# Sprint 502 · Ops Deployment II (Ops & Offline)

## Topic & Scope
- Phase II of ops deployment/offline readiness stream (IMPL 190.A follow-on).
- Produce deployment overlays, Helm scaffolding, and rollout/runbook assets for policy, VEX Lens, Findings Ledger, and downloads pipeline.
- **Working directory:** docs/implplan (coordination); delivery artefacts expected in `deploy/` and `docs/runbooks/` as referenced per task.

## Dependencies & Concurrency
- Upstream: Sprint 190.A – Ops Deployment I (prereq for this batch).
- Tasks with explicit deps noted in Delivery Tracker (e.g., HELM-45-002 depends on HELM-45-001).

## Documentation Prerequisites
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- Any module-specific runbooks referenced by tasks (policy, VEX Lens, Findings Ledger).

> **BLOCKED Tasks:** Before working on BLOCKED tasks, review [BLOCKED_DEPENDENCY_TREE.md](./BLOCKED_DEPENDENCY_TREE.md) for root blockers and dependencies.

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DEPLOY-POLICY-27-002 | TODO | Depends on DEPLOY-POLICY-27-001 | Deployment Guild, Policy Guild | Document rollout/rollback playbooks for policy publish/promote (canary, emergency freeze, evidence retrieval) under `docs/runbooks/policy-incident.md` |
| 2 | DEPLOY-VEX-30-001 | TODO | None | Deployment Guild, VEX Lens Guild | Provide Helm/Compose overlays, scaling defaults, offline kit instructions for VEX Lens service |
| 3 | DEPLOY-VEX-30-002 | TODO | Depends on DEPLOY-VEX-30-001 | Deployment Guild, Issuer Directory Guild | Package Issuer Directory deployment manifests, backups, security hardening guidance |
| 4 | DEPLOY-VULN-29-001 | TODO | None | Deployment Guild, Findings Ledger Guild | Helm/Compose overlays for Findings Ledger + projector incl. DB migrations, Merkle anchor jobs, scaling guidance |
| 5 | DEPLOY-VULN-29-002 | TODO | Depends on DEPLOY-VULN-29-001 | Deployment Guild, Vuln Explorer API Guild | Package `stella-vuln-explorer-api` manifests, health checks, autoscaling policies, offline kit with signed images |
| 6 | DOWNLOADS-CONSOLE-23-001 | TODO | None | Deployment Guild, DevOps Guild | Maintain signed downloads manifest pipeline; publish JSON at `deploy/downloads/manifest.json`; doc sync cadence for Console/docs |
| 7 | HELM-45-001 | TODO | None | Deployment Guild | Scaffold `deploy/helm/stella` chart with values, toggles, pinned digests, migration Job templates |
| 8 | HELM-45-002 | TODO | Depends on HELM-45-001 | Deployment Guild, Security Guild | Add TLS/Ingress, NetworkPolicy, PodSecurityContexts, Secrets integration (external secrets), document security posture |
| 9 | HELM-45-003 | TODO | Depends on HELM-45-002 | Deployment Guild, Observability Guild | Implement HPA, PDB, readiness gates, Prometheus scrape annotations, OTel hooks, upgrade hooks |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-02 | Normalized sprint file to standard template; no task status changes | StellaOps Agent |

## Decisions & Risks
- Dependencies between HELM-45 tasks enforce serial order; note in task sequencing.
- Risk: Offline kit instructions must avoid external image pulls; ensure pinned digests and air-gap copy steps.

## Next Checkpoints
- None scheduled; add dates when guild checkpoints are set.