stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
d92973d6fdeb259a3a8c5a67b0b6e95aaca8633f
git.stella-ops.org/docs/implplan/SPRINT_506_ops_devops_iv.md
StellaOps Bot d92973d6fd
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
sprints update
2025-11-25 07:49:24 +02:00

6.4 KiB
Raw Blame History

Sprint 506 - Ops & Offline · 190.B) Ops Devops.IV

Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).

[Ops & Offline] 190.B) Ops Devops.IV Depends on: Sprint 190.B - Ops Devops.III Summary: Ops & Offline focus on Ops Devops (phase IV).

Task ID State Task description Owners (Source)
DEVOPS-OBS-55-001 DONE (2025-11-25) Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. Dependencies: DEVOPS-OBS-54-001. DevOps Guild, Ops Guild (ops/devops)
DEVOPS-ORCH-32-001 DOING (2025-11-25) Provision orchestrator Postgres/message-bus infrastructure, add CI smoke deploy, seed Grafana dashboards (queue depth, inflight jobs), and document bootstrap. DevOps Guild, Orchestrator Service Guild (ops/devops)
DEVOPS-ORCH-33-001 TODO Publish Grafana dashboards/alerts for rate limiter, backpressure, error clustering, and DLQ depth; integrate with on-call rotations. Dependencies: DEVOPS-ORCH-32-001. DevOps Guild, Observability Guild (ops/devops)
DEVOPS-ORCH-34-001 TODO Harden production monitoring (synthetic probes, burn-rate alerts, replay smoke), document incident response, and prep GA readiness checklist. Dependencies: DEVOPS-ORCH-33-001. DevOps Guild, Orchestrator Service Guild (ops/devops)
DEVOPS-POLICY-27-001 TODO Add CI pipeline stages to run `stella policy lint DevOps Guild, DevEx/CLI Guild (ops/devops)
DEVOPS-POLICY-27-002 TODO Provide optional batch simulation CI job (staging inventory) that triggers Registry run, polls results, and posts markdown summary to PR; enforce drift thresholds. Dependencies: DEVOPS-POLICY-27-001. DevOps Guild, Policy Registry Guild (ops/devops)
DEVOPS-POLICY-27-003 TODO Manage signing key material for policy publish pipeline (OIDC workload identity + cosign), rotate keys, and document verification steps; integrate attestation verification stage. Dependencies: DEVOPS-POLICY-27-002. DevOps Guild, Security Guild (ops/devops)
DEVOPS-POLICY-27-004 TODO Create dashboards/alerts for policy compile latency, simulation queue depth, approval latency, and promotion outcomes; integrate with on-call playbooks. Dependencies: DEVOPS-POLICY-27-003. DevOps Guild, Observability Guild (ops/devops)
DEVOPS-REL-17-004 DONE (2025-11-23) Release workflow now uploads out/release/debug (build-id tree + manifest) as a separate artefact and fails when symbols are missing. DevOps Guild (ops/devops)
DEVOPS-RULES-33-001 REVIEW (2025-10-30) Contracts & Rules anchor:
• Gateway proxies only; Policy Engine composes overlays/simulations.
• AOC ingestion cannot merge; only lossless canonicalization.
• One graph platform: Graph Indexer + Graph API. Cartographer retired.		 DevOps Guild, Platform Leads (ops/devops)
DEVOPS-SDK-63-001 TODO Provision registry credentials, signing keys, and secure storage for SDK publishing pipelines. DevOps Guild, SDK Release Guild (ops/devops)
DEVOPS-SIG-26-001 TODO Provision CI/CD pipelines, Helm/Compose manifests for Signals service, including artifact storage and Redis dependencies. DevOps Guild, Signals Guild (ops/devops)
DEVOPS-SIG-26-002 TODO Create dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. Dependencies: DEVOPS-SIG-26-001. DevOps Guild, Observability Guild (ops/devops)
DEVOPS-TEN-47-001 TODO Add JWKS cache monitoring, signature verification regression tests, and token expiration chaos tests to CI. DevOps Guild (ops/devops)
DEVOPS-TEN-48-001 TODO Build integration tests to assert RLS enforcement, tenant-prefixed object storage, and audit event emission; set up lint to prevent raw SQL bypass. Dependencies: DEVOPS-TEN-47-001. DevOps Guild (ops/devops)
DEVOPS-CI-110-001 DONE (2025-11-25) CI helper + TRX slices published at ops/devops/ci-110-runner/ (artefacts: ops/devops/artifacts/ci-110/20251125T030557Z/). Warm restore, OpenSSL 1.1 check, Concelier health + Excititor airgap import smoke. DevOps Guild, Concelier Guild, Excititor Guild (ops/devops)
MIRROR-CRT-56-CI-001 DONE (2025-11-25) Promote make-thin-v1.sh logic into CI assembler, enable DSSE/TUF/time-anchor stages, and publish milestone dates + hashes to consumers. Uses MIRROR_SIGN_KEY_B64 from Gitea secrets. Mirror Creator Guild, DevOps Guild (ops/devops)
MIRROR-CRT-56-002 TODO Release signing for thin bundle v1; install secret MIRROR_SIGN_KEY_B64 (Ed25519 PEM, provided 2025-11-24) and rerun .gitea/workflows/mirror-sign.yml with REQUIRE_PROD_SIGNING=1. Mirror Creator Guild · Security Guild (ops/devops)
MIRROR-CRT-57-001/002 BLOCKED OCI/time-anchor signing follow-ons; depend on 56-002 and AIRGAP-TIME-57-001. Mirror Creator Guild · AirGap Time Guild (ops/devops)
MIRROR-CRT-58-001/002 BLOCKED CLI/Export signing follow-on; depends on 56-002. Mirror Creator · CLI · Exporter Guilds (ops/devops)
EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 BLOCKED Export/airgap provenance chain; needs signed thin bundle + time anchors. Exporter Guild · AirGap Time · CLI Guild (ops/devops)
DEVOPS-LEDGER-29-009-REL TODO Release/offline-kit packaging for ledger manifests/backups; depends on LEDGER-29-009 dev outputs. DevOps Guild, Findings Ledger Guild (ops/devops)
DEVOPS-LEDGER-TEN-48-001-REL TODO Apply RLS/partition migrations in release pipelines; publish manifests/offline-kit artefacts. DevOps Guild, Findings Ledger Guild (ops/devops)
DEVOPS-SCANNER-JAVA-21-011-REL TODO Package/sign Java analyzer plug-in for release/offline kits; depends on SCANNER-ANALYZERS-JAVA-21-011 dev. DevOps Guild, Java Analyzer Guild (ops/devops)

Updates

  • 2025-11-25 · DEVOPS-CI-110-001 runner published at ops/devops/ci-110-runner/; initial TRX slices stored under ops/devops/artifacts/ci-110/20251125T030557Z/ (Concelier health, Excititor airgap import).
  • 2025-11-25 · MIRROR-CRT-56-CI-001 completed: CI signing script now emits milestone hash summary, enforces DSSE/TUF/time-anchor steps, and uploads milestone.json via mirror-sign.yml.
  • 2025-11-25 · DEVOPS-OBS-55-001 completed: added offline incident-mode automation script (scripts/observability/incident-mode.sh) and runbook (ops/devops/observability/incident-mode.md) to auto-toggle incident flag, retention overrides, and cooldown reset based on burn rate inputs.