git.stella-ops.org/ops/devops/TASKS.md
master 66cb6c4b8a
feat: Add guild charters and task boards for various components
- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
2025-11-01 02:21:46 +02:00


# DevOps Task Board

## Governance & Rules

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| DEVOPS-RULES-33-001 | REVIEW (2025-10-30) | DevOps Guild, Platform Leads | | Contracts & Rules anchor: • Gateway proxies only; Policy Engine composes overlays/simulations. • AOC ingestion cannot merge; only lossless canonicalization. • One graph platform: Graph Indexer + Graph API. Cartographer retired. | Rules posted in SPRINTS/TASKS; duplicates cleaned per guidance; reviewers acknowledge in changelog. |

2025-10-30: Published governance anchor (docs/devops/contracts-and-rules.md), archived Cartographer plan, and logged reviewer acknowledgement in docs/updates/2025-10-30-devops-governance.md.

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| DEVOPS-AOC-19-001 | BLOCKED (2025-10-26) | DevOps Guild, Platform Guild | WEB-AOC-19-003 | Integrate the AOC Roslyn analyzer and guard tests into CI, failing builds when ingestion projects attempt banned writes. | Analyzer runs in PR/CI pipelines, results surfaced in build summary, docs updated under docs/modules/devops/runbooks/ci-aoc.md. |
| DEVOPS-AOC-19-002 | BLOCKED (2025-10-26) | DevOps Guild | CLI-AOC-19-002, CONCELIER-WEB-AOC-19-004, EXCITITOR-WEB-AOC-19-004 | Add pipeline stage executing `stella aoc verify --since` against seeded Mongo snapshots for Concelier + Excititor, publishing violation report artefacts. | Stage runs on main/nightly, fails on violations, artifacts retained, runbook documented. |
| DEVOPS-AOC-19-003 | BLOCKED (2025-10-26) | DevOps Guild, QA Guild | CONCELIER-WEB-AOC-19-003, EXCITITOR-WEB-AOC-19-003 | Enforce unit test coverage thresholds for AOC guard suites and ensure coverage exported to dashboards. | Coverage report includes guard projects, threshold gate passes/fails as expected, dashboards refreshed with new metrics. |
| DEVOPS-AOC-19-101 | TODO (2025-10-28) | DevOps Guild, Concelier Storage Guild | CONCELIER-STORE-AOC-19-002 | Draft supersedes backfill rollout (freeze window, dry-run steps, rollback) once advisory_raw idempotency index passes staging verification. | Runbook committed in docs/deploy/containers.md + Offline Kit notes, staging rehearsal scheduled with dependencies captured in SPRINTS. |
| DEVOPS-OBS-50-002 | DOING (2025-10-26) | DevOps Guild, Security Guild | DEVOPS-OBS-50-001, TELEMETRY-OBS-51-002 | Stand up multi-tenant storage backends (Prometheus, Tempo/Jaeger, Loki) with retention policies, tenant isolation, and redaction guard rails. Integrate with Authority scopes for read paths. | Storage stack deployed with auth; retention configured; integration tests verify tenant isolation; runbook drafted. |
| DEVOPS-OBS-51-001 | TODO | DevOps Guild, Observability Guild | WEB-OBS-51-001, DEVOPS-OBS-50-001 | Implement SLO evaluator service (burn rate calculators, webhook emitters), Grafana dashboards, and alert routing to Notifier. Provide Terraform/Helm automation. | Dashboards live; evaluator emits webhooks; alert runbook referenced; staging alert fired in test. |
| DEVOPS-OBS-52-001 | TODO | DevOps Guild, Timeline Indexer Guild | TIMELINE-OBS-52-002 | Configure streaming pipeline (NATS/Redis/Kafka) with retention, partitioning, and backpressure tuning for timeline events; add CI validation of schema + rate caps. | Pipeline deployed; load test meets SLA; schema validation job passes; documentation updated. |
| DEVOPS-OBS-53-001 | TODO | DevOps Guild, Evidence Locker Guild | EVID-OBS-53-001 | Provision object storage with WORM/retention options (S3 Object Lock / MinIO immutability), legal hold automation, and backup/restore scripts for evidence locker. | Storage configured with WORM; legal hold script documented; backup test performed; runbook updated. |
| DEVOPS-OBS-54-001 | TODO | DevOps Guild, Security Guild | PROV-OBS-53-002, EVID-OBS-54-001 | Manage provenance signing infrastructure (KMS keys, rotation schedule, timestamp authority integration) and integrate verification jobs into CI. | Keys provisioned with rotation policy; timestamp authority configured; CI verifies sample bundles; audit trail stored. |
| DEVOPS-OBS-55-001 | TODO | DevOps Guild, Ops Guild | DEVOPS-OBS-51-001, WEB-OBS-55-001 | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. | Incident mode toggles via API/CLI; automation tested in staging; reset job verified; runbook referenced. |

Notes:

- DEVOPS-AOC-19-001, docs hand-off (2025-10-26): see docs/ingestion/aggregation-only-contract.md §5, docs/modules/platform/architecture-overview.md, and docs/modules/cli/guides/cli-reference.md for guard + verifier expectations.
- DEVOPS-AOC-19-002, blocked: waiting on CLI verifier command and Concelier/Excititor guard endpoints to land (CLI-AOC-19-002, CONCELIER-WEB-AOC-19-004, EXCITITOR-WEB-AOC-19-004).
- DEVOPS-AOC-19-003, blocked: guard coverage suites and exporter hooks pending in Concelier/Excititor (CONCELIER-WEB-AOC-19-003, EXCITITOR-WEB-AOC-19-003).
- DEVOPS-OBS-50-002: Coordination started with Observability Guild (2025-10-26) to schedule staging rollout and provision service accounts. Staging bootstrap commands and secret names documented in docs/modules/telemetry/operations/storage.md. 2025-10-30: Added static validator ops/devops/telemetry/validate_storage_stack.py and updated storage runbook to require it alongside TLS/tenant setup.

## Surface Sharing Enablement

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| OPS-ENV-01 | TODO | DevOps Guild, Scanner Guild | SURFACE-ENV-02 | Update deployment manifests (Helm/Compose) and configuration docs to include Surface.Env variables for Scanner and Zastava services. | Templates merged; config docs updated; air-gap bootstrap tested with new vars. |
| OPS-SECRETS-01 | TODO | DevOps Guild, Security Guild | SURFACE-SECRETS-03 | Define secret provisioning workflow (Kubernetes, Compose, Offline Kit) for Surface.Secrets references and update runbooks. | Runbook merged; sample manifests include secret refs; security review noted. |
| OPS-SECRETS-02 | TODO | DevOps Guild, Offline Kit Guild | OPS-SECRETS-01 | Embed Surface.Secrets material (encrypted bundles, manifests) into offline kit packaging scripts. | Offline kit build includes secrets manifest; verification script added; docs refreshed. |

## Air-Gapped Mode (Epic 16)

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| DEVOPS-AIRGAP-56-001 | TODO | DevOps Guild | AIRGAP-CTL-56-001 | Ship deny-all egress policies for Kubernetes (NetworkPolicy/eBPF) and docker-compose firewall rules; provide verification script for sealed mode. | Policies committed with tests; verification script passes/fails as expected; docs cross-linked. |
| DEVOPS-AIRGAP-56-002 | TODO | DevOps Guild, AirGap Importer Guild | AIRGAP-IMP-57-002 | Provide import tooling for bundle staging: checksum validation, offline object-store loader scripts, removable media guidance. | Scripts documented; smoke tests validate import; runbook updated. |
| DEVOPS-AIRGAP-56-003 | TODO | DevOps Guild, Container Distribution Guild | EXPORT-AIRGAP-56-002 | Build Bootstrap Pack pipeline bundling images/charts, generating checksums, and publishing manifest for offline transfer. | Pipeline runs in connected env; pack verified in air-gap smoke test; manifest recorded. |
| DEVOPS-AIRGAP-57-001 | TODO | DevOps Guild, Mirror Creator Guild | MIRROR-CRT-56-002 | Automate Mirror Bundle creation jobs with dual-control approvals, artifact signing, and checksum publication. | Approval workflow enforced; CI artifact includes DSSE/TUF metadata; audit logs stored. |
| DEVOPS-AIRGAP-57-002 | TODO | DevOps Guild, Authority Guild | AUTH-OBS-50-001 | Configure sealed-mode CI tests that run services with sealed flag and ensure no egress occurs (iptables + mock DNS). | CI suite fails on attempted egress; reports remediation; documentation updated. |
| DEVOPS-AIRGAP-58-001 | TODO | DevOps Guild, Notifications Guild | NOTIFY-AIRGAP-56-002 | Provide local SMTP/syslog container templates and health checks for sealed environments; integrate into Bootstrap Pack. | Templates deployed successfully; health checks in CI; docs updated. |
| DEVOPS-AIRGAP-58-002 | TODO | DevOps Guild, Observability Guild | DEVOPS-AIRGAP-56-001, DEVOPS-OBS-51-001 | Ship sealed-mode observability stack (Prometheus/Grafana/Tempo/Loki) pre-configured with offline dashboards and no remote exporters. | Stack boots offline; dashboards available; verification script confirms zero egress. |
| DEVOPS-REL-17-004 | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-REL-17-002 | Ensure release workflow publishes out/release/debug (build-id tree + manifest) and fails when symbols are missing. | Release job emits debug artefacts, mirror_debug_store.py summary committed, warning cleared from build logs, docs updated. |
| DEVOPS-CONSOLE-23-001 | BLOCKED (2025-10-26) | DevOps Guild, Console Guild | CONSOLE-CORE-23-001 | Add console CI workflow (pnpm cache, lint, type-check, unit, Storybook a11y, Playwright, Lighthouse) with offline runners and artifact retention for screenshots/reports. | Workflow runs on PR & main, caches reduce install time, failing checks block merges, artifacts uploaded for triage, docs updated. |
| DEVOPS-CONSOLE-23-002 | TODO | DevOps Guild, Console Guild | DEVOPS-CONSOLE-23-001, CONSOLE-REL-23-301 | Produce stella-console container build + Helm chart overlays with deterministic digests, SBOM/provenance artefacts, and offline bundle packaging scripts. | Container published to registry mirror, Helm values committed, SBOM/attestations generated, offline kit job passes smoke test, docs updated. |

Notes:

- DEVOPS-REL-17-004 (2025-10-26, BLOCKED): IdentityModel.Tokens patched for logging 9.x, but release bundle still fails because Docker cannot stream multi-arch build context (unix:///var/run/docker.sock unavailable, EOF during copy). Retry once docker daemon/socket is healthy; until then out/release/debug cannot be generated.
- DEVOPS-CONSOLE-23-001, blocked: Console workspace and package scripts (CONSOLE-CORE-23-001..005) are not yet present; CI cannot execute pnpm/Playwright/Lighthouse until the Next.js app lands.
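The sealed-mode verification that DEVOPS-AIRGAP-56-001 and DEVOPS-AIRGAP-57-002 call for can be partly covered by a static check that runs before anything is deployed. The following is an added example, not a script from the stella-ops repository: it reads NetworkPolicy manifests in JSON form (the sample manifests are constructed for this example), checks that each policy meant to seal a namespace really is deny-all egress (empty `podSelector`, `Egress` in `policyTypes`, and at most a cluster-DNS exception), and reports namespaces that have no passing policy. The kube-dns labels used to recognise the DNS exception are an assumption about the cluster, and an eBPF or docker-compose firewall layer is out of scope for this check.

```python
"""Static deny-all-egress check for Kubernetes NetworkPolicy manifests.

Added example (not the project's own verification script). Assumptions:
- Manifests arrive as a JSON list, the shape `kubectl get netpol -o json`
  returns under .items; the samples below are constructed for this example.
- Cluster DNS is the kube-dns pods in kube-system (label k8s-app=kube-dns).
"""
import json

# Constructed sample manifests: two valid sealing policies, one that leaks
# to 0.0.0.0/0, and a namespace that only has an ingress policy.
SAMPLE_MANIFESTS = json.dumps([
    {"kind": "NetworkPolicy",
     "metadata": {"name": "deny-all-egress", "namespace": "stella"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"kind": "NetworkPolicy",
     "metadata": {"name": "deny-egress-allow-dns", "namespace": "stella"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"namespaceSelector": {"matchLabels": {
                                      "kubernetes.io/metadata.name": "kube-system"}},
                                  "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                          "ports": [{"protocol": "UDP", "port": 53},
                                    {"protocol": "TCP", "port": 53}]}]}},
    {"kind": "NetworkPolicy",
     "metadata": {"name": "leaky-egress", "namespace": "stella"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]}},
    {"kind": "NetworkPolicy",
     "metadata": {"name": "ingress-only", "namespace": "zastava"},
     "spec": {"podSelector": {"matchLabels": {"app": "scanner"}},
              "policyTypes": ["Ingress"]}},
])


def _allows_only_cluster_dns(rule):
    """True when an egress rule permits nothing but port 53 to kube-dns pods."""
    ports = rule.get("ports") or []
    if not ports or any(p.get("port") != 53 for p in ports):
        return False
    peers = rule.get("to") or []
    if not peers:          # a rule without "to" allows every destination
        return False
    for peer in peers:
        if "ipBlock" in peer:  # CIDR peers are never an in-cluster DNS exception
            return False
        ns_labels = (peer.get("namespaceSelector") or {}).get("matchLabels") or {}
        pod_labels = (peer.get("podSelector") or {}).get("matchLabels") or {}
        if ns_labels.get("kubernetes.io/metadata.name") != "kube-system":
            return False
        if pod_labels.get("k8s-app") != "kube-dns":  # assumed DNS labels
            return False
    return True


def check_deny_all_egress(policy):
    """Return findings for one policy; an empty list means it seals egress."""
    if policy.get("kind") != "NetworkPolicy":
        return ["kind is not NetworkPolicy"]
    spec = policy.get("spec") or {}
    findings = []
    if spec.get("podSelector") != {}:
        findings.append("podSelector must be {} so every pod in the namespace is covered")
    if "Egress" not in (spec.get("policyTypes") or []):
        findings.append("policyTypes must include Egress or egress is left unrestricted")
    for idx, rule in enumerate(spec.get("egress") or []):
        if not _allows_only_cluster_dns(rule):
            findings.append(f"egress[{idx}] permits traffic beyond cluster DNS")
    return findings


def validate_manifests(raw_json):
    """Map 'namespace/name' to the findings for each policy in the JSON list."""
    results = {}
    for policy in json.loads(raw_json):
        meta = policy.get("metadata") or {}
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        results[key] = check_deny_all_egress(policy)
    return results


def namespaces_without_deny_all(raw_json):
    """Namespaces seen in the manifests that have no passing deny-all policy."""
    seen, sealed = set(), set()
    for policy in json.loads(raw_json):
        ns = (policy.get("metadata") or {}).get("namespace", "default")
        seen.add(ns)
        if not check_deny_all_egress(policy):
            sealed.add(ns)
    return sorted(seen - sealed)


if __name__ == "__main__":
    for key, findings in validate_manifests(SAMPLE_MANIFESTS).items():
        print(key, "OK" if not findings else "; ".join(findings))
    unsealed = namespaces_without_deny_all(SAMPLE_MANIFESTS)
    print("namespaces without deny-all egress:", unsealed or "none")
    raise SystemExit(1 if unsealed else 0)
```

Wired into CI, the non-zero exit on any unsealed namespace is what makes the "verification script passes/fails as expected" exit criterion testable; it complements, but does not replace, the runtime egress test with iptables and mock DNS described in DEVOPS-AIRGAP-57-002.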

## Policy Engine v2

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|

2025-10-27: `.gitea/workflows/build-test-deploy.yml` publishes the policy-schema-exports artefact under `artifacts/policy-schemas/<commit>/` and posts Slack diffs via POLICY_ENGINE_SCHEMA_WEBHOOK; diff stored as policy-schema-diff.patch.

## Graph Explorer v1

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|

## Orchestrator Dashboard

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| DEVOPS-ORCH-32-001 | TODO | DevOps Guild, Orchestrator Service Guild | ORCH-SVC-32-001 | Provision orchestrator Postgres/message-bus infrastructure, add CI smoke deploy, seed Grafana dashboards (queue depth, inflight jobs), and document bootstrap. | Helm/Compose profiles committed; CI smoke deploy runs; dashboards live with metrics; runbook updated. |
| DEVOPS-ORCH-33-001 | TODO | DevOps Guild, Observability Guild | DEVOPS-ORCH-32-001, ORCH-SVC-33-001..003 | Publish Grafana dashboards/alerts for rate limiter, backpressure, error clustering, and DLQ depth; integrate with on-call rotations. | Dashboards and alerts configured; synthetic tests validate thresholds; on-call playbook updated. |
| DEVOPS-ORCH-34-001 | TODO | DevOps Guild, Orchestrator Service Guild | DEVOPS-ORCH-33-001, ORCH-SVC-34-001..003 | Harden production monitoring (synthetic probes, burn-rate alerts, replay smoke), document incident response, and prep GA readiness checklist. | Synthetic probes created; burn-rate alerts firing on test scenario; GA checklist approved; runbook linked. |
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| DEVOPS-LNM-22-001 | BLOCKED (2025-10-27) | DevOps Guild, Concelier Guild | CONCELIER-LNM-21-102 | Run migration/backfill pipelines for advisory observations/linksets in staging, validate counts/conflicts, and automate deployment steps. | Awaiting storage backfill tooling. |
| DEVOPS-LNM-22-002 | BLOCKED (2025-10-27) | DevOps Guild, Excititor Guild | EXCITITOR-LNM-21-102 | Execute VEX observation/linkset backfill with monitoring; ensure NATS/Redis events integrated; document ops runbook. | Blocked until Excititor storage migration lands. |
| DEVOPS-LNM-22-003 | TODO | DevOps Guild, Observability Guild | CONCELIER-LNM-21-005, EXCITITOR-LNM-21-005 | Add CI/monitoring coverage for new metrics (advisory_observations_total, linksets_total, etc.) and alerts on ingest-to-API SLA breaches. | Metrics scraped into Grafana; alert thresholds set; CI job verifies metric emission. |

## Graph & Vuln Explorer v1

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| DEVOPS-GRAPH-24-001 | TODO | DevOps Guild, SBOM Service Guild | SBOM-GRAPH-24-002 | Load test graph index/adjacency APIs with 40k-node assets; capture perf dashboards and alert thresholds. | Perf suite added; dashboards live; alerts configured. |
| DEVOPS-GRAPH-24-002 | TODO | DevOps Guild, UI Guild | UI-GRAPH-24-001..005 | Integrate synthetic UI perf runs (Playwright/WebGL metrics) for Graph/Vuln explorers; fail builds on regression. | CI job runs UI perf tests; baseline stored; documentation updated. |
| DEVOPS-GRAPH-24-003 | TODO | DevOps Guild | WEB-GRAPH-24-002 | Implement smoke job for simulation endpoints ensuring we stay within SLA (<3s upgrade) and log results. | Smoke job in CI; alerts when SLA breached; runbook documented. |
| DEVOPS-POLICY-27-001 | TODO | DevOps Guild, DevEx/CLI Guild | CLI-POLICY-27-001, REGISTRY-API-27-001 | Add CI pipeline stages to run `stella policy lint compile | |
| DEVOPS-POLICY-27-002 | TODO | DevOps Guild, Policy Registry Guild | REGISTRY-API-27-005, SCHED-WORKER-27-301 | Provide optional batch simulation CI job (staging inventory) that triggers Registry run, polls results, and posts markdown summary to PR; enforce drift thresholds. | Job configurable via label, summary comment generated, drift threshold gates merges, runbook documented. |
| DEVOPS-POLICY-27-003 | TODO | DevOps Guild, Security Guild | AUTH-POLICY-27-002, REGISTRY-API-27-007 | Manage signing key material for policy publish pipeline (OIDC workload identity + cosign), rotate keys, and document verification steps; integrate attestation verification stage. | Keys stored in secure vault, rotation procedure documented, CI verifies attestations, audit logs recorded. |
| DEVOPS-POLICY-27-004 | TODO | DevOps Guild, Observability Guild | WEB-POLICY-27-005, TELEMETRY-CONSOLE-27-001 | Create dashboards/alerts for policy compile latency, simulation queue depth, approval latency, and promotion outcomes; integrate with on-call playbooks. | Grafana dashboards live, alerts tuned, runbooks updated, observability tests verify metric ingestion. |

Remark (2025-10-20): Repacked Mongo2Go local feed to require MongoDB.Driver 3.5.0 + SharpCompress 0.41.0; cache regression tests green and NU1902/NU1903 suppressed. Remark (2025-10-21): Compose/Helm profiles now surface SCANNER__EVENTS__* toggles with docs pointing at new .env placeholders.

## Reachability v1

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| DEVOPS-SIG-26-001 | TODO | DevOps Guild, Signals Guild | SIGNALS-24-001 | Provision CI/CD pipelines, Helm/Compose manifests for Signals service, including artifact storage and Redis dependencies. | Pipelines ship Signals service; deployment docs updated; smoke tests green. |
| DEVOPS-SIG-26-002 | TODO | DevOps Guild, Observability Guild | SIGNALS-24-004 | Create dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. | Dashboards live; alert thresholds configured; documentation updated. |
| DEVOPS-VULN-29-001 | TODO | DevOps Guild, Findings Ledger Guild | LEDGER-29-002..009 | Provision CI jobs for ledger projector (replay, determinism), set up backups, monitor Merkle anchoring, and automate verification. | CI job verifies hash chains; backups documented; alerts for anchoring failures configured. |
| DEVOPS-VULN-29-002 | TODO | DevOps Guild, Vuln Explorer API Guild | VULN-API-29-002..009 | Configure load/perf tests (5M findings/tenant), query budget enforcement, API SLO dashboards, and alerts for vuln_list_latency and projection_lag. | Perf suite integrated; dashboards live; alerts firing; runbooks updated. |
| DEVOPS-VULN-29-003 | TODO | DevOps Guild, Console Guild | WEB-VULN-29-004, CONSOLE-VULN-29-007 | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. | Telemetry pipeline operational; PII redaction verified; docs updated with checklist. |
| DEVOPS-VEX-30-001 | TODO | DevOps Guild, VEX Lens Guild | VEXLENS-30-009, ISSUER-30-005 | Provision CI, load tests, dashboards, alerts for VEX Lens and Issuer Directory (compute latency, disputed totals, signature verification rates). | CI/perf suites running; dashboards live; alerts configured; docs updated. |
| DEVOPS-AIAI-31-001 | TODO | DevOps Guild, Advisory AI Guild | AIAI-31-006..007 | Stand up CI pipelines, inference monitoring, privacy logging review, and perf dashboards for Advisory AI (summaries/conflicts/remediation). | CI covers golden outputs, telemetry dashboards live, privacy controls reviewed, alerts configured. |

## Export Center

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| DEVOPS-EXPORT-35-001 | BLOCKED (2025-10-29) | DevOps Guild, Exporter Service Guild | EXPORT-SVC-35-001..006 | Establish exporter CI pipeline (lint/test/perf smoke), configure object storage fixtures, seed Grafana dashboards, and document bootstrap steps. | CI pipeline running; smoke export job seeded; dashboards live; runbook updated. |
| DEVOPS-EXPORT-36-001 | TODO | DevOps Guild, Exporter Service Guild | DEVOPS-EXPORT-35-001, EXPORT-SVC-36-001..004 | Integrate Trivy compatibility validation, cosign signature checks, trivy module db import smoke tests, OCI distribution verification, and throughput/error dashboards. | CI executes cosign + Trivy import validation; OCI push smoke passes; dashboards/alerts configured. |
| DEVOPS-EXPORT-37-001 | TODO | DevOps Guild, Exporter Service Guild | DEVOPS-EXPORT-36-001, EXPORT-SVC-37-001..004 | Finalize exporter monitoring (failure alerts, verify metrics, retention jobs) and chaos/latency tests ahead of GA. | Alerts tuned; chaos tests documented; retention monitoring active; runbook updated. |

## CLI Parity & Task Packs

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| DEVOPS-CLI-41-001 | TODO | DevOps Guild, DevEx/CLI Guild | CLI-CORE-41-001 | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI enforcement, and release artifact signing. | Build pipeline operational; SBOM/checksums published; parity gate failing on drift; docs updated. |
| DEVOPS-CLI-42-001 | TODO | DevOps Guild | DEVOPS-CLI-41-001, CLI-PARITY-41-001 | Add CLI golden output tests, parity diff automation, pack run CI harness, and artifact cache for remote mode. | Golden tests running; parity diff automation in CI; pack run harness executes sample packs; documentation updated. |
| DEVOPS-CLI-43-001 | DOING (2025-10-27) | DevOps Guild | DEVOPS-CLI-42-001, TASKRUN-42-001 | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, and Task Pack chaos tests. | Release automation verified; SBOM signed; parity gate enforced; chaos tests documented. |
| DEVOPS-CLI-43-002 | TODO | DevOps Guild, Task Runner Guild | CLI-PACKS-43-001, TASKRUN-43-001 | Implement Task Pack chaos smoke in CI (random failure injection, resume, sealed-mode toggle) and publish evidence bundles for review. | Chaos smoke job runs nightly; failures alert Slack; evidence stored in out/pack-chaos; runbook updated. |
| DEVOPS-CLI-43-003 | TODO | DevOps Guild, DevEx/CLI Guild | CLI-PARITY-41-001, CLI-PACKS-42-001 | Integrate CLI golden output/parity diff automation into release gating; export parity report artifact consumed by Console Downloads workspace. | check_cli_parity.py wired to compare parity matrix and CLI outputs; artifact uploaded; release fails on regressions. |

Notes:

- DEVOPS-CLI-43-001 (2025-10-27): Release pipeline now packages CLI multi-platform artefacts with SBOM/signature coverage and enforces the CLI parity gate (ops/devops/check_cli_parity.py). Task Pack chaos smoke still pending CLI pack command delivery.

## Containerized Distribution (Epic 13)

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| DEVOPS-CONTAINERS-44-001 | TODO | DevOps Guild | DOCKER-44-001..003 | Automate multi-arch image builds with buildx, SBOM generation, cosign signing, and signature verification in CI. | Pipeline builds amd64/arm64; SBOMs pushed as referrers; cosign verify job passes. |
| DEVOPS-CONTAINERS-45-001 | TODO | DevOps Guild | HELM-45-001 | Add Compose and Helm smoke tests (fresh VM + kind cluster) to CI; publish test artifacts and logs. | CI jobs running; failures block releases; documentation updated. |
| DEVOPS-CONTAINERS-46-001 | TODO | DevOps Guild | DEPLOY-PACKS-43-001 | Build air-gap bundle generator (src/Tools/make-airgap-bundle.sh), produce signed bundle, and verify in CI using private registry. | Bundle artifact produced with signatures/checksums; verification job passes; instructions documented. |

## Container Images (Epic 13)

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| DOCKER-44-001 | TODO | DevOps Guild, Service Owners | DEVOPS-CLI-41-001 | Author multi-stage Dockerfiles for all core services (API, Console, Orchestrator, Task Runner, Concelier, Excititor, Policy, Notify, Export, AI) with non-root users, read-only file systems, and health scripts. | Dockerfiles committed; images build successfully; container security scans clean; health endpoints reachable. |
| DOCKER-44-002 | TODO | DevOps Guild | DOCKER-44-001 | Generate SBOMs and cosign attestations for each image and integrate verification into CI. | SBOMs attached as OCI artifacts; cosign signatures published; CI verifies signatures prior to release. |
| DOCKER-44-003 | TODO | DevOps Guild | DOCKER-44-001 | Implement /health/liveness, /health/readiness, /version, /metrics, and ensure capability endpoint returns merge=false for Concelier/Excititor. | Endpoints available across services; automated tests confirm responses; documentation updated with imposed rule reminder. |

## Authority-Backed Scopes & Tenancy (Epic 14)

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| DEVOPS-TEN-47-001 | TODO | DevOps Guild | AUTH-TEN-47-001 | Add JWKS cache monitoring, signature verification regression tests, and token expiration chaos tests to CI. | CI verifies tokens using cached keys; chaos test for expired keys passes; documentation updated. |
| DEVOPS-TEN-48-001 | TODO | DevOps Guild | WEB-TEN-48-001 | Build integration tests to assert RLS enforcement, tenant-prefixed object storage, and audit event emission; set up lint to prevent raw SQL bypass. | Tests fail on cross-tenant access; lint enforced; dashboards capture audit events. |
| DEVOPS-TEN-49-001 | TODO | DevOps Guild | AUTH-TEN-49-001 | Deploy audit pipeline, scope usage metrics, JWKS outage chaos tests, and tenant load/perf benchmarks. | Audit pipeline live; metrics dashboards updated; chaos tests documented; perf benchmarks recorded. |

## SDKs & OpenAPI (Epic 17)

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| DEVOPS-OAS-61-001 | TODO | DevOps Guild, API Contracts Guild | OAS-61-002 | Add CI stages for OpenAPI linting, validation, and compatibility diff; enforce gating on PRs. | Pipeline active; merge blocked on failures; documentation updated. |
| DEVOPS-OAS-61-002 | TODO | DevOps Guild, Contract Testing Guild | CONTR-62-002 | Integrate mock server + contract test suite into PR and nightly workflows; publish artifacts. | Tests run in CI; artifacts stored; failures alert. |
| DEVOPS-SDK-63-001 | TODO | DevOps Guild, SDK Release Guild | SDKREL-63-001 | Provision registry credentials, signing keys, and secure storage for SDK publishing pipelines. | Keys stored/rotated; publish pipeline authenticated; audit logs recorded. |
| DEVOPS-DEVPORT-63-001 | TODO | DevOps Guild, Developer Portal Guild | DEVPORT-62-001 | Automate developer portal build pipeline with caching, link & accessibility checks, performance budgets. | Pipeline enforced; reports archived; failures gate merges. |
| DEVOPS-DEVPORT-64-001 | TODO | DevOps Guild, DevPortal Offline Guild | DVOFF-64-001 | Schedule `devportal --offline` nightly builds with checksum validation and artifact retention policies. | Nightly job running; checksums published; retention policy documented. |

## Attestor Console (Epic 19)

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|---|---|---|---|---|---|
| DEVOPS-ATTEST-73-001 | TODO | DevOps Guild, Attestor Service Guild | ATTESTOR-72-002 | Provision CI pipelines for attestor service (lint/test/security scan, seed data) and manage secrets for KMS drivers. | CI pipeline running; secrets stored securely; docs updated. |
| DEVOPS-ATTEST-73-002 | TODO | DevOps Guild, KMS Guild | KMS-72-001 | Establish secure storage for signing keys (vault integration, rotation schedule) and audit logging. | Key storage configured; rotation documented; audit logs verified. |
| DEVOPS-ATTEST-74-001 | TODO | DevOps Guild, Transparency Guild | TRANSP-74-001 | Deploy transparency log witness infrastructure and monitoring. | Witness service deployed; dashboards/alerts live. |
| DEVOPS-ATTEST-74-002 | TODO | DevOps Guild, Export Attestation Guild | EXPORT-ATTEST-74-001 | Integrate attestation bundle builds into release/offline pipelines with checksum verification. | Bundle job in CI; checksum verification passes; docs updated. |
| DEVOPS-ATTEST-75-001 | TODO | DevOps Guild, Observability Guild | ATTEST-VERIFY-74-001 | Add dashboards/alerts for signing latency, verification failures, key rotation events. | Dashboards live; alerts configured. |