stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

Add tests and implement timeline ingestion options with NATS and Redis subscribers

Browse Source 
- Introduced `BinaryReachabilityLifterTests` to validate binary lifting functionality.
- Created `PackRunWorkerOptions` for configuring worker paths and execution persistence.
- Added `TimelineIngestionOptions` for configuring NATS and Redis ingestion transports.
- Implemented `NatsTimelineEventSubscriber` for subscribing to NATS events.
- Developed `RedisTimelineEventSubscriber` for reading from Redis Streams.
- Added `TimelineEnvelopeParser` to normalize incoming event envelopes.
- Created unit tests for `TimelineEnvelopeParser` to ensure correct field mapping.
- Implemented `TimelineAuthorizationAuditSink` for logging authorization outcomes.
This commit is contained in:
StellaOps Bot
2025-12-03 09:46:48 +02:00
parent e923880694
commit 35c8f9216f
520 changed files with 4416 additions and 31492 deletions
Download Patch File Download Diff File Expand all files Collapse all files

139
docs/implplan/SPRINT_506_ops_devops_iv.md
View File

@@ -1,61 +1,84 @@
# Sprint 506 - Ops & Offline · 190.B) Ops Devops.IV
# Sprint 506 · Ops DevOps IV (Ops & Offline 190.B)
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
## Topic & Scope
- Ops & Offline focus on DevOps phase IV: incident automation, orchestrator observability, policy CI, signing/SDK pipelines, and mirror signing.
- Consolidate CI helpers, dashboards, and signing assets; document runbooks and cleanup paths.
- **Working directory:** ops/devops (and associated ops/devops/* subfolders).
[Ops & Offline] 190.B) Ops Devops.IV
Depends on: Sprint 190.B - Ops Devops.III
Summary: Ops & Offline focus on Ops Devops (phase IV).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DEVOPS-OBS-55-001 | DONE (2025-11-25) | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. Dependencies: DEVOPS-OBS-54-001. | DevOps Guild, Ops Guild (ops/devops)
DEVOPS-ORCH-32-001 | DONE (2025-11-25) | Provision orchestrator Postgres/message-bus infrastructure, add CI smoke deploy, seed Grafana dashboards (queue depth, inflight jobs), and document bootstrap. | DevOps Guild, Orchestrator Service Guild (ops/devops)
DEVOPS-ORCH-33-001 | DONE (2025-11-25) | Publish Grafana dashboards/alerts for rate limiter, backpressure, error clustering, and DLQ depth; integrate with on-call rotations. Dependencies: DEVOPS-ORCH-32-001. | DevOps Guild, Observability Guild (ops/devops)
DEVOPS-ORCH-34-001 | DONE (2025-11-25) | Harden production monitoring (synthetic probes, burn-rate alerts, replay smoke), document incident response, and prep GA readiness checklist. Dependencies: DEVOPS-ORCH-33-001. | DevOps Guild, Orchestrator Service Guild (ops/devops)
DEVOPS-POLICY-27-001 | DONE (2025-11-25) | Add CI pipeline stages to run `stella policy lint | DevOps Guild, DevEx/CLI Guild (ops/devops)
DEVOPS-POLICY-27-002 | DONE (2025-11-25) | Provide optional batch simulation CI job (staging inventory) that triggers Registry run, polls results, and posts markdown summary to PR; enforce drift thresholds. Dependencies: DEVOPS-POLICY-27-001. | DevOps Guild, Policy Registry Guild (ops/devops)
DEVOPS-POLICY-27-003 | DONE (2025-11-25) | Manage signing key material for policy publish pipeline (OIDC workload identity + cosign), rotate keys, and document verification steps; integrate attestation verification stage. Dependencies: DEVOPS-POLICY-27-002. | DevOps Guild, Security Guild (ops/devops)
DEVOPS-POLICY-27-004 | DONE (2025-11-25) | Create dashboards/alerts for policy compile latency, simulation queue depth, approval latency, and promotion outcomes; integrate with on-call playbooks. Dependencies: DEVOPS-POLICY-27-003. | DevOps Guild, Observability Guild (ops/devops)
