -InstallSdeCli
+```
+
+## 1) Prerequisites
+
+- Windows PowerShell 7+ or bash
+- Git
+- Docker Desktop (or Docker Engine + Compose)
+- Node.js 22.x (plugin build/runtime)
+- Python 3.11+ (for `sde-cli` and plugin matrix test)
+- OpenClaw Command Line Interface (CLI) available in shell as `openclaw`
+
+Quick version checks:
+
+```powershell
+node --version
+python --version
+docker --version
+docker compose version
+openclaw --version
+```
+
+## 2) Acquire the two repos
+
+Option A: you already have them locally at:
+
+- `<openclaw-trusted-mode-path>`
+- `<sde-enterprise-path>`
+
+Option B: clone them:
+
+```powershell
+git clone <openclaw-trusted-mode-repo-url> <openclaw-trusted-mode-path>
+git clone <sde-enterprise-repo-url> <sde-enterprise-path>
+```
+
+## 3) Configure known-good local defaults
+
+1. Create local SDE env file:
+
+```powershell
+Copy-Item <sde-enterprise-path>\.env.example <sde-enterprise-path>\.env -Force
+```
+
+2. Use the default tenant/policy mapping (already present in repo):
+- `<sde-enterprise-path>\ops\entitlements.json`
+- `<sde-enterprise-path>\ops\tenant_variants.json`
+
+3. Optional plugin config template:
+- `<openclaw-trusted-mode-path>\openclaw.user-config.entry.example.json`
+
+## 4) Free standalone plugin install
+
+Use this path if you want practical local hardening without SDE PDP.
+
+```powershell
+Set-Location <openclaw-trusted-mode-path>
+npm install
+npm run build
+openclaw plugins install <openclaw-trusted-mode-path> --no-color
+openclaw plugins info openclaw-trusted-mode --no-color
+```
+
+Expected: plugin status is `loaded`.
+
+Default free posture:
+
+- `toolPolicyMode = ALLOWLIST_ONLY`
+- `allowedTools = ["read_file", "list_files", "search_files"]`
+- shell/write/delete tools blocked locally
+
+## 5) Build and run SDE PDP (Policy Decision Point)
+
+Use this governed path only after you have licensed access to SDE. The supported customer-facing way to obtain the runtime, bundles, and instructions is through the Darkelogix customer console, not by assuming direct source-repo access.
+
+
+Use the hardened profile for all production-style and release validation runs.
+
+```powershell
+Set-Location <sde-enterprise-path>
+docker compose -f ops/docker-compose.pdp.yml -f ops/docker-compose.pdp.hardened.yml up --build -d
+```
+
+Verify health:
+
+```powershell
+curl -s http://localhost:8001/healthz
+```
+
+Expected:
+
+```json
+{"status":"ok"}
+```
+
+## 6) Build and install plugin for SDE-backed mode
+
+```powershell
+Set-Location <openclaw-trusted-mode-path>
+npm install
+npm run build
+openclaw plugins install <openclaw-trusted-mode-path> --no-color
+openclaw plugins info openclaw-trusted-mode --no-color
+```
+
+Expected: plugin status is `loaded`.
+
+## 7) Run first-success smoke tests
+
+Standalone free-mode smoke test:
+
+1. Confirm `read_file` still works in OpenClaw.
+2. Confirm high-risk actions such as `exec` are blocked.
+
+SDE-backed smoke test:
+
+```powershell
+Set-Location <sde-enterprise-path>
+powershell -ExecutionPolicy Bypass -File scripts\first_success_smoke.ps1
+```
+
+Run plugin startup health:
+
+```powershell
+Set-Location <openclaw-trusted-mode-path>
+powershell -ExecutionPolicy Bypass -File scripts\first_success_smoke.ps1
+```
+
+## 8) Day-2 operations docs
+
+- Primary technical ops: `<openclaw-trusted-mode-path>\OPERATIONS_GUIDE.md`
+- Non-technical runbook: `<openclaw-trusted-mode-path>\RUNBOOK_NON_TECHNICAL.md`
+- SDE deployment docs: `<sde-enterprise-path>\README.md`
+
+## 9) Remaining org-specific values to fill once
+
+For full production self-service, define these values once in your operations documentation:
+
+1. `<openclaw-trusted-mode-repo-url>`
+2. `<sde-enterprise-repo-url>`
+3. `<license-server-fqdn>`
+4. Support contact block (owner/channel/email)
+5. Private registry/image coordinates (if used)
+
+These values are release-ops inputs, not blockers for local build/test validation.
+
+