git.stella-ops.org/docs/modules/devops/runbooks/launch-readiness.md
2025-12-24 21:45:46 +02:00

Launch Readiness Record - Stella Ops

Updated: 2025-10-26 (UTC)

Note (2025-12): This document reflects the state at initial launch. Since then, MongoDB has been fully removed (Sprint 4400) and replaced with PostgreSQL. Redis references now use Valkey. See current deployment docs in deploy/ for up-to-date configuration.

This document captures production launch sign-offs, deployment readiness checkpoints, and any open risks that must be tracked before GA cutover.

1. Sign-off Summary

| Module / Service | Guild / Point of Contact | Evidence (Task or Runbook) | Status | Timestamp (UTC) | Notes |
|---|---|---|---|---|---|
| Authority (Issuer) | Authority Core Guild | AUTH-AOC-19-001 - scope issuance & configuration complete (DONE 2025-10-26) | READY | 2025-10-26T14:05Z | Tenant scope propagation follow-up (AUTH-AOC-19-002) tracked in gaps section. |
| Signer | Signer Guild | SIGNER-API-11-101 / SIGNER-REF-11-102 / SIGNER-QUOTA-11-103 (DONE 2025-10-21) | READY | 2025-10-26T14:07Z | DSSE signing, referrer verification, and quota enforcement validated in CI. |
| Attestor | Attestor Guild | ATTESTOR-API-11-201 / ATTESTOR-VERIFY-11-202 / ATTESTOR-OBS-11-203 (DONE 2025-10-19) | READY | 2025-10-26T14:10Z | Rekor submission/verification pipeline green; telemetry pack published. |
| Scanner Web + Worker | Scanner WebService Guild | SCANNER-WEB-09-10x, SCANNER-RUNTIME-12-30x (DONE 2025-10-18 -> 2025-10-24) | READY* | 2025-10-26T14:20Z | Orchestrator envelope work (SCANNER-EVENTS-16-301/302) still open; see gaps. |
| Concelier Core & Connectors | Concelier Core / Ops Guild | Ops runbook sign-off in docs/modules/concelier/operations/conflict-resolution.md (2025-10-16) | READY | 2025-10-26T14:25Z | Conflict resolution & connector coverage accepted; Mongo schema hardening pending (see gaps). |
| Excititor API | Excititor Core Guild | Wave 0 connector ingest sign-offs (Sprint backlog reference) | READY | 2025-10-26T14:28Z | VEX linkset publishing complete for launch datasets. |
| Notify Web (legacy) | Notify Guild | Existing stack carried forward; Notifier program tracked separately (Sprint 38-40) | PENDING | 2025-10-26T14:32Z | Legacy notify web remains operational; migration to Notifier blocked on SCANNER-EVENTS-16-301. |
| Web UI | UI Guild | Stable build registry.stella-ops.org/.../web-ui@sha256:10d9248... deployed in stage and smoke-tested | READY | 2025-10-26T14:35Z | Policy editor GA items (Sprint 20) outside launch scope. |
| DevOps / Release | DevOps Guild | deploy/tools/validate-profiles.sh run (2025-10-26) covering dev/stage/prod/airgap/mirror | READY | 2025-10-26T15:02Z | Compose/Helm lint + docker compose config validated; see Section 2 for details. |
| Offline Kit | Offline Kit Guild | DEVOPS-OFFLINE-18-004 (Go analyzer) and DEVOPS-OFFLINE-18-005 (Python analyzer) complete; debug-store mirror pending (DEVOPS-OFFLINE-17-004). | PENDING | 2025-11-23T15:05Z | Release workflow now ships out/release/debug; run mirror_debug_store.py on next release artefact and commit metadata/debug-store.json. |

* READY with caveat - remaining work noted in Section 3.

2. Deployment Readiness Checklist

  • Production profiles committed: deploy/compose/docker-compose.prod.yaml and deploy/helm/stellaops/values-prod.yaml added with front-door network hand-off and secret references for Mongo/MinIO/core services.
  • Secrets placeholders documented: deploy/compose/env/prod.env.example enumerates required credentials (MONGO_INITDB_ROOT_PASSWORD, MINIO_ROOT_PASSWORD, Redis/NATS endpoints, FRONTDOOR_NETWORK). Helm values reference Kubernetes secrets (stellaops-prod-core, stellaops-prod-mongo, stellaops-prod-minio, stellaops-prod-notify).
  • Static validation executed: deploy/tools/validate-profiles.sh run on 2025-10-26 (docker compose config + helm lint/template) with all profiles passing.
  • Ingress model defined: Production compose profile introduces external frontdoor network; README updated with creation instructions and scope of externally reachable services.
  • Observability hooks: Authority/Signer/Attestor telemetry packs verified; scanner runtime build-id metrics landed (SCANNER-RUNTIME-17-401). Grafana dashboards referenced in component runbooks.
  • Rollback assets: Stage Compose profile remains aligned (docker-compose.stage.yaml), enabling rehearsals before prod cutover; release manifests (deploy/releases/2025.09-stable.yaml) map digests for reproducible rollback.
  • Rehearsal status: 2025-10-26 validation dry-run executed (deploy/tools/validate-profiles.sh across dev/stage/prod/airgap/mirror). Full stage Helm rollout pending access to the managed staging cluster; target to complete once credentials are provisioned.
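The secrets-placeholder item in the checklist above is the one most worth automating: a prod.env that still carries a template value such as CHANGE_ME starts the stack with a credential anyone who has read the example file knows. The pre-deploy guard below is an added example, not a script from the Stella Ops repository. It assumes prod.env.example is plain KEY=VALUE dotenv text with `#` comments and that the placeholder strings are those in PLACEHOLDERS; only the names MONGO_INITDB_ROOT_PASSWORD, MINIO_ROOT_PASSWORD and FRONTDOOR_NETWORK come from the checklist, and the rest of the embedded TEMPLATE (REDIS_URL, NATS_URL and their values) is constructed.

```python
"""Pre-deploy guard: refuse to roll out while a required variable from the env
template is missing, empty, or still carries the template placeholder.

Added example, not a script from the Stella Ops repository. Assumed: the
template is plain KEY=VALUE dotenv text with '#' comments, and the PLACEHOLDERS
set below. Only MONGO_INITDB_ROOT_PASSWORD, MINIO_ROOT_PASSWORD and
FRONTDOOR_NETWORK are names from the checklist; the rest of TEMPLATE is
constructed.
"""
import os
import re
import sys
from typing import Dict, List, Mapping

# Constructed stand-in for deploy/compose/env/prod.env.example.
TEMPLATE = """\
# Core datastore credentials
MONGO_INITDB_ROOT_PASSWORD=CHANGE_ME
MINIO_ROOT_PASSWORD=CHANGE_ME
# Messaging / cache endpoints
REDIS_URL=redis://redis:6379
NATS_URL=nats://nats:4222
# Front-door network, created out of band before compose up
FRONTDOOR_NETWORK=frontdoor
"""

_ASSIGN = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Values that mean "the operator never filled this in".
PLACEHOLDERS = {"", "CHANGE_ME", "changeme", "TODO", "<REPLACE>", "xxx"}
MIN_SECRET_LEN = 16


def parse_env_template(text: str) -> Dict[str, str]:
    """dotenv text -> {KEY: default}. Comments and blank lines are skipped;
    anything else that is not KEY=VALUE is a template error, not a warning."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            raise ValueError(f"malformed template line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip one layer of matching quotes
        env[key] = value
    return env


def is_secret_key(key: str) -> bool:
    """Keys whose values must be real secrets, not merely present."""
    return key.upper().endswith(("_PASSWORD", "_SECRET", "_TOKEN", "_KEY"))


def check_env(template: Mapping[str, str], actual: Mapping[str, str]) -> List[str]:
    """Return findings in template order; an empty list means safe to deploy."""
    findings: List[str] = []
    for key, default in template.items():
        if key not in actual:
            findings.append(f"{key}: missing")
            continue
        value = actual[key].strip()
        if value in PLACEHOLDERS:
            findings.append(f"{key}: placeholder value {value!r}")
        elif is_secret_key(key):
            if value == default:
                findings.append(f"{key}: still equals the template default")
            elif len(value) < MIN_SECRET_LEN:
                findings.append(f"{key}: secret shorter than {MIN_SECRET_LEN} chars")
    return findings


if __name__ == "__main__":
    # Checks the process environment (e.g. after `set -a; . prod.env`).
    problems = check_env(parse_env_template(TEMPLATE), os.environ)
    for p in problems:
        print("FAIL", p, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Run it in the deploy job before `docker compose up`, with the real template read from disk in place of the embedded TEMPLATE; a non-zero exit blocks the rollout. The Helm path needs the equivalent check against the stellaops-prod-* Secret objects, since those values never pass through the process environment.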

3. Outstanding Gaps & Follow-ups

| Item | Owner | Tracking Ref | Target / Next Step | Impact |
|---|---|---|---|---|
| Tenant scope propagation and audit coverage | Authority Core Guild | AUTH-AOC-19-002 (DOING 2025-10-26) | Land enforcement + audit fixtures by Sprint 19 freeze | Medium - required for multi-tenant GA but does not block initial cutover if tenants are scoped manually. |
| Orchestrator event envelopes + Notifier handshake | Scanner WebService Guild | SCANNER-EVENTS-16-301 (BLOCKED), SCANNER-EVENTS-16-302 (DOING) | Coordinate with Gateway/Notifier owners on preview package replacement or binding redirects; rerun dotnet test once the patch lands and refresh schema docs. Share envelope samples in docs/events/ after tests pass. | High - gating Notifier migration; legacy notify path remains functional meanwhile. |
| Offline Kit Python analyzer bundle | Offline Kit Guild + Scanner Guild | DEVOPS-OFFLINE-18-005 (DONE 2025-10-26) | Monitor for follow-up manifest updates and rerun the smoke script when analyzers change. | Medium - ensures language analyzer coverage stays current for offline installs. |
| Offline Kit debug store mirror | Offline Kit Guild + DevOps Guild | DEVOPS-OFFLINE-17-004 (TODO 2025-11-23) | Release pipeline now publishes out/release/debug; run mirror_debug_store.py, verify hashes, and commit metadata/debug-store.json. | Low - symbol lookup remains accessible from staging assets, but required before the next Offline Kit tag. |
| Mongo schema validators for advisory ingestion | Concelier Storage Guild | CONCELIER-STORE-AOC-19-001 (TODO) | Finalize JSON schema + migration toggles; coordinate with Ops for rollout window | Low - current validation handled in the app layer; schema guard adds defense-in-depth. |
| Authority plugin telemetry alignment | Security Guild | SEC2.PLG, SEC3.PLG, SEC5.PLG (BLOCKED pending AUTH DPoP/MTLS tasks) | Resume once upstream auth surfacing stabilises | Low - plugin remains optional; launch uses default Authority configuration. |
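The debug-store item (Section 1, Offline Kit row, and the row above) requires verifying hashes before metadata/debug-store.json is committed. The code below is an added example of that verification step, not the project's mirror_debug_store.py, and it goes slightly beyond the row's wording by also flagging files present in the store but absent from the manifest, since an unaccounted artefact in a release directory is as much a finding as a corrupted one. The manifest shape ({"files": {relative_path: sha256_hex}}) and the GDB-style .build-id/xx/yyyy.debug layout are assumptions, not the project's actual schema; the sample files are constructed.

```python
"""Verify a mirrored debug store against its committed hash manifest.

Added example, not the Stella Ops mirror_debug_store.py. Assumed (not from the
runbook): manifest JSON of the form {"files": {relative_path: sha256_hex}} and
a GDB-style .build-id/xx/yyyy.debug layout for the store. Sample files are
constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

CHUNK = 1 << 20  # hash in 1 MiB blocks so large debug files never load whole into RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Hash every regular file under root, keyed by POSIX-style relative path.
    Symlinks are skipped: a mirror must not be satisfied by a link that points
    outside the store."""
    files: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            files[p.relative_to(root).as_posix()] = sha256_file(p)
    return files


def save_manifest(path: Path, files: Dict[str, str]) -> None:
    path.write_text(json.dumps({"files": files}, indent=2, sort_keys=True) + "\n")


def load_manifest(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())["files"]


def verify_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Three failure classes, each fatal for a release gate:
    missing  - listed in the manifest but absent from the store
    mismatch - present but content hash differs from the committed value
    unlisted - present in the store but never recorded (unaccounted artefact)"""
    actual = build_manifest(root)
    result: Dict[str, List[str]] = {"missing": [], "mismatch": [], "unlisted": []}
    for rel, expected in manifest.items():
        got = actual.get(rel)
        if got is None:
            result["missing"].append(rel)
        elif got != expected.lower():
            result["mismatch"].append(rel)
    result["unlisted"] = sorted(set(actual) - set(manifest))
    return result


def is_clean(result: Dict[str, List[str]]) -> bool:
    return not any(result.values())


def demo() -> Tuple[bool, Dict[str, List[str]]]:
    """Record a constructed store, tamper with it, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "debug"
        bucket = root / ".build-id" / "ab"
        bucket.mkdir(parents=True)
        (bucket / "cdef0123.debug").write_bytes(b"\x7fELF constructed debug info 1")
        (bucket / "cdef4567.debug").write_bytes(b"\x7fELF constructed debug info 2")

        manifest_path = Path(tmp) / "debug-store.json"
        save_manifest(manifest_path, build_manifest(root))
        manifest = load_manifest(manifest_path)
        before = is_clean(verify_manifest(root, manifest))

        (bucket / "cdef0123.debug").write_bytes(b"\x7fELF swapped payload")  # modified
        (bucket / "cdef4567.debug").unlink()                                 # removed
        (root / "stray.bin").write_bytes(b"never recorded")                  # added
        after = verify_manifest(root, manifest)
        return before, after


if __name__ == "__main__":
    ok_before, findings = demo()
    print("clean store verified:", ok_before)
    for kind, paths in findings.items():
        for rel in paths:
            print(f"{kind.upper():8} {rel}")
```

In the release job the sequence is: run the mirror, call build_manifest on out/release/debug, compare against the manifest already committed with verify_manifest, and only on a clean result write the new metadata/debug-store.json. Committing the manifest before verification would record whatever landed on disk, including a corrupted or partial mirror.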

4. Approvals & Distribution

  • Record shared in #launch-readiness (Mattermost) 2025-10-26 15:15 UTC with DevOps + Guild leads for acknowledgement.
  • Updates to this document require dual sign-off from DevOps Guild (owner) and impacted module guild lead; retain change log via Git history.
  • Cutover rehearsal and rollback drills are tracked separately in docs/modules/devops/runbooks/launch-cutover.md (see associated Task DEVOPS-LAUNCH-18-001).