# Runbook Coverage Tracking

This document tracks operational runbook coverage across Stella Ops modules.

**Target:** 80% coverage of critical failure modes before declaring operability moat achieved.

---

## Coverage Summary

| Module | Critical Failures | Runbooks | Coverage | Status |
|--------|-------------------|----------|----------|--------|
| Scanner | 5 | 0 | 0% | 🔴 Gap |
| Policy Engine | 5 | 0 | 0% | 🔴 Gap |
| Release Orchestrator | 5 | 0 | 0% | 🔴 Gap |
| Attestor | 5 | 0 | 0% | 🔴 Gap |
| Feed Connectors | 4 | 0 | 0% | 🔴 Gap |
| **Database (Postgres)** | 4 | 4 | 100% | ✅ Complete |
| **Crypto Subsystem** | 4 | 4 | 100% | ✅ Complete |
| **Evidence Locker** | 4 | 4 | 100% | ✅ Complete |
| **Backup/Restore** | 4 | 4 | 100% | ✅ Complete |
| Authority (OAuth/OIDC) | 3 | 0 | 0% | 🔴 Gap |
| **Overall** | **43** | **16** | **37%** | 🟡 In Progress |

---

## Available Runbooks

### Database Operations

- [postgres-ops.md](postgres-ops.md) - PostgreSQL database operations

### Crypto Subsystem

- [crypto-ops.md](crypto-ops.md) - Regional crypto operations (FIPS, eIDAS, GOST, SM)

### Evidence Locker

- [evidence-locker-ops.md](evidence-locker-ops.md) - Evidence locker operations

### Backup/Restore

- [backup-restore-ops.md](backup-restore-ops.md) - Backup and restore procedures

### Vulnerability Operations

- [vuln-ops.md](vuln-ops.md) - Vulnerability management operations

### VEX Operations

- [vex-ops.md](vex-ops.md) - VEX statement operations

### Policy Incidents

- [policy-incident.md](policy-incident.md) - Policy-related incident response

---

## Gap Analysis

### High Priority Gaps (Critical modules without runbooks)

1. **Scanner** - Core scanning functionality
   - Worker stuck
   - OOM on large images
   - Registry auth failures

2. **Policy Engine** - Policy evaluation
   - Slow evaluation
   - OPA crashes
   - Compilation failures

3. **Release Orchestrator** - Promotion workflow
   - Stuck promotions
   - Gate timeouts
   - Missing evidence

### Medium Priority Gaps

4. **Attestor** - Signing and verification
   - Signing failures
   - Key expiration
   - Rekor unavailability

5. **Feed Connectors** - Advisory feeds
   - NVD failures
   - Rate limiting
   - Offline bundle issues

### Lower Priority Gaps

6. **Authority** - Authentication
   - Token validation failures
   - OIDC provider issues

---

## Template

New runbooks should use the template: [_template.md](_template.md)

---

## Doctor Check Integration

Runbooks should be linked from Doctor check output. Current integration status:

| Module | Doctor Checks | Linked to Runbook |
|--------|---------------|-------------------|
| Postgres | 4 | 0 |
| Crypto | 8 | 0 |
| Storage | 3 | 0 |
| Evidence | 4 | 0 |

**Next step:** Update Doctor check implementations to include runbook links in remediation output.

---

_Last updated: 2026-01-17 (UTC)_