Sprint 506 - Ops & Offline · 190.B) Ops Devops.IV
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Ops & Offline] 190.B) Ops Devops.IV
Depends on: Sprint 190.B - Ops Devops.III
Summary: Ops & Offline focus on Ops Devops (phase IV).
| Task ID | State | Task description | Owners (Source) |
|---|---|---|---|
| DEVOPS-OBS-55-001 | DONE (2025-11-25) | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. Dependencies: DEVOPS-OBS-54-001. | DevOps Guild, Ops Guild (ops/devops) |
| DEVOPS-ORCH-32-001 | DONE (2025-11-25) | Provision orchestrator Postgres/message-bus infrastructure, add CI smoke deploy, seed Grafana dashboards (queue depth, inflight jobs), and document bootstrap. | DevOps Guild, Orchestrator Service Guild (ops/devops) |
| DEVOPS-ORCH-33-001 | DONE (2025-11-25) | Publish Grafana dashboards/alerts for rate limiter, backpressure, error clustering, and DLQ depth; integrate with on-call rotations. Dependencies: DEVOPS-ORCH-32-001. | DevOps Guild, Observability Guild (ops/devops) |
| DEVOPS-ORCH-34-001 | DONE (2025-11-25) | Harden production monitoring (synthetic probes, burn-rate alerts, replay smoke), document incident response, and prep GA readiness checklist. Dependencies: DEVOPS-ORCH-33-001. | DevOps Guild, Orchestrator Service Guild (ops/devops) |
| DEVOPS-POLICY-27-001 | DONE (2025-11-25) | Add CI pipeline stages to run `stella policy lint` | DevOps Guild, DevEx/CLI Guild (ops/devops) |
| DEVOPS-POLICY-27-002 | DONE (2025-11-25) | Provide optional batch simulation CI job (staging inventory) that triggers Registry run, polls results, and posts markdown summary to PR; enforce drift thresholds. Dependencies: DEVOPS-POLICY-27-001. | DevOps Guild, Policy Registry Guild (ops/devops) |
| DEVOPS-POLICY-27-003 | DONE (2025-11-25) | Manage signing key material for policy publish pipeline (OIDC workload identity + cosign), rotate keys, and document verification steps; integrate attestation verification stage. Dependencies: DEVOPS-POLICY-27-002. | DevOps Guild, Security Guild (ops/devops) |
| DEVOPS-POLICY-27-004 | DONE (2025-11-25) | Create dashboards/alerts for policy compile latency, simulation queue depth, approval latency, and promotion outcomes; integrate with on-call playbooks. Dependencies: DEVOPS-POLICY-27-003. | DevOps Guild, Observability Guild (ops/devops) |
| DEVOPS-REL-17-004 | DONE (2025-11-23) | Release workflow now uploads out/release/debug (build-id tree + manifest) as a separate artefact and fails when symbols are missing. | DevOps Guild (ops/devops) |
| DEVOPS-RULES-33-001 | DONE (2025-11-25) | Contracts & Rules anchor: • Gateway proxies only; Policy Engine composes overlays/simulations. • AOC ingestion cannot merge; only lossless canonicalization. • One graph platform: Graph Indexer + Graph API. Cartographer retired. | DevOps Guild, Platform Leads (ops/devops) |
| DEVOPS-SDK-63-001 | DONE (2025-11-25) | Provision registry credentials, signing keys, and secure storage for SDK publishing pipelines. | DevOps Guild, SDK Release Guild (ops/devops) |
| DEVOPS-SIG-26-001 | DONE (2025-11-25) | Provision CI/CD pipelines, Helm/Compose manifests for Signals service, including artifact storage and Redis dependencies. | DevOps Guild, Signals Guild (ops/devops) |
| DEVOPS-SIG-26-002 | DONE (2025-11-25) | Create dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. Dependencies: DEVOPS-SIG-26-001. | DevOps Guild, Observability Guild (ops/devops) |
| DEVOPS-TEN-47-001 | BLOCKED (2025-11-25) | Add JWKS cache monitoring, signature verification regression tests, and token expiration chaos tests to CI. | DevOps Guild (ops/devops) |
