stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
96d52884e86650452c9c998d343469ea00fafdce
git.stella-ops.org/docs/ops/launch-readiness.md
master 96d52884e8
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools 
- Implemented PolicyDslValidator with command-line options for strict mode and JSON output.
- Created PolicySchemaExporter to generate JSON schemas for policy-related models.
- Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes.
- Added project files and necessary dependencies for each tool.
- Ensured proper error handling and usage instructions across tools.
2025-10-27 08:00:11 +02:00

6.8 KiB
Raw Blame History

Launch Readiness Record - Stella Ops

Updated: 2025-10-26 (UTC)

This document captures production launch sign-offs, deployment readiness checkpoints, and any open risks that must be tracked before GA cutover.

1. Sign-off Summary

Module / Service Guild / Point of Contact Evidence (Task or Runbook) Status Timestamp (UTC) Notes
Authority (Issuer) Authority Core Guild AUTH-AOC-19-001 - scope issuance & configuration complete (DONE 2025-10-26) READY 2025-10-26T14:05Z Tenant scope propagation follow-up (AUTH-AOC-19-002) tracked in gaps section.
Signer Signer Guild SIGNER-API-11-101 / SIGNER-REF-11-102 / SIGNER-QUOTA-11-103 (DONE 2025-10-21) READY 2025-10-26T14:07Z DSSE signing, referrer verification, and quota enforcement validated in CI.
Attestor Attestor Guild ATTESTOR-API-11-201 / ATTESTOR-VERIFY-11-202 / ATTESTOR-OBS-11-203 (DONE 2025-10-19) READY 2025-10-26T14:10Z Rekor submission/verification pipeline green; telemetry pack published.
Scanner Web + Worker Scanner WebService Guild SCANNER-WEB-09-10x, SCANNER-RUNTIME-12-30x (DONE 2025-10-18 -> 2025-10-24) READY* 2025-10-26T14:20Z Orchestrator envelope work (SCANNER-EVENTS-16-301/302) still open; see gaps.
Concelier Core & Connectors Concelier Core / Ops Guild Ops runbook sign-off in docs/ops/concelier-conflict-resolution.md (2025-10-16) READY 2025-10-26T14:25Z Conflict resolution & connector coverage accepted; Mongo schema hardening pending (see gaps).
Excititor API Excititor Core Guild Wave 0 connector ingest sign-offs (EXECPLAN.Section Wave 0) READY 2025-10-26T14:28Z VEX linkset publishing complete for launch datasets.
Notify Web (legacy) Notify Guild Existing stack carried forward; Notifier program tracked separately (Sprint 38-40) PENDING 2025-10-26T14:32Z Legacy notify web remains operational; migration to Notifier blocked on SCANNER-EVENTS-16-301.
Web UI UI Guild Stable build registry.stella-ops.org/.../web-ui@sha256:10d9248... deployed in stage and smoke-tested READY 2025-10-26T14:35Z Policy editor GA items (Sprint 20) outside launch scope.
DevOps / Release DevOps Guild deploy/tools/validate-profiles.sh run (2025-10-26) covering dev/stage/prod/airgap/mirror READY 2025-10-26T15:02Z Compose/Helm lint + docker compose config validated; see Section 2 for details.
Offline Kit Offline Kit Guild DEVOPS-OFFLINE-18-004 (Go analyzer) and DEVOPS-OFFLINE-18-005 (Python analyzer) complete; debug-store mirror pending (DEVOPS-OFFLINE-17-004). PENDING 2025-10-26T15:05Z Awaiting release debug artefacts to finalise DEVOPS-OFFLINE-17-004; tracked in Section 3.

* READY with caveat - remaining work noted in Section 3.

