Trichakra Nexus® DACC v4.00.6

Section C Launch Readiness Demo — Static HTML, no external calls, no real secrets.

1. Install / Update / Rollback Flow

Fresh Install
DOMAIN=www.trichakra.ltd bash deploy/fresh_install.sh
Creates DB, generates secrets, prints VAULT KEY once. Never shows again.

Update existing
bash deploy/update_release.sh /path/to/package.zip
Backs up first, preserves .env, runs migrations forward only.

Rollback
bash deploy/rollback_release.sh /root/nexus-backups/backup-20240101
Restores code only. .env preserved. DB rollback is manual.

Deploy Doctor
bash deploy/deploy_doctor.sh
Checks: migration 009, nexus_modules, commerce_engine=not_installed, /health, /auth/setup-status, /modules/my.

2. Module Activation Flow

Check module registry — GET /api/v1/modules — lists 19 modules (admin only)

Activate module — POST /api/v1/modules/{key}/activate — checks dependencies, audit-logged

Inactive module access — returns 403 module_disabled

Staff visibility — GET /api/v1/modules/my — returns only allowed active modules; hidden modules not exposed

3. Permission Matrix

Action	Admin	Staff
Activate/deactivate module	✅ Yes	❌ 403 + audit
Change module permissions	✅ Yes	❌ 403 + audit
See hidden module names	✅ Yes	❌ Not exposed
View audit logs	✅ Yes	❌ No
Apply ad recommendation	❌ Never	❌ Never

4. Vault Model

All credentials stored via Vault (AES-256-GCM encrypted). AAD frozen: rklifeops-vault-v1

VAULT_ENCRYPTION_KEY generated at install, printed ONCE — never stored in code or DB

Modules with secret access require explicit approval: nexus_module_secrets_access.approved = true

No tokens/keys in frontend, logs, or API responses

5. First Admin Setup

python3 backend/app/scripts/create_first_admin.py --email admin@yourdomain.com --name "Name"

Verify: GET /api/v1/auth/setup-status → {"admin_exists": true, "module_system_ready": true}

Open Module Center → activate needed modules → run deploy_doctor

6. Backup / Restore Flow

bash deploy/backup.sh → saves code + frontend + DB dump + .env (restricted 600)

bash deploy/test_restore.sh /root/nexus-backups/backup-XYZ → verifies backup integrity

bash deploy/restore_backup.sh /root/nexus-backups/backup-XYZ → restores code; .env preserved

7. Launch Checklist

Check	Status
Migration head = 009	Verify with deploy_doctor
Module registry seeded (19 modules)	Auto on startup
commerce_engine = not_installed	Enforced
No write-enabled modules	Default false
No API keys in frontend	Verified by test
No browser LLM calls	Verified by test
Admin created + TOTP enabled	Manual step
VAULT_ENCRYPTION_KEY saved offline	Manual — do not skip

Static demo — no external calls, no real secrets, no private data · DACC v4.00.6 · www.trichakra.ltd