tasks: - id: PLATFORM-FOUNDATION-OWNERSHIP title: Establish platform foundation ownership boundaries kind: epic role: orchestrator profile: platform-foundation owning_domain: platform-foundation owning_layer: architecture source_paths: - doc/architecture/platform-foundation/README.md - doc/architecture/platform-foundation/Platform_Foundation_Orchestrator_Work_Plan_v1.md - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md target_paths: - doc/architecture/platform-foundation/ownership-maps/ - doc/architecture/platform-foundation/Platform_Foundation_Boundary_Guards_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md review_domains: - architecture - governance risk_level: high migration_type: platform-foundation-epic acceptance_checks: - Ownership maps are complete enough to feed report-only guards. - No facade or package move starts before maps and guard visibility exist. - id: PF-PHASE-A-ARCH-FOUNDATION title: Phase A - Architecture foundation kind: epic role: architecture profile: platform-foundation parent_id: PLATFORM-FOUNDATION-OWNERSHIP owning_domain: platform-foundation owning_layer: architecture source_paths: - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md - doc/architecture/platform-foundation/Platform_Foundation_Orchestrator_Work_Plan_v1.md target_paths: - doc/architecture/platform-foundation/ownership-maps/ - scripts/ci/platform_foundation_boundary_report.sh review_domains: - architecture - governance risk_level: high migration_type: phase-epic depends_on: - PLATFORM-FOUNDATION-OWNERSHIP acceptance_checks: - Ownership maps exist for packages, routes, schema, events, frontend surfaces, and workers. - Report-only guard output exists before broad implementation starts. - id: PF-PHASE-B-EVIDENCE-STATUS title: Phase B - Evidence/status first slice kind: epic role: backend profile: platform-foundation parent_id: PLATFORM-FOUNDATION-OWNERSHIP owning_domain: platform-foundation owning_layer: evidence-status source_paths: - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Frontend_Contract_v1.md target_paths: - packages/platform/evidence - packages/platform/statusops - cmd/api/routes_platform_evidence.go - cmd/api/routes_platform_statusops.go - packages/web/app/platform/evidence - packages/web/app/platform/status review_domains: - backend - frontend - ops - architecture risk_level: high migration_type: phase-epic depends_on: - PF-PHASE-A-ARCH-FOUNDATION acceptance_checks: - Platform evidence/status packages, route modules, contracts, inputs, and internal surface are present. - UAT/release evidence can prove named product invariants instead of only command completion. - id: PF-PHASE-C-IAM-REGISTRY title: Phase C - IAM and registry foundation kind: epic role: backend profile: platform-foundation parent_id: PLATFORM-FOUNDATION-OWNERSHIP owning_domain: platform-foundation owning_layer: iam-registry source_paths: - doc/architecture/platform-foundation/Platform_Registry_Contract_v1.md - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md target_paths: - packages/platform/iam - packages/platform/registry - doc/architecture/platform-foundation/registry/platform-registry.seed.yaml review_domains: - backend - architecture - security - governance risk_level: high migration_type: phase-epic depends_on: - PF-PHASE-B-EVIDENCE-STATUS acceptance_checks: - IAM facade and seed-backed registry facade exist with platform-owned types. - Products can register shared-service metadata without hardcoding it in product packages. - id: PF-PHASE-D-PRODUCT-ALIGNMENT title: Phase D - Product package alignment kind: epic role: backend profile: platform-foundation parent_id: PLATFORM-FOUNDATION-OWNERSHIP owning_domain: platform-foundation owning_layer: product-packages source_paths: - packages/services/inventory - packages/services/provisioning - packages/services/terminal - packages/services/appruntime - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md target_paths: - packages/products/gpuaas - packages/products/appplatform review_domains: - backend - architecture - frontend - ops risk_level: high migration_type: phase-epic depends_on: - PF-PHASE-C-IAM-REGISTRY acceptance_checks: - GPUaaS and App Platform product-owned logic move behind product facades. - Temporary adapters have explicit callers, tests, and removal conditions. - id: PF-PHASE-E-DEPLOYMENT-READINESS title: Phase E - Deployment extraction readiness kind: epic role: ops profile: platform-foundation parent_id: PLATFORM-FOUNDATION-OWNERSHIP owning_domain: platform-foundation owning_layer: deployment source_paths: - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md - doc/operations - scripts/ci target_paths: - doc/architecture/platform-foundation/ - cmd - scripts/ci review_domains: - ops - architecture - security - backend risk_level: high migration_type: phase-epic depends_on: - PF-PHASE-D-PRODUCT-ALIGNMENT acceptance_checks: - Service-auth, degradation, worker split, and extraction-candidate criteria are defined before physical service extraction. - No service is extracted without a clear operational reason. - id: PF-SERVICE-AUTH-PATTERN-001 title: Define service-auth pattern for extraction candidates kind: architecture-map role: security profile: platform-foundation parent_id: PF-PHASE-E-DEPLOYMENT-READINESS owning_domain: platform-foundation owning_layer: deployment source_paths: - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md - doc/architecture/platform-foundation/Platform_Shared_Services_Model_v2.md target_paths: - doc/architecture/platform-foundation/Platform_Deployment_Extraction_Readiness_v1.md review_domains: - security - architecture - ops risk_level: high migration_type: deployment-readiness depends_on: - PF-PHASE-D-PRODUCT-ALIGNMENT acceptance_checks: - Product-to-platform service identity, credential delivery, token validation, scopes, audit, rotation, and failure mode are defined before extraction. - id: PF-DEGRADATION-CONTRACTS-001 title: Define per-service degradation contracts for extraction candidates kind: architecture-map role: architecture profile: platform-foundation parent_id: PF-PHASE-E-DEPLOYMENT-READINESS owning_domain: platform-foundation owning_layer: deployment source_paths: - doc/architecture/platform-foundation/Platform_Shared_Services_Model_v2.md - doc/architecture/platform-foundation/Platform_Architecture_Gap_Register_v1.md target_paths: - doc/architecture/platform-foundation/Platform_Deployment_Extraction_Readiness_v1.md review_domains: - architecture - ops - security risk_level: high migration_type: deployment-readiness depends_on: - PF-PHASE-D-PRODUCT-ALIGNMENT acceptance_checks: - IAM, evidence/status, registry/artifacts, billing/payments, notification, secrets/PKI, and policy/entitlements degradation behavior is stated with observable evidence. - id: PF-WORKER-SPLIT-CRITERIA-001 title: Define worker split criteria before deployment separation kind: architecture-map role: ops profile: platform-foundation parent_id: PF-PHASE-E-DEPLOYMENT-READINESS owning_domain: platform-foundation owning_layer: deployment source_paths: - doc/architecture/platform-foundation/ownership-maps/worker-binary-ownership.md - cmd target_paths: - doc/architecture/platform-foundation/Platform_Deployment_Extraction_Readiness_v1.md review_domains: - ops - backend - architecture risk_level: high migration_type: deployment-readiness depends_on: - PF-PHASE-D-PRODUCT-ALIGNMENT acceptance_checks: - Worker split candidates are tied to runtime ownership, credentials, queue, retry profile, SLO, or blast-radius triggers rather than source layout alone. - id: PF-EXTRACTION-CANDIDATE-GATE-001 title: Define extraction candidate gate and first candidate recommendation kind: architecture-map role: architecture profile: platform-foundation parent_id: PF-PHASE-E-DEPLOYMENT-READINESS owning_domain: platform-foundation owning_layer: deployment source_paths: - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - doc/architecture/platform-foundation/ownership-maps target_paths: - doc/architecture/platform-foundation/Platform_Deployment_Extraction_Readiness_v1.md review_domains: - architecture - ops - backend risk_level: high migration_type: deployment-readiness depends_on: - PF-PHASE-D-PRODUCT-ALIGNMENT acceptance_checks: - Extraction gate requires owner, consumer, contract, service-auth, degradation, data, event, operations, SLO, and migration answers. - First extraction candidate recommendation is explicit and tied to operational reason. - id: PF-DEPLOYMENT-READINESS-GUARD-001 title: Add CI guard for deployment extraction readiness structure kind: boundary-guard role: governance profile: platform-foundation parent_id: PF-PHASE-E-DEPLOYMENT-READINESS owning_domain: platform-foundation owning_layer: deployment source_paths: - doc/architecture/platform-foundation/Platform_Deployment_Extraction_Readiness_v1.md target_paths: - scripts/ci/platform_foundation_deployment_readiness.sh - scripts/ci/ci_script_smoke.sh review_domains: - governance - ops - architecture risk_level: medium migration_type: deployment-readiness depends_on: - PF-SERVICE-AUTH-PATTERN-001 - PF-DEGRADATION-CONTRACTS-001 - PF-WORKER-SPLIT-CRITERIA-001 - PF-EXTRACTION-CANDIDATE-GATE-001 acceptance_checks: - CI script validates required deployment-readiness sections and is covered by the CI script smoke suite. - id: PSSM-DEPLOYMENT-LEARNINGS-EPIC title: Track platform-control deployment learnings and guard follow-ups kind: epic role: ops profile: platform-foundation parent_id: PF-PHASE-E-DEPLOYMENT-READINESS owning_domain: release-engineering owning_layer: deployment source_paths: - .fairway/artifacts/platform-control-deploy-2256-lessons.md - doc/operations/Platform_Control_CI_CD_Target_Model_v1.md - doc/governance/Platform_Control_Release_Promotion_Policy.md - scripts/ci target_paths: - .fairway/platform-foundation-implementation-track.yaml - .fairway/artifacts/platform-control-deploy-2256-lessons.md - scripts/ci - doc/operations review_domains: - ops - architecture - governance - backend - frontend risk_level: high migration_type: deployment-learning-followup depends_on: - PF-PHASE-D-PRODUCT-ALIGNMENT acceptance_checks: - Platform-control deployment fixes are represented as Fairway history, not only git commits. - Follow-up guard tasks exist for schema drift, fast preflight, deploy observability, retry classification, frontend e2e health, and local remote-validation reproduction. - Future long-running CI/CD failures produce actionable Fairway-visible tasks before reviewer escalation. - id: PSSM-DEPLOY-INDEX-NAMESPACE-001 title: Repair platform access index namespace collision kind: release-evidence role: ops profile: platform-foundation parent_id: PSSM-DEPLOYMENT-LEARNINGS-EPIC owning_domain: release-engineering owning_layer: deployment source_paths: - doc/architecture/db_schema_v1.sql - scripts/ci/platform_control_deploy.sh - cmd/api/routes_integration_test.go - .fairway/artifacts/platform-control-deploy-2256-lessons.md target_paths: - doc/architecture/db_schema_v1.sql - scripts/ci/platform_control_deploy.sh - cmd/api/routes_integration_test.go review_domains: - ops - architecture - backend risk_level: high migration_type: schema-drift-repair depends_on: - PSSM-DEPLOYMENT-LEARNINGS-EPIC acceptance_checks: - Platform access index names are owner-qualified so legacy table indexes cannot cause `CREATE INDEX IF NOT EXISTS` to skip platform-table indexes. - Platform-control deploy can bootstrap tenant/project memberships after platform IAM migration. - Pipeline 2256 passed with the repaired schema/index posture. - id: PSSM-DEPLOY-POSIX-FK-001 title: Repair platform POSIX identity foreign key after IAM table migration kind: release-evidence role: ops profile: platform-foundation parent_id: PSSM-DEPLOYMENT-LEARNINGS-EPIC owning_domain: release-engineering owning_layer: deployment source_paths: - doc/architecture/db_schema_v1.sql - packages/platform/auth/legacyimpl/service.go - scripts/ops/role_authz_smoke.sh - .fairway/artifacts/platform-control-deploy-2256-lessons.md target_paths: - doc/architecture/db_schema_v1.sql - cmd/api/routes_integration_test.go review_domains: - ops - architecture - backend - security risk_level: high migration_type: schema-drift-repair depends_on: - PSSM-DEPLOYMENT-LEARNINGS-EPIC acceptance_checks: - "`platform_iam_user_posix_identities.user_id` references `platform_iam_users`, not legacy `users`." - Deploy repair deletes orphan platform POSIX rows before adding the repaired foreign key. - Role authorization smoke and pipeline 2256 remote validation passed after the repair. - id: PSSM-CI-SCHEMA-DRIFT-GUARD-001 title: Add schema drift guard for migrated platform-owned tables kind: boundary-guard role: ops profile: platform-foundation parent_id: PSSM-DEPLOYMENT-LEARNINGS-EPIC owning_domain: release-engineering owning_layer: ci-cd source_paths: - doc/architecture/db_schema_v1.sql - scripts/ci - .fairway/artifacts/platform-control-deploy-2256-lessons.md target_paths: - scripts/ci/platform_control_schema_drift_guard.sh - doc/operations review_domains: - ops - architecture - governance risk_level: high migration_type: schema-drift-guard depends_on: - PSSM-DEPLOY-INDEX-NAMESPACE-001 - PSSM-DEPLOY-POSIX-FK-001 acceptance_checks: - Guard fails when migrated platform-owned tables retain foreign keys to retired legacy owner tables. - Guard fails when platform-owned table indexes use legacy names that can collide during idempotent deploy. - Guard can run locally and in CI before full publish/deploy. - id: PSSM-CI-FAST-PREFLIGHT-001 title: Add fast platform-control deploy preflight before full publish kind: boundary-guard role: ops profile: platform-foundation parent_id: PSSM-DEPLOYMENT-LEARNINGS-EPIC owning_domain: release-engineering owning_layer: ci-cd source_paths: - scripts/ci - scripts/ops/role_authz_smoke.sh - .fairway/artifacts/platform-control-deploy-2256-lessons.md target_paths: - scripts/ci - doc/operations review_domains: - ops - governance - architecture risk_level: high migration_type: deploy-preflight depends_on: - PSSM-CI-SCHEMA-DRIFT-GUARD-001 acceptance_checks: - Preflight validates schema drift, role authz smoke prerequisites, and controller/bootstrap assumptions before expensive image publish. - Preflight output is short enough to classify failures without waiting for the full 30-40 minute CI/CD cycle. - Preflight can run against kind and dev without touching demo. - id: PSSM-DEPLOY-OBS-BOOTSTRAP-001 title: Improve bootstrap failure logging for release validation kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-DEPLOYMENT-LEARNINGS-EPIC owning_domain: platform-iam owning_layer: backend source_paths: - cmd/api - packages/platform/auth - .fairway/artifacts/platform-control-deploy-2256-lessons.md target_paths: - cmd/api - packages/platform/auth - doc/governance review_domains: - backend - ops - security risk_level: medium migration_type: deploy-observability depends_on: - PSSM-DEPLOY-POSIX-FK-001 acceptance_checks: - User-facing bootstrap failures remain canonical error responses with correlation IDs. - Server logs include the underlying bootstrap/authz failure reason without exposing secrets or PII. - Regression coverage exercises at least one bootstrap failure path. - id: PSSM-CI-RETRY-CLASSIFICATION-001 title: Classify retryable runner and cache failures in platform-control CI kind: release-evidence role: ops profile: platform-foundation parent_id: PSSM-DEPLOYMENT-LEARNINGS-EPIC owning_domain: release-engineering owning_layer: ci-cd source_paths: - .gitlab-ci.yml - scripts/ci - .fairway/artifacts/platform-control-deploy-2256-lessons.md target_paths: - .gitlab-ci.yml - scripts/ci - doc/operations review_domains: - ops - governance risk_level: medium migration_type: ci-signal-classification depends_on: - PSSM-DEPLOYMENT-LEARNINGS-EPIC acceptance_checks: - Docker builder/cache-miss failures are classified as retryable infrastructure failures when appropriate. - CI status packets distinguish retryable runner/cache noise from code, contract, schema, and deploy failures. - Retry classification does not mask deterministic product or migration failures. - id: PSSM-FRONTEND-E2E-HEALTH-001 title: Add cheap v3 shell health check before full Playwright matrix kind: frontend-contract role: frontend profile: platform-foundation parent_id: PSSM-DEPLOYMENT-LEARNINGS-EPIC owning_domain: frontend-platform owning_layer: frontend source_paths: - packages/web/e2e - scripts/ci - .fairway/artifacts/platform-control-deploy-2256-lessons.md target_paths: - packages/web/e2e - scripts/ci - doc/operations review_domains: - frontend - ops - governance risk_level: medium migration_type: frontend-e2e-health depends_on: - PSSM-DEPLOYMENT-LEARNINGS-EPIC acceptance_checks: - CI runs a cheap v3 shell readiness probe before launching the full Playwright matrix. - Broken setup fails early with a small diagnostic artifact instead of consuming the full frontend e2e window. - The health probe does not replace contract or user-journey coverage. - id: PSSM-REMOTE-VALIDATION-LOCAL-001 title: Make remote validation phases runnable locally against dev kind: release-evidence role: ops profile: platform-foundation parent_id: PSSM-DEPLOYMENT-LEARNINGS-EPIC owning_domain: release-engineering owning_layer: ci-cd source_paths: - scripts/ci/platform_control_remote_validation.sh - scripts/ops/role_authz_smoke.sh - doc/operations - .fairway/artifacts/platform-control-deploy-2256-lessons.md target_paths: - scripts/ci - scripts/ops - doc/operations review_domains: - ops - security - governance risk_level: medium migration_type: local-remote-validation depends_on: - PSSM-CI-FAST-PREFLIGHT-001 acceptance_checks: - Role-authz, controller bootstrap, schema drift, and release evidence checks can run locally against dev with one documented command. - Local reproduction uses kind and dev as approved targets and leaves demo untouched. - Missing local secrets or CA/key material fail with actionable setup guidance. - id: PF-PHASE-F-GUARD-GRADUATION title: Phase F - Guard graduation kind: epic role: governance profile: platform-foundation parent_id: PLATFORM-FOUNDATION-OWNERSHIP owning_domain: platform-foundation owning_layer: governance source_paths: - scripts/ci/platform_foundation_boundary_report.sh - doc/architecture/platform-foundation/Platform_Foundation_Guard_Graduation_Plan_v1.md target_paths: - scripts/ci - doc/architecture/platform-foundation/ review_domains: - governance - architecture - backend - ops risk_level: high migration_type: phase-epic depends_on: - PF-PHASE-C-IAM-REGISTRY acceptance_checks: - Report-only guards graduate to warning and then blocking for new unapproved violations. - Legacy debt remains allowed only with named owners and removal tasks. - id: PF-GUARD-ALLOWED-DEBT-001 title: Add allowed-debt inventory for platform foundation guards kind: boundary-guard role: governance profile: platform-foundation parent_id: PF-PHASE-F-GUARD-GRADUATION owning_domain: platform-foundation owning_layer: governance source_paths: - scripts/ci/platform_foundation_boundary_report.sh - doc/architecture/platform-foundation/Platform_Foundation_Guard_Graduation_Plan_v1.md target_paths: - doc/architecture/platform-foundation/guard-allowed-debt.tsv - scripts/ci/platform_foundation_boundary_report.sh review_domains: - governance - architecture - ops risk_level: high migration_type: guard-graduation depends_on: - PF-PHASE-E-DEPLOYMENT-READINESS acceptance_checks: - Existing route, schema, event, and worker topology findings are classified as named allowed debt with owner, task, expiry, and reason. - id: PF-GUARD-WARNING-MODE-001 title: Implement warning mode for platform foundation boundary guards kind: boundary-guard role: governance profile: platform-foundation parent_id: PF-PHASE-F-GUARD-GRADUATION owning_domain: platform-foundation owning_layer: governance source_paths: - scripts/ci/platform_foundation_boundary_report.sh target_paths: - scripts/ci/platform_foundation_boundary_report.sh review_domains: - governance - architecture risk_level: medium migration_type: guard-graduation depends_on: - PF-GUARD-ALLOWED-DEBT-001 acceptance_checks: - Warning mode writes guard artifacts, summarizes unapproved high/critical findings, and exits 0. - id: PF-GUARD-BLOCKING-NEW-001 title: Implement blocking-new mode for platform foundation boundary guards kind: boundary-guard role: governance profile: platform-foundation parent_id: PF-PHASE-F-GUARD-GRADUATION owning_domain: platform-foundation owning_layer: governance source_paths: - scripts/ci/platform_foundation_boundary_report.sh - doc/architecture/platform-foundation/guard-allowed-debt.tsv target_paths: - scripts/ci/platform_foundation_boundary_report.sh review_domains: - governance - architecture - backend - ops risk_level: high migration_type: guard-graduation depends_on: - PF-GUARD-WARNING-MODE-001 acceptance_checks: - Blocking-new mode fails on unapproved high/critical findings and allows only named legacy debt. - id: PF-GUARD-GRADUATION-SMOKE-001 title: Cover guard graduation modes in CI script smoke kind: boundary-guard role: governance profile: platform-foundation parent_id: PF-PHASE-F-GUARD-GRADUATION owning_domain: platform-foundation owning_layer: governance source_paths: - scripts/ci/platform_foundation_boundary_report.sh target_paths: - scripts/ci/ci_script_smoke.sh review_domains: - governance - ops risk_level: medium migration_type: guard-graduation depends_on: - PF-GUARD-BLOCKING-NEW-001 acceptance_checks: - CI script smoke runs report-only, warning, and blocking-new guard modes. - id: PSS-OPERATIONALIZATION title: Operationalize the Platform Shared Services Model kind: epic role: orchestrator profile: platform-foundation parent_id: PLATFORM-FOUNDATION-OWNERSHIP owning_domain: platform-foundation owning_layer: shared-services source_paths: - doc/architecture/platform-foundation/Platform_Shared_Services_Model_v2.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md - doc/architecture/platform-foundation/App_SDK_Readiness_Matrix_v1.md target_paths: - packages/platform - packages/products - cmd/api/routes_platform_evidence.go - cmd/api/routes_platform_statusops.go - scripts/ci - packages/web/src/components/v3/v3-platform-pages.tsx review_domains: - architecture - backend - frontend - ops - governance - security risk_level: high migration_type: pss-operationalization depends_on: - PF-PHASE-F-GUARD-GRADUATION acceptance_checks: - Shared-service boundaries are visible in contracts, routes, DB schema, code packages, CI evidence, and operator surfaces. - Evidence/status can prove release and UAT invariants without direct SQL or ad hoc artifact interpretation. - App SDK, registry/artifacts, IAM, policy, and secrets/PKI have executable follow-up tasks before broad service extraction. - id: PSS-TASK-FIRST-TRACKING-001 title: Require Fairway task before platform foundation changes kind: boundary-guard role: governance profile: platform-foundation parent_id: PSS-OPERATIONALIZATION owning_domain: platform-foundation owning_layer: governance source_paths: - .fairway/platform-foundation-implementation-track.yaml - scripts/ci/platform_foundation_boundary_report.sh target_paths: - .fairway/platform-foundation-implementation-track.yaml - .fairway/artifacts review_domains: - governance - architecture risk_level: medium migration_type: task-tracking-discipline acceptance_checks: - Every future platform-foundation code/doc change is tied to an explicit Fairway task before edits start. - Dashboard shows active/in-progress task state before implementation begins. - id: PLATFORM-WORKER-FACADE-CUTOVER-001 title: Complete worker and gateway facade cutover kind: facade role: backend profile: platform-foundation parent_id: PSS-OPERATIONALIZATION owning_domain: platform-foundation owning_layer: product-packages source_paths: - cmd/billing-worker - cmd/provisioning-worker - cmd/app-runtime-worker - cmd/proxy-runtime-reconciler - cmd/terminal-gateway target_paths: - packages/platform - packages/products - cmd review_domains: - backend - ops - architecture risk_level: high migration_type: caller-migration depends_on: - PSS-TASK-FIRST-TRACKING-001 acceptance_checks: - Worker and gateway binaries no longer import legacy packages/services directly for migrated platform-foundation surfaces. - Focused worker/gateway package tests pass after cutover. - id: PLATFORM-FACADE-ADAPTER-SHAPE-001 title: Normalize platform facades to adapter-file shape kind: facade role: backend profile: platform-foundation parent_id: PSS-OPERATIONALIZATION owning_domain: platform-foundation owning_layer: platform-facades source_paths: - packages/platform/storage - packages/platform/adminops - packages/platform/auth - packages/platform/maas - packages/platform/releases target_paths: - packages/platform review_domains: - backend - architecture - governance risk_level: high migration_type: adapter-shape depends_on: - PSS-TASK-FIRST-TRACKING-001 acceptance_checks: - Platform packages isolate legacy service imports in adapter files. - Platform foundation import-boundary guard reports zero unapproved adapter-shape findings. - id: FRONTEND-SHARED-AUTH-GUARD-CLEANUP-001 title: Clean up frontend shared auth boundary finding kind: frontend-contract role: frontend profile: platform-foundation parent_id: PSS-OPERATIONALIZATION owning_domain: platform-foundation owning_layer: frontend source_paths: - packages/web/src/shared/auth/session/platform-access.ts target_paths: - packages/web/src/shared/auth/session/access-context.ts - packages/web/src/lib/api/session.ts - packages/web/src/components/v3/v3-platform-pages.tsx review_domains: - frontend - architecture risk_level: medium migration_type: frontend-boundary-cleanup depends_on: - PSS-TASK-FIRST-TRACKING-001 acceptance_checks: - Frontend-boundary guard reports zero hard ownership-boundary findings after shared auth rename. - Web verification passes after the import rename. - id: PLATFORM-FOUNDATION-CUTOVER-VALIDATION-001 title: Record platform foundation cutover validation and push kind: release-evidence role: governance profile: platform-foundation parent_id: PSS-OPERATIONALIZATION owning_domain: platform-foundation owning_layer: governance source_paths: - scripts/ci/platform_foundation_boundary_report.sh - scripts/ci/frontend_architecture_boundary_report.sh - Makefile target_paths: - .fairway/artifacts - doc/architecture/platform-foundation/Platform_Facade_Callsite_Migration_Map_v1.md review_domains: - governance - ops - architecture risk_level: high migration_type: validation-handoff depends_on: - PLATFORM-WORKER-FACADE-CUTOVER-001 - PLATFORM-FACADE-ADAPTER-SHAPE-001 - FRONTEND-SHARED-AUTH-GUARD-CLEANUP-001 acceptance_checks: - Cutover commit is validated locally and pushed to all configured GPUaaS remotes. - Guard reports capture remaining allowed debt separately from unapproved findings. - id: PLATFORM-FACADE-CONTRACT-MATURITY-001 title: Complete platform facade contract maturity kind: epic role: orchestrator profile: platform-foundation parent_id: PSS-OPERATIONALIZATION owning_domain: platform-foundation owning_layer: platform-facades source_paths: - packages/platform/storage - packages/platform/adminops - packages/platform/auth - packages/platform/maas - packages/platform/releases - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md target_paths: - packages/platform/storage - packages/platform/adminops - packages/platform/auth - packages/platform/maas - packages/platform/releases - scripts/ci/platform_foundation_boundary_report.sh review_domains: - architecture - backend - governance - security - ops risk_level: high migration_type: semantic-facade-maturity depends_on: - PLATFORM-FACADE-ADAPTER-SHAPE-001 acceptance_checks: - Platform facades expose platform-owned contracts, not only legacy aliases. - Facade services have backend interfaces, nil/unavailable handling, error mapping, and behavior tests. - Guard/reporting can distinguish adapter-file shape from semantic facade maturity. - id: PSSM-L1-COMPLETION title: Complete PSSM L1 structural contract kind: epic role: orchestrator profile: platform-foundation parent_id: PSS-OPERATIONALIZATION owning_domain: platform-foundation owning_layer: shared-services-model source_paths: - doc/architecture/platform-foundation - packages/platform - cmd/api - scripts/ci/platform_foundation_boundary_report.sh target_paths: - .fairway/platform-foundation-implementation-track.yaml - doc/architecture/platform-foundation - packages/platform - cmd/api - scripts/ci/platform_foundation_boundary_report.sh review_domains: - architecture - backend - governance - ops - security risk_level: high migration_type: pssm-l1-completion depends_on: - PLATFORM-FACADE-CONTRACT-MATURITY-001 acceptance_checks: - Semantic facade guard reports zero unapproved semantic-facade findings. - Registry runtime adoption is verified or converted into explicit follow-up tasks. - Route-placement guard debt is either closed through owner-visible route file names or intentionally deferred. - id: PLATFORM-STORAGE-FACADE-CONTRACT-001 title: Mature storage platform facade contract kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CONTRACT-MATURITY-001 owning_domain: platform-foundation owning_layer: storage checkin_mode: unattended source_paths: - packages/platform/storage - packages/services/storage - cmd/api - cmd/provisioning-worker target_paths: - packages/platform/storage - packages/platform/storage/service_test.go review_domains: - backend - architecture - ops risk_level: high migration_type: semantic-facade-maturity depends_on: - PLATFORM-FACADE-CONTRACT-MATURITY-001 acceptance_checks: - Storage facade exposes platform-owned types/errors for durable caller contracts. - Legacy storage service imports stay isolated behind adapter code. - Behavior tests cover nil backend, validation/error mapping, and delegation compatibility. - id: PLATFORM-ADMINOPS-FACADE-CONTRACT-001 title: Mature adminops platform facade contract kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CONTRACT-MATURITY-001 owning_domain: platform-foundation owning_layer: adminops checkin_mode: unattended source_paths: - packages/platform/adminops - packages/services/admin - cmd/api - cmd/provisioning-worker target_paths: - packages/platform/adminops - packages/platform/adminops/service_test.go review_domains: - backend - architecture - security - ops risk_level: high migration_type: semantic-facade-maturity depends_on: - PLATFORM-STORAGE-FACADE-CONTRACT-001 acceptance_checks: - Adminops facade exposes platform-owned access credential and node-agent lifecycle contracts where callers depend on them. - Legacy admin imports stay isolated behind adapter code with stable platform errors. - Behavior tests cover service construction, unavailable dependencies, lifecycle delegation, and error mapping. - id: PLATFORM-AUTH-FACADE-CONTRACT-001 title: Mature auth platform facade contract kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CONTRACT-MATURITY-001 owning_domain: platform-foundation owning_layer: auth checkin_mode: unattended source_paths: - packages/platform/auth - packages/services/auth - cmd/api target_paths: - packages/platform/auth - packages/platform/auth/service_test.go review_domains: - backend - architecture - security risk_level: high migration_type: semantic-facade-maturity