2. Deployment Readiness Checklist

  • Production profiles committed: deploy/compose/docker-compose.prod.yaml and deploy/helm/stellaops/values-prod.yaml added with front-door network hand-off and secret references for Mongo/MinIO/core services.
  • Secrets placeholders documented: deploy/compose/env/prod.env.example enumerates required credentials (MONGO_INITDB_ROOT_PASSWORD, MINIO_ROOT_PASSWORD, Redis/NATS endpoints, FRONTDOOR_NETWORK). Helm values reference Kubernetes secrets (stellaops-prod-core, stellaops-prod-mongo, stellaops-prod-minio, stellaops-prod-notify).
  • Static validation executed: deploy/tools/validate-profiles.sh run on 2025-10-26 (docker compose config + helm lint/template) with all profiles passing.
  • Ingress model defined: Production compose profile introduces external frontdoor network; README updated with creation instructions and scope of externally reachable services.
  • Observability hooks: Authority/Signer/Attestor telemetry packs verified; scanner runtime build-id metrics landed (SCANNER-RUNTIME-17-401). Grafana dashboards referenced in component runbooks.
  • Rollback assets: Stage Compose profile remains aligned (docker-compose.stage.yaml), enabling rehearsals before prod cutover; release manifests (deploy/releases/2025.09-stable.yaml) map digests for reproducible rollback.
  • Rehearsal status: 2025-10-26 validation dry-run executed (deploy/tools/validate-profiles.sh across dev/stage/prod/airgap/mirror). Full stage Helm rollout pending access to the managed staging cluster; target to complete once credentials are provisioned.

3. Outstanding Gaps & Follow-ups

Item Owner Tracking Ref Target / Next Step Impact
Tenant scope propagation and audit coverage Authority Core Guild AUTH-AOC-19-002 (DOING 2025-10-26) Land enforcement + audit fixtures by Sprint 19 freeze Medium - required for multi-tenant GA but does not block initial cutover if tenants scoped manually.
Orchestrator event envelopes + Notifier handshake Scanner WebService Guild SCANNER-EVENTS-16-301 (BLOCKED), SCANNER-EVENTS-16-302 (DOING) Coordinate with Gateway/Notifier owners on preview package replacement or binding redirects; rerun dotnet test once patch lands and refresh schema docs. Share envelope samples in docs/events/ after tests pass. High — gating Notifier migration; legacy notify path remains functional meanwhile.
Offline Kit Python analyzer bundle Offline Kit Guild + Scanner Guild DEVOPS-OFFLINE-18-005 (DONE 2025-10-26) Monitor for follow-up manifest updates and rerun smoke script when analyzers change. Medium - ensures language analyzer coverage stays current for offline installs.
Offline Kit debug store mirror Offline Kit Guild + DevOps Guild DEVOPS-OFFLINE-17-004 (BLOCKED 2025-10-26) Release pipeline must publish out/release/debug artefacts; once available, run mirror_debug_store.py and commit metadata/debug-store.json. Low - symbol lookup remains accessible from staging assets but required before next Offline Kit tag.
Mongo schema validators for advisory ingestion Concelier Storage Guild CONCELIER-STORE-AOC-19-001 (TODO) Finalize JSON schema + migration toggles; coordinate with Ops for rollout window Low - current validation handled in app layer; schema guard adds defense-in-depth.
Authority plugin telemetry alignment Security Guild SEC2.PLG, SEC3.PLG, SEC5.PLG (BLOCKED pending AUTH DPoP/MTLS tasks) Resume once upstream auth surfacing stabilises Low - plugin remains optional; launch uses default Authority configuration.

4. Approvals & Distribution

  • Record shared in #launch-readiness (Mattermost) 2025-10-26 15:15 UTC with DevOps + Guild leads for acknowledgement.
  • Updates to this document require dual sign-off from DevOps Guild (owner) and impacted module guild lead; retain change log via Git history.
  • Cutover rehearsal and rollback drills are tracked separately in docs/ops/launch-cutover.md (see associated Task DEVOPS-LAUNCH-18-001). *** End Patch