# Installation Authority Tooling

The Product Root private key must stay outside the repository and outside the
cluster database. The backend stores only the public key and signed activation
records.

Generate a Product Root key pair:

```powershell
go run scripts/installation/product-root-tool.go generate-key
```

Configure production backend nodes with the generated `public_key_b64`:

```powershell
$env:INSTALLATION_AUTHORITY_MODE = "strict"
$env:INSTALLATION_PRODUCT_ROOT_PUBLIC_KEY_B64 = "<public_key_b64>"
```

Create a signed first-owner activation manifest:

```powershell
go run scripts/installation/product-root-tool.go activate `
  -private-key-file C:\secure\rap-product-root.json `
  -install-id install-prod-001 `
  -owner-email owner@example.com `
  -expires-at 2026-05-01T00:00:00Z `
  -environment production
```

Use the output `activation_payload` and `activation_signature` in the admin
panel first-owner screen or in `POST /api/v1/installation/bootstrap-owner`.