DEVOPS-REL-17-004 | DONE (2025-11-23) | Release workflow now uploads `out/release/debug` (build-id tree + manifest) as a separate artefact and fails when symbols are missing. | DevOps Guild (ops/devops)
DEVOPS-RULES-33-001 | DONE (2025-11-25) | Contracts & Rules anchor:<br>• Gateway proxies only; Policy Engine composes overlays/simulations.<br>• AOC ingestion cannot merge; only lossless canonicalization.<br>• One graph platform: Graph Indexer + Graph API. Cartographer retired. | DevOps Guild, Platform Leads (ops/devops)
DEVOPS-SDK-63-001 | DONE (2025-11-25) | Provision registry credentials, signing keys, and secure storage for SDK publishing pipelines. | DevOps Guild, SDK Release Guild (ops/devops)
DEVOPS-SIG-26-001 | DONE (2025-11-25) | Provision CI/CD pipelines, Helm/Compose manifests for Signals service, including artifact storage and Redis dependencies. | DevOps Guild, Signals Guild (ops/devops)
DEVOPS-SIG-26-002 | DONE (2025-11-25) | Create dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. Dependencies: DEVOPS-SIG-26-001. | DevOps Guild, Observability Guild (ops/devops)
DEVOPS-TEN-47-001 | BLOCKED (2025-11-25) | Add JWKS cache monitoring, signature verification regression tests, and token expiration chaos tests to CI. | DevOps Guild (ops/devops)
DEVOPS-TEN-48-001 | BLOCKED (2025-11-25) | Build integration tests to assert RLS enforcement, tenant-prefixed object storage, and audit event emission; set up lint to prevent raw SQL bypass. Dependencies: DEVOPS-TEN-47-001. | DevOps Guild (ops/devops)
DEVOPS-CI-110-001 | DONE (2025-11-25) | CI helper + TRX slices published at `ops/devops/ci-110-runner/` (artefacts: `ops/devops/artifacts/ci-110/20251125T030557Z/`). Warm restore, OpenSSL 1.1 check, Concelier health + Excititor airgap import smoke. | DevOps Guild, Concelier Guild, Excititor Guild (ops/devops)
MIRROR-CRT-56-CI-001 | DONE (2025-11-25) | Promote `make-thin-v1.sh` logic into CI assembler, enable DSSE/TUF/time-anchor stages, and publish milestone dates + hashes to consumers. Uses `MIRROR_SIGN_KEY_B64` from Gitea secrets. | Mirror Creator Guild, DevOps Guild (ops/devops)
MIRROR-CRT-56-002 | DONE (2025-11-25) | Release signing for thin bundle v1; install secret `MIRROR_SIGN_KEY_B64` (Ed25519 PEM, provided 2025-11-24) and rerun `.gitea/workflows/mirror-sign.yml` with `REQUIRE_PROD_SIGNING=1`. | Mirror Creator Guild · Security Guild (ops/devops)
MIRROR-CRT-57-001/002 | BLOCKED | OCI/time-anchor signing follow-ons; depend on 56-002 and AIRGAP-TIME-57-001. | Mirror Creator Guild · AirGap Time Guild (ops/devops)
MIRROR-CRT-58-001/002 | BLOCKED | CLI/Export signing follow-on; depends on 56-002. | Mirror Creator · CLI · Exporter Guilds (ops/devops)
EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | BLOCKED | Export/airgap provenance chain; needs signed thin bundle + time anchors. | Exporter Guild · AirGap Time · CLI Guild (ops/devops)
DEVOPS-LEDGER-29-009-REL | BLOCKED (2025-11-25) | Release/offline-kit packaging for ledger manifests/backups; depends on LEDGER-29-009 dev outputs. | DevOps Guild, Findings Ledger Guild (ops/devops)
DEVOPS-LEDGER-TEN-48-001-REL | BLOCKED (2025-11-25) | Apply RLS/partition migrations in release pipelines; publish manifests/offline-kit artefacts. | DevOps Guild, Findings Ledger Guild (ops/devops)
DEVOPS-SCANNER-JAVA-21-011-REL | BLOCKED (2025-11-25) | Package/sign Java analyzer plug-in for release/offline kits; depends on SCANNER-ANALYZERS-JAVA-21-011 dev. | DevOps Guild, Java Analyzer Guild (ops/devops)
## Dependencies & Concurrency
- Depends on Sprint 190.B Ops DevOps III artifacts.
- Mirror signing follow-ons depend on AIRGAP-TIME-57-001 and thin bundle v1 outputs.
- Tenant chaos/tests depend on Authority tenancy harness availability.