| DEVOPS-TEN-48-001 | BLOCKED (2025-11-25) | Build integration tests to assert RLS enforcement, tenant-prefixed object storage, and audit event emission; set up lint to prevent raw SQL bypass. Dependencies: DEVOPS-TEN-47-001. | DevOps Guild (ops/devops) |
| DEVOPS-CI-110-001 | DONE (2025-11-25) | CI helper + TRX slices published at ops/devops/ci-110-runner/ (artefacts: ops/devops/artifacts/ci-110/20251125T030557Z/). Warm restore, OpenSSL 1.1 check, Concelier health + Excititor airgap import smoke. | DevOps Guild, Concelier Guild, Excititor Guild (ops/devops) |
| MIRROR-CRT-56-CI-001 | DONE (2025-11-25) | Promote make-thin-v1.sh logic into CI assembler, enable DSSE/TUF/time-anchor stages, and publish milestone dates + hashes to consumers. Uses MIRROR_SIGN_KEY_B64 from Gitea secrets. | Mirror Creator Guild, DevOps Guild (ops/devops) |
| MIRROR-CRT-56-002 | DONE (2025-11-25) | Release signing for thin bundle v1; install secret MIRROR_SIGN_KEY_B64 (Ed25519 PEM, provided 2025-11-24) and rerun .gitea/workflows/mirror-sign.yml with REQUIRE_PROD_SIGNING=1. | Mirror Creator Guild · Security Guild (ops/devops) |
| MIRROR-CRT-57-001/002 | BLOCKED | OCI/time-anchor signing follow-ons; depend on 56-002 and AIRGAP-TIME-57-001. | Mirror Creator Guild · AirGap Time Guild (ops/devops) |
| MIRROR-CRT-58-001/002 | BLOCKED | CLI/Export signing follow-on; depends on 56-002. | Mirror Creator · CLI · Exporter Guilds (ops/devops) |
| EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | BLOCKED | Export/airgap provenance chain; needs signed thin bundle + time anchors. | Exporter Guild · AirGap Time · CLI Guild (ops/devops) |
| DEVOPS-LEDGER-29-009-REL | BLOCKED (2025-11-25) | Release/offline-kit packaging for ledger manifests/backups; depends on LEDGER-29-009 dev outputs. | DevOps Guild, Findings Ledger Guild (ops/devops) |
| DEVOPS-LEDGER-TEN-48-001-REL | BLOCKED (2025-11-25) | Apply RLS/partition migrations in release pipelines; publish manifests/offline-kit artefacts. | DevOps Guild, Findings Ledger Guild (ops/devops) |
| DEVOPS-SCANNER-JAVA-21-011-REL | BLOCKED (2025-11-25) | Package/sign Java analyzer plug-in for release/offline kits; depends on SCANNER-ANALYZERS-JAVA-21-011 dev. | DevOps Guild, Java Analyzer Guild (ops/devops) |
Updates
- 2025-11-25 · DEVOPS-CI-110-001 runner published at `ops/devops/ci-110-runner/`; initial TRX slices stored under `ops/devops/artifacts/ci-110/20251125T030557Z/` (Concelier health, Excititor airgap import).
- 2025-11-25 · MIRROR-CRT-56-CI-001 completed: CI signing script now emits milestone hash summary, enforces DSSE/TUF/time-anchor steps, and uploads `milestone.json` via `mirror-sign.yml`.
- 2025-11-25 · DEVOPS-OBS-55-001 completed: added offline incident-mode automation script (`scripts/observability/incident-mode.sh`) and runbook (`ops/devops/observability/incident-mode.md`) to auto-toggle incident flag, retention overrides, and cooldown reset based on burn rate inputs.
- 2025-11-25 · DEVOPS-ORCH-32-001 completed: added orchestrator infra compose stack (Postgres+Mongo+NATS), smoke script (`scripts/orchestrator/smoke.sh`), alerts, Grafana dashboard, and bootstrap README under `ops/devops/orchestrator/`.
- 2025-11-25 · DEVOPS-ORCH-33-001 completed: expanded orchestrator Grafana with DLQ/backpressure/error panels and alerts (`ops/devops/orchestrator/alerts.yaml`); dashboard lives at `ops/devops/orchestrator/grafana/orchestrator-overview.json`.
- 2025-11-25 · DEVOPS-POLICY-27-003 completed: cosign key rotation/signing/attestation scripts added (`scripts/policy/rotate-key.sh`, `sign-policy.sh`, `attest-verify.sh`), CI attestation verification stage wired into `.gitea/workflows/policy-simulate.yml`, and runbook recorded at `ops/devops/policy-signing.md`.
