# Evaluation Checklist – 30-Day Adoption Plan

## Day 0–1: Kick the Tires

- [ ] Follow the [Quickstart](../quickstart.md) to run the first scan and confirm quota headers (`X-Stella-Quota-Remaining`).
- [ ] Capture the deterministic replay bundle (`stella replay export`) to verify SRM evidence.
- [ ] Log into the Console, review the explain trace for the latest scan, and test policy waiver creation.

## Day 2–7: Prove Fit

- [ ] Import the [Offline Update Kit](../24_OFFLINE_KIT.md) and confirm feeds refresh with no Internet access.
- [ ] Apply a sovereign CryptoProfile matching your regulatory environment (FIPS, eIDAS, GOST, SM).
- [ ] Run policy simulations with your SBOMs using `stella policy simulate --input `; log explain outcomes for review.
- [ ] Validate attestation workflows by exporting DSSE bundles and replaying them on a secondary host.

## Day 8–14: Integrate

- [ ] Wire the CLI into CI/CD to gate images using exit codes and `X-Stella-Quota-Remaining` telemetry.
- [ ] Configure `StellaOps.Notify` with at least one channel (email/webhook) and confirm digest delivery.
- [ ] Map existing advisory/VEX sources to Concelier connectors; note any feeds requiring custom plug-ins.
- [ ] Review `StellaOps.Policy.Engine` audit logs to ensure waiver ownership and expiry meet governance needs.

## Day 15–30: Harden & Measure

- [ ] Follow the [Security Hardening Guide](../17_SECURITY_HARDENING_GUIDE.md) to rotate keys and enable mTLS across modules.
- [ ] Enable observability pipelines (metrics + OpenTelemetry) to capture scan throughput and policy outcomes.
- [ ] Run performance checks against the [Performance Workbook](../12_PERFORMANCE_WORKBOOK.md) targets; note P95 latencies.
- [ ] Document operational runbooks (install, upgrade, rollback) referencing the [Release Engineering Playbook](../13_RELEASE_ENGINEERING_PLAYBOOK.md).

## Decision Gates

| Question | Evidence to collect | Source |
|----------|--------------------|--------|
| Can we operate fully offline? | Offline kit import logs, quota JWT validation without Internet | Quickstart, Offline Kit guide |
| Are findings explainable and reproducible? | SRM replay results, policy explain traces | Key features, Policy Engine UI |
| Does it meet regional compliance? | CryptoProfile application, Attestor/Rekor mirror configuration | Sovereign crypto docs, Attestor guide |

**Next step:** once the checklist is green, plan production rollout with the module-specific architecture docs under `docs/modules/`.