Updates
-------
- 2025-11-25 · DEVOPS-CI-110-001 runner published at `ops/devops/ci-110-runner/`; initial TRX slices stored under `ops/devops/artifacts/ci-110/20251125T030557Z/` (Concelier health, Excititor airgap import).
- 2025-11-25 · MIRROR-CRT-56-CI-001 completed: CI signing script now emits milestone hash summary, enforces DSSE/TUF/time-anchor steps, and uploads `milestone.json` via `mirror-sign.yml`.
- 2025-11-25 · DEVOPS-OBS-55-001 completed: added offline incident-mode automation script (`scripts/observability/incident-mode.sh`) and runbook (`ops/devops/observability/incident-mode.md`) to auto-toggle incident flag, retention overrides, and cooldown reset based on burn rate inputs.
- 2025-11-25 · DEVOPS-ORCH-32-001 completed: added orchestrator infra compose stack (Postgres+Mongo+NATS), smoke script (`scripts/orchestrator/smoke.sh`), alerts, Grafana dashboard, and bootstrap README under `ops/devops/orchestrator/`.
- 2025-11-25 · DEVOPS-ORCH-33-001 completed: expanded orchestrator Grafana with DLQ/backpressure/error panels and alerts (`ops/devops/orchestrator/alerts.yaml`); dashboard lives at `ops/devops/orchestrator/grafana/orchestrator-overview.json`.
- 2025-11-25 · DEVOPS-POLICY-27-003 completed: cosign key rotation/signing/attestation scripts added (`scripts/policy/rotate-key.sh`, `sign-policy.sh`, `attest-verify.sh`), CI attestation verification stage wired into `.gitea/workflows/policy-simulate.yml`, and runbook recorded at `ops/devops/policy-signing.md`.
- 2025-11-25 · DEVOPS-POLICY-27-004 completed: added policy pipeline alerts (`ops/devops/observability/policy-alerts.yaml`), Grafana dashboard (`ops/devops/observability/grafana/policy-pipeline.json`), and on-call playbook (`ops/devops/observability/policy-playbook.md`) covering compile, simulation, approval, and promotion signals.
- 2025-11-25 · DEVOPS-ORCH-34-001 completed: added synthetic infra probe (`scripts/orchestrator/probe.sh`), replay smoke wrapper (`scripts/orchestrator/replay-smoke.sh`), burn-rate alert for failures in `ops/devops/orchestrator/alerts.yaml`, updated README, and incident/GA readiness playbook (`ops/devops/orchestrator/incident-response.md`).
- 2025-11-25 · DEVOPS-POLICY-27-001 completed: added `policy-lint` workflow (`.gitea/workflows/policy-lint.yml`) running `stella policy lint` on sample DSLs, caching nugets, and publishing lint artifacts; simulate entrypoint smoke included.
- 2025-11-25 · DEVOPS-POLICY-27-002 completed: added batch simulation harness (`scripts/policy/batch-simulate.sh`), sample SBOM fixture, and CI workflow (`.gitea/workflows/policy-simulate.yml`) enforcing violation threshold and uploading summaries.
- 2025-11-25 · DEVOPS-POLICY-27-001 completed: added `policy-lint` workflow (`.gitea/workflows/policy-lint.yml`) running `stella policy lint` on sample DSLs, caching nugets, and publishing lint artifacts; simulate entrypoint smoke included.
- 2025-11-25 · DEVOPS-ORCH-33-001 completed: expanded orchestrator Grafana with DLQ/backpressure/error panels and alerts (`ops/devops/orchestrator/alerts.yaml`); dashboard lives at `ops/devops/orchestrator/grafana/orchestrator-overview.json`.
- 2025-11-25 · MIRROR-CRT-56-002 completed: mirror-sign workflow now enforces prod signing (rc2 SDK), prerequisite check, signing + verification steps for thin bundle v1 using `MIRROR_SIGN_KEY_B64` with `REQUIRE_PROD_SIGNING=1`.
- 2025-11-25 · DEVOPS-SDK-63-001 completed: added SDK signing/publishing toolchain (scripts/sdk/*), secrets guidance (`ops/devops/sdk/README.md`), NuGet signing/publish workflow (`.gitea/workflows/sdk-publish.yml`), and sample config for offline/local feeds.
- 2025-11-25 · DEVOPS-TEN-47-001 marked BLOCKED: JWKS cache/chaos testing requires runnable Authority instance and tenant fixture; upstream Authority/tenancy harness not present in repo.