depends_on: - PLATFORM-ADMINOPS-FACADE-CONTRACT-001 acceptance_checks: - Auth facade separates durable platform auth contracts from legacy auth service internals. - Identity, service-account, OIDC, and token flows have stable platform-owned request/result/error types where callers depend on them. - Behavior tests cover nil backend, validation, error mapping, and compatibility with current API callers. - id: PLATFORM-MAAS-FACADE-CONTRACT-001 title: Mature MAAS platform facade contract kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CONTRACT-MATURITY-001 owning_domain: platform-foundation owning_layer: maas checkin_mode: unattended source_paths: - packages/platform/maas - packages/services/maas - cmd/api - cmd/provisioning-worker target_paths: - packages/platform/maas - packages/platform/maas/service_test.go review_domains: - backend - architecture - ops - security risk_level: high migration_type: semantic-facade-maturity depends_on: - PLATFORM-AUTH-FACADE-CONTRACT-001 acceptance_checks: - MAAS facade exposes platform-owned site, profile, onboarding, decommission, reconciliation, and node provisioning contracts used by callers. - Legacy MAAS service imports stay isolated behind adapter code. - Behavior tests cover unavailable dependencies, workflow adapter delegation, and mapped failure modes. - id: PLATFORM-MAAS-FACADE-TYPES-001 title: Mature MAAS facade exported type contracts kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-MAAS-FACADE-CONTRACT-001 owning_domain: platform-foundation owning_layer: maas checkin_mode: unattended source_paths: - packages/platform/maas - packages/services/maas - cmd/api/routes.go - cmd/provisioning-worker/temporal.go target_paths: - packages/platform/maas - packages/platform/maas/service_test.go review_domains: - backend - architecture - ops - security risk_level: high migration_type: semantic-facade-maturity depends_on: - PLATFORM-AUTH-FACADE-CONTRACT-001 acceptance_checks: - MAAS exported structs/enums/errors are no longer public legacy aliases. - API request builders and workflow inputs use platform-owned nested MAAS types without breaking route contracts. - Adapter code owns conversion into legacy MAAS types. - id: PLATFORM-MAAS-FACADE-SERVICE-WRAPPER-001 title: Mature MAAS service wrapper methods used by API and workers kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-MAAS-FACADE-CONTRACT-001 owning_domain: platform-foundation owning_layer: maas checkin_mode: unattended source_paths: - packages/platform/maas - packages/services/maas - cmd/api - cmd/provisioning-worker target_paths: - packages/platform/maas - packages/platform/maas/service_test.go review_domains: - backend - architecture - ops - security risk_level: high migration_type: semantic-facade-maturity depends_on: - PLATFORM-MAAS-FACADE-TYPES-001 acceptance_checks: - MAAS service methods used by cmd/api and cmd/provisioning-worker return platform-owned types and map legacy errors. - Behavior tests cover nil service, mapped errors, and workflow delegation. - Focused cmd/api and provisioning-worker tests pass. - id: PLATFORM-MAAS-FACADE-CLIENTS-001 title: Mature MAAS client and provider adapter contracts kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-MAAS-FACADE-CONTRACT-001 owning_domain: platform-foundation owning_layer: maas checkin_mode: unattended source_paths: - packages/platform/maas - packages/services/maas/client.go - packages/services/provisioning/provider - packages/products/gpuaas/inventory target_paths: - packages/platform/maas - packages/products/gpuaas/inventory - packages/services/provisioning/provider review_domains: - backend - architecture - ops - security risk_level: high migration_type: semantic-facade-maturity depends_on: - PLATFORM-MAAS-FACADE-SERVICE-WRAPPER-001 acceptance_checks: - MAAS HTTP/probe/execution clients and provider callbacks cross through platform-owned contracts. - Inventory and provisioning provider adapters no longer depend on legacy MAAS type identity. - Focused provider/inventory tests pass. - id: PLATFORM-RELEASES-FACADE-CONTRACT-001 title: Mature releases platform facade contract kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CONTRACT-MATURITY-001 owning_domain: platform-foundation owning_layer: releases checkin_mode: unattended source_paths: - packages/platform/releases - packages/services/releases - cmd/api target_paths: - packages/platform/releases - packages/platform/releases/service_test.go review_domains: - backend - architecture - ops - security risk_level: high migration_type: semantic-facade-maturity depends_on: - PLATFORM-MAAS-FACADE-CONTRACT-001 acceptance_checks: - Releases facade exposes platform-owned artifact, release, download, and pull-intent contracts. - Legacy release service imports stay isolated behind adapter code. - Behavior tests cover nil backend, validation, error mapping, and API caller compatibility. - id: PLATFORM-FACADE-SEMANTIC-GUARD-001 title: Add semantic guard for alias-only platform facades kind: boundary-guard role: governance profile: platform-foundation parent_id: PLATFORM-FACADE-CONTRACT-MATURITY-001 owning_domain: platform-foundation owning_layer: governance checkin_mode: unattended source_paths: - scripts/ci/platform_foundation_boundary_report.sh - packages/platform target_paths: - scripts/ci/platform_foundation_boundary_report.sh - doc/architecture/platform-foundation/Platform_Foundation_Guard_Graduation_Plan_v1.md review_domains: - governance - architecture - backend risk_level: medium migration_type: semantic-facade-guard depends_on: - PLATFORM-RELEASES-FACADE-CONTRACT-001 acceptance_checks: - Guard reports platform packages that expose public contracts only as legacy aliases. - Guard allows adapter files to import legacy packages while requiring service/types contract files to be platform-owned. - Report distinguishes intentional temporary aliases from unapproved semantic facade debt. - id: PLATFORM-BILLING-FACADE-SEMANTIC-001 title: Mature billing platform facade semantic contract kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CONTRACT-MATURITY-001 owning_domain: platform-foundation owning_layer: billing checkin_mode: unattended source_paths: - packages/platform/billing - packages/services/billing - cmd/api target_paths: - packages/platform/billing review_domains: - backend - architecture - governance risk_level: high migration_type: semantic-facade-maturity depends_on: - PLATFORM-FACADE-SEMANTIC-GUARD-001 acceptance_checks: - Billing facade no longer exposes public Service/type/error aliases to packages/services/billing. - Legacy billing service imports remain isolated behind adapter files. - Billing facade tests cover unavailable handling, error mapping, and API caller compatibility. - id: PLATFORM-PAYMENTS-FACADE-SEMANTIC-001 title: Mature payments platform facade semantic contract kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CONTRACT-MATURITY-001 owning_domain: platform-foundation owning_layer: payments checkin_mode: unattended source_paths: - packages/platform/payments - packages/services/payments - cmd/api target_paths: - packages/platform/payments review_domains: - backend - security - architecture - governance risk_level: high migration_type: semantic-facade-maturity depends_on: - PLATFORM-FACADE-SEMANTIC-GUARD-001 acceptance_checks: - Payments facade no longer exposes public type/error aliases to packages/services/payments. - Legacy payments service imports remain isolated behind adapter files. - Payments facade tests cover provider selection, unavailable handling, and API caller compatibility. - id: PLATFORM-POLICY-FACADE-SEMANTIC-001 title: Mature policy platform facade semantic contract kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CONTRACT-MATURITY-001 owning_domain: platform-foundation owning_layer: policy checkin_mode: unattended source_paths: - packages/platform/policy - packages/shared/policy - scripts/seed.sql target_paths: - packages/platform/policy review_domains: - backend - architecture - governance risk_level: medium migration_type: semantic-facade-maturity depends_on: - PLATFORM-FACADE-SEMANTIC-GUARD-001 acceptance_checks: - Policy facade no longer exposes public aliases to packages/shared/policy. - Shared policy imports remain isolated behind adapter files. - Policy facade tests cover option compatibility, unavailable handling, and platform-owned read contracts. - id: PLATFORM-NOTIFICATION-FACADE-SEMANTIC-001 title: Mature notification platform facade semantic contract kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CONTRACT-MATURITY-001 owning_domain: platform-foundation owning_layer: notification checkin_mode: unattended source_paths: - packages/platform/notification - packages/services/notification - packages/shared/events target_paths: - packages/platform/notification review_domains: - backend - architecture - governance risk_level: medium migration_type: semantic-facade-maturity depends_on: - PLATFORM-FACADE-SEMANTIC-GUARD-001 acceptance_checks: - Notification facade no longer exposes public aliases to packages/services/notification. - Legacy notification imports remain isolated behind adapter files. - Notification facade tests cover channel contract conversion and relay compatibility. - id: PSS-RUNTIME-USAGE-UNIT-001 title: Verify usage-unit registry is load-bearing in billing writes kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L1-COMPLETION owning_domain: platform-foundation owning_layer: billing checkin_mode: unattended source_paths: - packages/platform/registry - packages/platform/billing - packages/services/billing - doc/architecture/db_schema_v1.sql target_paths: - doc/architecture/platform-foundation - packages/platform/billing review_domains: - backend - architecture - governance risk_level: medium migration_type: registry-runtime-verification depends_on: - PLATFORM-BILLING-FACADE-SEMANTIC-001 acceptance_checks: - Billing write paths either validate usage_unit_id through the platform registry or record a concrete runtime-adoption gap. - Verification evidence identifies the exact write path, registry lookup point, and fallback behavior. - Any missing runtime usage is captured as follow-up work rather than left as an implicit architecture assumption. - id: PSS-RUNTIME-AUDIT-ACTION-001 title: Verify audit-action registry is load-bearing in privileged writes kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L1-COMPLETION owning_domain: platform-foundation owning_layer: audit checkin_mode: unattended source_paths: - packages/platform/audit - packages/platform/registry - cmd/api - doc/architecture/db_schema_v1.sql target_paths: - doc/architecture/platform-foundation - packages/platform/audit review_domains: - backend - security - architecture - governance risk_level: medium migration_type: registry-runtime-verification depends_on: - PLATFORM-AUDIT-FACADE-001 acceptance_checks: - Privileged audit writes either reject unregistered action_id values through the platform registry or record a concrete runtime-adoption gap. - Verification evidence identifies representative privileged mutation paths and their audit action validation behavior. - Missing runtime enforcement is captured as follow-up work. - id: PSS-RUNTIME-NOTIFICATION-TEMPLATE-001 title: Verify notification-template registry is load-bearing in dispatch kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L1-COMPLETION owning_domain: platform-foundation owning_layer: notification checkin_mode: unattended source_paths: - packages/platform/notification - packages/platform/registry - packages/services/notification - cmd/notification-relay target_paths: - doc/architecture/platform-foundation - packages/platform/notification review_domains: - backend - architecture - governance risk_level: medium migration_type: registry-runtime-verification depends_on: - PLATFORM-NOTIFICATION-FACADE-SEMANTIC-001 acceptance_checks: - Notification dispatch either validates template_id through the platform registry or records a concrete runtime-adoption gap. - Verification evidence identifies dispatch paths, template lookup behavior, and missing-template behavior. - Missing runtime enforcement is captured as follow-up work. - id: PSS-RUNTIME-EVIDENCE-TYPE-001 title: Verify evidence-type registry is load-bearing in evidence assembly kind: release-evidence role: governance profile: platform-foundation parent_id: PSSM-L1-COMPLETION owning_domain: platform-foundation owning_layer: evidence-status checkin_mode: unattended source_paths: - packages/platform/evidence - packages/platform/registry - scripts/ci/platform_evidence_payload.sh - scripts/ci/platform_guard_report_ingest.sh target_paths: - doc/architecture/platform-foundation - packages/platform/evidence - scripts/ci review_domains: - governance - ops - backend - architecture risk_level: medium migration_type: registry-runtime-verification depends_on: - PSS-EVIDENCE-GUARD-CONTRACT-001 acceptance_checks: - Evidence bundle assembly either validates evidence_type through the platform registry or records a concrete runtime-adoption gap. - Verification evidence identifies evidence ingestion and payload generation paths. - Missing runtime enforcement is captured as follow-up work. - id: PSS-RUNTIME-ARTIFACT-TYPE-001 title: Verify artifact-type registry is load-bearing in promotion gates kind: release-evidence role: governance profile: platform-foundation parent_id: PSSM-L1-COMPLETION owning_domain: platform-foundation owning_layer: artifacts checkin_mode: unattended source_paths: - packages/platform/artifacts - packages/platform/registry - packages/platform/releases - scripts/ci target_paths: - doc/architecture/platform-foundation - packages/platform/artifacts - packages/platform/releases review_domains: - governance - security - ops - backend - architecture risk_level: medium migration_type: registry-runtime-verification depends_on: - PLATFORM-RELEASES-FACADE-CONTRACT-001 acceptance_checks: - Artifact promotion gates either validate artifact_type and trust state through platform contracts or record a concrete runtime-adoption gap. - Verification evidence identifies the promotion path, trust-state check, and artifact-type lookup behavior. - Missing runtime enforcement is captured as follow-up work. - id: PSS-RUNTIME-POLICY-001 title: Verify policy and entitlement registry is load-bearing in quota decisions kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L1-COMPLETION owning_domain: platform-foundation owning_layer: policy checkin_mode: unattended source_paths: - packages/platform/policy - packages/platform/registry - packages/shared/policy - scripts/seed.sql target_paths: - doc/architecture/platform-foundation - packages/platform/policy review_domains: - backend - architecture - governance risk_level: medium migration_type: registry-runtime-verification depends_on: - PLATFORM-POLICY-FACADE-SEMANTIC-001 acceptance_checks: - Quota and policy decisions either use versioned platform policy snapshots or record a concrete runtime-adoption gap. - Verification evidence identifies the policy read path, snapshot/version behavior, and write-path dependency. - Missing runtime enforcement is captured as follow-up work. - id: PSS-RUNTIME-PRODUCT-001 title: Verify product registry is load-bearing in product onboarding kind: release-evidence role: architecture profile: platform-foundation parent_id: PSSM-L1-COMPLETION owning_domain: platform-foundation owning_layer: registry checkin_mode: unattended source_paths: - packages/platform/registry - packages/products - doc/architecture/platform-foundation target_paths: - doc/architecture/platform-foundation - packages/platform/registry review_domains: - architecture - product - backend - governance risk_level: medium migration_type: registry-runtime-verification depends_on: - PSS-RUNTIME-POLICY-001 acceptance_checks: - Product onboarding either requires product registration through platform registry contracts or records a concrete runtime-adoption gap. - Verification evidence identifies the current onboarding path and registry dependency. - Missing runtime enforcement is captured as follow-up work. - id: PSS-ROUTE-OWNER-RENAME-001 title: Rename legacy route files to owner-visible route files kind: boundary-guard role: backend profile: platform-foundation parent_id: PSSM-L1-COMPLETION owning_domain: platform-foundation owning_layer: api-routing checkin_mode: unattended source_paths: - cmd/api/routes_account.go - cmd/api/routes_admin_billing.go - cmd/api/routes_admin_ops.go - cmd/api/routes_core_api.go - cmd/api/routes_financial_launch_guard.go - cmd/api/routes_managed_runtime.go - cmd/api/routes_storage.go target_paths: - cmd/api/routes_platform_iam_account.go - cmd/api/routes_platform_admin_billing.go - cmd/api/routes_platform_admin_ops.go - cmd/api/routes_platform_core.go - cmd/api/routes_platform_billing_launch_guard.go - cmd/api/routes_appplatform_runtime.go - cmd/api/routes_platform_storage.go review_domains: - backend - architecture - governance risk_level: low migration_type: route-owner-visibility depends_on: - PLATFORM-FACADE-SEMANTIC-GUARD-001 acceptance_checks: - Legacy route files are mechanically renamed to owner-visible names without behavior changes. - Route-placement guard reports zero findings or only intentionally deferred exceptions. - Go tests/build continue to pass after file renames. - id: PSSM-L2-OPERATIONAL-PROOF title: Prove PSSM contracts through runtime adoption and second consumer kind: epic role: orchestrator profile: platform-foundation parent_id: PSS-OPERATIONALIZATION owning_domain: platform-foundation owning_layer: shared-services-model source_paths: - doc/architecture/platform-foundation/Platform_Registry_Runtime_Verification_v1.md - packages/platform - packages/products - cmd target_paths: - doc/architecture/platform-foundation/Platform_Registry_Runtime_Verification_v1.md - packages/platform - packages/products - cmd review_domains: - architecture - backend - governance - ops - security risk_level: high migration_type: pssm-l2-operational-proof depends_on: - PSSM-L1-COMPLETION acceptance_checks: - A second product or App SDK reference app exercises the platform shared service contracts end to end. - Registry families marked partial or gap in runtime verification become load-bearing or are explicitly deferred by architecture decision. - Degradation and boundary guard enforcement are proven by runtime or review-path evidence. - id: PSS-RUNTIME-USAGE-UNIT-ADOPT-001 title: Make usage-unit registry validation cover billing-worker writes kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: billing checkin_mode: unattended source_paths: - cmd/billing-worker - packages/platform/billing - packages/services/billing - packages/platform/registry target_paths: - cmd/billing-worker - packages/platform/billing - packages/services/billing review_domains: - backend - governance risk_level: high migration_type: registry-runtime-adoption depends_on: - PSS-RUNTIME-USAGE-UNIT-001 acceptance_checks: - Billing-worker rating and ledger posting paths validate usage_unit through the platform registry before writing rated usage or ledger entries. - Unknown or inactive usage units fail closed with regression coverage. - Existing API billing service registry validation remains intact. - id: PSS-RUNTIME-AUDIT-ACTION-ADOPT-001 title: Make audit-action registry validation load-bearing kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: audit checkin_mode: unattended source_paths: - packages/platform/audit - cmd/api - packages/platform/registry target_paths: - packages/platform/audit - cmd/api review_domains: - backend - security - governance risk_level: high migration_type: registry-runtime-adoption depends_on: - PSS-RUNTIME-AUDIT-ACTION-001 acceptance_checks: - Privileged audit writes reject unregistered or inactive audit_action IDs. - Audit validation preserves existing audit row shape and does not rewrite historical rows. - Tests cover valid, missing, and inactive audit actions. - id: PSS-RUNTIME-NOTIFICATION-TEMPLATE-ADOPT-001 title: Make notification-template registry validation load-bearing kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: notification checkin_mode: unattended source_paths: - packages/platform/notification - packages/services/notification - cmd/notification-relay - packages/platform/registry target_paths: - packages/platform/notification - packages/services/notification - cmd/notification-relay review_domains: - backend - governance risk_level: medium migration_type: registry-runtime-adoption depends_on: - PSS-RUNTIME-NOTIFICATION-TEMPLATE-001 acceptance_checks: - Notification dispatch validates template IDs against the platform registry. - Missing or inactive templates fail closed without raw runtime pages or silent drops. - Tests cover valid template dispatch and unregistered template rejection. - id: PSS-RUNTIME-EVIDENCE-TYPE-ADOPT-001 title: Make evidence-type registry validation load-bearing kind: release-evidence role: governance profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: evidence-status checkin_mode: unattended source_paths: - packages/platform/evidence - packages/platform/registry - scripts/ci/platform_guard_report_ingest.sh target_paths: - packages/platform/evidence - scripts/ci review_domains: - governance - backend - ops risk_level: medium migration_type: registry-runtime-adoption depends_on: - PSS-RUNTIME-EVIDENCE-TYPE-001 acceptance_checks: - Evidence item recording validates evidence_type against the platform registry. - Missing or inactive evidence types fail closed with clear validation errors. - Guard/evidence ingestion tests cover registered and unregistered evidence types. - id: PSS-RUNTIME-ARTIFACT-TYPE-ADOPT-001 title: Make artifact-type registry validation load-bearing in promotion gates kind: release-evidence role: governance profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: artifacts checkin_mode: unattended source_paths: - packages/platform/artifacts - packages/products/appplatform/catalog - packages/platform/registry target_paths: - packages/platform/artifacts - packages/products/appplatform/catalog review_domains: - governance - backend - security risk_level: high migration_type: registry-runtime-adoption depends_on: - PSS-RUNTIME-ARTIFACT-TYPE-001 acceptance_checks: - Artifact promotion gates validate artifact_type and trust policy against the platform registry. - Unregistered, inactive, or untrusted artifact types fail closed before promotion. - Tests cover artifact-type registry validation and trust-state promotion behavior. - id: PSS-RUNTIME-POLICY-ADOPT-001 title: Make policy snapshot registry load-bearing in quota decisions kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: policy checkin_mode: unattended source_paths: - packages/platform/policy - packages/platform/registry - cmd/api - scripts/seed.sql target_paths: - packages/platform/policy - cmd/api review_domains: - backend - governance - architecture risk_level: medium migration_type: registry-runtime-adoption depends_on: - PSS-RUNTIME-POLICY-001 acceptance_checks: - Quota and policy decisions record or use a versioned policy snapshot kind from the platform registry. - Missing or inactive policy snapshot kinds fail closed where they affect writes. - Tests cover versioned snapshot lookup and fallback behavior. - id: PSS-RUNTIME-PRODUCT-ADOPT-001 title: Make product registry required for product onboarding kind: release-evidence role: architecture profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: registry checkin_mode: unattended source_paths: - packages/platform/registry - packages/products - doc/architecture/platform-foundation/Product_Onboarding_Checklist_v1.md target_paths: - packages/platform/registry - packages/products - doc/architecture/platform-foundation/Product_Onboarding_Checklist_v1.md review_domains: - architecture - product - backend - governance risk_level: medium migration_type: registry-runtime-adoption depends_on: - PSS-RUNTIME-PRODUCT-001 acceptance_checks: - New product onboarding requires an active platform registry product entry before runtime exposure. - Product onboarding docs and code identify the registry gate explicitly. - Tests or checklist evidence cover missing and inactive product registry entries. - id: PSS-VALIDATION-SECOND-PRODUCT-001 title: Validate PSSM contracts with a second product or App SDK reference app kind: release-evidence role: architecture profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: shared-services-model checkin_mode: attended source_paths: - packages/products - packages/products/appplatform/sdk - doc/architecture/platform-foundation/App_SDK_Readiness_Matrix_v1.md target_paths: - packages/products - packages/products/appplatform/sdk - doc/architecture/platform-foundation review_domains: - architecture - backend - frontend - governance - security risk_level: high migration_type: pssm-second-product-validation depends_on: - PSS-RUNTIME-USAGE-UNIT-ADOPT-001 - PSS-RUNTIME-AUDIT-ACTION-ADOPT-001 - PSS-RUNTIME-NOTIFICATION-TEMPLATE-ADOPT-001 - PSS-RUNTIME-EVIDENCE-TYPE-ADOPT-001 - PSS-RUNTIME-ARTIFACT-TYPE-ADOPT-001 - PSS-RUNTIME-POLICY-ADOPT-001 - PSS-RUNTIME-PRODUCT-ADOPT-001 acceptance_checks: - Token Factory or an App SDK reference app consumes IAM, billing, audit, evidence, notification, registry, artifacts, secrets, and policy through public platform contracts. - Validation includes launch/connect/decommission or equivalent runtime smoke evidence. - Contract gaps discovered by the second consumer become Fairway tasks before the validation is marked done. - id: PSS-VALIDATION-KIND-APP-DECOMMISSION-BLOCKER-001 title: Fix kind app decommission state blocker for SDK live validation kind: release-evidence role: backend profile: platform-foundation parent_id: PSS-VALIDATION-SECOND-PRODUCT-001 owning_domain: appplatform owning_layer: app-runtime-lifecycle checkin_mode: attended source_paths: - cmd/api - packages/products/gpuaas/inventory - packages/products/appplatform/runtime - pkg/sdk - scripts/ops target_paths: - cmd/api - packages/products/gpuaas/inventory - packages/products/appplatform/runtime - pkg/sdk - scripts/ops review_domains: - backend - ops - architecture risk_level: high migration_type: kind-sdk-live-validation-blocker depends_on: - PSS-VALIDATION-SECOND-PRODUCT-001 acceptance_checks: - Public API evidence captures the exact kind app-instance state before retrying decommission through v1 and v3 paths. - Audit/evidence/event records prove whether the first decommission request emitted `apps.instance.decommission_requested`. - Kind `gpuaas-app-runtime-worker` deployment image, commit, and durable consumer state are verified. - Launchable OCI remove task lifecycle is verified from event receipt through node-agent pickup and completion or cleanup-unavailable fallback. - Running app instances in kind can be decommissioned through public v1/v3 API paths without getting stuck in `decommissioning`. - SDK live launch/connect/decommission smoke passes in kind without leaving stale active or decommissioning instances. - id: PSSM-KIND-UAT-HARNESS-APP-WORKLOAD-SEQUENCING-001 title: Fix kind full UAT app workload sequencing kind: release-evidence role: ops profile: platform-foundation parent_id: PSS-VALIDATION-SECOND-PRODUCT-001 owning_domain: platform-foundation owning_layer: uat-evidence checkin_mode: unattended source_paths: - scripts/ops/demo_uat_package.sh - scripts/ops/demo_app_route_readiness.sh - scripts/ops/demo_supported_app_matrix.sh - scripts/ops/demo_app_browser_smoke.sh - scripts/ops/demo_openai_endpoint_smoke.sh - scripts/ops/app_runtime_first_slice_smoke.sh target_paths: - scripts/ops - dist/uat/kind review_domains: - ops - backend - governance tags: - program:uat-hardening - program:stabilization - environment:kind - surface:uat - gate:uat - work-type:harness risk_level: high migration_type: kind-post-pssm-uat-harness-sequencing depends_on: - PSSM-KIND-SCHEDULER-APP-PREREQ-001 acceptance_checks: - Kind full UAT distinguishes environment capacity/setup gaps from product/runtime failures. - CLI compute precheck uses the active environment region instead of relying on implicit defaults. - App route, browser, scheduler, and OpenAI-compatible checks run only after their managed-route workload prerequisites are established, or record an explicit prerequisite blocker. - Evidence records the setup step, validation step, and cleanup/decommission step for supporting app workloads. - A clean kind full UAT rerun is recorded before dev UAT starts. - id: PSSM-KIND-SCHEDULER-APP-FIXTURES-001 title: Create kind scheduler app fixtures for RKE2 and Slurm kind: release-evidence role: ops profile: platform-foundation parent_id: PSSM-KIND-UAT-HARNESS-APP-WORKLOAD-SEQUENCING-001 owning_domain: platform-foundation owning_layer: scheduler-app-fixtures source_paths: - scripts/ops/demo_supported_app_matrix.sh - scripts/ops/demo_scheduler_uat.sh - scripts/ops - dist/uat/kind target_paths: - scripts/ops - .fairway/artifacts - dist/uat/kind review_domains: - ops - backend - governance risk_level: high migration_type: kind-scheduler-app-fixtures-review acceptance_checks: - Kind has active rke2-self-managed Headlamp route and slurm-reference scheduler fixture. - Supported app/scheduler matrix no longer reports missing scheduler workloads. - App browser smoke passes with required apps including rke2-self-managed. - Matrix and scheduler UAT scripts fail nonzero when they emit `BLOCK` or `FAIL`. - If blocked by provider capacity/bootstrap, Fairway evidence identifies the owning provider lifecycle task and required review domains. - id: PSSM-KIND-RUNTIME-ROUTE-HOST-PORT-SYNC-001 title: Keep kind runtime managed routes aligned with MAAS-LXD bridge ports kind: bug role: backend profile: platform-foundation parent_id: PSSM-KIND-UAT-HARNESS-APP-WORKLOAD-SEQUENCING-001 owning_domain: appplatform owning_layer: runtime-managed-ingress checkin_mode: attended source_paths: - packages/products/appplatform/runtime - cmd/node-agent - scripts/ops/app_runtime_first_slice_smoke.sh target_paths: - packages/products/appplatform/runtime - dist/uat/kind - .fairway/artifacts review_domains: - backend - ops risk_level: high migration_type: kind-runtime-route-host-port-sync depends_on: - PSSM-KIND-SCHEDULER-APP-FIXTURES-001 acceptance_checks: - vLLM/OpenAI runtime route uses the MAAS-LXD bridge override port while the workload binds a bridge-compatible host port. - Jupyter, vLLM, code-server, and OpenClaw runtime fixture seeding reaches running or records an explicit blocker. - Kind route readiness and supported app matrix no longer fail due host-port mismatch for runtime apps. - id: PSSM-KIND-UAT-JUPYTER-OCI-EXIT128-001 title: Fix kind Jupyter managed-route OCI launch exit 128 kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-KIND-UAT-HARNESS-APP-WORKLOAD-SEQUENCING-001 owning_domain: appplatform owning_layer: app-runtime-lifecycle checkin_mode: attended source_paths: - packages/products/appplatform/runtime - cmd/node-agent - scripts/ops/app_runtime_first_slice_smoke.sh - scripts/ops/demo_jupyter_launch_uat.sh target_paths: - packages/products/appplatform/runtime - cmd/node-agent - scripts/ops - dist/uat/kind review_domains: - backend - ops risk_level: high migration_type: kind-jupyter-oci-launch-runtime-fix depends_on: - PSSM-KIND-UAT-HARNESS-APP-WORKLOAD-SEQUENCING-001 acceptance_checks: - Node-agent OCI launch failure evidence includes actionable Docker stderr/stdout, not only container exit code. - JupyterLab launch through the v3 app launch path reaches running with an active managed proxy route on kind. - Failed app instances can be decommissioned and their target allocation released without manual cleanup. - Focused kind evidence includes the disposable allocation id, app instance id, selected artifact id, node task id, and cleanup result. - id: PSSM-KIND-UAT-VLLM-PUBLIC-ARTIFACT-001 title: Provide kind-runnable vLLM public artifact for OpenAI endpoint UAT kind: release-evidence role: ops profile: platform-foundation parent_id: PSSM-KIND-UAT-HARNESS-APP-WORKLOAD-SEQUENCING-001 owning_domain: appplatform owning_layer: artifact-runtime-contract checkin_mode: attended source_paths: - scripts/ops/build_vllm_openai_smoke_image.sh - scripts/ops/publish_launchable_oci_artifact.sh - scripts/ops/demo_openai_endpoint_smoke.sh - doc/operations/runbooks/Kind_Jupyter_vLLM_Platform_Proxy_Smoke_Runbook.md target_paths: - scripts/ops - doc/operations/runbooks - dist/uat/kind review_domains: - ops - backend - governance tags: - program:uat-hardening - program:stabilization - environment:kind - surface:appplatform - gate:uat - work-type:artifact-readiness risk_level: high migration_type: kind-vllm-openai-artifact-readiness depends_on: - PSSM-KIND-UAT-HARNESS-APP-WORKLOAD-SEQUENCING-001 acceptance_checks: - Kind has a verified public-pull-compatible `vllm-openai` artifact for the target architecture, or the node-agent supports the project-scoped private pull contract. - OpenAI-compatible endpoint UAT discovers an active vLLM managed route and proves `/v1/models` plus completion/chat with a service-account token. - Artifact readiness and app launch precheck fail with an explicit blocker when only unsupported private artifacts exist. - id: PSSM-KIND-UAT-OPENCLAW-ARTIFACT-CACHE-001 title: Make OpenClaw kind artifact launch deterministic kind: release-evidence role: ops profile: platform-foundation parent_id: PSSM-KIND-UAT-HARNESS-APP-WORKLOAD-SEQUENCING-001 owning_domain: appplatform owning_layer: artifact-runtime-contract checkin_mode: attended source_paths: - scripts/ops/app_runtime_first_slice_smoke.sh - scripts/ops/demo_app_route_readiness.sh - scripts/ops/demo_supported_app_matrix.sh - scripts/ops/kind_maas_lxd_app_route_bridge.sh - packages/products/appplatform/runtime - cmd/node-agent target_paths: - scripts/ops - packages/products/appplatform/runtime - cmd/node-agent - dist/uat/kind - .fairway/artifacts review_domains: - ops - backend - governance tags: - program:uat-hardening - program:stabilization - environment:kind - surface:appplatform - gate:uat - work-type:artifact-cache risk_level: high migration_type: kind-openclaw-artifact-cache-readiness depends_on: - PSSM-KIND-RUNTIME-ROUTE-HOST-PORT-SYNC-001 - PSSM-KIND-MAAS-LXD-WORKER-OCI-PULL-LIVENESS-001 acceptance_checks: - OpenClaw kind UAT does not depend on a slow first-time GHCR pull inside the node-agent launch TTL. - The selected OpenClaw artifact is either mirrored/pre-cached in the kind worker environment or the launch TTL/pull strategy has explicit evidence and bounded retries. - "app_runtime_first_slice_smoke.sh can launch OpenClaw to running with an active managed route in kind." - Route readiness reports code-server, Jupyter, vLLM, and OpenClaw present without missing app workload blockers. - id: PSSM-KIND-MAAS-LXD-WORKER-OCI-PULL-LIVENESS-001 title: Fix kind MAAS-LXD worker OCI pull and LXD exec liveness kind: bug role: ops profile: platform-foundation parent_id: PSSM-KIND-UAT-HARNESS-APP-WORKLOAD-SEQUENCING-001 owning_domain: gpuaas owning_layer: provider-worker-runtime checkin_mode: attended source_paths: - cmd/node-agent - scripts/ops/app_runtime_first_slice_smoke.sh - scripts/ops/kind_maas_lxd_app_route_bridge.sh - dist/uat/kind target_paths: - cmd/node-agent - scripts/ops - dist/uat/kind - .fairway/artifacts review_domains: - ops - backend - governance tags: - program:uat-hardening - program:stabilization - environment:kind - surface:maas-lxd - gate:uat - work-type:runtime-liveness risk_level: high migration_type: kind-maas-lxd-worker-oci-pull-liveness acceptance_checks: - MAAS-LXD worker VM can execute diagnostic commands without stuck non-cancelable LXD `Executing command` operations. - Docker pull from `registry.gpuaas.test` for a mirrored launchable OCI artifact either completes within the node-task budget or fails with bounded actionable evidence. - Node-agent launch path does not leave the worker command channel wedged after a slow or failed image pull. - Focused kind evidence captures registry logs, worker pull logs, LXD operation state, and the owning fix or cleanup action. - id: PSSM-KIND-NODE-AGENT-D0BBF4DB-BOOTSTRAP-PUBLISH-001 title: Publish and self-update kind MAAS-LXD node-agent build d0bbf4db kind: task role: ops profile: platform-foundation parent_id: PSSM-KIND-MAAS-LXD-WORKER-OCI-PULL-LIVENESS-001 owning_domain: operations owning_layer: kind-node-agent-bootstrap source_paths: - scripts/k8s/kind_parity.sh - scripts/release/build_platform_release_artifacts.sh - cmd/node-agent/oci_workload.go - doc/operations/local-dev/README.md target_paths: - scripts/ops - .fairway/artifacts - tmp-ux review_domains: - ops - backend tags: - program:uat-hardening - program:stabilization - environment:kind - surface:maas-lxd - gate:uat - work-type:runtime-liveness risk_level: high migration_type: kind-node-agent-live-validation acceptance_checks: - A focused kind-only path publishes node-agent bootstrap artifacts for d0bbf4db without broad parity rebootstrap. - At least one disposable or approved kind MAAS-LXD worker reports agent_commit d0bbf4db after bootstrap or node.self_update. - A controlled OCI cache-miss/pull-timeout workload task fails with bounded pull classification and the worker accepts a subsequent no-op/status task. - Evidence includes bootstrap package digest/tag, node id, worker host, task ids, node-agent version, pull failure output, post-failure liveness task output, and cleanup/rollback notes. - id: PSS-VALIDATION-DEGRADATION-001 title: Exercise shared-service degradation contracts kind: release-evidence role: security profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: reliability-security checkin_mode: attended source_paths: - doc/architecture/platform-foundation/Platform_Shared_Services_Model_v2.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - scripts/ci target_paths: - doc/architecture/platform-foundation - scripts/ci review_domains: - security - ops - governance - backend risk_level: high migration_type: pssm-degradation-validation depends_on: - PSSM-L1-COMPLETION acceptance_checks: - IAM, billing, audit/evidence, and policy degradation paths are deliberately exercised. - Evidence records expected fail-closed, fail-open, or degraded-mode behavior. - Unexpected degradation behavior becomes follow-up work before this task is marked done. - id: PSS-VALIDATION-GUARD-CATCH-001 title: Prove boundary guards catch a real review-path violation kind: boundary-guard role: governance profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: governance checkin_mode: unattended source_paths: - scripts/ci/platform_foundation_boundary_report.sh - doc/architecture/platform-foundation/Platform_Foundation_Guard_Graduation_Plan_v1.md target_paths: - scripts/ci/platform_foundation_boundary_report.sh - doc/architecture/platform-foundation review_domains: - governance - ops - architecture risk_level: medium migration_type: pssm-guard-validation depends_on: - PSSM-L1-COMPLETION acceptance_checks: - A seeded or real review-path violation is detected by the boundary guard. - The finding appears in report, warning, or blocking-new mode with owner and task metadata. - False-positive handling and allowed-debt classification are documented. - id: PSS-GUARD-RAW-PUBLISH-CLASSIFY-001 title: Classify DLQ replay raw publish before event guard graduation kind: boundary-guard role: ops profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: event-governance checkin_mode: unattended source_paths: - cmd/api/main.go - scripts/ci/platform_foundation_boundary_report.sh - doc/architecture/platform-foundation/guard-allowed-debt.tsv target_paths: - doc/architecture/platform-foundation - scripts/ci/platform_foundation_boundary_report.sh - cmd/api/main.go review_domains: - ops - governance - architecture - security risk_level: medium migration_type: event-guard-classification depends_on: - PSS-VALIDATION-GUARD-CATCH-001 acceptance_checks: - Redis Pub/Sub calls are not reported as NATS publish violations by the event-owner guard. - Admin DLQ replay is classified as approved operational replay or moved behind an explicit platform event replay contract. - Guard report has no unapproved medium raw publish findings before warning or blocking mode graduation. - id: PSS-GUARD-SCHEMA-EVENT-GRADUATION-001 title: Define schema and event owner debt graduation thresholds kind: boundary-guard role: governance profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: governance checkin_mode: unattended source_paths: - doc/architecture/platform-foundation/ownership-maps/schema-ownership.md - doc/architecture/platform-foundation/ownership-maps/event-ownership.md - doc/architecture/platform-foundation/guard-allowed-debt.tsv - scripts/ci/platform_foundation_boundary_report.sh target_paths: - doc/architecture/platform-foundation/Platform_Foundation_Guard_Graduation_Plan_v1.md - doc/architecture/platform-foundation/guard-allowed-debt.tsv - scripts/ci/platform_foundation_boundary_report.sh review_domains: - governance - architecture - backend - ops risk_level: medium migration_type: guard-graduation-thresholds depends_on: - PSS-VALIDATION-GUARD-CATCH-001 acceptance_checks: - Schema-owner and event-owner allowed debt has explicit graduation thresholds, not only indefinite visibility debt. - New owner-visible schema and event violations can be distinguished from legacy mapped debt. - Warning/blocking-new criteria are documented for schema-owner and event-owner guards. - id: PSS-L2-READINESS-MATRIX-001 title: Maintain PSSM L2 readiness matrix across runtime adoption tasks kind: release-evidence role: orchestrator profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: shared-services-model checkin_mode: unattended source_paths: - doc/architecture/platform-foundation/Platform_Registry_Runtime_Verification_v1.md - .fairway/platform-foundation-implementation-track.yaml target_paths: - doc/architecture/platform-foundation/Platform_Shared_Services_L2_Readiness_Matrix_v1.md - .fairway/platform-foundation-implementation-track.yaml review_domains: - architecture - governance - backend - ops - security risk_level: medium migration_type: pssm-l2-readiness-evidence depends_on: - PSSM-L1-COMPLETION acceptance_checks: - L2 readiness matrix maps every shared service to runtime consumer, degradation proof, guard proof, and second-product validation status. - Any partial or missing proof has an explicit Fairway task ID. - Matrix is updated before PSSM L2 is declared complete. - id: PSSM-L2-QUEUE-UNBLOCK-001 title: Fix PSSM L2 task dependency and claimability kind: boundary-guard role: orchestrator profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: fairway-orchestration checkin_mode: unattended source_paths: - .fairway/platform-foundation-implementation-track.yaml target_paths: - .fairway/platform-foundation-implementation-track.yaml review_domains: - governance - architecture risk_level: high migration_type: queue-claimability depends_on: - PSSM-L1-COMPLETION acceptance_checks: - L2 proof tasks do not depend on the parent L2 epic they are required to prove. - Fairway ready lists executable L2 work without manual queue surgery. - L2 completion epic remains open until runtime adoption, validation, and guard proof tasks are complete. - id: PSS-VALIDATION-SECOND-PRODUCT-PACKET-001 title: Produce second-product onboarding packet with platform contract proof kind: release-evidence role: architecture profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: second-product-validation checkin_mode: attended source_paths: - doc/architecture/platform-foundation/App_SDK_Readiness_Matrix_v1.md - doc/architecture/platform-foundation/Product_Onboarding_Checklist_v1.md - packages/products/appplatform/sdk target_paths: - doc/architecture/platform-foundation review_domains: - architecture - product - backend - governance - security risk_level: high migration_type: second-product-validation-packet depends_on: - PSS-L2-READINESS-MATRIX-001 acceptance_checks: - Packet identifies the selected second consumer, required platform services, registry entries, and validation commands. - Packet maps every consumed platform shared service to a proof artifact or follow-up task. - Product, developer, security, and ops review concerns are explicitly covered before execution. - id: PSS-VALIDATION-SDK-SMOKE-JUPYTER-VLLM-001 title: Run App SDK reference launch/connect/decommission smoke with evidence kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: app-sdk-validation checkin_mode: attended source_paths: - packages/products/appplatform/sdk - packages/products/appplatform/runtime - packages/web - scripts target_paths: - packages/products/appplatform/sdk - doc/architecture/platform-foundation - scripts review_domains: - backend - frontend - product - governance risk_level: high migration_type: sdk-reference-smoke depends_on: - PSS-VALIDATION-SECOND-PRODUCT-PACKET-001 acceptance_checks: - Reference app smoke covers launch, connect, and decommission flows for at least one SDK-visible app path. - Evidence captures manifest defaults, credential/connect contract, runtime status, and failure handling. - Gaps found during smoke are added as Fairway tasks before this is marked done. - id: PSS-DEGRADATION-FAIL-CLOSED-HARNESS-001 title: Add executable fail-closed degradation harness for shared services kind: release-evidence role: security profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: reliability-security checkin_mode: attended source_paths: - packages/platform/iam - packages/platform/billing - packages/platform/audit - packages/platform/evidence - packages/platform/policy - scripts/ci target_paths: - scripts/ci - doc/architecture/platform-foundation review_domains: - security - ops - backend - governance risk_level: high migration_type: degradation-harness depends_on: - PSS-VALIDATION-DEGRADATION-001 acceptance_checks: - Harness exercises unavailable IAM scope registry, billing usage-unit registry, evidence registry, and policy backend cases. - Expected fail-closed or degraded behavior is asserted, not only documented. - Harness output can be attached to release evidence. - id: PSS-GUARD-FINGERPRINT-BASELINE-001 title: Define guard finding fingerprint baseline for blocking-new mode kind: boundary-guard role: governance profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: governance checkin_mode: unattended source_paths: - scripts/ci/platform_foundation_boundary_report.sh - doc/architecture/platform-foundation/guard-allowed-debt.tsv target_paths: - scripts/ci/platform_foundation_boundary_report.sh - doc/architecture/platform-foundation review_domains: - governance - ops - architecture risk_level: high migration_type: guard-fingerprint-baseline depends_on: - PSS-VALIDATION-GUARD-CATCH-001 acceptance_checks: - Guard findings have stable fingerprints suitable for diffing against an approved baseline. - Blocking-new mode can distinguish existing approved debt from new unapproved findings. - Baseline artifact is documented and reproducible in CI. - id: PSS-L2-CI-ENFORCE-GUARD-EVIDENCE-001 title: Make L2 guard and evidence validation non-optional in promotion path kind: release-evidence role: ops profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: ci-release checkin_mode: attended source_paths: - .gitlab-ci.yml - scripts/ci - doc/governance/Platform_Control_Release_Promotion_Policy.md target_paths: - .gitlab-ci.yml - scripts/ci - doc/governance/Platform_Control_Release_Promotion_Policy.md review_domains: - ops - governance - security risk_level: high migration_type: l2-ci-enforcement depends_on: - PSS-GUARD-FINGERPRINT-BASELINE-001 - PSS-DEGRADATION-FAIL-CLOSED-HARNESS-001 acceptance_checks: - Platform-control promotion path requires boundary guard and evidence payload validation for L2 claims. - Optional or allow-failure evidence jobs are either hardened or explicitly scoped outside L2. - CI policy documents the exact local reproduction commands. - id: PSS-L2-PORTAL-SDK-EVIDENCE-001 title: Publish portal-visible SDK and evidence path for internal developers kind: frontend-contract role: frontend profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: developer-portal checkin_mode: attended source_paths: - packages/docs - packages/products/appplatform/sdk - doc/architecture/platform-foundation/App_SDK_Readiness_Matrix_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Frontend_Contract_v1.md target_paths: - packages/docs - doc/architecture/platform-foundation review_domains: - frontend - product - architecture - governance risk_level: medium migration_type: portal-sdk-evidence depends_on: - PSS-VALIDATION-SDK-SMOKE-JUPYTER-VLLM-001 acceptance_checks: - Internal developers can find the SDK contract, reference app evidence, and platform evidence/status path without GitHub docs. - Portal content links platform contracts to actual validation artifacts. - Public/internal visibility assumptions are documented for future access control. - id: PSS-L2-FAIRWAY-SCOPE-001 title: Make platform-foundation Fairway queue inspectable through standard commands kind: boundary-guard role: governance profile: platform-foundation parent_id: PSSM-L2-OPERATIONAL-PROOF owning_domain: platform-foundation owning_layer: fairway-orchestration checkin_mode: unattended source_paths: - .fairway/platform-foundation-config.toml - .fairway/platform-foundation-implementation-track.yaml - ../fairway target_paths: - .fairway/platform-foundation-config.toml - .fairway/platform-foundation-implementation-track.yaml - doc/architecture/platform-foundation review_domains: - governance - ops - architecture risk_level: medium migration_type: fairway-queue-inspection depends_on: - PSSM-L2-QUEUE-UNBLOCK-001 acceptance_checks: - Standard Fairway commands show ready work, status, and evidence without hidden local knowledge. - Dashboard and CLI status agree on task counts and blocked/ready state. - Any Fairway product gaps discovered during platform-foundation use are tracked in the Fairway repo. - id: PSSM-L3-LEGACY-RETIREMENT title: Retire legacy services after PSSM contract maturity kind: epic role: orchestrator profile: platform-foundation parent_id: PSS-OPERATIONALIZATION owning_domain: platform-foundation owning_layer: legacy-retirement checkin_mode: attended source_paths: - tmp-ux/PSSM_Completion_Backlog_v1.md - packages/services - packages/platform - packages/products - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md target_paths: - packages/platform - packages/products - doc/architecture/platform-foundation - doc/architecture/db_schema_v1.sql - doc/api/asyncapi.draft.yaml - scripts/ci review_domains: - architecture - backend - ops - governance - security risk_level: high migration_type: pssm-legacy-retirement-epic depends_on: - PSSM-L1-COMPLETION acceptance_checks: - Legacy-retirement work is explicitly sequenced behind a decision gate. - No package, schema, or event rename starts until active worktrees, storage ownership, and release-window risks are known. - Completion criteria distinguish L2 operational proof from L3 legacy retirement. - id: PSSM-L3-DECISION-GATE-001 title: Decide whether to start L3 legacy retirement before second consumer validation kind: release-evidence role: architecture profile: platform-foundation parent_id: PSSM-L3-LEGACY-RETIREMENT owning_domain: platform-foundation owning_layer: architecture-decision checkin_mode: attended source_paths: - tmp-ux/PSSM_Completion_Backlog_v1.md - doc/architecture/Platform_Architecture_Open_Decisions_v1.md - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md target_paths: - doc/architecture/platform-foundation - .fairway/platform-foundation-implementation-track.yaml review_domains: - architecture - product - ops - governance risk_level: high migration_type: legacy-retirement-decision-gate depends_on: - PSSM-L1-COMPLETION acceptance_checks: - Decision records whether Token Factory or another consumer has a hard date inside six weeks. - Active worktrees and in-progress release/demo work are inventoried before package or schema moves start. - Storage ownership is decided for the `packages/services/storage` move. - OD-001 and OD-002 impact on registry schema/version snapshot work is explicitly classified. - id: PSSM-L3-SERVICE-MOVE-PACKET-001 title: Produce per-domain service implementation move packet kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-L3-LEGACY-RETIREMENT owning_domain: platform-foundation owning_layer: package-ownership checkin_mode: unattended source_paths: - packages/services - packages/platform - packages/products - doc/architecture/platform-foundation/ownership-maps/package-ownership.md target_paths: - doc/architecture/platform-foundation - .fairway/platform-foundation-implementation-track.yaml review_domains: - architecture - backend - governance risk_level: medium migration_type: service-move-planning depends_on: - PSSM-L3-DECISION-GATE-001 acceptance_checks: - Packet maps every `packages/services/*` package to its target platform or product package. - Packet names required import rewrites, tests to move, adapter deletion point, and rollback plan per domain. - Packet identifies which moves can run in parallel and which must be serialized. - id: PSSM-L3-PLATFORM-SERVICES-MOVE-001 title: Move platform-owned service implementations into platform packages kind: facade role: backend profile: platform-foundation parent_id: PSSM-L3-LEGACY-RETIREMENT owning_domain: platform-foundation owning_layer: platform-packages checkin_mode: attended source_paths: - packages/services/auth - packages/services/billing - packages/services/payments - packages/services/notification - packages/services/admin - packages/services/maas - packages/services/releases - packages/platform target_paths: - packages/platform - cmd review_domains: - backend - architecture - security - ops risk_level: high migration_type: platform-service-implementation-move depends_on: - PSSM-L3-SERVICE-MOVE-PACKET-001 - PSSM-L2-OPERATIONAL-PROOF acceptance_checks: - Platform-owned implementation files and tests move from `packages/services/*` to the owning `packages/platform/*` packages with history preserved where practical. - Callers import platform packages directly and no moved platform implementation depends on legacy service packages. - Go test `./packages/platform/... ./cmd/...` passes after each logical domain move. - id: PSSM-L3-GPUAAS-SERVICES-MOVE-001 title: Move GPUaaS product service implementations into product packages kind: facade role: backend profile: platform-foundation parent_id: PSSM-L3-LEGACY-RETIREMENT owning_domain: gpuaas owning_layer: product-packages checkin_mode: attended source_paths: - packages/services/inventory - packages/services/provisioning - packages/services/terminal - packages/services/storage - packages/products/gpuaas target_paths: - packages/products/gpuaas - packages/platform/storage - cmd review_domains: - backend - architecture - product - ops risk_level: high migration_type: gpuaas-service-implementation-move depends_on: - PSSM-L3-SERVICE-MOVE-PACKET-001 - PSSM-L2-OPERATIONAL-PROOF acceptance_checks: - GPUaaS inventory, provisioning, terminal, and storage ownership moves follow the approved packet and storage ownership decision. - Worker binaries and API routes continue to call product/platform contracts, not legacy service packages. - Go test `./packages/products/gpuaas/... ./cmd/provisioning-worker ./cmd/terminal-gateway ./cmd/api` passes after the move. - id: PSSM-L3-APPPLATFORM-SERVICES-MOVE-001 title: Move App Platform runtime service implementation into product package kind: facade role: backend profile: platform-foundation parent_id: PSSM-L3-LEGACY-RETIREMENT owning_domain: appplatform owning_layer: product-packages checkin_mode: attended source_paths: - packages/services/appruntime - packages/products/appplatform/runtime - packages/products/appplatform/sdk target_paths: - packages/products/appplatform/runtime - packages/products/appplatform/sdk - cmd/app-runtime-worker review_domains: - backend - architecture - product - frontend risk_level: high migration_type: appplatform-service-implementation-move depends_on: - PSSM-L3-SERVICE-MOVE-PACKET-001 - PSSM-L2-OPERATIONAL-PROOF acceptance_checks: - App runtime implementation and tests move from `packages/services/appruntime` into `packages/products/appplatform/runtime`. - App SDK examples and runtime worker use the product-owned runtime contract. - Go test `./packages/products/appplatform/... ./cmd/app-runtime-worker` passes after the move. - id: PSSM-L3-SCHEMA-RENAME-PACKET-001 title: Produce owner-visible schema rename packet kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-L3-LEGACY-RETIREMENT owning_domain: platform-foundation owning_layer: schema-ownership checkin_mode: attended source_paths: - doc/architecture/db_schema_v1.sql - doc/architecture/platform-foundation/ownership-maps/schema-ownership.md - tmp-ux/PSSM_Completion_Backlog_v1.md target_paths: - doc/architecture/platform-foundation - scripts/ci review_domains: - architecture - backend - ops - governance risk_level: high migration_type: schema-rename-planning depends_on: - PSSM-L3-DECISION-GATE-001 acceptance_checks: - Packet maps legacy table names to owner-visible target names by logical domain. - Packet defines migration ordering, rollback notes, SQL reference scans, and maintenance-window owner. - Packet explicitly identifies tables that must not be renamed yet due to external/demo continuity risk. - id: PSSM-L3-SCHEMA-OWNER-RENAME-001 title: Rename legacy schema tables to owner-visible names by domain kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L3-LEGACY-RETIREMENT owning_domain: platform-foundation owning_layer: schema-ownership checkin_mode: attended source_paths: - doc/architecture/db_schema_v1.sql - scripts - packages - cmd target_paths: - doc/architecture/db_schema_v1.sql - scripts - packages - cmd review_domains: - backend - ops - architecture - security risk_level: high migration_type: schema-owner-rename depends_on: - PSSM-L3-SCHEMA-RENAME-PACKET-001 - PSSM-L2-OPERATIONAL-PROOF - PSSM-L3-PLATFORM-SERVICES-MOVE-001 - PSSM-L3-GPUAAS-SERVICES-MOVE-001 - PSSM-L3-APPPLATFORM-SERVICES-MOVE-001 acceptance_checks: - Table renames are executed per logical domain with query updates in the same commit. - SQL scans show no stale references to renamed tables. - Go test `./...