Production Baseline runbook
The production baseline is the minimum platform posture needed before public or customer-impacting production use. It separates required MVP controls from deferred infrastructure complexity.
Required Control Areas
| Area | Required posture |
|---|---|
| Edge | Public ingress/API gateway, WAF, TLS, websocket routing policy |
| Secrets and identity | Runtime secret manager, service identity, certificate lifecycle |
| Observability | Structured logs, metrics, traces, SLO alerts, correlation IDs |
| Data resilience | Postgres backup/restore drills and config recovery |
| Network security | Default-deny east/west policy and explicit allow-list flows |
| Runtime security | Image scanning/signing, secret rotation, break-glass controls |
| Terminal operations | Websocket affinity, stream drain on shutdown, terminal gateway health |
| Release readiness | Evidence bundles, UAT automation, security checks, rollback readiness |
Related deep dives: Terminal Session Security and Node Lifecycle.
Operator Workstreams
Launch Gate
Public launch is blocked unless required controls are implemented and validated in staging. Deferred components such as full service mesh are revisited only when current controls cannot satisfy policy, compliance, or traffic needs.