- 2025-11-25 · DEVOPS-TEN-48-001 marked BLOCKED: RLS/object-store/audit integration tests depend on TEN-47 harness and tenant-aware data plane not available in this sprint scope.
- 2025-11-25 · DEVOPS-LEDGER-29-009-REL marked BLOCKED: release packaging awaits LEDGER-29-009 dev outputs and manifests not present in repo.
- 2025-11-25 · DEVOPS-LEDGER-TEN-48-001-REL marked BLOCKED: RLS migrations/artefacts depend on ledger tenant partition work not yet delivered.
- 2025-11-25 · DEVOPS-SCANNER-JAVA-21-011-REL marked BLOCKED: Java analyzer plugin artefacts from SCANNER-ANALYZERS-JAVA-21-011 dev are not available to package.
- 2025-11-25 · DEVOPS-RULES-33-001 completed: codified rules anchor in `ops/devops/rules/contracts-anchor.md` and closed review.
- 2025-11-25 · Work paused: host cannot allocate PTY (`No space left on device`); further CI/script execution blocked until disk/pty space is freed.
- 2025-11-25 · Added disk cleanup helper `scripts/devops/cleanup-workspace.sh` (safe defaults, optional bin/obj) to unblock low-space runners; use `DRY_RUN=1` to preview.
- 2025-11-25 · Documented space recovery steps in `ops/devops/README-space.md` (cleanup script, docker prune, nuget cache clear, artefact dirs).
- 2025-11-25 · DEVOPS-SIG-26-001 completed: added Signals Dockerfile/compose stack (`ops/devops/signals/`), Helm values (`helm/signals/values-signals.yaml`), CI workflow (`.gitea/workflows/signals-ci.yml`), and image export helper (`scripts/signals/build.sh`) with Mongo/Redis dependencies and artifact volume.
- 2025-11-25 · DEVOPS-SIG-26-002 completed: added Signals observability pack—alerts (`ops/devops/observability/signals-alerts.yaml`), Grafana dashboard (`ops/devops/observability/grafana/signals-pipeline.json`), and playbook (`ops/devops/observability/signals-playbook.md`) for scoring latency, cache hit rate, ingestion failures, and sensor staleness.
## Documentation Prerequisites
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/devops/architecture.md
- ops/devops/README.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DEVOPS-OBS-55-001 | DONE (2025-11-25) | Depends on DEVOPS-OBS-54-001 | DevOps Guild · Ops Guild | Incident mode automation: feature flag service, burn-rate trigger, retention overrides, reset job. |
| 2 | DEVOPS-ORCH-32-001 | DONE (2025-11-25) | Bootstrap orchestrator infra | DevOps Guild · Orchestrator Guild | Provision orchestrator Postgres/message bus, CI smoke deploy, dashboards, bootstrap docs. |
| 3 | DEVOPS-ORCH-33-001 | DONE (2025-11-25) | Depends on 32-001 | DevOps Guild · Observability Guild | Grafana dashboards/alerts for rate limiter, backpressure, error clustering, DLQ depth. |
| 4 | DEVOPS-ORCH-34-001 | DONE (2025-11-25) | Depends on 33-001 | DevOps Guild · Orchestrator Guild | Harden production monitoring: synthetic probes, burn-rate alerts, replay smoke, GA readiness checklist. |
| 5 | DEVOPS-POLICY-27-001 | DONE (2025-11-25) | None | DevOps Guild · DevEx/CLI Guild | Add CI stage to run `stella policy lint`. |
| 6 | DEVOPS-POLICY-27-002 | DONE (2025-11-25) | Depends on 27-001 | DevOps Guild · Policy Registry Guild | Batch simulation CI job, threshold enforcement, PR markdown summary. |
| 7 | DEVOPS-POLICY-27-003 | DONE (2025-11-25) | Depends on 27-002 | DevOps Guild · Security Guild | Manage signing keys (OIDC + cosign), rotate keys, verify attestations. |
| 8 | DEVOPS-POLICY-27-004 | DONE (2025-11-25) | Depends on 27-003 | DevOps Guild · Observability Guild | Dashboards/alerts for policy compile latency, simulation queue depth, approval latency, promotion outcomes. |
| 9 | DEVOPS-REL-17-004 | DONE (2025-11-23) | None | DevOps Guild | Release workflow uploads `out/release/debug` and fails when symbols missing. |