- 2025-11-25 · DEVOPS-POLICY-27-004 completed: added policy pipeline alerts (`ops/devops/observability/policy-alerts.yaml`), Grafana dashboard (`ops/devops/observability/grafana/policy-pipeline.json`), and on-call playbook (`ops/devops/observability/policy-playbook.md`) covering compile, simulation, approval, and promotion signals.
- 2025-11-25 · DEVOPS-ORCH-34-001 completed: added synthetic infra probe (`scripts/orchestrator/probe.sh`), replay smoke wrapper (`scripts/orchestrator/replay-smoke.sh`), burn-rate alert for failures in `ops/devops/orchestrator/alerts.yaml`, updated README, and incident/GA readiness playbook (`ops/devops/orchestrator/incident-response.md`).
- 2025-11-25 · DEVOPS-POLICY-27-001 completed: added `policy-lint` workflow (`.gitea/workflows/policy-lint.yml`) running `stella policy lint` on sample DSLs, caching nugets, and publishing lint artifacts; simulate entrypoint smoke included.
- 2025-11-25 · DEVOPS-POLICY-27-002 completed: added batch simulation harness (`scripts/policy/batch-simulate.sh`), sample SBOM fixture, and CI workflow (`.gitea/workflows/policy-simulate.yml`) enforcing violation threshold and uploading summaries.
- 2025-11-25 · MIRROR-CRT-56-002 completed: mirror-sign workflow now enforces prod signing (rc2 SDK), prerequisite check, signing + verification steps for thin bundle v1 using `MIRROR_SIGN_KEY_B64` with `REQUIRE_PROD_SIGNING=1`.
- 2025-11-25 · DEVOPS-SDK-63-001 completed: added SDK signing/publishing toolchain (`scripts/sdk/*`), secrets guidance (`ops/devops/sdk/README.md`), NuGet signing/publish workflow (`.gitea/workflows/sdk-publish.yml`), and sample config for offline/local feeds.
- 2025-11-25 · DEVOPS-TEN-47-001 marked BLOCKED: JWKS cache/chaos testing requires runnable Authority instance and tenant fixture; upstream Authority/tenancy harness not present in repo.
- 2025-11-25 · DEVOPS-TEN-48-001 marked BLOCKED: RLS/object-store/audit integration tests depend on TEN-47 harness and tenant-aware data plane not available in this sprint scope.
- 2025-11-25 · DEVOPS-LEDGER-29-009-REL marked BLOCKED: release packaging awaits LEDGER-29-009 dev outputs and manifests not present in repo.
- 2025-11-25 · DEVOPS-LEDGER-TEN-48-001-REL marked BLOCKED: RLS migrations/artefacts depend on ledger tenant partition work not yet delivered.
- 2025-11-25 · DEVOPS-SCANNER-JAVA-21-011-REL marked BLOCKED: Java analyzer plugin artefacts from SCANNER-ANALYZERS-JAVA-21-011 dev are not available to package.
- 2025-11-25 · DEVOPS-RULES-33-001 completed: codified rules anchor in `ops/devops/rules/contracts-anchor.md` and closed review.
- 2025-11-25 · Work paused: host cannot allocate PTY (`No space left on device`); further CI/script execution blocked until disk/pty space is freed.
- 2025-11-25 · Added disk cleanup helper `scripts/devops/cleanup-workspace.sh` (safe defaults, optional bin/obj) to unblock low-space runners; use `DRY_RUN=1` to preview.
- 2025-11-25 · Documented space recovery steps in `ops/devops/README-space.md` (cleanup script, docker prune, nuget cache clear, artefact dirs).
- 2025-11-25 · DEVOPS-SIG-26-001 completed: added Signals Dockerfile/compose stack (`ops/devops/signals/`), Helm values (`helm/signals/values-signals.yaml`), CI workflow (`.gitea/workflows/signals-ci.yml`), and image export helper (`scripts/signals/build.sh`) with Mongo/Redis dependencies and artifact volume.
- 2025-11-25 · DEVOPS-SIG-26-002 completed: added Signals observability pack: alerts (`ops/devops/observability/signals-alerts.yaml`), Grafana dashboard (`ops/devops/observability/grafana/signals-pipeline.json`), and playbook (`ops/devops/observability/signals-playbook.md`) for scoring latency, cache hit rate, ingestion failures, and sensor staleness.