` and the relevant integration tests pass after each domain rename. - id: PSSM-L3-SCHEMA-IAM-ACCESS-001 title: Rename IAM access and tenancy tables to owner-visible platform names kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L3-SCHEMA-OWNER-RENAME-001 owning_domain: platform-iam owning_layer: schema-ownership checkin_mode: attended source_paths: - doc/architecture/db_schema_v1.sql - packages/platform/auth - packages/platform/iam - cmd/api - scripts target_paths: - doc/architecture/db_schema_v1.sql - packages/platform/auth - packages/platform/iam - cmd/api - scripts review_domains: - backend - architecture - security risk_level: high migration_type: schema-owner-rename depends_on: - PSSM-L3-SCHEMA-RENAME-PACKET-001 - PSSM-L2-OPERATIONAL-PROOF - PSSM-L3-PLATFORM-SERVICES-MOVE-001 - PSSM-L3-GPUAAS-SERVICES-MOVE-001 - PSSM-L3-APPPLATFORM-SERVICES-MOVE-001 acceptance_checks: - Old-to-new IAM/access table map is recorded in task evidence. - Schema and all SQL references are updated in the same batch. - Stale-reference scan and focused IAM/auth tests pass. - id: PSSM-L3-SCHEMA-SERVICE-SECRETS-001 title: Rename service account and credential custody tables kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L3-SCHEMA-OWNER-RENAME-001 owning_domain: platform-secrets owning_layer: schema-ownership checkin_mode: attended source_paths: - doc/architecture/db_schema_v1.sql - packages/platform/auth - packages/platform/adminops - packages/platform/secrets - cmd/api target_paths: - doc/architecture/db_schema_v1.sql - packages/platform/auth - packages/platform/adminops - packages/platform/secrets - cmd/api review_domains: - backend - security - ops risk_level: high migration_type: schema-owner-rename depends_on: - PSSM-L3-SCHEMA-IAM-ACCESS-001 acceptance_checks: - Service-account and credential table ownership split is explicit. - Schema and all SQL references are updated in the same batch. - Credential, auth, and adminops focused tests pass. - id: PSSM-L3-SCHEMA-GPUAAS-INVENTORY-001 title: Rename GPUaaS inventory and capacity tables kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L3-SCHEMA-OWNER-RENAME-001 owning_domain: gpuaas-inventory owning_layer: schema-ownership checkin_mode: attended source_paths: - doc/architecture/db_schema_v1.sql - packages/products/gpuaas/inventory - cmd/api - scripts target_paths: - doc/architecture/db_schema_v1.sql - packages/products/gpuaas/inventory - cmd/api - scripts review_domains: - backend - architecture - ops risk_level: high migration_type: schema-owner-rename depends_on: - PSSM-L3-SCHEMA-SERVICE-SECRETS-001 acceptance_checks: - Inventory/capacity old-to-new table map is recorded in task evidence. - Schema and all SQL references are updated in the same batch. - Inventory, launch precheck, and provider-capacity focused tests pass. - id: PSSM-L3-SCHEMA-GPUAAS-NODE-LIFECYCLE-001 title: Rename GPUaaS MAAS and node lifecycle tables kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L3-SCHEMA-OWNER-RENAME-001 owning_domain: gpuaas-node-lifecycle owning_layer: schema-ownership checkin_mode: attended source_paths: - doc/architecture/db_schema_v1.sql - packages/platform/maas - packages/products/gpuaas/inventory - packages/products/gpuaas/provisioning - cmd target_paths: - doc/architecture/db_schema_v1.sql - packages/platform/maas - packages/products/gpuaas/inventory - packages/products/gpuaas/provisioning - cmd review_domains: - backend - ops - security risk_level: high migration_type: schema-owner-rename depends_on: - PSSM-L3-SCHEMA-GPUAAS-INVENTORY-001 acceptance_checks: - MAAS/node lifecycle old-to-new table map is recorded in task evidence. - Schema and all SQL references are updated in the same batch. - Provisioning, MAAS, provider, and node lifecycle focused tests pass. - id: PSSM-L3-SCHEMA-GPUAAS-ALLOCATIONS-001 title: Rename GPUaaS allocation and terminal access tables kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L3-SCHEMA-OWNER-RENAME-001 owning_domain: gpuaas-provisioning owning_layer: schema-ownership checkin_mode: attended source_paths: - doc/architecture/db_schema_v1.sql - packages/products/gpuaas/provisioning - packages/products/gpuaas/terminal - cmd/api - cmd/terminal-gateway target_paths: - doc/architecture/db_schema_v1.sql - packages/products/gpuaas/provisioning - packages/products/gpuaas/terminal - cmd/api - cmd/terminal-gateway review_domains: - backend - ops - product risk_level: high migration_type: schema-owner-rename depends_on: - PSSM-L3-SCHEMA-GPUAAS-NODE-LIFECYCLE-001 acceptance_checks: - Allocation/access old-to-new table map is recorded in task evidence. - Schema and all SQL references are updated in the same batch. - Provisioning and terminal focused tests pass. - id: PSSM-L3-SCHEMA-APPPLATFORM-001 title: Rename App Platform catalog runtime and artifact tables kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L3-SCHEMA-OWNER-RENAME-001 owning_domain: appplatform owning_layer: schema-ownership checkin_mode: attended source_paths: - doc/architecture/db_schema_v1.sql - packages/products/appplatform - packages/products/gpuaas/inventory - cmd/api - cmd/app-runtime-worker - cmd/proxy-runtime-reconciler target_paths: - doc/architecture/db_schema_v1.sql - packages/products/appplatform - packages/products/gpuaas/inventory - cmd/api - cmd/app-runtime-worker - cmd/proxy-runtime-reconciler review_domains: - backend - product - architecture risk_level: high migration_type: schema-owner-rename depends_on: - PSSM-L3-SCHEMA-GPUAAS-ALLOCATIONS-001 acceptance_checks: - App Platform old-to-new table map is recorded in task evidence. - Schema and all SQL references are updated in the same batch. - App SDK smoke-relevant package tests pass. - id: PSSM-L3-SCHEMA-BILLING-PAYMENTS-001 title: Rename platform billing payments and finance tables kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L3-SCHEMA-OWNER-RENAME-001 owning_domain: platform-billing owning_layer: schema-ownership checkin_mode: attended source_paths: - doc/architecture/db_schema_v1.sql - packages/platform/billing - packages/platform/payments - cmd/api - cmd/billing-worker - cmd/webhook-worker target_paths: - doc/architecture/db_schema_v1.sql - packages/platform/billing - packages/platform/payments - cmd/api - cmd/billing-worker - cmd/webhook-worker review_domains: - backend - security - finance - ops risk_level: critical migration_type: schema-owner-rename depends_on: - PSSM-L3-SCHEMA-APPPLATFORM-001 acceptance_checks: - Billing/payment old-to-new table map is recorded in task evidence. - Schema and all SQL references are updated in the same batch. - Immutable ledger, payment, billing-worker, and real Postgres focused tests pass. - id: PSSM-L3-SCHEMA-AUDIT-EVIDENCE-001 title: Rename platform audit evidence and status tables kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L3-SCHEMA-OWNER-RENAME-001 owning_domain: platform-audit-evidence owning_layer: schema-ownership checkin_mode: attended source_paths: - doc/architecture/db_schema_v1.sql - packages/platform/audit - packages/platform/evidence - packages/platform/statusops - cmd/api target_paths: - doc/architecture/db_schema_v1.sql - packages/platform/audit - packages/platform/evidence - packages/platform/statusops - cmd/api review_domains: - backend - ops - governance risk_level: high migration_type: schema-owner-rename depends_on: - PSSM-L3-SCHEMA-BILLING-PAYMENTS-001 acceptance_checks: - Audit/evidence/status old-to-new table map is recorded in task evidence. - Schema and all SQL references are updated in the same batch. - Audit, evidence, and status focused tests pass. - id: PSSM-L3-SCHEMA-POLICY-INFRA-001 title: Rename platform policy idempotency and outbox tables kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L3-SCHEMA-OWNER-RENAME-001 owning_domain: platform-policy-infra owning_layer: schema-ownership checkin_mode: attended source_paths: - doc/architecture/db_schema_v1.sql - packages/platform/policy - packages/shared/outbox - cmd/api - cmd/outbox-relay target_paths: - doc/architecture/db_schema_v1.sql - packages/platform/policy - packages/shared/outbox - cmd/api - cmd/outbox-relay review_domains: - backend - governance - ops risk_level: high migration_type: schema-owner-rename depends_on: - PSSM-L3-SCHEMA-AUDIT-EVIDENCE-001 acceptance_checks: - Policy/infra old-to-new table map is recorded in task evidence. - Schema and all SQL references are updated in the same batch. - Policy, idempotency, and outbox focused tests pass. - id: PSSM-L3-SCHEMA-STORAGE-001 title: Rename or explicitly defer platform storage tables kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L3-SCHEMA-OWNER-RENAME-001 owning_domain: platform-storage owning_layer: schema-ownership checkin_mode: attended source_paths: - doc/architecture/db_schema_v1.sql - packages/platform/storage - cmd/api target_paths: - doc/architecture/db_schema_v1.sql - packages/platform/storage - cmd/api - doc/architecture/platform-foundation/ownership-maps/schema-ownership.md review_domains: - backend - architecture - ops risk_level: high migration_type: schema-owner-rename depends_on: - PSSM-L3-SCHEMA-POLICY-INFRA-001 acceptance_checks: - Storage rename or explicit deferral decision is recorded. - If renamed, schema and all SQL references are updated in the same batch. - Storage focused tests pass. - id: PSSM-L3-EVENT-SUBJECT-RENAME-PACKET-001 title: Produce owner-visible event subject rename packet kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-L3-LEGACY-RETIREMENT owning_domain: platform-foundation owning_layer: event-ownership checkin_mode: attended source_paths: - doc/api/asyncapi.draft.yaml - packages/shared/events - doc/architecture/platform-foundation/ownership-maps/event-ownership.md - tmp-ux/PSSM_Completion_Backlog_v1.md target_paths: - doc/architecture/platform-foundation - doc/api review_domains: - architecture - ops - backend - governance risk_level: high migration_type: event-subject-rename-planning depends_on: - PSSM-L3-DECISION-GATE-001 acceptance_checks: - Packet maps every legacy subject to an owner-visible target subject. - Packet identifies producer, consumer, AsyncAPI, NATS stream, and replay impacts for each subject family. - Packet defines whether dual-publish/dual-consume is needed for demo or internal continuity. - id: PSSM-L3-EVENT-SUBJECT-RENAME-001 title: Rename legacy event subjects to owner-visible subjects kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-L3-LEGACY-RETIREMENT owning_domain: platform-foundation owning_layer: event-ownership checkin_mode: attended source_paths: - doc/api/asyncapi.draft.yaml - packages/shared/events - packages - cmd target_paths: - doc/api/asyncapi.draft.yaml - packages/shared/events - packages - cmd review_domains: - backend - ops - architecture - governance risk_level: high migration_type: event-subject-rename depends_on: - PSSM-L3-EVENT-SUBJECT-RENAME-PACKET-001 - PSSM-L2-OPERATIONAL-PROOF - PSSM-L3-PLATFORM-SERVICES-MOVE-001 - PSSM-L3-GPUAAS-SERVICES-MOVE-001 - PSSM-L3-APPPLATFORM-SERVICES-MOVE-001 acceptance_checks: - Event constants, producers, consumers, AsyncAPI subjects, and NATS stream configuration are updated in lockstep. - Event ownership guard no longer reports renamed subject families as legacy debt. - Event tests and worker tests pass after each subject family rename. - id: PSSM-L3-ADAPTER-SERVICES-DELETE-001 title: Delete redundant legacy adapters and packages/services tree kind: facade role: backend profile: platform-foundation parent_id: PSSM-L3-LEGACY-RETIREMENT owning_domain: platform-foundation owning_layer: package-ownership checkin_mode: attended source_paths: - packages/services - packages/platform - packages/products target_paths: - packages/platform - packages/products - packages/services review_domains: - backend - architecture - governance risk_level: high migration_type: legacy-adapter-delete depends_on: - PSSM-L3-PLATFORM-SERVICES-MOVE-001 - PSSM-L3-GPUAAS-SERVICES-MOVE-001 - PSSM-L3-APPPLATFORM-SERVICES-MOVE-001 acceptance_checks: - No production or test import path references `packages/services/*`. - Redundant `adapter_legacy.go` files are removed or explicitly retained only where still adapting an external dependency. - Go test `./...` passes after `packages/services/*` removal. - id: PSSM-L3-DOC-SWEEP-001 title: Update architecture, governance, and agent docs after legacy retirement kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-L3-LEGACY-RETIREMENT owning_domain: platform-foundation owning_layer: documentation checkin_mode: unattended source_paths: - AGENTS.md - doc/architecture/Monorepo_Structure.md - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md - doc/architecture/platform-foundation/Platform_Shared_Services_Model_v2.md target_paths: - AGENTS.md - doc/architecture - doc/architecture/platform-foundation review_domains: - architecture - governance - product risk_level: medium migration_type: legacy-retirement-doc-sweep depends_on: - PSSM-L3-ADAPTER-SERVICES-DELETE-001 acceptance_checks: - Repo layout docs no longer describe `packages/services/*` as the active implementation layer. - PSSM v2 current anchors point to platform/product packages. - Agent instructions and monorepo docs match the final code layout. - id: PSSM-L3-APPPLATFORM-INVENTORY-CONTRACT-001 title: Split App Platform catalog/runtime contracts from GPUaaS inventory legacy internals kind: facade role: backend profile: platform-foundation parent_id: PSSM-L3-LEGACY-RETIREMENT owning_domain: appplatform owning_layer: product-packages checkin_mode: attended source_paths: - packages/products/appplatform/catalog - packages/products/appplatform/runtime - packages/products/gpuaas/inventory/legacyimpl - scripts/ci/platform_foundation_boundary_report.sh target_paths: - packages/products/appplatform/catalog - packages/products/appplatform/runtime - packages/products/appplatform/sdk - doc/architecture/platform-foundation/guard-allowed-debt.tsv review_domains: - backend - architecture - product - governance risk_level: high migration_type: appplatform-contract-split depends_on: - PSSM-L3-APPPLATFORM-SERVICES-MOVE-001 - PSSM-L3-GUARD-DEBT-ZERO-001 acceptance_checks: - App Platform catalog/runtime public types no longer alias GPUaaS inventory legacy implementation types. - App Platform catalog/runtime backends depend on an explicit product integration contract or App Platform-owned implementation, not GPUaaS legacy internals. - Boundary guard no longer needs the `PSSM-L3-APPPLATFORM-INVENTORY-CONTRACT-001` allowed-debt entry. - id: PSSM-L3-GUARD-DEBT-ZERO-001 title: Close or reclassify remaining guard debt after legacy retirement kind: boundary-guard role: governance profile: platform-foundation parent_id: PSSM-L3-LEGACY-RETIREMENT owning_domain: platform-foundation owning_layer: governance checkin_mode: unattended source_paths: - scripts/ci/platform_foundation_boundary_report.sh - doc/architecture/platform-foundation/guard-allowed-debt.tsv - tmp/platform-foundation-guards target_paths: - scripts/ci/platform_foundation_boundary_report.sh - doc/architecture/platform-foundation/guard-allowed-debt.tsv - doc/architecture/platform-foundation review_domains: - governance - architecture - ops risk_level: high migration_type: guard-debt-closure depends_on: - PSSM-L3-DOC-SWEEP-001 acceptance_checks: - Guard allowed-debt file no longer carries stale route, schema, event, or semantic-facade debt from retired legacy structure. - Boundary guard can run in blocking mode for high/critical findings and warning/blocking-new mode for medium/low owner debt. - Guard report clearly distinguishes any intentional residual debt from legacy-retirement leftovers. - id: PSS-EVIDENCE-GUARD-CONTRACT-001 title: Align guard graduation contract with evidence ingestion and portal status kind: release-evidence role: governance profile: platform-foundation parent_id: PSS-OPERATIONALIZATION owning_domain: platform-foundation owning_layer: evidence-status checkin_mode: unattended source_paths: - scripts/ci/platform_foundation_boundary_report.sh - scripts/ci/platform_guard_report_ingest.sh - scripts/ci/platform_evidence_payload.sh - doc/api/openapi/domains/v3-read-models.yaml - packages/platform/statusops - packages/web/src/components/v3/v3-platform-pages.tsx target_paths: - doc/api/openapi/domains/v3-read-models.yaml - doc/api/openapi.draft.yaml - doc/architecture/db_schema_v1.sql - packages/platform/statusops - packages/shared/gen/openapi_types.gen.go - packages/web/src/lib/gen/openapi.types.ts - packages/web/src/components/v3/v3-platform-pages.tsx - scripts/ci review_domains: - governance - ops - frontend - backend risk_level: high migration_type: evidence-guard-contract depends_on: - PF-GUARD-GRADUATION-SMOKE-001 acceptance_checks: - Guard report modes include report-only, warning, blocking, blocking-new, and blocking-all in API contracts, schema checks, generated types, and status UI. - Guard findings preserve approval and allowed-debt metadata through report ingestion and portal rendering. - Evidence payload generation treats approved allowed debt as visible debt, not a failing release gate. - CI script smoke validates guard report ingestion, evidence payload generation, and submit dry-run validation. - id: PSS-RELEASE-GATE-POLICY-001 title: Define release gate policy from shared-service evidence kind: release-evidence role: governance profile: platform-foundation parent_id: PSS-OPERATIONALIZATION owning_domain: platform-foundation owning_layer: release-evidence source_paths: - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Input_Mapping_v1.md - scripts/ci/platform_evidence_payload.sh - doc/governance/Platform_Control_Release_Promotion_Policy.md target_paths: - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - scripts/ci/platform_evidence_payload.sh - scripts/ci/platform_evidence_submit.sh review_domains: - governance - ops - architecture - security risk_level: high migration_type: release-gate-policy depends_on: - PSS-EVIDENCE-GUARD-CONTRACT-001 acceptance_checks: - Release gates distinguish missing, stale, partial, failed, and approved-residual-risk evidence. - Product invariants for GPUaaS and App Platform are named in the evidence bundle instead of inferred from raw UAT logs. - CI submit dry-run can show the exact release-readiness payload before a promotion. - id: PSS-STATUSOPS-READINESS-HARDENING-001 title: Harden status/ops read models for operator use kind: release-evidence role: backend profile: platform-foundation parent_id: PSS-OPERATIONALIZATION owning_domain: platform-foundation owning_layer: statusops source_paths: - packages/platform/statusops - cmd/api/routes_platform_statusops.go - packages/web/src/components/v3/v3-platform-pages.tsx target_paths: - packages/platform/statusops - cmd/api/routes_platform_statusops.go - packages/web/app/platform/status - packages/web/src/components/v3/v3-platform-pages.tsx review_domains: - backend - frontend - ops - security risk_level: high migration_type: statusops-hardening depends_on: - PSS-EVIDENCE-GUARD-CONTRACT-001 acceptance_checks: - Status endpoints support pagination/filtering where datasets can grow beyond demo volume. - Operator pages show component freshness, guard posture, and release evidence without direct database access. - Tests cover healthy, stale, missing, and degraded status/readiness cases. - id: PSS-APP-SDK-READINESS-EXECUTION-001 title: Turn App SDK readiness matrix into executable contracts kind: facade role: backend profile: platform-foundation parent_id: PSS-OPERATIONALIZATION owning_domain: appplatform owning_layer: sdk source_paths: - doc/architecture/platform-foundation/App_SDK_Readiness_Matrix_v1.md - packages/products/appplatform - packages/services/appruntime - scripts/seed.sql target_paths: - packages/products/appplatform/sdk - packages/products/appplatform/catalog - packages/products/appplatform/runtime - doc/architecture/platform-foundation/App_SDK_Readiness_Matrix_v1.md review_domains: - backend - architecture - security risk_level: high migration_type: sdk-contract-execution depends_on: - PF-APPPLATFORM-CATALOG-FACADE-001 - PF-APPPLATFORM-RUNTIME-FACADE-001 acceptance_checks: - App changes are classified as runtime fix, catalog/manifest change, or SDK/developer contract change. - Manifest, launch, connect, publish, failure, and UAT contracts have validators or contract tests. - Seed/runtime one-offs are moved toward SDK-visible manifests and examples with smoke-test coverage. - id: PSS-REGISTRY-RUNTIME-CONSUMERS-001 title: Wire first runtime consumers to the platform registry facade kind: facade role: backend profile: platform-foundation parent_id: PSS-OPERATIONALIZATION owning_domain: platform-foundation owning_layer: registry source_paths: - packages/platform/registry - doc/architecture/platform-foundation/Platform_Registry_Contract_v1.md - doc/architecture/platform-foundation/registry/platform-registry.seed.yaml - packages/products target_paths: - packages/platform/registry - packages/products - cmd/api review_domains: - backend - architecture - ops risk_level: high migration_type: registry-consumer-wiring depends_on: - PF-PHASE-C-IAM-REGISTRY acceptance_checks: - At least one product/runtime consumer reads service/product metadata through the registry facade. - Registry usage avoids duplicating shared-service metadata in product code or seed-only assumptions. - Tests cover missing, invalid, and active registry records. - id: PSS-EXTRACTION-PACKET-001 title: Produce first shared-service extraction readiness packet kind: architecture-map role: architecture profile: platform-foundation parent_id: PSS-OPERATIONALIZATION owning_domain: platform-foundation owning_layer: deployment source_paths: - doc/architecture/platform-foundation/Platform_Deployment_Extraction_Readiness_v1.md - doc/architecture/platform-foundation/Platform_Shared_Services_Model_v2.md - doc/architecture/platform-foundation/ownership-maps target_paths: - doc/architecture/platform-foundation/Platform_Deployment_Extraction_Readiness_v1.md - .fairway/artifacts review_domains: - architecture - ops - security - backend risk_level: high migration_type: extraction-readiness-packet depends_on: - PSS-RELEASE-GATE-POLICY-001 - PSS-STATUSOPS-READINESS-HARDENING-001 - PSS-REGISTRY-RUNTIME-CONSUMERS-001 acceptance_checks: - Packet chooses one candidate service and answers owner, consumer, contract, auth, degradation, data, event, ops, SLO, and migration questions. - Packet recommends keep-in-process, split worker, or extract service with explicit operational reason. - id: PF-GPUAAS-INVENTORY-FACADE-001 title: Add GPUaaS inventory product facade kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-D-PRODUCT-ALIGNMENT owning_domain: gpuaas owning_layer: inventory checkin_mode: unattended source_paths: - packages/services/inventory - doc/architecture/platform-foundation/ownership-maps/package-ownership.md target_paths: - packages/products/gpuaas/inventory review_domains: - backend - architecture risk_level: medium migration_type: product-facade depends_on: - PF-PHASE-C-IAM-REGISTRY acceptance_checks: - Product-owned inventory facade wraps safe catalog/capacity methods before node lifecycle movement. - Unit tests cover unavailable, validation, and delegation behavior. - id: PF-GPUAAS-TERMINAL-FACADE-001 title: Add GPUaaS terminal product facade kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-D-PRODUCT-ALIGNMENT owning_domain: gpuaas owning_layer: terminal checkin_mode: unattended source_paths: - packages/services/terminal - cmd/terminal-gateway target_paths: - packages/products/gpuaas/terminal review_domains: - backend - security - architecture risk_level: medium migration_type: product-facade depends_on: - PF-PHASE-C-IAM-REGISTRY acceptance_checks: - Product-owned terminal facade wraps token/session/stream methods without changing Redis behavior. - Unit tests cover unavailable, validation, and delegation behavior. - id: PF-APPPLATFORM-CATALOG-FACADE-001 title: Add App Platform catalog product facade kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-D-PRODUCT-ALIGNMENT owning_domain: appplatform owning_layer: catalog checkin_mode: unattended source_paths: - packages/services/inventory - doc/architecture/platform-foundation/App_SDK_Readiness_Matrix_v1.md target_paths: - packages/products/appplatform/catalog review_domains: - backend - architecture risk_level: medium migration_type: product-facade depends_on: - PF-PHASE-C-IAM-REGISTRY acceptance_checks: - Product-owned catalog facade wraps app catalog, registry info, and artifact lifecycle methods. - Unit tests cover unavailable and delegation behavior. - id: PF-APPPLATFORM-RUNTIME-FACADE-001 title: Add App Platform runtime product facade kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-D-PRODUCT-ALIGNMENT owning_domain: appplatform owning_layer: runtime checkin_mode: unattended source_paths: - packages/services/appruntime - packages/services/inventory target_paths: - packages/products/appplatform/runtime review_domains: - backend - architecture - ops risk_level: high migration_type: product-facade depends_on: - PF-PHASE-C-IAM-REGISTRY acceptance_checks: - Product-owned runtime facade wraps app lifecycle handlers and app/shared-runtime inventory methods. - Unit tests cover unavailable and delegation behavior. - id: PF-TERMINAL-CALLER-MIGRATION-001 title: Move terminal API and gateway callers onto GPUaaS terminal facade kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-D-PRODUCT-ALIGNMENT owning_domain: gpuaas owning_layer: terminal checkin_mode: unattended source_paths: - cmd/api - cmd/terminal-gateway - packages/services/terminal target_paths: - cmd/api - cmd/terminal-gateway - packages/products/gpuaas/terminal review_domains: - backend - security risk_level: medium migration_type: caller-migration depends_on: - PF-GPUAAS-TERMINAL-FACADE-001 acceptance_checks: - API and terminal gateway depend on the GPUaaS terminal facade. - Legacy terminal service remains the runtime adapter behind the facade. - id: PF-APP-RUNTIME-WORKER-MIGRATION-001 title: Move app-runtime worker onto App Platform runtime facade kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-D-PRODUCT-ALIGNMENT owning_domain: appplatform owning_layer: runtime checkin_mode: unattended source_paths: - cmd/app-runtime-worker - packages/services/appruntime target_paths: - cmd/app-runtime-worker - packages/products/appplatform/runtime review_domains: - backend - ops risk_level: medium migration_type: caller-migration depends_on: - PF-APPPLATFORM-RUNTIME-FACADE-001 acceptance_checks: - App runtime worker depends on the App Platform runtime facade. - Lifecycle and launchable OCI reconciliation behavior remains unchanged. - id: PF-PROXY-RUNTIME-RECONCILER-MIGRATION-001 title: Move proxy-runtime reconciler onto App Platform runtime facade kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-D-PRODUCT-ALIGNMENT owning_domain: appplatform owning_layer: runtime checkin_mode: unattended source_paths: - cmd/proxy-runtime-reconciler - packages/services/inventory target_paths: - cmd/proxy-runtime-reconciler - packages/products/appplatform/runtime review_domains: - backend - ops risk_level: medium migration_type: caller-migration depends_on: - PF-APPPLATFORM-RUNTIME-FACADE-001 acceptance_checks: - Proxy-runtime reconciler depends on the App Platform runtime facade for proxy route contracts. - Pomerium/kubectl runtime construction remains an adapter behind the facade. - id: PF-GPUAAS-PROVISIONING-FACADE-001 title: Add GPUaaS provisioning product facade kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-D-PRODUCT-ALIGNMENT owning_domain: gpuaas owning_layer: provisioning checkin_mode: unattended source_paths: - packages/services/provisioning/orchestrator target_paths: - packages/products/gpuaas/provisioning review_domains: - backend - architecture risk_level: high migration_type: product-facade depends_on: - PF-PHASE-C-IAM-REGISTRY acceptance_checks: - Product-owned provisioning facade wraps allocation, release/restart, runtime bundle, SSH key, and access grant methods. - Unit tests cover unavailable, validation, and delegation behavior. - id: PF-PROVISIONING-API-FACADE-MIGRATION-001 title: Route API provisioning dependency through GPUaaS provisioning facade kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-D-PRODUCT-ALIGNMENT owning_domain: gpuaas owning_layer: provisioning checkin_mode: unattended source_paths: - cmd/api - packages/services/provisioning/orchestrator target_paths: - cmd/api - packages/products/gpuaas/provisioning review_domains: - backend - architecture risk_level: high migration_type: caller-migration depends_on: - PF-GPUAAS-PROVISIONING-FACADE-001 acceptance_checks: - API constructs legacy orchestrator behind the GPUaaS provisioning facade. - Route helper type migration remains a separate follow-up because the API allocation surface is broad. - id: PF-PRODUCT-FACADE-FOLLOWUPS-001 title: Plan remaining product facade migrations kind: facade role: architecture profile: platform-foundation parent_id: PF-PHASE-D-PRODUCT-ALIGNMENT owning_domain: platform-foundation owning_layer: product-packages source_paths: - cmd/provider-reconciler - cmd/proxy-runtime-reconciler - packages/services/provisioning - packages/services/inventory target_paths: - packages/products/gpuaas/provisioning - packages/products/appplatform/runtime review_domains: - architecture - backend - ops risk_level: high migration_type: follow-up-plan depends_on: - PF-GPUAAS-INVENTORY-FACADE-001 - PF-APPPLATFORM-RUNTIME-FACADE-001 acceptance_checks: - Provider-reconciler and proxy-runtime-reconciler migrations are split into bounded tasks before code movement. - Provisioning facade scope is defined before allocation/Temporal internals move. - id: PF-PROVIDER-RECONCILER-FACADE-MIGRATION-001 title: Move provider reconciler through GPUaaS provider lifecycle facade kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-D-PRODUCT-ALIGNMENT owning_domain: gpuaas owning_layer: inventory source_paths: - cmd/provider-reconciler - packages/services/inventory/provider_reconciler.go - packages/services/provisioning/provider target_paths: - cmd/provider-reconciler - packages/products/gpuaas/inventory - packages/products/gpuaas/provisioning review_domains: - backend - ops - architecture risk_level: high migration_type: caller-migration depends_on: - PF-GPUAAS-INVENTORY-FACADE-001 - PF-GPUAAS-PROVISIONING-FACADE-001 acceptance_checks: - Provider lifecycle store, observed-state reconcile, warm-pool handoff, and provider adapter types are exposed through GPUaaS-owned facades. - Provider reconciler depends on product facade contracts before any provider internals move. - id: PF-PROVISIONING-WORKER-FACADE-MIGRATION-001 title: Move provisioning worker through GPUaaS provisioning worker facade kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-D-PRODUCT-ALIGNMENT owning_domain: gpuaas owning_layer: provisioning source_paths: - cmd/provisioning-worker - packages/services/provisioning/worker target_paths: - cmd/provisioning-worker - packages/products/gpuaas/provisioning review_domains: - backend - ops - architecture risk_level: high migration_type: caller-migration depends_on: - PF-GPUAAS-PROVISIONING-FACADE-001 acceptance_checks: - Temporal provisioning worker runtime contracts are exposed through GPUaaS-owned facade types. - Worker behavior and node-task dispatch remain unchanged. - id: PF-API-PROVISIONING-TYPE-MIGRATION-001 title: Move API provisioning route helpers to GPUaaS provisioning types kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-D-PRODUCT-ALIGNMENT owning_domain: gpuaas owning_layer: provisioning source_paths: - cmd/api/routes.go - cmd/api/routes_v3_readmodels.go - cmd/api/routes_v3_launch_submit.go - cmd/api/routes_managed_runtime.go target_paths: - cmd/api - packages/products/gpuaas/provisioning review_domains: - backend - architecture risk_level: high migration_type: caller-migration depends_on: - PF-PROVISIONING-API-FACADE-MIGRATION-001 acceptance_checks: - API route helper signatures use GPUaaS provisioning type imports where the facade already owns the contract. - Integration tests continue to use legacy orchestrator only when constructing the runtime backend directly. - id: PF-MAP-PACKAGES title: Map package ownership for platform foundation kind: architecture-map role: architecture profile: platform-foundation parent_id: PF-PHASE-A-ARCH-FOUNDATION owning_domain: platform-foundation owning_layer: packages source_paths: - cmd - packages - doc/architecture/Domain_Ownership_Map.md - doc/architecture/Monorepo_Structure.md - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md target_paths: - doc/architecture/platform-foundation/ownership-maps/package-ownership.md review_domains: - architecture - backend - governance risk_level: high migration_type: ownership-map depends_on: - PLATFORM-FOUNDATION-OWNERSHIP acceptance_checks: - Current and target owner are named for cmd binaries, shared packages, services packages, planned platform packages, and product packages. - Temporary adapter needs and move-later areas are called out with risk. - id: PF-MAP-ROUTES title: Map API route ownership for platform foundation kind: architecture-map role: architecture profile: platform-foundation parent_id: PF-PHASE-A-ARCH-FOUNDATION owning_domain: platform-foundation owning_layer: routes source_paths: - cmd/api - doc/api - doc/architecture/API_Domain_Authoring_Model_v1.md - doc/architecture/API_Route_Modularization_and_V1_Freeze_v1.md - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md target_paths: - doc/architecture/platform-foundation/ownership-maps/route-ownership.md review_domains: - architecture - backend - security risk_level: high migration_type: ownership-map depends_on: - PLATFORM-FOUNDATION-OWNERSHIP acceptance_checks: - Current v1 frozen, v3 read-model, platform, product, and admin route owners are named. - Evidence/status route module target and guardable route-placement rule are explicit. - id: PF-MAP-SCHEMA title: Map schema and table ownership for platform foundation kind: architecture-map role: architecture profile: platform-foundation parent_id: PF-PHASE-A-ARCH-FOUNDATION owning_domain: platform-foundation owning_layer: schema source_paths: - doc/architecture/db_schema_v1.sql - doc/architecture/ERD.md - doc/architecture/platform-foundation/Platform_Shared_Services_Model_v2.md - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md target_paths: - doc/architecture/platform-foundation/ownership-maps/schema-ownership.md review_domains: - architecture - backend - security risk_level: high migration_type: ownership-map depends_on: - PLATFORM-FOUNDATION-OWNERSHIP acceptance_checks: - Current and target owner are named for shared-service, GPUaaS product, app-platform, audit/evidence, registry/artifact, and policy tables. - Cross-domain direct DB access risks are identified for report-only guard input. - id: PF-MAP-EVENTS title: Map event and outbox ownership for platform foundation kind: architecture-map role: architecture profile: platform-foundation parent_id: PF-PHASE-A-ARCH-FOUNDATION owning_domain: platform-foundation owning_layer: events source_paths: - doc/api/asyncapi.draft.yaml - doc/api/asyncapi - doc/architecture/Event_Taxonomy.md - doc/architecture/NATS_Stream_Config.md - packages/shared/events - packages/shared/outbox target_paths: - doc/architecture/platform-foundation/ownership-maps/event-ownership.md review_domains: - architecture - backend - ops risk_level: medium migration_type: ownership-map depends_on: - PLATFORM-FOUNDATION-OWNERSHIP acceptance_checks: - Subject ownership and producer/consumer ownership are explicit. - Event ownership rules are usable for a later AsyncAPI/outbox guard. - id: PF-MAP-FRONTEND title: Map frontend surface ownership for platform foundation kind: frontend-contract role: frontend profile: platform-foundation parent_id: PF-PHASE-A-ARCH-FOUNDATION owning_domain: platform-foundation owning_layer: frontend source_paths: - packages/web - doc/architecture/Frontend_Surface_Architecture_Work_Plan_v1.md - doc/product/Product_Surface_IA_and_Role_Model_v1.md - doc/product/V3_Migration_Execution_Tracker_v1.md target_paths: - doc/architecture/platform-foundation/ownership-maps/frontend-surface-ownership.md review_domains: - frontend - architecture - product risk_level: medium migration_type: ownership-map depends_on: - PLATFORM-FOUNDATION-OWNERSHIP acceptance_checks: - Platform, product, shared shell, app-developer, and ops/security surfaces are named with current and target owners. - Evidence/status page-contract dependency is explicit before UI implementation work. - id: PF-MAP-WORKERS title: Map worker and binary ownership for platform foundation kind: architecture-map role: ops profile: platform-foundation parent_id: PF-PHASE-A-ARCH-FOUNDATION owning_domain: platform-foundation owning_layer: workers source_paths: - cmd - doc/architecture/Inter_Service_Communication.md - doc/operations - scripts/ci target_paths: - doc/architecture/platform-foundation/ownership-maps/worker-binary-ownership.md review_domains: - ops - architecture - governance risk_level: medium migration_type: ownership-map depends_on: - PLATFORM-FOUNDATION-OWNERSHIP acceptance_checks: - API, workers, node-agent, terminal-gateway, release tooling, and CI script ownership are named. - Deployment-boundary implications are identified without starting service extraction. - id: PF-GUARD-PLAN title: Define report-only boundary guard plan from ownership maps kind: boundary-guard role: governance profile: platform-foundation parent_id: PF-PHASE-A-ARCH-FOUNDATION owning_domain: platform-foundation owning_layer: guard source_paths: - doc/architecture/platform-foundation/ownership-maps/ - scripts/ci target_paths: - doc/architecture/platform-foundation/Platform_Foundation_Boundary_Guards_v1.md review_domains: - governance - architecture - ops risk_level: high migration_type: boundary-guard depends_on: - PF-MAP-PACKAGES - PF-MAP-ROUTES - PF-MAP-SCHEMA - PF-MAP-EVENTS - PF-MAP-FRONTEND - PF-MAP-WORKERS acceptance_checks: - Guard plan lists import-boundary, route-placement, schema-owner, event-owner, frontend-boundary, and worker/binary checks. - Guard plan stays report-only and includes false-positive and graduation criteria. - id: PF-GUARD-REPORT-001 title: Add report-only platform foundation guard report script kind: boundary-guard role: governance profile: platform-foundation parent_id: PF-PHASE-A-ARCH-FOUNDATION owning_domain: platform-foundation owning_layer: guard source_paths: - doc/architecture/platform-foundation/Platform_Foundation_Boundary_Guards_v1.md - doc/architecture/platform-foundation/ownership-maps/ - scripts/ci - cmd - packages - doc/api target_paths: - scripts/ci/platform_foundation_boundary_report.sh - doc/architecture/platform-foundation/Platform_Foundation_Boundary_Guards_v1.md review_domains: - governance - architecture - ops risk_level: high migration_type: boundary-guard depends_on: - PF-GUARD-PLAN acceptance_checks: - Script runs locally in report-only mode and exits zero while writing JSON and Markdown summary artifacts. - Report includes import-boundary, route-placement, schema-owner, event-owner, frontend-boundary, and worker/binary sections. - Current legacy debt is reported, not blocked, and artifact paths are suitable for Fairway guard-report evidence. - id: PF-EVIDENCE-STATUS-CONTRACT-001 title: Define platform evidence/status first-slice contract kind: release-evidence role: architecture profile: platform-foundation parent_id: PF-PHASE-B-EVIDENCE-STATUS owning_domain: platform-foundation owning_layer: evidence-status source_paths: - doc/architecture/platform-foundation/Platform_Shared_Services_Model_v2.md - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md - doc/architecture/platform-foundation/AI_Factory_Production_Readiness_Gap_Portfolio_v1.md - doc/api - scripts/ci target_paths: - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md review_domains: - architecture - governance - ops - product risk_level: high migration_type: vertical-slice-contract depends_on: - PF-GUARD-REPORT-001 acceptance_checks: - Contract defines evidence bundle, status read model, release/UAT/security inputs, and named product invariants. - Contract states target route files, package facades, schema/events, and frontend page-contract expectations. - Contract does not move IAM, billing, provisioning, or app runtime code. - id: PF-EVIDENCE-API-CONTRACT-001 title: Add evidence/status read-model API contract kind: release-evidence role: architecture profile: platform-foundation parent_id: PF-PHASE-B-EVIDENCE-STATUS owning_domain: platform-foundation owning_layer: api-contract source_paths: - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - doc/api/openapi/domains/v3-read-models.yaml - doc/api/openapi.draft.yaml target_paths: - doc/api/openapi/domains/v3-read-models.yaml - doc/api/openapi.draft.yaml review_domains: - architecture - backend - ops risk_level: high migration_type: api-contract depends_on: - PF-EVIDENCE-STATUS-CONTRACT-001 acceptance_checks: - OpenAPI includes evidence bundle list/detail, readiness, component status, and guard summary read-model endpoints. - Schemas include release/UAT/security evidence, product invariant coverage, guard findings, and status freshness fields. - Contract update is fragment-authored and canonical bundle validation passes. - id: PF-EVIDENCE-SCHEMA-001 title: Define evidence/status persistence schema kind: release-evidence role: backend profile: platform-foundation parent_id: PF-PHASE-B-EVIDENCE-STATUS owning_domain: platform-foundation owning_layer: schema source_paths: - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - doc/architecture/db_schema_v1.sql - doc/architecture/ERD.md target_paths: - doc/architecture/platform-foundation/Platform_Evidence_Status_Schema_v1.md - doc/architecture/db_schema_v1.sql - doc/architecture/ERD.md review_domains: - architecture - backend - ops risk_level: high migration_type: schema-contract depends_on: - PF-EVIDENCE-API-CONTRACT-001 acceptance_checks: - Schema contract uses platform-owned table names and maps to API fields. - Initial migration path is additive and does not rename legacy tables. - Persistence plan identifies generated/imported evidence sources and read-model freshness. - id: PF-EVIDENCE-FACADE-001 title: Scaffold evidence/status platform package facades kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-B-EVIDENCE-STATUS owning_domain: platform-foundation owning_layer: service source_paths: - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - packages/services/releases - cmd/api/routes_v3_readmodels_platform.go target_paths: - packages/platform/evidence - packages/platform/statusops - cmd/api/routes_platform_evidence.go - cmd/api/routes_platform_statusops.go review_domains: - backend - architecture - governance risk_level: high migration_type: facade depends_on: - PF-EVIDENCE-SCHEMA-001 acceptance_checks: - Facades define platform-owned request/response types and interfaces instead of re-exporting service types. - Initial API implementation can return read-model data without moving unrelated IAM, billing, provisioning, or app runtime code. - Tests cover contract shape and no direct NATS publish or cross-domain table mutation is introduced. - id: PF-EVIDENCE-READMODEL-001 title: Wire evidence/status facade into read-model API routes kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-B-EVIDENCE-STATUS owning_domain: platform-foundation owning_layer: api-read-model source_paths: - packages/platform/evidence - packages/platform/statusops - cmd/api/routes_v3_readmodels_domains.go - cmd/api/routes_v3_readmodels_platform.go - doc/api/openapi/domains/v3-read-models.yaml target_paths: - packages/platform/evidence - packages/platform/statusops - cmd/api/routes_platform_evidence.go - cmd/api/routes_platform_statusops.go - cmd/api/routes_v3_readmodels_domains.go review_domains: - backend - architecture - ops - governance risk_level: high migration_type: facade depends_on: - PF-EVIDENCE-FACADE-001 acceptance_checks: - Evidence bundle list/detail endpoints return platform-owned read models through the evidence facade. - Status readiness, component status, and guard summary endpoints return platform-owned read models through the statusops facade. - Route wiring uses the v3 platform ops-read guard and does not move unrelated IAM, billing, provisioning, or app runtime code. - id: PF-EVIDENCE-WRITE-001 title: Wire evidence bundle and item write endpoints kind: release-evidence role: backend profile: platform-foundation parent_id: PF-PHASE-B-EVIDENCE-STATUS owning_domain: platform-foundation owning_layer: api-mutation source_paths: - doc/api/openapi/domains/v3-read-models.yaml - packages/platform/evidence - cmd/api/routes_platform_evidence.go - cmd/api/routes_v3_readmodels_domains.go target_paths: - packages/platform/evidence - cmd/api/routes_platform_evidence.go - cmd/api/routes_v3_readmodels_domains.go review_domains: - backend - security - ops - governance risk_level: high migration_type: api-mutation depends_on: - PF-EVIDENCE-READMODEL-001 acceptance_checks: - POST evidence bundle and evidence item endpoints use the platform evidence facade and v3 idempotency wrapper. - Mutations require platform ops-write or stronger permission and emit audit log records with correlation IDs. - Validation/error paths use canonical errors and do not move unrelated IAM, billing, provisioning, or app runtime code. - id: PF-EVIDENCE-INPUTS-001 title: Map CI/UAT/security/guard artifacts into evidence payloads kind: release-evidence role: ops profile: platform-foundation parent_id: PF-PHASE-B-EVIDENCE-STATUS owning_domain: platform-foundation owning_layer: release-evidence-inputs source_paths: - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - scripts/ci/platform_foundation_boundary_report.sh - scripts/ci/security_scans_summary.sh - scripts/ci/platform_control_uat_demo.sh - scripts/ci/README.md target_paths: - doc/architecture/platform-foundation/Platform_Evidence_Input_Mapping_v1.md - scripts/ci/platform_evidence_payload.sh - scripts/ci/README.md review_domains: - ops - security - governance - architecture risk_level: medium migration_type: release-evidence-inputs depends_on: - PF-EVIDENCE-WRITE-001 acceptance_checks: - Input mapping names the CI, UAT, security, guard, and product-invariant evidence producers and their evidence_type values. - Payload helper writes bundle and item JSON compatible with the platform evidence POST endpoints without contacting a live API by default. - The helper is portable CI script logic and documents the environment variables release/UAT jobs should provide. - id: PF-EVIDENCE-SUBMIT-001 title: Add optional evidence payload submission helper kind: release-evidence role: ops profile: platform-foundation parent_id: PF-PHASE-B-EVIDENCE-STATUS owning_domain: platform-foundation owning_layer: release-evidence-inputs checkin_mode: unattended checkin_trigger: helper writes payloads, dry-run validates shape, and live-submit remains opt-in source_paths: - scripts/ci/platform_evidence_payload.sh - doc/architecture/platform-foundation/Platform_Evidence_Input_Mapping_v1.md - scripts/ci/README.md target_paths: - scripts/ci/platform_evidence_submit.sh - scripts/ci/README.md review_domains: - ops - security risk_level: medium migration_type: release-evidence-inputs depends_on: - PF-EVIDENCE-INPUTS-001 acceptance_checks: - Helper can submit bundle and item payloads when explicitly provided API base URL and bearer token. - Default mode is dry-run/print; no live submission happens without an explicit opt-in environment variable. - Check-in when dry-run and shellcheck/bash syntax pass; pause only if auth model needs new secrets. - id: PF-EVIDENCE-CI-ARTIFACT-001 title: Publish platform evidence payloads as CI artifacts kind: release-evidence role: ops profile: platform-foundation parent_id: PF-PHASE-B-EVIDENCE-STATUS owning_domain: platform-foundation owning_layer: release-evidence-inputs checkin_mode: unattended checkin_trigger: CI jobs produce evidence payload artifacts without changing release blocking behavior source_paths: - scripts/ci/platform_evidence_payload.sh - scripts/ci/platform_control_uat_demo.sh - scripts/ci/security_scans_summary.sh - .gitlab-ci.yml target_paths: - .gitlab-ci.yml - scripts/ci/README.md review_domains: - ops - governance risk_level: medium migration_type: ci-artifact depends_on: - PF-EVIDENCE-INPUTS-001 acceptance_checks: - Platform-control CI can publish evidence payload artifacts from existing CI/UAT/security/guard producers. - Initial integration is report/artifact-only and does not add a new blocking release gate. - Check-in after local CI dry-run or config validation shows the new artifact wiring. - id: PF-EVIDENCE-STATUS-INGEST-001 title: Ingest guard report summaries into status read model kind: release-evidence role: backend profile: platform-foundation parent_id: PF-PHASE-B-EVIDENCE-STATUS owning_domain: platform-foundation owning_layer: status-read-model checkin_mode: unattended checkin_trigger: latest guard report can populate platform_guard_report_summaries and status guard endpoint source_paths: - scripts/ci/platform_foundation_boundary_report.sh - packages/platform/statusops - cmd/api/routes_platform_statusops.go target_paths: - packages/platform/statusops - scripts/ci/platform_evidence_payload.sh - scripts/ci/README.md review_domains: - backend - ops - governance risk_level: medium migration_type: read-model-ingest depends_on: - PF-EVIDENCE-WRITE-001 acceptance_checks: - Guard report summary fields map cleanly into platform_guard_report_summaries. - Status guards endpoint returns recorded guard report rows rather than only empty read models. - Check-in when ingestion path is tested and boundary report remains import-clean. - id: PF-EVIDENCE-FRONTEND-CONTRACT-001 title: Define V3 evidence/status page contract kind: frontend-contract role: frontend profile: platform-foundation parent_id: PF-PHASE-B-EVIDENCE-STATUS owning_domain: platform-foundation owning_layer: frontend-contract checkin_mode: needs-review checkin_trigger: page contract is ready for product/architecture review before UI implementation expands source_paths: - doc/architecture/Frontend_Surface_Architecture_Work_Plan_v1.md - doc/product/Product_Surface_IA_and_Role_Model_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - doc/api/openapi/domains/v3-read-models.yaml target_paths: - doc/architecture/platform-foundation/Platform_Evidence_Status_Frontend_Contract_v1.md review_domains: - frontend - architecture - product - ops risk_level: medium migration_type: frontend-contract depends_on: - PF-EVIDENCE-READMODEL-001 acceptance_checks: - Contract identifies pages, roles, read models, empty/error states, and evidence drill-downs. - Contract names what product, architecture, security, ops, and app-developer audiences should see. - Pause for review before building broad UI surfaces. - id: PF-EVIDENCE-FRONTEND-001 title: Build initial V3 evidence/status internal surface kind: frontend-contract role: frontend profile: platform-foundation parent_id: PF-PHASE-B-EVIDENCE-STATUS owning_domain: platform-foundation owning_layer: frontend checkin_mode: needs-review checkin_trigger: usable internal page is screenshot/browser verified against API read models source_paths: - packages/web - doc/architecture/platform-foundation/Platform_Evidence_Status_Frontend_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml target_paths: - packages/web review_domains: - frontend - product - ops - architecture risk_level: medium migration_type: frontend-surface depends_on: - PF-EVIDENCE-FRONTEND-CONTRACT-001 - PF-EVIDENCE-STATUS-INGEST-001 acceptance_checks: - Initial internal surface shows evidence bundles, readiness, components, guard reports, and invariant coverage. - Browser verification covers desktop and mobile without layout overlap. - Pause for review with screenshots before expanding personas or navigation. - id: PF-APP-SDK-READINESS-MATRIX-001 title: Create App SDK manifest/launch/connect readiness matrix kind: architecture-map role: architecture profile: platform-foundation parent_id: PF-PHASE-B-EVIDENCE-STATUS owning_domain: app-platform owning_layer: sdk-contract checkin_mode: needs-review checkin_trigger: matrix identifies SDK-visible versus backend-only app behavior gaps from UAT source_paths: - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - pkg/sdk - packages/services/appruntime - scripts/seed.sql - scripts/ops target_paths: - doc/architecture/platform-foundation/App_SDK_Readiness_Matrix_v1.md review_domains: - architecture - backend - product - app-developers risk_level: high migration_type: sdk-contract depends_on: - PF-EVIDENCE-INPUTS-001 acceptance_checks: - Matrix classifies app changes as runtime fix, catalog/manifest change, or SDK/developer contract change. - Supported apps map to manifest defaults, launch, connect, failure, publish, and UAT contract coverage. - Pause for review because this affects future App SDK ownership and developer portal scope. - id: PF-REGISTRY-CONTRACT-001 title: Define platform registry contract and first seed entries kind: architecture-map role: architecture profile: platform-foundation parent_id: PF-PHASE-C-IAM-REGISTRY owning_domain: platform-foundation owning_layer: registry checkin_mode: needs-review checkin_trigger: registry contract is clear enough to implement without hardcoding product metadata source_paths: - doc/architecture/platform-foundation/Platform_Shared_Services_Model_v2.md - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md - scripts/seed.sql target_paths: - doc/architecture/platform-foundation/Platform_Registry_Contract_v1.md review_domains: - architecture - backend - governance risk_level: high migration_type: registry-contract depends_on: - PF-EVIDENCE-FACADE-001 acceptance_checks: - Contract defines product, scope, usage-unit, audit-action, notification-template, evidence-type, and app SDK registry entries. - Contract states seed-backed versus schema-backed implementation path. - Pause before implementation because registry timing affects IAM, audit, usage, product onboarding, and SDK work. - id: PF-IAM-FACADE-001 title: Scaffold IAM facade over current auth service kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-C-IAM-REGISTRY owning_domain: platform-foundation owning_layer: iam checkin_mode: unattended checkin_trigger: facade compiles, tests pass, and no route behavior changes source_paths: - packages/services/auth - packages/shared/authz - cmd/api - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md target_paths: - packages/platform/iam review_domains: - backend - security - architecture risk_level: high migration_type: facade depends_on: - PF-REGISTRY-CONTRACT-001 acceptance_checks: - Facade lives under packages/platform/iam with platform-owned types and adapter over current auth/authz. - No auth route behavior changes are bundled into scaffold. - Check-in when tests and boundary report pass; pause if facade needs new authz semantics. - id: PF-REGISTRY-SEED-FACADE-001 title: Add seed-backed platform registry facade kind: facade role: backend profile: platform-foundation parent_id: PF-PHASE-C-IAM-REGISTRY owning_domain: platform-foundation owning_layer: registry checkin_mode: unattended checkin_trigger: seed validates, package tests pass, and no DB/API route migration is introduced source_paths: - doc/architecture/platform-foundation/Platform_Registry_Contract_v1.md - doc/architecture/platform-foundation/Platform_Shared_Services_Model_v2.md - packages/platform/iam - packages/platform/evidence - packages/platform/statusops target_paths: - doc/architecture/platform-foundation/registry/platform-registry.seed.yaml - packages/platform/registry - scripts/ci/platform_registry_seed_validate.sh review_domains: - backend - architecture - governance - security risk_level: medium migration_type: registry-facade depends_on: - PF-REGISTRY-CONTRACT-001 - PF-IAM-FACADE-001 acceptance_checks: - Seed artifact includes product, scope, usage-unit, audit-action, notification-template, evidence-type, artifact-type, and SDK contract families. - CI validation catches duplicate IDs and broken owner/evidence references. - Read-only packages/platform/registry facade exposes platform-owned lookup types without DB migration or write APIs. - Platform package tests and boundary report pass. - id: PF-GUARD-GRADUATION-PLAN-001 title: Define report to warning to blocking guard graduation calendar kind: boundary-guard role: governance profile: platform-foundation parent_id: PF-PHASE-F-GUARD-GRADUATION owning_domain: platform-foundation owning_layer: guard checkin_mode: needs-review checkin_trigger: governance can approve dates and allowed-debt handling before warning mode starts source_paths: - scripts/ci/platform_foundation_boundary_report.sh - doc/architecture/platform-foundation/Platform_Foundation_Boundary_Guards_v1.md - doc/architecture/platform-foundation/ownership-maps target_paths: - doc/architecture/platform-foundation/Platform_Foundation_Guard_Graduation_Plan_v1.md - scripts/ci/README.md review_domains: - governance - architecture - backend - ops risk_level: high migration_type: guard-graduation depends_on: - PF-EVIDENCE-STATUS-INGEST-001 acceptance_checks: - Plan defines report-only, warning, and blocking dates/triggers with allowed-debt policy. - Plan states that new unapproved violations block before legacy debt does. - Pause for review before enabling warning or blocking behavior. - id: FRONTEND-ARCHITECTURE-HARDENING title: Complete frontend architecture hardening after platform foundation kind: epic role: orchestrator profile: platform-foundation parent_id: PLATFORM-FOUNDATION-OWNERSHIP owning_domain: frontend owning_layer: frontend checkin_mode: needs-review checkin_trigger: review the first module split plan before moving broad frontend imports source_paths: - doc/architecture/platform-foundation/ownership-maps/frontend-surface-ownership.md - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md - doc/product/V3_Workbench_Consistency_Plan_v2.md - doc/product/V3_Mock_To_Production_Data_Parity_v1.md - packages/web/app - packages/web/src target_paths: - packages/web/app - packages/web/src/platform - packages/web/src/products/gpuaas - packages/web/src/products/appplatform - packages/web/src/shared - scripts/ci review_domains: - frontend - architecture - product - governance risk_level: high migration_type: frontend-architecture-hardening depends_on: - PLATFORM-FOUNDATION-OWNERSHIP acceptance_checks: - Frontend physical module ownership split exists for platform, GPUaaS product, App Platform product, and shared modules. - New frontend boundary guard reports cross-owner imports before any blocking behavior is introduced. - Workbench and page-contract gaps are tracked separately from route namespace cleanup. - No user-visible route behavior changes are bundled with mechanical module moves unless explicitly required. - id: FRONTEND-MODULE-SPLIT-001 title: Split frontend modules by physical ownership kind: frontend-contract role: frontend profile: platform-foundation parent_id: FRONTEND-ARCHITECTURE-HARDENING owning_domain: frontend owning_layer: frontend checkin_mode: needs-review checkin_trigger: module ownership map and first low-risk move slice are ready for review source_paths: - doc/architecture/platform-foundation/ownership-maps/frontend-surface-ownership.md - packages/web/src/components - packages/web/src/hooks - packages/web/src/lib target_paths: - packages/web/src/platform - packages/web/src/products/gpuaas - packages/web/src/products/appplatform - packages/web/src/shared review_domains: - frontend - architecture risk_level: high migration_type: frontend-module-split depends_on: - FRONTEND-ARCHITECTURE-HARDENING acceptance_checks: - Module moves follow the frontend ownership map and preserve current route behavior. - Shared modules contain only generic UI, data, auth, telemetry, generated-client, and system primitives. - Platform modules do not absorb GPUaaS or App Platform product-specific behavior. - Representative frontend unit and route smoke tests pass after each move slice. - id: FRONTEND-BOUNDARY-GUARD-001 title: Add frontend ownership import guard in report-only mode kind: boundary-guard role: governance profile: platform-foundation parent_id: FRONTEND-ARCHITECTURE-HARDENING owning_domain: frontend owning_layer: guard checkin_mode: unattended checkin_trigger: report-only guard artifact exists and local checks pass source_paths: - doc/architecture/platform-foundation/ownership-maps/frontend-surface-ownership.md - packages/web/src - scripts/ci target_paths: - scripts/ci - doc/architecture/platform-foundation/Frontend_Architecture_Guard_Report_v1.md review_domains: - governance - frontend - architecture risk_level: medium migration_type: frontend-boundary-guard depends_on: - FRONTEND-MODULE-SPLIT-001 acceptance_checks: - Guard reports shared-to-platform/product imports, platform-to-product imports, and cross-product imports. - Guard starts report-only with allowed-debt entries for legacy imports. - Graduation criteria are documented before warning or blocking mode is enabled. - id: FRONTEND-WORKBENCH-GAPS-001 title: Close frontend workbench and page-contract migration gaps kind: frontend-contract role: frontend profile: platform-foundation parent_id: FRONTEND-ARCHITECTURE-HARDENING owning_domain: frontend owning_layer: frontend checkin_mode: needs-review checkin_trigger: page-level gap list is ready before broad workbench edits source_paths: - doc/product/V3_Workbench_Consistency_Plan_v2.md - doc/product/V3_Mock_To_Production_Data_Parity_v1.md - packages/web/app - packages/web/src target_paths: - packages/web/app - packages/web/src - doc/product review_domains: - frontend - product - architecture risk_level: medium migration_type: frontend-workbench-hardening depends_on: - FRONTEND-BOUNDARY-GUARD-001 acceptance_checks: - Workbench consistency gaps are converted into page-level tasks with owner, route, data dependency, and test coverage. - Frontend-only gaps are separated from backend read-model depth gaps. - Empty, loading, error, drawer, action, status, and evidence states are covered for representative surfaces. - id: PLATFORM-FACADE-CALLSITE-MIGRATION title: Migrate platform call sites to shared-service facades kind: epic role: orchestrator profile: platform-foundation parent_id: PLATFORM-FOUNDATION-OWNERSHIP owning_domain: platform-foundation owning_layer: backend checkin_mode: needs-review checkin_trigger: review inventory before creating missing facades or cutting over call sites source_paths: - doc/architecture/platform-foundation/Platform_Code_And_Deployment_Architecture_v1.md - packages/platform - packages/services - cmd/api - scripts/ci/platform_foundation_boundary_report.sh target_paths: - packages/platform - packages/products - cmd/api - scripts/ci review_domains: - architecture - backend - governance - security risk_level: high migration_type: platform-facade-callsite-migration depends_on: - PLATFORM-FOUNDATION-OWNERSHIP acceptance_checks: - Remaining direct cmd/api imports of legacy packages/services are inventoried and ranked by migration risk. - IAM, billing, payments, audit, notification, and policy facade gaps are tracked explicitly. - Call-site migration uses existing facade contracts first and creates new facades only where ownership is clear. - Boundary guard remains clean for new imports and allowed debt shrinks instead of growing. - id: PLATFORM-FACADE-INVENTORY-001 title: Inventory platform facade coverage and legacy call sites kind: architecture-map role: architecture profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: architecture checkin_mode: unattended checkin_trigger: inventory doc is complete and boundary report has no hard ownership violations source_paths: - packages/platform - packages/services - packages/products - cmd/api - scripts/ci/platform_foundation_boundary_report.sh target_paths: - doc/architecture/platform-foundation/Platform_Facade_Callsite_Migration_Map_v1.md review_domains: - architecture - backend - governance risk_level: medium migration_type: facade-inventory depends_on: - PLATFORM-FACADE-CALLSITE-MIGRATION acceptance_checks: - Inventory lists existing platform packages, missing platform packages, product facades, and direct legacy service imports. - Inventory separates contract-ready facades from packages that are only scaffolds or adapter shells. - Top call-site migration candidates are ordered by blast radius and expected test coverage. - id: PLATFORM-LOW-RISK-CALLSITE-CUTOVER-001 title: Cut remaining terminal and provisioning API wiring to product facades kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: routes checkin_mode: unattended checkin_trigger: targeted Go tests and boundary report pass source_paths: - doc/architecture/platform-foundation/Platform_Facade_Callsite_Migration_Map_v1.md - cmd/api/main.go - packages/products/gpuaas/provisioning - packages/products/gpuaas/terminal target_paths: - cmd/api/main.go - packages/products/gpuaas/provisioning - packages/products/gpuaas/terminal review_domains: - backend - architecture risk_level: medium migration_type: platform-callsite-cutover depends_on: - PLATFORM-FACADE-INVENTORY-001 acceptance_checks: - Production API wiring constructs terminal and provisioning services through product facade constructors. - Route behavior tests pass and boundary report does not add new high/critical findings. - id: PLATFORM-PAYMENTS-FACADE-001 title: Create platform payments facade contract kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: backend checkin_mode: unattended checkin_trigger: payments facade and cmd/api tests pass source_paths: - doc/architecture/platform-foundation/Platform_Facade_Callsite_Migration_Map_v1.md - packages/services/payments - cmd/api target_paths: - packages/platform/payments - cmd/api review_domains: - backend - security - architecture risk_level: high migration_type: platform-facade-creation depends_on: - PLATFORM-FACADE-INVENTORY-001 acceptance_checks: - Facade exposes payment session/provider contract without changing Stripe/mock behavior. - cmd/api imports platform payments facade instead of services/payments. - Adapter delegation tests cover disabled-provider and provider selection paths. - id: PLATFORM-BILLING-FACADE-001 title: Create platform billing facade contract kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: backend checkin_mode: unattended checkin_trigger: billing facade and cmd/api tests pass source_paths: - doc/architecture/platform-foundation/Platform_Facade_Callsite_Migration_Map_v1.md - packages/services/billing - cmd/api target_paths: - packages/platform/billing - cmd/api review_domains: - backend - architecture risk_level: high migration_type: platform-facade-creation depends_on: - PLATFORM-FACADE-INVENTORY-001 acceptance_checks: - Facade exposes billing-owned account, usage, ledger, invoice, budget, and rating contracts without changing legacy behavior. - cmd/api imports platform billing facade instead of services/billing. - Tests cover facade aliases and cmd/api billing route behavior. - id: PLATFORM-AUDIT-FACADE-SCOPE-001 title: Split audit facade scope from legacy admin service kind: architecture-map role: architecture profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: architecture checkin_mode: unattended checkin_trigger: audit scope map and first code task are ready for backend implementation source_paths: - doc/architecture/platform-foundation/Platform_Facade_Callsite_Migration_Map_v1.md - packages/services/admin - cmd/api/audit_presentation.go - cmd/api/routes_v3_readmodels.go - doc/architecture/db_schema_v1.sql target_paths: - doc/architecture/platform-foundation/Platform_Audit_Facade_Scope_v1.md - packages/platform/audit review_domains: - architecture - backend - security risk_level: high migration_type: platform-facade-scope depends_on: - PLATFORM-FACADE-INVENTORY-001 acceptance_checks: - Audit facade scope separates audit from access-credential and lifecycle admin concerns. - First code task for packages/platform/audit has owner, adapter source, tests, and removal condition. - id: PLATFORM-AUDIT-FACADE-001 title: Create platform audit facade contract and adapter kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: backend checkin_mode: unattended checkin_trigger: audit facade package tests and boundary report pass source_paths: - doc/architecture/platform-foundation/Platform_Audit_Facade_Scope_v1.md - cmd/api/routes.go - cmd/api/audit_presentation.go - doc/architecture/db_schema_v1.sql target_paths: - packages/platform/audit - cmd/api review_domains: - backend - architecture - security risk_level: high migration_type: platform-facade-creation depends_on: - PLATFORM-AUDIT-FACADE-SCOPE-001 acceptance_checks: - Facade exposes append, transaction-aware append, query/export, and presentation contracts over platform_audit_logs. - Adapter delegates to the current platform_audit_logs table without changing route response behavior. - Unit tests cover validation, unavailable behavior, presentation classification, and adapter query shape. - id: PLATFORM-POLICY-FACADE-001 title: Create platform policy facade contract kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: backend checkin_mode: unattended checkin_trigger: policy facade tests and boundary report pass source_paths: - doc/architecture/platform-foundation/Platform_Facade_Callsite_Migration_Map_v1.md - packages/shared/policy - scripts/seed.sql target_paths: - packages/platform/policy review_domains: - backend - architecture - governance risk_level: medium migration_type: platform-facade-creation depends_on: - PLATFORM-FACADE-INVENTORY-001 acceptance_checks: - Facade exposes platform-owned policy read contract while preserving shared PolicyClient compatibility. - Adapter delegates to packages/shared/policy without moving platform_policy_values table logic yet. - Unit tests cover delegation, unavailable behavior, and scope option compatibility. - id: PLATFORM-AUDIT-CALLSITE-CUTOVER-001 title: Cut API audit helper writes to platform audit facade kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: routes checkin_mode: unattended checkin_trigger: audit helper cutover tests and boundary report pass source_paths: - packages/platform/audit - cmd/api/routes.go - cmd/api/main.go target_paths: - cmd/api - packages/platform/audit review_domains: - backend - architecture - security risk_level: high migration_type: platform-callsite-cutover depends_on: - PLATFORM-AUDIT-FACADE-001 acceptance_checks: - API audit insert helpers delegate through packages/platform/audit while preserving transaction semantics. - Existing audit helper semantics are preserved for nil pool/tx, default success result, and validation errors. - Audit read/export routes and admin-service direct writes remain for later slices. - id: PLATFORM-AUDIT-SSHKEY-CUTOVER-001 title: Cut SSH-key transactional audit writes to platform audit facade kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: routes checkin_mode: unattended checkin_trigger: SSH-key audit helper coverage is verified source_paths: - packages/platform/audit - cmd/api/routes.go target_paths: - cmd/api/routes.go review_domains: - backend - security - architecture risk_level: medium migration_type: platform-callsite-cutover depends_on: - PLATFORM-AUDIT-CALLSITE-CUTOVER-001 acceptance_checks: - create/delete/default SSH-key audit writes use the platform audit facade inside the existing transaction. - Audit failure still returns 500 before commit and preserves existing response messages. - SSH-key route tests continue passing. - id: PLATFORM-NOTIFICATION-FACADE-001 title: Create platform notification facade contract kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: backend checkin_mode: unattended checkin_trigger: notification facade tests and boundary report pass source_paths: - doc/architecture/platform-foundation/Platform_Facade_Callsite_Migration_Map_v1.md - packages/services/notification - packages/shared/events target_paths: - packages/platform/notification review_domains: - backend - architecture risk_level: medium migration_type: platform-facade-creation depends_on: - PLATFORM-FACADE-INVENTORY-001 acceptance_checks: - Facade exposes platform-owned notification payload, delivery, channel, and event-envelope transform contracts. - Adapter delegates to packages/services/notification without changing notification payload behavior. - Unit tests cover channel helpers, delegation, unsupported events, and unavailable backend behavior. - id: PLATFORM-POLICY-CALLSITE-CUTOVER-001 title: Cut API policy call sites to platform policy facade kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: routes checkin_mode: unattended checkin_trigger: cmd/api and platform policy tests pass source_paths: - packages/platform/policy - cmd/api - packages/shared/policy target_paths: - cmd/api review_domains: - backend - architecture - governance risk_level: medium migration_type: platform-callsite-cutover depends_on: - PLATFORM-POLICY-FACADE-001 acceptance_checks: - cmd/api imports packages/platform/policy for API-local policy resolution and constants. - Existing middleware, terminal, and service dependencies keep receiving a compatible PolicyClient. - cmd/api and platform policy tests pass. - id: PLATFORM-NOTIFICATION-CALLSITE-CUTOVER-001 title: Cut notification relay to platform notification facade kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: worker checkin_mode: unattended checkin_trigger: notification-relay and platform notification tests pass source_paths: - packages/platform/notification - cmd/notification-relay target_paths: - cmd/notification-relay review_domains: - backend - ops - architecture risk_level: medium migration_type: platform-callsite-cutover depends_on: - PLATFORM-NOTIFICATION-FACADE-001 acceptance_checks: - notification-relay imports packages/platform/notification instead of packages/services/notification. - Relay behavior, channel names, and envelope transform outputs remain unchanged. - notification-relay and platform notification tests pass. - id: PLATFORM-NOTIFICATION-WS-CUTOVER-001 title: Cut API notification WebSocket wiring to platform notification facade kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: routes checkin_mode: unattended checkin_trigger: API notification WS tests and platform notification tests pass source_paths: - packages/platform/notification - cmd/api/main.go - cmd/api/routes_test.go target_paths: - packages/platform/notification - cmd/api review_domains: - backend - frontend - architecture risk_level: medium migration_type: platform-callsite-cutover depends_on: - PLATFORM-NOTIFICATION-FACADE-001 acceptance_checks: - cmd/api imports packages/platform/notification for notification WebSocket service wiring. - WS service constructor/stats/proxy behavior remain delegated to the existing implementation. - API notification WS tests and platform notification tests pass. - id: PLATFORM-AUDIT-QUERY-PARITY-001 title: Extend audit query/export facade to route parity kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: backend checkin_mode: unattended checkin_trigger: platform audit query parity tests and go test ./packages/platform/audit pass source_paths: - packages/platform/audit - cmd/api/routes.go - cmd/api/audit_presentation.go - cmd/api/routes_v3_readmodels.go - cmd/api/routes_v3_readmodels_domains.go target_paths: - packages/platform/audit review_domains: - backend - architecture - security risk_level: high migration_type: platform-facade-parity depends_on: - PLATFORM-AUDIT-CALLSITE-CUTOVER-001 acceptance_checks: - Audit query facade supports current admin/user/org/project/v3 filters, prefix action filters, scope joins, sorts, and cursor semantics. - Presentation output and export shaping remain route-equivalent before route read/export cutover. - Platform audit facade tests pass without changing cmd/api response handlers. - id: PLATFORM-AUDIT-READ-ROUTE-CUTOVER-001 title: Cut generic audit list/export routes to platform audit facade kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: routes checkin_mode: unattended checkin_trigger: cmd/api and platform audit tests pass source_paths: - cmd/api/routes.go - packages/platform/audit target_paths: - cmd/api/routes.go - packages/platform/audit review_domains: - backend - architecture - security risk_level: high migration_type: platform-callsite-cutover depends_on: - PLATFORM-AUDIT-QUERY-PARITY-001 acceptance_checks: - Generic audit list routes delegate query execution and pagination to packages/platform/audit. - Admin audit export delegates query execution to packages/platform/audit while preserving CSV and JSON response shapes. - V3 access audit read model remains unchanged until its presentation-specific cutover has separate parity tests. - id: PLATFORM-RELEASES-FACADE-CUTOVER-001 title: Create platform releases facade and cut API release imports kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: backend checkin_mode: unattended checkin_trigger: platform releases and cmd/api tests pass source_paths: - packages/services/releases - cmd/api target_paths: - packages/platform/releases - cmd/api review_domains: - backend - architecture - ops risk_level: medium migration_type: platform-facade-creation depends_on: - PLATFORM-FACADE-INVENTORY-001 acceptance_checks: - packages/platform/releases exposes the platform-owned release artifact contract over the existing legacy service. - cmd/api imports packages/platform/releases for release types, errors, service construction, and tests. - Release facade and cmd/api tests pass. - id: PLATFORM-MAAS-FACADE-CUTOVER-001 title: Create platform MAAS lifecycle facade and cut API imports kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: backend checkin_mode: unattended checkin_trigger: platform maas and cmd/api tests pass source_paths: - packages/services/maas - cmd/api target_paths: - packages/platform/maas - cmd/api review_domains: - backend - architecture - ops risk_level: medium migration_type: platform-facade-creation depends_on: - PLATFORM-FACADE-INVENTORY-001 acceptance_checks: - packages/platform/maas exposes the platform-owned MAAS lifecycle contract over the existing legacy service. - cmd/api imports packages/platform/maas for MAAS lifecycle types, errors, workflow constants, service construction, and tests. - MAAS facade and cmd/api tests pass. - id: PLATFORM-STORAGE-FACADE-CUTOVER-001 title: Create platform storage facade and cut API imports kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: backend checkin_mode: unattended checkin_trigger: platform storage and cmd/api tests pass source_paths: - packages/services/storage - cmd/api target_paths: - packages/platform/storage - cmd/api review_domains: - backend - architecture - security risk_level: medium migration_type: platform-facade-creation depends_on: - PLATFORM-FACADE-INVENTORY-001 acceptance_checks: - packages/platform/storage exposes the platform-owned storage object/grant/provider capability contract over the existing legacy service. - cmd/api imports packages/platform/storage for storage types, validation helpers, errors, service construction, and tests. - Storage facade and cmd/api tests pass. - id: PLATFORM-ADMINOPS-FACADE-CUTOVER-001 title: Create platform adminops facade and cut operational admin imports kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: backend checkin_mode: unattended checkin_trigger: platform adminops and cmd/api tests pass source_paths: - packages/services/admin - cmd/api target_paths: - packages/platform/adminops - cmd/api review_domains: - backend - architecture - security risk_level: medium migration_type: platform-facade-creation depends_on: - PLATFORM-AUDIT-FACADE-SCOPE-001 acceptance_checks: - packages/platform/adminops exposes access credential, node-agent lifecycle, and probe-backoff operational contracts over the existing admin service. - cmd/api imports packages/platform/adminops for operational admin types, errors, constructors, and tests. - Adminops facade and cmd/api tests pass. - id: PLATFORM-INVENTORY-FACADE-CUTOVER-001 title: Cut API inventory imports to GPUaaS product inventory facade kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: gpuaas owning_layer: backend checkin_mode: unattended checkin_trigger: product inventory and cmd/api tests pass source_paths: - packages/services/inventory - packages/products/gpuaas/inventory - cmd/api target_paths: - packages/products/gpuaas/inventory - cmd/api review_domains: - backend - architecture - product risk_level: high migration_type: product-facade-callsite-cutover depends_on: - PLATFORM-FACADE-INVENTORY-001 acceptance_checks: - packages/products/gpuaas/inventory exposes the currently required API inventory type/error/constructor compatibility surface. - cmd/api imports packages/products/gpuaas/inventory instead of packages/services/inventory for inventory route, read-model, and test wiring. - Product inventory facade and cmd/api tests pass. - id: PLATFORM-AUTH-FACADE-CUTOVER-001 title: Create platform auth compatibility facade and cut API auth imports kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: platform-foundation owning_layer: backend checkin_mode: unattended checkin_trigger: platform auth and cmd/api tests pass source_paths: - packages/services/auth - packages/platform/iam - cmd/api target_paths: - packages/platform/auth - cmd/api review_domains: - backend - architecture - security risk_level: high migration_type: platform-facade-creation depends_on: - PLATFORM-FACADE-CALLSITE-MIGRATION acceptance_checks: - packages/platform/auth exposes the current auth runtime/session/project-scope compatibility contract over the existing auth service. - cmd/api imports packages/platform/auth instead of packages/services/auth for auth runtime types, errors, constructors, and tests. - Platform auth facade and cmd/api tests pass. - id: PLATFORM-PROVISIONING-TEST-CUTOVER-001 title: Cut remaining API provisioning test helper to GPUaaS provisioning facade kind: facade role: backend profile: platform-foundation parent_id: PLATFORM-FACADE-CALLSITE-MIGRATION owning_domain: gpuaas owning_layer: tests checkin_mode: unattended checkin_trigger: cmd/api tests pass and no cmd/api packages/services imports remain source_paths: - cmd/api/routes_integration_test.go - packages/products/gpuaas/provisioning target_paths: - cmd/api/routes_integration_test.go review_domains: - backend - architecture - governance risk_level: low migration_type: product-facade-test-cutover depends_on: - PLATFORM-LOW-RISK-CALLSITE-CUTOVER-001 acceptance_checks: - API integration-test helper imports packages/products/gpuaas/provisioning instead of packages/services/provisioning/orchestrator. - cmd/api and notification relay have no remaining direct packages/services imports. - cmd/api tests pass. - id: PSSM-R6-FUTURE-PRODUCT-READINESS title: Future product readiness after PSSM completion kind: epic role: orchestrator profile: platform-foundation owning_domain: platform-foundation owning_layer: readiness source_paths: - doc/architecture/platform-foundation/Platform_Architecture_Gap_Register_v1.md - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md - doc/architecture/Token_Factory_Gateway_Product_Model_v1.md - doc/governance/Agent_Work_Queue.yaml target_paths: - doc/architecture/token-factory/Token_Factory_Readiness_Backlog_v1.md - doc/architecture/token-factory/Token_Factory_Readiness_Decision_Packet_v1.md - doc/architecture/token-factory/IAM_Department_Layer_Readiness_v1.md review_domains: - architecture - governance - security risk_level: medium migration_type: readiness-epic acceptance_checks: - Future-product readiness tasks are source-backed, Fairway-visible, and do not start Token Factory implementation. - id: PSSM-R6-SOURCE-DOC-RECONCILIATION-001 title: Reconcile future-product readiness tasks to existing source docs kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-R6-FUTURE-PRODUCT-READINESS owning_domain: platform-foundation owning_layer: architecture source_paths: - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md - doc/architecture/API_Gateway_Evaluation_v1.md - doc/architecture/Token_Factory_Gateway_Product_Model_v1.md - doc/governance/Agent_Work_Queue.yaml target_paths: - doc/architecture/token-factory/Token_Factory_Readiness_Backlog_v1.md review_domains: - architecture - governance risk_level: low migration_type: source-reconciliation depends_on: - PSSM-R6-FUTURE-PRODUCT-READINESS acceptance_checks: - Readiness backlog includes a source-doc map and avoids duplicating existing canonical docs or Agent_Work_Queue tasks. - id: PSSM-R6-DEPARTMENT-LAYER-READINESS-001 title: Prepare department-layer readiness contract kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-R6-FUTURE-PRODUCT-READINESS owning_domain: iam owning_layer: platform-iam source_paths: - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md - doc/architecture/token-factory/IAM_Department_Layer_Readiness_v1.md - doc/governance/Agent_Work_Queue.yaml target_paths: - doc/api - doc/architecture/db_schema_v1.sql - doc/architecture/ERD.md - packages/platform/iam review_domains: - architecture - backend - security risk_level: medium migration_type: readiness-contract depends_on: - PSSM-R6-SOURCE-DOC-RECONCILIATION-001 acceptance_checks: - Department readiness follows fixed organization -> department -> project model and maps to existing A-IAM-DEPARTMENTS-SCHEMA-001 scope. - id: IAM-DEPARTMENT-HIERARCHY-EPIC title: Implement mandatory department hierarchy with gated capabilities kind: epic role: orchestrator profile: platform-foundation parent_id: PSSM-R6-FUTURE-PRODUCT-READINESS owning_domain: iam owning_layer: platform-iam source_paths: - doc/architecture/IAM_Department_Hierarchy_Implementation_Plan_v1.md - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md - doc/architecture/Tenant_Project_Ownership_Baseline.md - doc/architecture/token-factory/IAM_Department_Layer_Readiness_v1.md target_paths: - doc/api - doc/architecture/db_schema_v1.sql - doc/architecture/ERD.md - scripts/seed.sql - packages/platform/iam - packages/platform/auth - packages/platform/policy - packages/platform/billing - packages/platform/audit - packages/web review_domains: - architecture - backend - frontend - security - governance risk_level: high migration_type: iam-hierarchy-epic depends_on: - PSSM-R6-DEPARTMENT-LAYER-READINESS-001 acceptance_checks: - Every organization has a default department and every project has non-null department attribution. - Department is mandatory in the data/model boundary but department admins, budgets, inheritance, approval flows, and always-visible context pickers remain capability-gated. - IAM, billing, audit, policy, usage, and reporting share the same organization -> department -> project shape. - id: IAM-DEPARTMENT-CONTRACT-001 title: Define department contract and migration boundary kind: architecture-map role: architecture profile: platform-foundation parent_id: IAM-DEPARTMENT-HIERARCHY-EPIC owning_domain: iam owning_layer: platform-iam source_paths: - doc/architecture/IAM_Department_Hierarchy_Implementation_Plan_v1.md - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md - doc/architecture/Tenant_Project_Ownership_Baseline.md target_paths: - doc/api/openapi.draft.yaml - doc/api/openapi - doc/architecture/db_schema_v1.sql - doc/architecture/ERD.md - doc/architecture/IAM_Department_Hierarchy_Implementation_Plan_v1.md review_domains: - architecture - backend - security - governance risk_level: high migration_type: contract-first depends_on: - IAM-DEPARTMENT-HIERARCHY-EPIC acceptance_checks: - Department object shape, default department semantics, lifecycle, and non-null project attribution are contractually defined before code changes. - Contract states that department capabilities are optional and gated even though department attribution is mandatory. - Migration plan is additive-first and avoids a nullable department steady state. - id: IAM-DEPARTMENT-SCHEMA-BOOTSTRAP-001 title: Add department schema, backfill, and bootstrap paths kind: facade role: backend profile: platform-foundation parent_id: IAM-DEPARTMENT-HIERARCHY-EPIC owning_domain: iam owning_layer: platform-iam source_paths: - doc/architecture/IAM_Department_Hierarchy_Implementation_Plan_v1.md - doc/architecture/db_schema_v1.sql - scripts/seed.sql - packages/platform/auth target_paths: - doc/architecture/db_schema_v1.sql - doc/architecture/ERD.md - scripts/seed.sql - packages/platform/auth - cmd/api review_domains: - backend - architecture - security risk_level: high migration_type: schema-bootstrap depends_on: - IAM-DEPARTMENT-CONTRACT-001 acceptance_checks: - "`platform_iam_departments` exists with organization, slug, display name, default marker, lifecycle, and timestamps." - Existing organizations and projects are backfilled to one default department per organization before enforcing non-null project department attribution. - Signup and project-creation paths assign the organization default department without adding department onboarding friction. - id: IAM-DEPARTMENT-RESOLUTION-001 title: Extend IAM scope resolution with department context kind: facade role: backend profile: platform-foundation parent_id: IAM-DEPARTMENT-HIERARCHY-EPIC owning_domain: iam owning_layer: platform-iam source_paths: - packages/platform/iam - packages/platform/auth - doc/architecture/IAM_Department_Hierarchy_Implementation_Plan_v1.md target_paths: - packages/platform/iam - packages/platform/auth - cmd/api review_domains: - backend - architecture - security risk_level: high migration_type: iam-resolver depends_on: - IAM-DEPARTMENT-SCHEMA-BOOTSTRAP-001 acceptance_checks: - Project-scope resolution returns organization, department, project, actor, and effective membership context. - Existing tenant/project memberships remain valid and department delegation is not introduced in this slice. - Products consume platform IAM/auth facades rather than reading department tables directly. - id: IAM-DEPARTMENT-POLICY-QUOTA-001 title: Add department scope to policy and quota evaluation shape kind: facade role: backend profile: platform-foundation parent_id: IAM-DEPARTMENT-HIERARCHY-EPIC owning_domain: policy-entitlements owning_layer: platform-policy source_paths: - doc/architecture/IAM_Department_Hierarchy_Implementation_Plan_v1.md - doc/architecture/Tenant_Admin_Quota_Delegation_v1.md - packages/platform/policy - scripts/seed.sql target_paths: - doc/architecture/db_schema_v1.sql - scripts/seed.sql - packages/platform/policy - packages/platform/iam review_domains: - backend - architecture - security risk_level: high migration_type: policy-scope depends_on: - IAM-DEPARTMENT-RESOLUTION-001 acceptance_checks: - Department is a recognized policy/quota scope in storage and lookup contracts. - Effective policy evaluation can use global -> plan -> organization -> department -> project ordering. - Department hard budgets and admin delegation remain disabled unless separate capability tasks enable them. - id: IAM-DEPARTMENT-USAGE-AUDIT-ATTRIBUTION-001 title: Define platform billing attribution contract across products kind: facade role: backend profile: platform-foundation parent_id: IAM-DEPARTMENT-HIERARCHY-EPIC owning_domain: billing-audit owning_layer: platform-shared-services source_paths: - doc/architecture/IAM_Department_Hierarchy_Implementation_Plan_v1.md - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md - packages/platform/billing - packages/platform/audit - packages/platform/evidence target_paths: - doc/api/asyncapi.draft.yaml - doc/api/openapi.draft.yaml - packages/platform/billing - packages/platform/audit - packages/platform/evidence - cmd/billing-worker review_domains: - backend - architecture - governance risk_level: high migration_type: attribution-contract depends_on: - IAM-DEPARTMENT-RESOLUTION-001 acceptance_checks: - Usage, billing, audit, and evidence contracts separate billing owner, metering principal, product resource, usage measurement, rating context, and governance/traceability dimensions. - Accepted usage always carries or resolves organization, department, and project attribution from IAM/project context. - Product onboarding requires product ID, usage units, resource types, pricing/rating rules, optional quota dimensions, and shared usage emission before billing integration. - Ledger immutability is preserved; historical ledger rows are not updated in place. - Token Factory/future-product accepted usage can meter by API key, credential, model, endpoint, SKU, app, or storage resource without product-specific department fields or direct ledger writes. - id: IAM-DEPARTMENT-SERVICE-ACCOUNT-SNAPSHOT-001 title: Snapshot department context on service accounts and API keys kind: facade role: backend profile: platform-foundation parent_id: IAM-DEPARTMENT-HIERARCHY-EPIC owning_domain: iam owning_layer: platform-iam source_paths: - doc/architecture/IAM_Department_Hierarchy_Implementation_Plan_v1.md - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md - packages/platform/auth - packages/platform/iam - packages/platform/registry - packages/platform/secrets target_paths: - doc/api/openapi.draft.yaml - packages/platform/auth - packages/platform/iam - packages/platform/registry - packages/platform/secrets review_domains: - backend - architecture - security risk_level: high migration_type: credential-snapshot depends_on: - IAM-DEPARTMENT-RESOLUTION-001 - PSSM-R6-SCOPE-KEY-READMODEL-READINESS-001 acceptance_checks: - Service-account/API-key records can expose or snapshot project, department, scope registry version, expiry policy, actor, and correlation evidence. - API keys remain platform IAM credentials and are not forked per product. - Secret custody and one-time reveal rules are preserved. - id: IAM-DEPARTMENT-PORTAL-GATE-001 title: Gate department UX behind enterprise capabilities kind: frontend-contract role: frontend profile: platform-foundation parent_id: IAM-DEPARTMENT-HIERARCHY-EPIC owning_domain: access-ux owning_layer: frontend source_paths: - doc/architecture/IAM_Department_Hierarchy_Implementation_Plan_v1.md - doc/product/UX_Implementation_Spec.md - doc/product/UX_Journeys.md - packages/web target_paths: - packages/web - doc/product/UX_Implementation_Spec.md - doc/product/UX_Journeys.md review_domains: - frontend - architecture - security risk_level: medium migration_type: frontend-contract depends_on: - IAM-DEPARTMENT-CONTRACT-001 - IAM-DEPARTMENT-RESOLUTION-001 acceptance_checks: - Small tenants can onboard and create projects without choosing a department. - Department selector/filtering appears only when multiple departments or department capabilities are enabled. - Visible UX does not imply department admins, budgets, or approval workflows before those capabilities ship. - id: IAM-MFA-EPIC title: Add MFA policy, posture, and Keycloak enforcement for human users kind: epic role: orchestrator profile: platform-foundation parent_id: PSSM-R6-FUTURE-PRODUCT-READINESS owning_domain: iam owning_layer: human-authentication source_paths: - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - doc/architecture/Platform_IAM_Model_v1.md - doc/architecture/Tenant_Federation_SSO_Model.md - doc/product/V3_Workbench_Consistency_Plan_v2.md - doc/architecture/platform-foundation/Frontend_Workbench_Page_Gap_Backlog_v1.md - doc/api/openapi.draft.yaml - doc/api/openapi/domains/v3-read-models.yaml - doc/operations/local-dev/keycloak/realm-export.json target_paths: - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - doc/api - cmd/api - packages/platform/iam - packages/platform/auth - packages/web - scripts/ops - doc/operations/runbooks - .fairway/artifacts review_domains: - architecture - security - backend - frontend - ops - governance tags: - program:mfa - program:security-review - surface:iam - surface:keycloak - gate:security-review - work-type:planning risk_level: high migration_type: iam-mfa-epic acceptance_checks: - MFA enforcement authority is Keycloak for human login; GPUaaS consumes tokens, posture, policy, and audit state. - Platform admin and ops MFA is required before production admin/ops access; normal users remain optional in the first slice unless organization policy requires MFA. - Service accounts and API keys are explicitly excluded from human MFA and continue to rely on scoped credentials, rotation, rate limits, and audit. - id: IAM-MFA-ARCHITECTURE-001 title: Define MFA policy, posture, and enforcement architecture kind: architecture-map role: architecture profile: platform-foundation parent_id: IAM-MFA-EPIC owning_domain: iam owning_layer: human-authentication source_paths: - doc/architecture/Platform_IAM_Model_v1.md - doc/architecture/Tenant_Federation_SSO_Model.md - doc/product/V3_Workbench_Consistency_Plan_v2.md - doc/architecture/platform-foundation/Frontend_Workbench_Page_Gap_Backlog_v1.md - doc/api/openapi/domains/v3-read-models.yaml - cmd/api/routes_v3_readmodels.go - packages/web/src/components/v3/v3-account-subpages.tsx - doc/operations/local-dev/keycloak/realm-export.json - scripts/ops/configure_kind_public_auth_urls.sh - scripts/ops/configure_platform_control_dev_auth_urls.sh target_paths: - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - .fairway/platform-foundation-implementation-track.yaml review_domains: - architecture - security - backend - frontend - ops risk_level: high migration_type: iam-mfa-architecture depends_on: - IAM-MFA-EPIC acceptance_checks: - Decision doc states Keycloak owns human MFA enforcement and GPUaaS owns IAM policy, posture read models, audit, UX state, and sensitive-operation gates. - Rollout policy defines required MFA for platform_superadmin, platform_admin, and platform_ops, with tenant/org admin enforcement deferred or capability-gated. - Implementation tasks are created for Keycloak flow config, existing V3 account/security posture read model extension, existing account security UX extension, ops runbooks, and optional