| 10 | DEVOPS-RULES-33-001 | DONE (2025-11-25) | None | DevOps Guild · Platform Leads | Contracts & Rules anchor (gateway proxies, AOC no-merge, graph platform consolidation). |
| 11 | DEVOPS-SDK-63-001 | DONE (2025-11-25) | None | DevOps Guild · SDK Release Guild | Provision registry creds, signing keys, secure storage for SDK publishing pipelines. |
| 12 | DEVOPS-SIG-26-001 | DONE (2025-11-25) | None | DevOps Guild · Signals Guild | Provision CI/CD, Helm/Compose manifests for Signals service with artifact storage + Redis. |
| 13 | DEVOPS-SIG-26-002 | DONE (2025-11-25) | Depends on 26-001 | DevOps Guild · Observability Guild | Dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. |
| 14 | DEVOPS-TEN-47-001 | BLOCKED (2025-11-25) | Needs Authority tenancy harness | DevOps Guild | JWKS cache monitoring, signature verification regression tests, token expiration chaos tests in CI. |
| 15 | DEVOPS-TEN-48-001 | BLOCKED (2025-11-25) | Depends on 47-001 | DevOps Guild | Integration tests for RLS enforcement, tenant-prefixed object storage, audit events; lint to prevent raw SQL bypass. |
| 16 | DEVOPS-CI-110-001 | DONE (2025-11-25) | None | DevOps Guild · Concelier Guild · Excititor Guild | CI helper + TRX slices at `ops/devops/ci-110-runner/`; warm restore + health smokes. |
| 17 | MIRROR-CRT-56-CI-001 | DONE (2025-11-25) | None | Mirror Creator Guild · DevOps Guild | Move `make-thin-v1.sh` into CI assembler, enforce DSSE/TUF/time-anchor, publish milestone hashes. |
| 18 | MIRROR-CRT-56-002 | DONE (2025-11-25) | Depends on 56-CI-001 | Mirror Creator Guild · Security Guild | Release signing for thin bundle v1 using `MIRROR_SIGN_KEY_B64`; run `.gitea/workflows/mirror-sign.yml`. |
| 19 | MIRROR-CRT-57-001/002 | BLOCKED | Wait on 56-002 + AIRGAP-TIME-57-001 | Mirror Creator Guild · AirGap Time Guild | OCI/time-anchor signing follow-ons. |
| 20 | MIRROR-CRT-58-001/002 | BLOCKED | Depends on 56-002 | Mirror Creator · CLI · Exporter Guilds | CLI/Export signing follow-ons. |
| 21 | EXPORT-OBS-51-001 / 54-001 / AIRGAP-TIME-57-001 / CLI-AIRGAP-56-001 / PROV-OBS-53-001 | BLOCKED | Need signed thin bundle + time anchors | Exporter · AirGap Time · CLI Guild | Export/airgap provenance chain work. |
| 22 | DEVOPS-LEDGER-29-009-REL | BLOCKED (2025-11-25) | Needs LEDGER-29-009 dev outputs | DevOps Guild · Findings Ledger Guild | Release/offline-kit packaging for ledger manifests/backups. |
| 23 | DEVOPS-LEDGER-TEN-48-001-REL | BLOCKED (2025-11-25) | Needs ledger tenant partition work | DevOps Guild · Findings Ledger Guild | Apply RLS/partition migrations in release pipelines; publish manifests/offline-kit artefacts. |
| 24 | DEVOPS-SCANNER-JAVA-21-011-REL | BLOCKED (2025-11-25) | Needs SCANNER-ANALYZERS-JAVA-21-011 outputs | DevOps Guild · Java Analyzer Guild | Package/sign Java analyzer plug-in for release/offline kits. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Normalised sprint file to standard template; preserved all tasks/logs; no status changes. | Planning |
| 2025-11-25 | DEVOPS-CI-110-001 runner published at `ops/devops/ci-110-runner/`; initial TRX slices stored under `ops/devops/artifacts/ci-110/20251125T030557Z/`. | DevOps |
| 2025-11-25 | MIRROR-CRT-56-CI-001 completed: CI signing script emits milestone hash summary, enforces DSSE/TUF/time-anchor steps, uploads `milestone.json` via `mirror-sign.yml`. | DevOps |
| 2025-11-25 | DEVOPS-OBS-55-001 completed: added incident-mode automation script (`scripts/observability/incident-mode.sh`) and runbook (`ops/devops/observability/incident-mode.md`). | DevOps |
