Launch Readiness Record - Stella Ops
Updated: 2025-10-26 (UTC)
This document captures production launch sign-offs, deployment readiness checkpoints, and any open risks that must be tracked before GA cutover.
1. Sign-off Summary
| Module / Service | Guild / Point of Contact | Evidence (Task or Runbook) | Status | Timestamp (UTC) | Notes |
|---|---|---|---|---|---|
| Authority (Issuer) | Authority Core Guild | AUTH-AOC-19-001 - scope issuance & configuration complete (DONE 2025-10-26) | READY | 2025-10-26T14:05Z | Tenant scope propagation follow-up (AUTH-AOC-19-002) tracked in gaps section. |
| Signer | Signer Guild | SIGNER-API-11-101 / SIGNER-REF-11-102 / SIGNER-QUOTA-11-103 (DONE 2025-10-21) | READY | 2025-10-26T14:07Z | DSSE signing, referrer verification, and quota enforcement validated in CI. |
| Attestor | Attestor Guild | ATTESTOR-API-11-201 / ATTESTOR-VERIFY-11-202 / ATTESTOR-OBS-11-203 (DONE 2025-10-19) | READY | 2025-10-26T14:10Z | Rekor submission/verification pipeline green; telemetry pack published. |
| Scanner Web + Worker | Scanner WebService Guild | SCANNER-WEB-09-10x, SCANNER-RUNTIME-12-30x (DONE 2025-10-18 -> 2025-10-24) | READY* | 2025-10-26T14:20Z | Orchestrator envelope work (SCANNER-EVENTS-16-301/302) still open; see gaps. |
| Concelier Core & Connectors | Concelier Core / Ops Guild | Ops runbook sign-off in docs/modules/concelier/operations/conflict-resolution.md (2025-10-16) | READY | 2025-10-26T14:25Z | Conflict resolution & connector coverage accepted; Mongo schema hardening pending (see gaps). |
| Excititor API | Excititor Core Guild | Wave 0 connector ingest sign-offs (Sprint backlog reference) | READY | 2025-10-26T14:28Z | VEX linkset publishing complete for launch datasets. |
| Notify Web (legacy) | Notify Guild | Existing stack carried forward; Notifier program tracked separately (Sprint 38-40) | PENDING | 2025-10-26T14:32Z | Legacy notify web remains operational; migration to Notifier blocked on SCANNER-EVENTS-16-301. |
| Web UI | UI Guild | Stable build registry.stella-ops.org/.../web-ui@sha256:10d9248... deployed in stage and smoke-tested | READY | 2025-10-26T14:35Z | Policy editor GA items (Sprint 20) outside launch scope. |
| DevOps / Release | DevOps Guild | deploy/tools/validate-profiles.sh run (2025-10-26) covering dev/stage/prod/airgap/mirror | READY | 2025-10-26T15:02Z | Compose/Helm lint + docker compose config validated; see Section 2 for details. |
| Offline Kit | Offline Kit Guild | DEVOPS-OFFLINE-18-004 (Go analyzer) and DEVOPS-OFFLINE-18-005 (Python analyzer) complete; debug-store mirror pending (DEVOPS-OFFLINE-17-004). | PENDING | 2025-11-23T15:05Z | Release workflow now ships out/release/debug; run mirror_debug_store.py on next release artefact and commit metadata/debug-store.json. |
* READY with caveat - remaining work noted in Section 3.
2. Deployment Readiness Checklist
- Production profiles committed:
deploy/compose/docker-compose.prod.yamlanddeploy/helm/stellaops/values-prod.yamladded with front-door network hand-off and secret references for Mongo/MinIO/core services. - Secrets placeholders documented:
deploy/compose/env/prod.env.exampleenumerates required credentials (MONGO_INITDB_ROOT_PASSWORD,MINIO_ROOT_PASSWORD, Redis/NATS endpoints,FRONTDOOR_NETWORK). Helm values reference Kubernetes secrets (stellaops-prod-core,stellaops-prod-mongo,stellaops-prod-minio,stellaops-prod-notify). - Static validation executed:
deploy/tools/validate-profiles.shrun on 2025-10-26 (docker compose config + helm lint/template) with all profiles passing. - Ingress model defined: Production compose profile introduces external
frontdoornetwork; README updated with creation instructions and scope of externally reachable services. - Observability hooks: Authority/Signer/Attestor telemetry packs verified; scanner runtime build-id metrics landed (
SCANNER-RUNTIME-17-401). Grafana dashboards referenced in component runbooks. - Rollback assets: Stage Compose profile remains aligned (
docker-compose.stage.yaml), enabling rehearsals before prod cutover; release manifests (deploy/releases/2025.09-stable.yaml) map digests for reproducible rollback. - Rehearsal status: 2025-10-26 validation dry-run executed (
deploy/tools/validate-profiles.shacross dev/stage/prod/airgap/mirror). Full stage Helm rollout pending access to the managed staging cluster; target to complete once credentials are provisioned.
3. Outstanding Gaps & Follow-ups
| Item | Owner | Tracking Ref | Target / Next Step | Impact |
|---|---|---|---|---|
| Tenant scope propagation and audit coverage | Authority Core Guild | AUTH-AOC-19-002 (DOING 2025-10-26) | Land enforcement + audit fixtures by Sprint 19 freeze | Medium - required for multi-tenant GA but does not block initial cutover if tenants scoped manually. |
| Orchestrator event envelopes + Notifier handshake | Scanner WebService Guild | SCANNER-EVENTS-16-301 (BLOCKED), SCANNER-EVENTS-16-302 (DOING) | Coordinate with Gateway/Notifier owners on preview package replacement or binding redirects; rerun dotnet test once patch lands and refresh schema docs. Share envelope samples in docs/events/ after tests pass. | High — gating Notifier migration; legacy notify path remains functional meanwhile. |
| Offline Kit Python analyzer bundle | Offline Kit Guild + Scanner Guild | DEVOPS-OFFLINE-18-005 (DONE 2025-10-26) | Monitor for follow-up manifest updates and rerun smoke script when analyzers change. | Medium - ensures language analyzer coverage stays current for offline installs. |
| Offline Kit debug store mirror | Offline Kit Guild + DevOps Guild | DEVOPS-OFFLINE-17-004 (TODO 2025-11-23) | Release pipeline now publishes out/release/debug; run mirror_debug_store.py, verify hashes, and commit metadata/debug-store.json. | Low - symbol lookup remains accessible from staging assets but required before next Offline Kit tag. |
| Mongo schema validators for advisory ingestion | Concelier Storage Guild | CONCELIER-STORE-AOC-19-001 (TODO) | Finalize JSON schema + migration toggles; coordinate with Ops for rollout window | Low - current validation handled in app layer; schema guard adds defense-in-depth. |
| Authority plugin telemetry alignment | Security Guild | SEC2.PLG, SEC3.PLG, SEC5.PLG (BLOCKED pending AUTH DPoP/MTLS tasks) | Resume once upstream auth surfacing stabilises | Low - plugin remains optional; launch uses default Authority configuration. |
4. Approvals & Distribution
- Record shared in
#launch-readiness(Mattermost) 2025-10-26 15:15 UTC with DevOps + Guild leads for acknowledgement. - Updates to this document require dual sign-off from DevOps Guild (owner) and impacted module guild lead; retain change log via Git history.
- Cutover rehearsal and rollback drills are tracked separately in
docs/modules/devops/runbooks/launch-cutover.md(see associated TaskDEVOPS-LAUNCH-18-001). *** End Patch