| 2025-11-25 | DEVOPS-ORCH-32-001 completed: orchestrator infra compose stack, smoke script, alerts, Grafana dashboard, bootstrap README under `ops/devops/orchestrator/`. | DevOps |
| 2025-11-25 | DEVOPS-ORCH-33-001 completed: DLQ/backpressure/error panels + alerts (`ops/devops/orchestrator/alerts.yaml`); dashboard `ops/devops/orchestrator/grafana/orchestrator-overview.json`. | DevOps |
| 2025-11-25 | DEVOPS-POLICY-27-003 completed: cosign key rotation/signing/attestation scripts added; CI attestation verification stage wired into `.gitea/workflows/policy-simulate.yml`; runbook `ops/devops/policy-signing.md`. | DevOps |
| 2025-11-25 | DEVOPS-POLICY-27-004 completed: policy pipeline alerts/dashboard/playbook added. | DevOps |
| 2025-11-25 | DEVOPS-POLICY-27-001 completed: `policy-lint` workflow added; caches nugets; publishes lint artifacts. | DevOps |
| 2025-11-25 | DEVOPS-POLICY-27-002 completed: batch simulation harness + CI workflow enforcing violation thresholds, uploads summaries. | DevOps |
| 2025-11-25 | DEVOPS-ORCH-34-001 completed: synthetic probe, replay smoke wrapper, burn-rate alert, README, incident/GA readiness playbook. | DevOps |
| 2025-11-25 | MIRROR-CRT-56-002 completed: mirror-sign workflow enforces prod signing for thin bundle v1 (`REQUIRE_PROD_SIGNING=1`). | DevOps |
| 2025-11-25 | DEVOPS-SDK-63-001 completed: SDK signing/publishing toolchain, secrets guidance, CI workflow, offline/local feed config. | DevOps |
| 2025-11-25 | DEVOPS-TEN-47-001 marked BLOCKED: requires Authority tenancy harness and tenant fixture. | DevOps |
| 2025-11-25 | DEVOPS-TEN-48-001 marked BLOCKED: RLS/object-store/audit tests depend on TEN-47 harness. | DevOps |
| 2025-11-25 | DEVOPS-LEDGER-29-009-REL marked BLOCKED: waiting on LEDGER-29-009 dev outputs. | DevOps |
| 2025-11-25 | DEVOPS-LEDGER-TEN-48-001-REL marked BLOCKED: RLS migrations/artefacts depend on ledger tenant partition work. | DevOps |
| 2025-11-25 | DEVOPS-SCANNER-JAVA-21-011-REL marked BLOCKED: Java analyzer plugin artefacts unavailable. | DevOps |
| 2025-11-25 | Work paused: `No space left on device`; added cleanup helper `scripts/devops/cleanup-workspace.sh` and doc `ops/devops/README-space.md`. | DevOps |
| 2025-11-25 | DEVOPS-SIG-26-001 completed: Signals Dockerfile/compose, Helm values, CI workflow, image export helper with Mongo/Redis deps. | DevOps |
| 2025-11-25 | DEVOPS-SIG-26-002 completed: Signals alerts, dashboard, playbook for latency/cache/staleness. | DevOps |
| 2025-11-23 | DEVOPS-REL-17-004 completed: release workflow uploads debug artefacts and fails on missing symbols. | DevOps |
| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md` (updated 2025-11-08). | Planning |
## Decisions & Risks
- Hardened Docker/CI artefacts rely on available disk; keep cleanup script in runner docs.
- Cosign key management supports keyless; offline/air-gap paths require mirrored registry + secrets provided to `sbom_attest.sh`.
- Tenant chaos drill requires iptables/root; run only on isolated agents; monitor JWKS cache TTL to avoid auth outages.
- Surface.Env: ZASTAVA_* fallback to SCANNER_* in Helm/Compose; keep docs aligned if prefixes/fields change.
- Surface.Secrets: provisioning playbook published; ensure Helm/Compose env stays in sync; offline kit bundles encrypted secrets—unpack path must match `*_SURFACE_SECRETS_ROOT`.
## Next Checkpoints
- Unblock DEVOPS-TEN-47-001/48-001 by landing Authority tenancy harness and tenant fixtures.
- Deliver AIRGAP-TIME-57-001 to unblock mirror signing follow-ons (MIRROR-CRT-57/58) and export provenance chain.
- Free runner disk space routinely using `scripts/devops/cleanup-workspace.sh` and docker prune to keep CI green.