sensitive-operation claim gates. - id: IAM-MFA-KEYCLOAK-FLOW-001 title: Configure Keycloak MFA enforcement for platform admin and ops roles kind: release-evidence role: ops profile: platform-foundation parent_id: IAM-MFA-EPIC owning_domain: iam owning_layer: identity-provider source_paths: - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - doc/operations/local-dev/keycloak/realm-export.json - scripts/ops/configure_kind_public_auth_urls.sh - scripts/ops/configure_platform_control_dev_auth_urls.sh - scripts/ci/platform_control_reconcile_keycloak_client.sh target_paths: - doc/operations/local-dev/keycloak/realm-export.json - scripts/ops - scripts/ci - .fairway/artifacts review_domains: - ops - security - backend tags: - program:mfa - program:security-review - environment:keycloak - surface:iam - surface:keycloak - gate:mfa-provider-posture - work-type:ops-readiness risk_level: high migration_type: keycloak-mfa-flow depends_on: - IAM-MFA-ARCHITECTURE-001 acceptance_checks: - Keycloak realm/client configuration supports TOTP enrollment and role-appropriate MFA enforcement for platform admin/ops users without breaking dev bootstrap. - Smoke evidence proves platform admin/ops users are prompted for MFA while service-account/API-key and non-human flows are unaffected. - Rollback and break-glass behavior is documented and does not require disabling all authentication. - id: IAM-MFA-POSTURE-READMODEL-001 title: Extend existing V3 account security read model with provider-aware MFA posture kind: facade role: backend profile: platform-foundation parent_id: IAM-MFA-EPIC owning_domain: iam owning_layer: account-security source_paths: - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - doc/api/openapi.draft.yaml - doc/api/openapi/domains/v3-read-models.yaml - cmd/api/routes_v3_readmodels.go - cmd/api/routes_v3_readmodels_test.go - cmd/api/routes_v3_readmodels_domains.go - packages/platform/iam - packages/platform/auth target_paths: - doc/api/openapi.draft.yaml - doc/api/openapi/domains/v3-read-models.yaml - cmd/api - packages/platform/iam - packages/platform/auth - packages/web/src/lib/gen/openapi.types.ts review_domains: - backend - security - frontend - architecture tags: - program:mfa - program:security-review - surface:api - surface:iam - gate:contract-codegen - gate:mfa-provider-posture - work-type:readmodel risk_level: high migration_type: mfa-posture-readmodel depends_on: - IAM-MFA-ARCHITECTURE-001 - IAM-MFA-KEYCLOAK-FLOW-001 acceptance_checks: - Existing GET /api/v1/v3/account/security contract exposes MFA posture source, effective requirement, enrollment/manage action state, and unavailable state in addition to factor booleans. - Backend no longer hardcodes MFA posture as false; provider posture or explicit unavailable state is returned with tests. - No new account security route or parallel MFA-specific read model is created. - No per-request Keycloak call is introduced into normal API authorization paths. - id: IAM-MFA-ACCOUNT-UX-001 title: Extend existing account security page with MFA posture and enrollment UX kind: frontend-contract role: frontend profile: platform-foundation parent_id: IAM-MFA-EPIC owning_domain: iam owning_layer: account-security-ux source_paths: - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - doc/product/V3_Workbench_Consistency_Plan_v2.md - doc/architecture/platform-foundation/Frontend_Workbench_Page_Gap_Backlog_v1.md - packages/web/src/components/v3/v3-account-subpages.tsx - packages/web/src/components/v3/v3-account-security-sessions.test.tsx - packages/web/src/lib/v3/api.ts target_paths: - packages/web - doc/product review_domains: - frontend - security - backend tags: - program:mfa - program:security-review - surface:web - surface:iam - gate:frontend-e2e - gate:mfa-provider-posture - work-type:ux risk_level: medium migration_type: mfa-account-ux depends_on: - IAM-MFA-POSTURE-READMODEL-001 acceptance_checks: - Existing /account/security page shows MFA required, optional, grace, exempt, enabled, disabled, or unavailable states without implying GPUaaS verifies factors directly. - Enrollment/manage actions route to the approved Keycloak/provider flow and never collect TOTP or WebAuthn secrets in GPUaaS frontend code. - No new MFA page or duplicate account security navigation surface is created. - Frontend tests cover required MFA, optional MFA, unavailable provider posture, and missing permission/session cases. - id: IAM-MFA-OPS-RUNBOOK-001 title: Add MFA enrollment, reset, break-glass, and rollback runbooks kind: release-evidence role: ops profile: platform-foundation parent_id: IAM-MFA-EPIC owning_domain: iam owning_layer: security-operations source_paths: - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - doc/operations/runbooks - doc/operations/SRE_Runbook_Index.md - scripts/ops target_paths: - doc/operations/runbooks/IAM_MFA_Enrollment_Reset_and_Breakglass_Runbook.md - doc/operations/SRE_Runbook_Index.md - .fairway/artifacts review_domains: - ops - security - governance risk_level: high migration_type: mfa-ops-runbook depends_on: - IAM-MFA-ARCHITECTURE-001 acceptance_checks: - Runbook covers enrollment, lost factor reset, break-glass access, rollback, audit evidence, and post-incident review expectations. - Break-glass access is time-bounded, reasoned, actor-attributed, and audit logged. - SRE runbook index links the MFA runbook. - id: IAM-MFA-SENSITIVE-OPS-GATE-001 title: Gate sensitive operations on MFA-authenticated sessions when claims are reliable kind: boundary-guard role: backend profile: platform-foundation parent_id: IAM-MFA-EPIC owning_domain: iam owning_layer: sensitive-operation-auth source_paths: - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - packages/shared/middleware/auth.go - cmd/api - packages/platform/iam - packages/platform/auth - doc/architecture/Error_Code_Catalog.md target_paths: - packages/shared/middleware - cmd/api - packages/platform/iam - doc/api - doc/architecture/Error_Code_Catalog.md review_domains: - backend - security - architecture - governance tags: - program:mfa - program:security-review - surface:api - surface:iam - gate:mfa-provider-posture - gate:security-review - work-type:authz-gate risk_level: high migration_type: mfa-sensitive-operation-gate depends_on: - IAM-MFA-KEYCLOAK-FLOW-001 - IAM-MFA-POSTURE-READMODEL-001 acceptance_checks: - Decision evidence proves whether Keycloak emits reliable amr/acr MFA claims for browser/API sessions before any operation gate is enabled. - Sensitive-operation MFA gates are added only for approved operations and return canonical ErrorResponse envelopes with correlation_id. - If reliable MFA claims are unavailable, task records deferral evidence instead of adding brittle or provider-calling gates. - id: IAM-MFA-PRODUCT-COMPLETE-READINESS-001 title: Drive MFA from drill-complete to product-complete readiness kind: boundary-guard role: orchestrator profile: platform-foundation parent_id: IAM-MFA-EPIC owning_domain: iam owning_layer: product-readiness source_paths: - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - doc/operations/runbooks/IAM_MFA_Enrollment_Reset_and_Breakglass_Runbook.md - doc/operations/Product_Quality_Flow_Coverage_Matrix_v1.md - packages/web/src/components/v3/v3-account-subpages.tsx - packages/web/e2e - .fairway/artifacts/iam-mfa-closeout-20260614/rollup.md target_paths: - doc/product - doc/operations - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - packages/web - scripts/ops - scripts/ci - .fairway/artifacts review_domains: - architecture - product-quality - security - ops tags: - program:mfa - program:production-readiness - surface:iam - surface:web - surface:keycloak - work-type:readiness - gate:critical-flow risk_level: high migration_type: mfa-product-complete-readiness depends_on: - IAM-MFA-KEYCLOAK-FLOW-001 - IAM-MFA-POSTURE-READMODEL-001 - IAM-MFA-ACCOUNT-UX-001 acceptance_checks: - Product-complete definition separates drill completion from real user/admin/operator functionality and lists every remaining blocker. - Account UX, admin/ops configuration, reset/break-glass operations, claim proof, sensitive-operation policy, and UAT coverage are either implemented with evidence or explicitly deferred with owner, reason, and expiry. - No page claims MFA is fully enforced unless provider/session/token evidence proves that posture for the current environment. - Orchestrator uses grouped evidence and risk-scaled review; child tasks do not require ceremonial full-matrix review unless they cross a live/source/prod/credential/public/sensitive-operation boundary. - id: IAM-MFA-PRODUCT-FLOW-GAP-AUDIT-001 title: Audit MFA user, admin, and ops flows for product-complete coverage kind: task role: governance profile: platform-foundation parent_id: IAM-MFA-PRODUCT-COMPLETE-READINESS-001 owning_domain: product-quality owning_layer: flow-coverage source_paths: - doc/operations/Product_Quality_Flow_Coverage_Matrix_v1.md - doc/operations/MFA_Flow_Contract_Product_Quality_Review_Model_v1.md - doc/operations/MFA_User_Factor_Setup_Manage_Flow_Coverage_v1.md - doc/operations/MFA_Factor_Lifecycle_UAT_Coverage_v1.md - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - packages/web/src/components/v3/v3-account-subpages.tsx - packages/web/e2e target_paths: - doc/operations/Product_Quality_Flow_Coverage_Matrix_v1.md - doc/operations/MFA_Flow_Contract_Product_Quality_Review_Model_v1.md - doc/operations/MFA_User_Factor_Setup_Manage_Flow_Coverage_v1.md - doc/operations/MFA_Factor_Lifecycle_UAT_Coverage_v1.md - .fairway/artifacts review_domains: - product-quality - architecture - security tags: - program:mfa - program:uat-hardening - work-type:flow-coverage - surface:iam risk_level: medium migration_type: mfa-product-flow-gap-audit acceptance_checks: - Flow audit covers normal user setup, existing-factor manage/remove, lost-phone/app-upgrade recovery, provider return states, admin/ops required MFA, break-glass, rollback, provider unavailable, expired/weak session, non-human/API-key exclusion, and sensitive-operation step-up. - Audit maps each flow to existing UX/API/CLI/admin/ops surface and UAT/e2e evidence or creates a scoped follow-up. - Audit identifies whether a dedicated admin/config/ops page is needed or whether existing Account, Access, Platform, and runbook surfaces are sufficient. - Accepted gaps have task IDs, owners, proof commands, and stop conditions before implementation starts. - id: PRODUCT-GAP-IAM-MFA-PROVIDER-FACTOR-READBACK-001 title: Add provider factor readback state for Account Security MFA kind: task role: backend profile: platform-foundation parent_id: IAM-MFA-PRODUCT-FLOW-GAP-AUDIT-001 owning_domain: identity owning_layer: read-model source_paths: - doc/operations/MFA_User_Factor_Setup_Manage_Flow_Coverage_v1.md - cmd/api/routes_v3_readmodels.go - doc/api/openapi.draft.yaml target_paths: - cmd/api/routes_v3_readmodels.go - cmd/api/routes_v3_readmodels_test.go - doc/api/openapi.draft.yaml - packages/web/src/lib/gen/openapi.types.ts - packages/shared/gen/openapi_types.gen.go review_domains: - backend - security tags: - program:mfa - work-type:product-gap - surface:account-security risk_level: medium migration_type: mfa-provider-factor-readback acceptance_checks: - Account Security can distinguish enrolled, unenrolled, unknown, unavailable, and unqueried provider factor states without exposing factor secrets. - Readback evidence is sanitized and does not store OTP secrets, QR payloads, recovery codes, bearer tokens, cookies, or raw provider bodies. - UI no longer relies on provider_unqueried as the only state after a user completes setup. - id: PRODUCT-GAP-IAM-MFA-FACTOR-MANAGE-FLOW-001 title: Define and implement existing-factor MFA manage flow kind: task role: frontend profile: platform-foundation parent_id: IAM-MFA-PRODUCT-FLOW-GAP-AUDIT-001 owning_domain: product-quality owning_layer: ux-flow source_paths: - doc/operations/MFA_User_Factor_Setup_Manage_Flow_Coverage_v1.md - packages/web/src/components/v3/v3-account-subpages.tsx - packages/web/app/auth/mfa/setup/page.tsx target_paths: - packages/web/src/components/v3/v3-account-subpages.tsx - packages/web/app/auth/mfa - packages/web/e2e review_domains: - product-quality - frontend tags: - program:mfa - work-type:product-gap - surface:account-security risk_level: medium migration_type: mfa-existing-factor-manage-flow acceptance_checks: - Product decision states whether manage routes to a provider account surface, an AI Cloud wrapper, or explicit no-manage support guidance. - UI does not use manage wording unless the action can manage an existing factor. - User flow covers no-factor, existing-factor, unavailable, cancel, success, and provider-error states. - id: UAT-BUG-IAM-MFA-PROVIDER-RETURN-FLOW-001 title: Cover MFA provider setup and manage return states kind: task role: product-quality profile: platform-foundation parent_id: IAM-MFA-PRODUCT-FLOW-GAP-AUDIT-001 owning_domain: product-quality owning_layer: uat source_paths: - doc/operations/MFA_User_Factor_Setup_Manage_Flow_Coverage_v1.md - packages/web/e2e target_paths: - packages/web/e2e - doc/operations/Product_Quality_Flow_Coverage_Matrix_v1.md review_domains: - product-quality tags: - program:mfa - work-type:uat-gap - surface:account-security risk_level: low migration_type: mfa-provider-return-flow-uat acceptance_checks: - UAT/e2e evidence covers setup success, setup cancel, provider error, already-enrolled, and return-to-account-security states. - Failures show AI Cloud-owned copy and do not expose raw Keycloak diagnostics as the primary user experience. - id: PRODUCT-GAP-IAM-MFA-FACTOR-REMOVE-DISABLE-FLOW-001 title: Define and implement MFA factor remove and disable flow kind: task role: frontend profile: platform-foundation parent_id: IAM-MFA-PRODUCT-FLOW-GAP-AUDIT-001 owning_domain: product-quality owning_layer: ux-flow source_paths: - doc/operations/MFA_User_Factor_Setup_Manage_Flow_Coverage_v1.md - packages/web/src/components/v3/v3-account-subpages.tsx - doc/operations/runbooks/IAM_MFA_Enrollment_Reset_and_Breakglass_Runbook.md target_paths: - packages/web/src/components/v3/v3-account-subpages.tsx - packages/web/e2e - doc/operations/runbooks/IAM_MFA_Enrollment_Reset_and_Breakglass_Runbook.md review_domains: - product-quality - security tags: - program:mfa - work-type:product-gap - surface:account-security risk_level: medium migration_type: mfa-factor-remove-disable-flow acceptance_checks: - Product decision states whether users can remove/disable factors through AI Cloud, a provider manage surface, or support-assisted recovery only. - Flow blocks or warns on removing the last usable factor, with stricter controls for platform_admin, platform_ops, and platform_superadmin. - Factor remove/disable writes audit/notification evidence and stores no factor secrets, OTP seeds, QR payloads, recovery codes, tokens, cookies, or raw provider bodies. - id: PRODUCT-GAP-IAM-MFA-FACTOR-RECOVERY-FLOW-001 title: Define lost-phone and app-upgrade MFA recovery flow kind: task role: product-quality profile: platform-foundation parent_id: IAM-MFA-PRODUCT-FLOW-GAP-AUDIT-001 owning_domain: identity owning_layer: recovery-flow source_paths: - doc/operations/MFA_User_Factor_Setup_Manage_Flow_Coverage_v1.md - doc/operations/runbooks/IAM_MFA_Enrollment_Reset_and_Breakglass_Runbook.md target_paths: - doc/operations/runbooks/IAM_MFA_Enrollment_Reset_and_Breakglass_Runbook.md - packages/web/src/components/v3 - packages/web/e2e review_domains: - product-quality - security - ops tags: - program:mfa - work-type:product-gap - surface:account-security risk_level: high migration_type: mfa-factor-recovery-flow acceptance_checks: - Flow covers phone upgrade, lost authenticator app, still-signed-in replacement, locked-out recovery, and admin-assisted reset. - Privileged-human recovery requires independent approval, audit, expiry, notification, and no silent MFA bypass. - Recovery outcome returns users to Account Security with updated readback or honest pending/unqueried state. - id: PRODUCT-GAP-IAM-MFA-ADMIN-BREAKGLASS-POLICY-FLOW-001 title: Separate daily admin MFA from monitored break-glass policy kind: task role: architecture profile: platform-foundation parent_id: IAM-MFA-PRODUCT-FLOW-GAP-AUDIT-001 owning_domain: security owning_layer: policy-flow source_paths: - doc/operations/MFA_User_Factor_Setup_Manage_Flow_Coverage_v1.md - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - doc/operations/runbooks/IAM_MFA_Enrollment_Reset_and_Breakglass_Runbook.md target_paths: - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - doc/operations/runbooks/IAM_MFA_Enrollment_Reset_and_Breakglass_Runbook.md - doc/operations/Product_Quality_Flow_Coverage_Matrix_v1.md review_domains: - architecture - security - ops tags: - program:mfa - work-type:policy-flow - surface:platform-iam risk_level: high migration_type: mfa-admin-breakglass-policy-flow acceptance_checks: - Daily platform_admin and platform_ops humans remain MFA-required; platform_superadmin has stronger/phishing-resistant expectations where supported. - Break-glass is modeled as a separate emergency account class, not a daily admin MFA exemption. - Break-glass exclusions from lockout-causing policy require custody, monitoring, test cadence, alerting, post-use review, and credential reseal/rotation rules. - id: PRODUCT-GAP-IAM-MFA-USER-FACING-BRANDING-SCAN-001 title: Scan MFA user-facing copy for AI Cloud branding boundaries kind: task role: frontend profile: platform-foundation parent_id: IAM-MFA-PRODUCT-FLOW-GAP-AUDIT-001 owning_domain: product-quality owning_layer: ux-copy source_paths: - doc/operations/MFA_User_Factor_Setup_Manage_Flow_Coverage_v1.md - packages/web/src - packages/web/e2e target_paths: - packages/web/src - packages/web/e2e - doc/operations/Product_Quality_Flow_Coverage_Matrix_v1.md review_domains: - product-quality tags: - program:mfa - work-type:ux-copy - surface:account-security risk_level: low migration_type: mfa-user-facing-branding-scan acceptance_checks: - User-facing MFA/account/security copy uses AI Cloud language and avoids GPUaaS/internal repo naming except on developer or technical docs surfaces. - Account Security, auth setup, provider return, and e2e fixtures are covered by tests or explicit accepted gaps. - id: PRODUCT-GAP-IAM-MFA-WORKFLOW-FIRST-HELP-AFFORDANCE-001 title: Trim MFA page prose into workflow-first help affordances kind: task role: frontend profile: platform-foundation parent_id: IAM-MFA-PRODUCT-FLOW-GAP-AUDIT-001 owning_domain: product-quality owning_layer: ux-copy source_paths: - doc/product/UX_Implementation_Spec.md - doc/operations/MFA_User_Factor_Setup_Manage_Flow_Coverage_v1.md - packages/web/src/components/v3/v3-account-subpages.tsx target_paths: - packages/web/src/components/v3 - packages/web/e2e - doc/operations/Product_Quality_Flow_Coverage_Matrix_v1.md - tmp-ux/gpuaas-program-execution-memory-2026-06-16.md review_domains: - product-quality - frontend tags: - program:mfa - work-type:ux-copy - surface:account-security - backlog:deferred risk_level: low migration_type: mfa-workflow-first-help-affordance acceptance_checks: - Account Security MFA emphasizes primary actions and state first; long explanatory prose moves behind help affordances, tooltips, drawers, or collapsed technical details. - User-facing MFA cards avoid documentation-like paragraphs in the primary surface while preserving recovery, support, and provider-boundary guidance through secondary help. - The resulting pattern is documented so the same workflow-first help-affordance treatment can be reused on other user/admin surfaces instead of remaining MFA-only. - id: IAM-MFA-ADMIN-OPS-SURFACE-GAP-001 title: Define and implement required MFA admin, config, and ops surfaces kind: frontend-contract role: frontend profile: platform-foundation parent_id: IAM-MFA-PRODUCT-COMPLETE-READINESS-001 owning_domain: iam owning_layer: admin-ops-ux source_paths: - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - doc/product/UX_Implementation_Spec.md - doc/product/UX_Journeys.md - packages/web/src/components/v3 - doc/operations/runbooks/IAM_MFA_Enrollment_Reset_and_Breakglass_Runbook.md target_paths: - doc/product - packages/web - doc/api - cmd/api - scripts/ops review_domains: - frontend - product-quality - security - ops tags: - program:mfa - surface:web - surface:iam - work-type:ux - gate:frontend-e2e risk_level: medium migration_type: mfa-admin-ops-surface-gap depends_on: - IAM-MFA-PRODUCT-FLOW-GAP-AUDIT-001 acceptance_checks: - Decision records whether MFA admin/config/ops capabilities belong in existing Platform/Access/Account pages, CLI/runbook only, or a new page. - Required surfaces expose policy posture, provider configuration state, reset/break-glass evidence, and rollout/rollback readiness without collecting factor secrets in GPUaaS. - Any new API or frontend surface is contract-first and covered by focused unit/e2e tests. - If no new page is needed, docs name the existing surface and UAT path that proves the workflow. - id: IAM-MFA-FULL-FUNCTIONAL-UAT-001 title: Prove full MFA functionality through UAT and e2e workflows kind: release-evidence role: governance profile: platform-foundation parent_id: IAM-MFA-PRODUCT-COMPLETE-READINESS-001 owning_domain: product-quality owning_layer: uat-evidence source_paths: - packages/web/e2e - scripts/ci/frontend_e2e.sh - scripts/ops - doc/operations/Product_Quality_Flow_Coverage_Matrix_v1.md - doc/operations/MFA_Factor_Lifecycle_UAT_Coverage_v1.md - doc/operations/runbooks/IAM_MFA_Enrollment_Reset_and_Breakglass_Runbook.md target_paths: - packages/web/e2e - scripts/ci - scripts/ops - doc/operations - .fairway/artifacts review_domains: - product-quality - security - ops tags: - program:mfa - program:uat-hardening - work-type:uat - surface:iam - gate:frontend-e2e risk_level: high migration_type: mfa-full-functional-uat depends_on: - IAM-MFA-PRODUCT-FLOW-GAP-AUDIT-001 - IAM-MFA-ADMIN-OPS-SURFACE-GAP-001 acceptance_checks: - UAT proves current-environment MFA behavior for user, admin, ops, reset, unavailable, rollback, and non-human exclusion flows. - Browser/e2e evidence covers the visible account/security and any admin/ops surfaces; API/CLI evidence covers operations not exposed in UI. - The UAT matrix marks any deferred production-only behavior as blocked/deferred with owner, residual risk, and expiry instead of treating it as pass. - Final evidence supports an Architecture Control decision on whether MFA is product-complete for kind/dev or still blocked by named production-readiness gaps. - id: IAM-MFA-KIND-DEV-UAT-DEPLOY-CLOSEOUT-001 title: Close MFA kind and dev deployment UAT evidence kind: release-evidence role: orchestrator profile: platform-foundation parent_id: IAM-MFA-PRODUCT-COMPLETE-READINESS-001 owning_domain: product-quality owning_layer: deploy-uat-closeout source_paths: - packages/web/e2e - scripts/ci/frontend_e2e.sh - scripts/ci - scripts/ops - doc/operations/MFA_Factor_Lifecycle_UAT_Coverage_v1.md - doc/operations/Product_Quality_Flow_Coverage_Matrix_v1.md - .fairway/artifacts target_paths: - .fairway/artifacts - doc/operations/MFA_Factor_Lifecycle_UAT_Coverage_v1.md - doc/operations/Product_Quality_Flow_Coverage_Matrix_v1.md - scripts/ops - scripts/ci review_domains: - product-quality - ops tags: - program:mfa - program:uat-hardening - environment:kind - environment:dev - work-type:deploy-uat - gate:frontend-e2e risk_level: medium migration_type: mfa-kind-dev-uat-deploy-closeout depends_on: - IAM-MFA-FULL-FUNCTIONAL-UAT-001 acceptance_checks: - Kind runs the MFA user journey evidence for setup, existing-factor state, add-backup, recovery/request-removal, cancel/error handling, provider unavailable/unknown, and branding/internal-boundary checks. - Dev deploy uses a committed SHA and records service image/git-sha readback for API and web. - Dev UAT records the same user/admin/ops MFA subpaths as kind or explicitly marks environment-only gaps with owner, expiry, and residual risk. - CI pipeline status is recorded; any CI/CD failure creates or updates a scoped CI-FIX or CD-FIX task instead of blocking silently. - id: OPS-PLATFORM-SERVICE-VERSION-SURFACE-001 title: Add platform service version and deployment readback surface kind: frontend-contract role: backend profile: platform-foundation parent_id: IAM-MFA-PRODUCT-COMPLETE-READINESS-001 owning_domain: platform-operations owning_layer: release-readback source_paths: - cmd/api - packages/web/src/components/v3 - scripts/ops - doc/operations/V3_Post_Deploy_Smoke_Runbook.md target_paths: - doc/api - cmd/api - packages/web - scripts/ops - doc/operations review_domains: - ops - backend - frontend tags: - program:production-readiness - surface:platform - surface:ops - work-type:read-model risk_level: medium migration_type: platform-service-version-surface acceptance_checks: - Platform admin/ops can see the deployed version, git SHA, image, build time, and environment for API, web, and core workers where available. - Surface uses API/read-model evidence and Kubernetes annotations or release metadata, not direct SQL or hardcoded values. - UAT/deploy runbooks record the service-version readback before declaring an environment updated. - id: PSSM-R6-SCOPE-KEY-READMODEL-READINESS-001 title: Prepare product scope and API-key read-model readiness kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-R6-FUTURE-PRODUCT-READINESS owning_domain: iam owning_layer: platform-iam source_paths: - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md - doc/architecture/Platform_IAM_Model_v1.md - doc/architecture/Service_Account_Model.md - doc/governance/Agent_Work_Queue.yaml target_paths: - packages/platform/iam - packages/platform/auth - doc/api/openapi.draft.yaml - scripts/seed.sql review_domains: - architecture - backend - security risk_level: medium migration_type: readiness-contract depends_on: - PSSM-R6-SOURCE-DOC-RECONCILIATION-001 acceptance_checks: - Scope/API-key readiness maps to existing A-IAM-MULTIPRODUCT-SCOPE-REGISTRY-001 and does not create product-specific keys. - id: PSSM-R6-USAGE-RATING-READINESS-001 title: Prepare multi-product usage and rating readiness kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-R6-FUTURE-PRODUCT-READINESS owning_domain: billing owning_layer: platform-billing source_paths: - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md - doc/architecture/Billing_Platform_Overhaul_v1.md - doc/architecture/Billing_Current_State_Gap_Matrix_v1.md - doc/governance/Agent_Work_Queue.yaml target_paths: - packages/platform/billing - packages/shared/events - doc/api/asyncapi.draft.yaml - scripts/seed.sql review_domains: - architecture - backend - governance risk_level: medium migration_type: readiness-contract depends_on: - PSSM-R6-SOURCE-DOC-RECONCILIATION-001 acceptance_checks: - Usage/rating readiness maps to existing A-BILLING-MULTIPRODUCT-USAGE-UNITS-001 and keeps ledger mutation in platform billing. - id: PSSM-R6-GATEWAY-ADR-READINESS-001 title: Prepare future product gateway ADR readiness kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-R6-FUTURE-PRODUCT-READINESS owning_domain: product-gateway owning_layer: product-boundary source_paths: - doc/architecture/API_Gateway_Evaluation_v1.md - doc/architecture/Token_Factory_Gateway_Product_Model_v1.md - doc/architecture/token-factory/Token_Factory_Readiness_Decision_Packet_v1.md - doc/governance/Agent_Work_Queue.yaml target_paths: - doc/architecture/adrs - doc/architecture/token-factory review_domains: - architecture - security - ops risk_level: medium migration_type: future-adr-readiness depends_on: - PSSM-R6-SOURCE-DOC-RECONCILIATION-001 acceptance_checks: - Gateway readiness preserves Pomerium/platform authority and defers gateway implementation until future product activation. - id: PSSM-R6-UNIFIED-API-KEY-UX-READINESS-001 title: Prepare unified API key UX readiness kind: frontend-contract role: frontend profile: platform-foundation parent_id: PSSM-R6-FUTURE-PRODUCT-READINESS owning_domain: access owning_layer: frontend source_paths: - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md - doc/product/UX_Implementation_Spec.md - doc/product/UX_Journeys.md - doc/governance/Agent_Work_Queue.yaml target_paths: - doc/product - packages/web - packages/docs/docs review_domains: - frontend - product - security risk_level: medium migration_type: frontend-contract depends_on: - PSSM-R6-SCOPE-KEY-READMODEL-READINESS-001 acceptance_checks: - Unified API key UX readiness maps to existing B-UX-UNIFIED-API-KEYS-SERVICE-ACCOUNTS-001 and avoids separate product key UX. - id: PSSM-R6-SECRETS-CUSTODY-READINESS-001 title: Prepare API key and gateway secret custody readiness kind: architecture-map role: security profile: platform-foundation parent_id: PSSM-R6-FUTURE-PRODUCT-READINESS owning_domain: secrets-pki owning_layer: platform-security source_paths: - doc/architecture/platform-foundation/Secrets_PKI_Runtime_Trust_Model_v1.md - doc/architecture/Platform_Vault_Secrets_Baseline_v1.md - doc/operations/runbooks/Key_Rotation_and_Compromise_Response_Runbook.md target_paths: - packages/platform/secrets - doc/operations/evidence - doc/operations/runbooks review_domains: - security - ops - architecture risk_level: high migration_type: readiness-contract depends_on: - PSSM-R6-SOURCE-DOC-RECONCILIATION-001 acceptance_checks: - Secret custody readiness identifies storage, rotation, audit, and one-time reveal rules without adding product gateway secrets today. - id: PSSM-R6-ANALYTICS-BOUNDARY-READINESS-001 title: Prepare OLTP/OLAP analytics boundary readiness kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-R6-FUTURE-PRODUCT-READINESS owning_domain: data-platform owning_layer: analytics source_paths: - doc/architecture/Data_Tiering_and_Database_Operations_Work_Plan_v1.md - doc/architecture/platform-foundation/Platform_Architecture_Gap_Register_v1.md - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md target_paths: - doc/architecture - packages/platform/billing - packages/platform/evidence review_domains: - architecture - backend - ops risk_level: medium migration_type: readiness-contract depends_on: - PSSM-R6-USAGE-RATING-READINESS-001 acceptance_checks: - Analytics readiness identifies hot OLTP versus rollup/warehouse boundaries before high-volume token/request dashboards. - id: PSSM-R6-RELEASE-EVIDENCE-PRODUCT-PROOF-001 title: Prepare future product release evidence proof gates kind: release-evidence role: ops profile: platform-foundation parent_id: PSSM-R6-FUTURE-PRODUCT-READINESS owning_domain: release-engineering owning_layer: ops source_paths: - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - doc/operations/Platform_Control_CI_CD_Target_Model_v1.md - doc/operations/GPUaaS_Security_CD_Current_State_Gap_Roadmap_v1.md target_paths: - doc/operations - packages/platform/evidence - packages/platform/statusops - scripts/ci review_domains: - ops - security - governance risk_level: medium migration_type: release-evidence depends_on: - PSSM-R6-SOURCE-DOC-RECONCILIATION-001 acceptance_checks: - Future product release evidence gates prove IAM, billing, policy, gateway, runtime, and portal invariants before production exposure. - id: PSSM-PRODUCTION-COMPLETION-BACKLOG title: Backlog post-IAM platform shared services production completion kind: epic role: orchestrator profile: platform-foundation parent_id: PSSM-R6-FUTURE-PRODUCT-READINESS owning_domain: platform-foundation owning_layer: production-completion source_paths: - doc/architecture/platform-foundation/Platform_Shared_Services_Model_v2.md - doc/architecture/platform-foundation/Platform_Architecture_Gap_Register_v1.md - doc/architecture/IAM_Department_Hierarchy_Implementation_Plan_v1.md - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md target_paths: - .fairway/platform-foundation-implementation-track.yaml - doc/architecture/platform-foundation - packages/platform - doc/api - scripts/ci review_domains: - architecture - backend - frontend - ops - security - governance risk_level: medium migration_type: deferred-production-completion-backlog depends_on: - IAM-DEPARTMENT-HIERARCHY-EPIC acceptance_checks: - This epic remains a deferred backlog anchor until the IAM department hierarchy slice is complete. - Post-IAM planning breaks this into actionable tasks only after current IAM outputs clarify remaining shared-service gaps. - Follow-up organization covers registry maturity, credential custody, product onboarding, analytics/OLAP boundary, provider/runtime reconciliation, status/evidence maturity, facade depth replacement, and release/profile gates. - id: PSSM-PROD-C0-PLAN-001 title: Define post-IAM PSSM production completion plan kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-foundation owning_layer: production-completion source_paths: - doc/architecture/platform-foundation/Platform_Shared_Services_Completion_Roadmap_v1.md - doc/architecture/platform-foundation/Platform_Architecture_Gap_Register_v1.md - doc/architecture/platform-foundation/Platform_Shared_Services_Model_v2.md target_paths: - doc/architecture/platform-foundation/Platform_Shared_Services_Completion_Roadmap_v1.md - .fairway/platform-foundation-implementation-track.yaml review_domains: - architecture - governance - ops risk_level: medium migration_type: production-completion-plan depends_on: - PSSM-PRODUCTION-COMPLETION-BACKLOG acceptance_checks: - Post-IAM PSSM completion lanes are ordered, Fairway-visible, and mapped to open or partial gap-register items. - The plan distinguishes product-facing contracts, runtime proof, and physical extraction decisions. - The backlog remains scoped to production-completion work, not another platform-foundation reshuffle. - id: PSSM-PROD-C1-REGISTRY-MATURITY-001 title: Mature platform registry to versioned production contracts kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: registry-artifacts owning_layer: platform-registry source_paths: - doc/architecture/platform-foundation/Platform_Registry_Contract_v1.md - doc/architecture/platform-foundation/Platform_Registry_Runtime_Verification_v1.md - packages/platform/registry target_paths: - doc/architecture/platform-foundation - doc/api - packages/platform/registry - scripts/seed.sql review_domains: - architecture - backend - governance risk_level: high migration_type: registry-maturity depends_on: - PSSM-PROD-C0-PLAN-001 acceptance_checks: - Registry maturity plan covers schema-backed entries, seed import, lifecycle state, version snapshots, drift checks, and read/API surfaces. - Scope, usage-unit, audit-action, notification-template, evidence-type, artifact-type, policy/quota, portal-track, and SDK-contract entries have snapshot rules. - Unknown, disabled, or untrusted registry entries fail closed on authority, billing, promotion, credential delivery, and release-blocking paths. - id: PSSM-PROD-C2-CREDENTIAL-CUSTODY-001 title: Define production credential custody and rotation model kind: architecture-map role: security profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: secrets-pki owning_layer: platform-security source_paths: - doc/architecture/platform-foundation/Secrets_PKI_Runtime_Trust_Model_v1.md - doc/architecture/Platform_Vault_Secrets_Baseline_v1.md - doc/operations/runbooks/Key_Rotation_and_Compromise_Response_Runbook.md - packages/platform/secrets - packages/platform/auth target_paths: - doc/architecture/platform-foundation - doc/operations/runbooks - packages/platform/secrets - packages/platform/auth review_domains: - security - ops - architecture - backend risk_level: high migration_type: credential-custody depends_on: - PSSM-PROD-C0-PLAN-001 acceptance_checks: - API keys, service-account keys, recovery tokens, OIDC secrets, gateway credentials, certs, and runtime secrets have storage tiers and rotation owners. - One-time reveal, revoke, emergency disable, compromise response, and audit/evidence rules are defined. - Product-specific secret custody is explicitly disallowed unless approved by security architecture. - id: PSSM-PROD-C3-PRODUCT-ONBOARDING-CONTRACT-001 title: Convert product onboarding checklist into executable packet kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: product-onboarding owning_layer: platform-architecture source_paths: - doc/architecture/platform-foundation/Product_Onboarding_Checklist_v1.md - doc/architecture/platform-foundation/Second_Product_Onboarding_Packet_App_SDK_JupyterLab_v1.md - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md target_paths: - doc/architecture/platform-foundation - .fairway/artifacts - packages/docs review_domains: - architecture - frontend - backend - security - ops risk_level: high migration_type: product-onboarding-contract depends_on: - PSSM-PROD-C1-REGISTRY-MATURITY-001 acceptance_checks: - Product onboarding packet requires product ID, scopes, usage units, resource types, audit actions, notification templates, evidence types, status components, billing posture, docs, and UAT proof. - Product onboarding fails closed when required platform-shared service contracts are missing or explicitly not applicable. - Token Factory or the next product can onboard without product-owned IAM, billing, audit, notification, status, policy, registry, or credential forks. - id: PSSM-PROD-C4-POLICY-QUOTA-CAPACITY-001 title: Define cross-product policy, quota, and capacity composition kind: architecture-map role: backend profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: policy-entitlements owning_layer: platform-policy source_paths: - doc/architecture/Tenant_Admin_Quota_Delegation_v1.md - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md - packages/platform/policy - scripts/seed.sql target_paths: - doc/architecture/platform-foundation - doc/architecture - packages/platform/policy - packages/platform/billing review_domains: - backend - architecture - security risk_level: high migration_type: policy-quota-capacity depends_on: - PSSM-PROD-C0-PLAN-001 acceptance_checks: - Quota dimensions cover GPU, app runtime, token/request, storage, network, and capacity reservation semantics. - Effective policy and quota decisions use global -> plan -> organization -> department -> project scope ordering. - Capacity reservation and entitlement posture is explicit for compute and future model-serving resources. - id: PSSM-PROD-C5-ANALYTICS-OLAP-BOUNDARY-001 title: Define usage analytics OLTP and OLAP boundary kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: data-platform owning_layer: analytics source_paths: - doc/architecture/Data_Tiering_and_Database_Operations_Work_Plan_v1.md - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md - packages/platform/billing target_paths: - doc/architecture/platform-foundation - doc/architecture - packages/platform/billing - packages/platform/evidence review_domains: - architecture - backend - ops risk_level: medium migration_type: analytics-boundary depends_on: - PSSM-PROD-C0-PLAN-001 acceptance_checks: - Usage analytics separates hot OLTP ingestion/rating from department/project/API-key/model rollups. - Token/request analytics has a rollup or warehouse path before high-volume dashboards. - Customer dashboards do not query hot ledger or usage ingestion tables directly. - id: PSSM-PROD-C6-RECONCILIATION-EVIDENCE-001 title: Define provider and runtime reconciliation evidence model kind: architecture-map role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: runtime-ops owning_layer: reconciliation source_paths: - doc/architecture/platform-foundation/Platform_Architecture_Gap_Register_v1.md - packages/products/gpuaas/provisioning - packages/products/appplatform/runtime - cmd/provider-reconciler target_paths: - doc/architecture/platform-foundation - packages/platform/evidence - packages/platform/statusops - cmd/provider-reconciler review_domains: - ops - backend - architecture - security risk_level: high migration_type: reconciliation-evidence depends_on: - PSSM-PROD-C0-PLAN-001 acceptance_checks: - Provider/runtime resources that outlive platform records have orphan detection, quarantine, cleanup, retry, and evidence rules. - Reconciliation posture covers GPUaaS, App Platform runtime, storage, and future model-serving resources. - Operator verification uses APIs/read models by default rather than repeated direct SQL. - id: PSSM-PROD-C7-STATUS-EVIDENCE-MATURITY-001 title: Mature Status/Ops and evidence into shared operating record kind: release-evidence role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: status-evidence owning_layer: platform-ops source_paths: - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Schema_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Input_Mapping_v1.md - packages/platform/evidence - packages/platform/statusops target_paths: - doc/architecture/platform-foundation - packages/platform/evidence - packages/platform/statusops - scripts/ci review_domains: - ops - architecture - security - governance risk_level: high migration_type: status-evidence-maturity depends_on: - PSSM-PROD-C0-PLAN-001 acceptance_checks: - Status/Ops exposes service health, component freshness, release readiness, incident state, SLO evidence, and degradation posture. - Evidence bundles prove IAM, billing, policy, registry, notification, runtime, security, and release invariants. - Customer-safe and internal-only status surfaces are explicitly separated. - id: PSSM-PROD-C8-FACADE-DEPTH-REPLACEMENT-001 title: Replace thin compatibility facades with platform-owned contracts kind: facade role: backend profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-foundation owning_layer: backend-architecture source_paths: - doc/architecture/platform-foundation/Platform_Facade_Callsite_Migration_Map_v1.md - packages/platform - packages/products target_paths: - packages/platform - packages/products - doc/architecture/platform-foundation review_domains: - backend - architecture - governance risk_level: medium migration_type: facade-depth-replacement depends_on: - PSSM-PROD-C0-PLAN-001 acceptance_checks: - Remaining adapter/legacyimpl facades are classified by owner, maturity, risk, and removal or hardening path. - High-risk shared-service contracts use platform-owned types, errors, backend interfaces, tests, and route/service call sites. - Boundary guards remain clean in blocking_new mode after facade-depth changes. - id: PSSM-PROD-C9-RELEASE-PROFILE-GATES-001 title: Define environment and release profile gates for shared services kind: release-evidence role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: release-engineering owning_layer: ops source_paths: - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - doc/operations/Platform_Control_CI_CD_Target_Model_v1.md - doc/governance/Platform_Control_Release_Promotion_Policy.md - scripts/ci target_paths: - doc/operations - doc/governance - scripts/ci - packages/platform/evidence - packages/platform/statusops review_domains: - ops - security - governance - architecture risk_level: high migration_type: release-profile-gates depends_on: - PSSM-PROD-C7-STATUS-EVIDENCE-MATURITY-001 acceptance_checks: - Platform-control and future-product releases validate profile-specific hosts, DNS/TLS, secrets, package/registry values, migrations, contracts, UAT, and rollback posture. - Release evidence gates are non-optional for production-impacting shared-service claims. - Profile gate failures produce operator-visible evidence and a clear forward-fix or rollback path. - id: PSSM-PROD-C10-EXTRACTION-DECISION-PACKETS-001 title: Produce extraction decision packets for mature shared services kind: architecture-map role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-foundation owning_layer: extraction-readiness source_paths: - doc/architecture/platform-foundation/Platform_Deployment_Extraction_Readiness_v1.md - doc/architecture/platform-foundation/Platform_Shared_Services_Completion_Roadmap_v1.md - .fairway/artifacts/platform-shared-services-extraction-packets.yaml target_paths: - .fairway/artifacts - doc/architecture/platform-foundation - doc/operations review_domains: - ops - architecture - security - backend risk_level: medium migration_type: extraction-decision-packets depends_on: - PSSM-PROD-C7-STATUS-EVIDENCE-MATURITY-001 - PSSM-PROD-C8-FACADE-DEPTH-REPLACEMENT-001 - PSSM-PROD-C9-RELEASE-PROFILE-GATES-001 acceptance_checks: - Evidence/status, billing usage ingestion, notification dispatch, artifact trust, service auth, and Secrets/PKI have keep/split/extract recommendations. - Extraction packets include owner, consumer, contract, service auth, degradation, data boundary, event boundary, operations, SLO, migration, and backout answers. - No physical extraction is authorized without smoke, rollback, service-auth, and degradation evidence. - id: PSSM-PROD-C11-SERVICE-LEVEL-CICD-OPERATING-MODE-001 title: Define service-level CI/CD operating model after PSSM maturity kind: architecture-map role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: release-engineering owning_layer: ci-cd source_paths: - doc/architecture/platform-foundation/Platform_Shared_Services_Completion_Roadmap_v1.md - doc/architecture/platform-foundation/Platform_Foundation_Guard_Graduation_Plan_v1.md - doc/architecture/platform-foundation/Platform_Deployment_Extraction_Readiness_v1.md - scripts/ci target_paths: - doc/operations - doc/governance - scripts/ci - .fairway/platform-foundation-implementation-track.yaml review_domains: - ops - architecture - governance - security risk_level: medium migration_type: service-level-cicd-operating-mode depends_on: - PSSM-PROD-C1-REGISTRY-MATURITY-001 - PSSM-PROD-C7-STATUS-EVIDENCE-MATURITY-001 - PSSM-PROD-C9-RELEASE-PROFILE-GATES-001 - PSSM-PROD-C10-EXTRACTION-DECISION-PACKETS-001 acceptance_checks: - CI/CD operating model separates global contract gates, domain-local tests, consumer contract smokes, and service-level evidence bundles. - Independent promotion is allowed only for domains with keep/split/extract decision, service auth, rollback, smoke, and degradation evidence. - Path ownership maps drive selective test, security, and review routing without hiding cross-domain regressions. - id: PSSM-PROD-C12-ERROR-OBSERVABILITY-SWEEP-001 title: Sweep API and worker error observability after PSSM maturity kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-foundation owning_layer: error-observability source_paths: - doc/architecture/platform-foundation/Platform_Shared_Services_Completion_Roadmap_v1.md - doc/governance/Coding_Standards.md - doc/governance/Testing_Standards.md - doc/architecture/Error_Code_Catalog.md - .fairway/artifacts/platform-control-deploy-2256-lessons.md - packages/shared/errors - packages/shared/middleware - cmd/api - packages/platform - packages/products target_paths: - cmd/api - cmd/*-worker - packages/platform - packages/products - packages/shared/errors - doc/governance - doc/architecture review_domains: - backend - ops - governance - security risk_level: medium migration_type: error-observability-sweep depends_on: - PSSM-PROD-C0-PLAN-001 - PSSM-PROD-C7-STATUS-EVIDENCE-MATURITY-001 - PSSM-PROD-C9-RELEASE-PROFILE-GATES-001 acceptance_checks: - Every public API error response uses the canonical ErrorResponse envelope with a non-empty correlation_id and user-safe message. - Representative 5xx paths log the underlying sanitized cause with correlation_id, owning domain, and failure classification instead of requiring database logs to diagnose. - Bootstrap, authz, IAM, billing, and worker setup failures preserve domain sentinel errors and classify upstream dependency versus local defect paths. - Regression tests cover correlation IDs in error envelopes and cause-bearing sanitized logs for representative 4xx and 5xx paths. - id: PSSM-PROD-C13-ERROR-OBSERVABILITY-AUDIT-GATE-001 title: Run exhaustive production error observability audit gate kind: release-evidence role: backend profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-foundation owning_layer: production-error-observability source_paths: - doc/architecture/platform-foundation/Platform_Shared_Services_Completion_Roadmap_v1.md - doc/governance/Error_Traceability_DNA_Standard.md - doc/governance/Backend_Error_Observability_Sweep_Plan_v1.md - doc/governance/Coding_Standards.md - doc/governance/Testing_Standards.md - doc/architecture/Error_Code_Catalog.md - cmd/api - cmd/*-worker - cmd/terminal-gateway - cmd/node-log-gateway - packages/platform - packages/products - packages/shared - scripts/ci target_paths: - .fairway/artifacts - doc/governance - doc/operations - scripts/ci - cmd/api - cmd/*-worker - packages/platform - packages/products - packages/shared review_domains: - backend - ops - governance - security risk_level: high migration_type: production-error-observability-audit-gate depends_on: - PSSM-PROD-C12-ERROR-OBSERVABILITY-SWEEP-001 - PSSM-PROD-C9-RELEASE-PROFILE-GATES-001 acceptance_checks: - Audit report inventories every API, gateway, worker, relay, bootstrap, and privileged mutation failure path with owner, file/function, response status/code/message, cause classification, log fields, and test or guard coverage. - Every audited public/API failure response uses canonical ErrorResponse with non-empty correlation_id, or has a tracked fix task and is not waived silently. - Every audited 5xx path logs sanitized underlying cause with correlation_id, owning domain, actor/scope/resource identifiers where available, and local defect versus upstream dependency classification. - Production readiness has no open S1 or S2 error-observability findings; any deferred S3 finding has an owner, rationale, and removal criteria. - id: PSSM-PROD-C14-POMERIUM-CONSOLIDATION-SWEEP-001 title: Revisit Pomerium consolidation and custom proxy reduction after PSSM kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-proxy owning_layer: edge-routing source_paths: - doc/architecture/Pomerium_Consolidation_Candidate_Sweep_v1.md - doc/architecture/API_Edge_Consolidation_After_Managed_Ingress_v1.md - doc/architecture/Platform_Proxy_Authz_Caching_and_Extraction_v1.md - doc/architecture/Managed_Ingress_Tenant_Isolation_and_Scaling_v1.md - doc/operations/proxy/Pomerium_Runtime_GA_Checkpoint_2026_05_18.md - cmd/api/routes_platform_proxy_authz.go - cmd/terminal-gateway - packages/products/gpuaas/inventory - packages/products/appplatform/runtime - packages/web - scripts/ops target_paths: - doc/architecture/Pomerium_Consolidation_Candidate_Sweep_v1.md - doc/architecture/platform-foundation - .fairway/artifacts - .fairway/platform-foundation-implementation-track.yaml review_domains: - architecture - backend - ops - security - frontend - governance risk_level: high migration_type: pomerium-edge-consolidation depends_on: - PSSM-PROD-C0-PLAN-001 - PSSM-PROD-C9-RELEASE-PROFILE-GATES-001 - PSSM-PROD-C13-ERROR-OBSERVABILITY-AUDIT-GATE-001 acceptance_checks: - Sweep reclassifies remaining custom edge, browser-session, proxy-launch, tool-route, terminal, notification, and managed-ingress code as already migrated, Pomerium candidate, delete candidate, keep internal, or blocked. - Pomerium-owned responsibilities remain limited to TLS, host routing, browser OIDC/session enforcement, WebSocket edge handling, request/header normalization, and edge observability where parity is proven. - GPUaaS-owned responsibilities remain explicit for route intent, org/project/app/allocation authorization, API bearer validation, terminal session binding, billing/metering, audit, and product lifecycle state. - Netdata ops access is explicitly classified as ops-only host-route access when configured by profile, not tenant/product self-service and not a reason to restore path-prefix or browser-session proxy code. - Any proposed deletion or migration has local-kind and target-environment smoke evidence, rollback posture, no-legacy canary coverage, and user-safe failure behavior with correlation IDs. - id: PSSM-PROD-C15-LEGACY-QUEUE-PROMOTION-SWEEP-001 title: Review old governance queue and promote still-valid post-PSSM tasks into Fairway kind: architecture-map role: governance profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-foundation owning_layer: fairway-governance source_paths: - doc/governance/Agent_Work_Queue.yaml - .fairway/platform-foundation-implementation-track.yaml - .fairway/platform-foundation-config.toml - doc/architecture/platform-foundation/Documentation_Source_Of_Truth_Map_v1.md - .fairway/artifacts/docs-pssm-classification.yaml - doc/architecture/platform-foundation - doc/operations - doc/product target_paths: - .fairway/artifacts/legacy-queue-post-pssm-sweep.yaml - .fairway/platform-foundation-implementation-track.yaml - doc/architecture/platform-foundation/Documentation_Source_Of_Truth_Map_v1.md review_domains: - governance - architecture - ops - backend - frontend - security risk_level: high migration_type: legacy-queue-post-pssm-promotion depends_on: - DOCS-PSSM-SOURCE-OF-TRUTH-MAP-001 - PSSM-PROD-C0-PLAN-001 acceptance_checks: - Sweep inventories unfinished, partially completed, and historically closed tasks from doc/governance/Agent_Work_Queue.yaml that may still matter after PSSM, v3, platform proxy, terminal, metrics, and Fairway reshuffles. - Each legacy task is classified as promote-to-Fairway, already-covered, obsolete/superseded, historical-reference, or needs-architecture-decision, with replacement task IDs or source-of-truth docs recorded. - Promoted tasks are added to the active Fairway queue with current parent, dependencies, source/target paths, review domains, risk level, and acceptance checks; obsolete tasks are not copied forward silently. - The resulting artifact makes clear that Agent_Work_Queue.yaml remains historical context and that active execution lives in .fairway/platform-foundation-implementation-track.yaml and the Fairway DB. - id: PSSM-PROD-C16-CROSS-DOMAIN-DB-BOUNDARY-GUARD-001 title: Harden shared-service cross-domain database access guard after PSSM kind: boundary-guard role: governance profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-foundation owning_layer: boundary-guards source_paths: - doc/architecture/platform-foundation/ownership-maps/schema-ownership.md - doc/architecture/platform-foundation/Platform_Foundation_Boundary_Guards_v1.md - doc/architecture/platform-foundation/guard-allowed-debt.tsv - packages/platform - packages/products - cmd/api - cmd/*-worker - scripts/ci target_paths: - scripts/ci/platform_foundation_boundary_report.sh - doc/architecture/platform-foundation/guard-allowed-debt.tsv - .fairway/artifacts review_domains: - governance - backend - architecture - security risk_level: high migration_type: cross-domain-db-boundary-guard depends_on: - PSSM-PROD-C8-FACADE-DEPTH-REPLACEMENT-001 - PSSM-PROD-C15-LEGACY-QUEUE-PROMOTION-SWEEP-001 acceptance_checks: - Guard identifies direct reads or writes from product code into IAM, billing, audit, notification, status/evidence, policy, registry, and credential tables owned by platform shared services. - Existing approved debt is listed with owner, rationale, expiry, and removal task; new high-risk cross-domain DB access fails blocking-new mode. - Guard evidence can be attached to release/profile gates without requiring manual SQL review. - id: PSSM-PROD-C17-EDGE-ERROR-PRESENTATION-GATE-001 title: Add production gate for user-safe edge and app error presentation kind: release-evidence role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-proxy owning_layer: edge-error-presentation source_paths: - doc/operations/runbooks/Edge_And_App_Error_Presentation_Runbook.md - doc/architecture/Pomerium_Consolidation_Candidate_Sweep_v1.md - packages/web/app/edge-error - scripts/ops/edge_error_presentation_smoke.sh - infra/k8s/base/platform-proxy - cmd/api target_paths: - doc/operations/runbooks/Edge_And_App_Error_Presentation_Runbook.md - scripts/ops - packages/web/app/edge-error - .fairway/artifacts review_domains: - ops - frontend - backend - security - architecture risk_level: high migration_type: edge-error-presentation-gate depends_on: - PSSM-PROD-C13-ERROR-OBSERVABILITY-AUDIT-GATE-001 - PSSM-PROD-C14-POMERIUM-CONSOLIDATION-SWEEP-001 - PSSM-PROD-C9-RELEASE-PROFILE-GATES-001 acceptance_checks: - Release/profile evidence proves Cloudflare, Pomerium, IdP callback, upstream unavailable, app runtime failure, and browser client exception paths show user-safe product error surfaces. - Operator logs and runbooks preserve provider/Pomerium/request IDs for diagnosis without exposing implementation details to normal users. - Smoke output classifies edge-provider, Pomerium/OIDC, GPUaaS route-intent, upstream, and frontend failure classes with correlation or request IDs where available. - id: PSSM-PROD-C18-NODE-AGENT-RECOVERY-UPDATE-BOUNDARY-001 title: Define node-agent recovery, update, and drift boundary for production kind: architecture-map role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: node-runtime owning_layer: recovery-update source_paths: - doc/architecture/Node_Agent_Drift_And_Recovery_Model_v1.md - doc/architecture/Node_Agent_Spec.md - doc/architecture/platform-foundation/Secrets_PKI_Runtime_Trust_Model_v1.md - doc/architecture/platform-foundation/Platform_Runtime_Reconciliation_Evidence_Model_v1.md - cmd/node-agent - cmd/terminal-gateway - packages/products/gpuaas/terminal - scripts/ops/node_agent_terminal_preflight.sh target_paths: - doc/architecture/platform-foundation - doc/operations/runbooks - scripts/ops - .fairway/artifacts review_domains: - ops - backend - security - architecture risk_level: high migration_type: node-agent-recovery-update-boundary depends_on: - PSSM-PROD-C2-CREDENTIAL-CUSTODY-001 - PSSM-PROD-C6-RECONCILIATION-EVIDENCE-001 - PROD-STRESS-TERMINAL-001 acceptance_checks: - Decision packet defines what node-agent self-update may do versus what requires rebootstrap, recovery token rotation, manual repair, or full reimage. - Drift and recovery evidence separates node-agent/control-plane failure from workload downtime and tenant/customer impact. - Terminal, app runtime, provider lifecycle, cert/credential rotation, and release/profile gates have explicit recovery and rollback expectations. - id: PSSM-PROD-C19-API-BEARER-PROXY-AUTHZ-SCALING-001 title: Decide api_bearer route-forward scaling and proxy-authz extraction boundary kind: architecture-map role: backend profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-proxy owning_layer: api-bearer-authz source_paths: - doc/architecture/Platform_Proxy_Authz_Caching_and_Extraction_v1.md - doc/architecture/Managed_Ingress_Tenant_Isolation_and_Scaling_v1.md - doc/architecture/Pomerium_Consolidation_Candidate_Sweep_v1.md - cmd/api/routes_platform_proxy_authz.go - packages/products/gpuaas/inventory/legacyimpl/proxy_route_access.go - packages/platform/billing - scripts/ops/proxy_authz_api_bearer_load_smoke.sh target_paths: - doc/architecture/platform-foundation - scripts/ops - .fairway/artifacts - cmd/api - cmd/proxy-authz review_domains: - backend - ops - security - architecture risk_level: high migration_type: api-bearer-proxy-authz-scaling depends_on: - PSSM-PROD-C14-POMERIUM-CONSOLIDATION-SWEEP-001 - PROD-STRESS-SCENARIOS-001 - PSSM-PROD-C5-ANALYTICS-OLAP-BOUNDARY-001 acceptance_checks: - Decision packet states whether api_bearer route-forward remains in cmd/api for the next production slice or must extract to cmd/proxy-authz before high-RPS customers. - Load and revocation evidence covers cache hit ratio, p99 authz latency, DB wait, route version change, service-account disable, and no IdP HTML on invalid API clients. - Extraction criteria preserve GPUaaS authority over bearer validation, route/project/app checks, trusted header injection, managed-ingress metering, and audit-grade denies. - id: PSSM-PROD-C20-NETDATA-OPS-HOST-ROUTE-ENABLEMENT-001 title: Enable Netdata ops-only host route by profile after node-local edge parity kind: release-evidence role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-proxy owning_layer: platform-tool-routes source_paths: - doc/architecture/Pomerium_Consolidation_Candidate_Sweep_v1.md - doc/operations/Release_Smoke_Checklist.md - doc/operations/runbooks/Kind_Demo_Environment_Readiness_Runbook.md - scripts/ops/env_profiles.json - scripts/ops/gpuaas_worker_node_parity_check.sh - scripts/ops/gpuaas_netdata_edge_converge.sh - scripts/ops/platform_proxy_no_legacy_canary.sh - cmd/api/routes_v3_readmodels_platform.go - packages/web/src/shared/observability/links.ts - packages/web/src/components/v3 target_paths: - scripts/ops - doc/operations - .fairway/artifacts - scripts/ops/env_profiles.json review_domains: - ops - security - frontend - backend - architecture risk_level: medium migration_type: netdata-ops-host-route-enablement depends_on: - PSSM-PROD-C14-POMERIUM-CONSOLIDATION-SWEEP-001 - PSSM-PROD-C9-RELEASE-PROFILE-GATES-001 - PSSM-PROD-C18-NODE-AGENT-RECOVERY-UPDATE-BOUNDARY-001 acceptance_checks: - Decision artifact confirms Netdata remains ops-only and disabled by default in profiles where NEXT_PUBLIC_NETDATA_BASE_URL is empty. - Worker-node parity evidence proves Netdata backend listens on 127.0.0.1:19998, nginx telemetry edge listens on 0.0.0.0:19999, /gpuaas/telemetry/health returns 200, and /gpuaas/telemetry/netdata/ redirects to the detected dashboard path. - Profile enablement sets NEXT_PUBLIC_NETDATA_BASE_URL only for environments with proven node-local edge parity and a non-legacy Pomerium host route. - V3 /platform/ops and node-detail launch surfaces require platform.ops.read, render unavailable when the route is missing, and never expose Netdata as tenant/product self-service. - No-legacy canary covers /p/netdata and /backend/p/netdata in addition to existing Grafana/Jupyter/OpenAI retired path checks. - id: OPS-PROD-SRE-TOOL-ACCESS-MATRIX-001 title: Define SRE tool access matrix and API-first ops surface policy kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: sre-tool-access source_paths: - doc/architecture/Production_Deployment_Readiness_v1.md - doc/operations/Ops_Runbook_Architecture.md - doc/operations/SRE_Runbook_Index.md - doc/architecture/Pomerium_Consolidation_Candidate_Sweep_v1.md - doc/architecture/Old_Proxy_Retirement_Execution_Plan_v1.md - cmd/api/routes_v3_readmodels_platform.go - packages/web/src/components/v3/v3-platform-pages.tsx - scripts/ops/platform_proxy_dns_validate.sh - scripts/ops/pomerium_edge_profile_smoke.sh target_paths: - doc/operations - doc/architecture/Pomerium_Consolidation_Candidate_Sweep_v1.md - .fairway/artifacts - scripts/ops - cmd/api - packages/web/src/components/v3 review_domains: - ops - security - architecture - backend - frontend risk_level: medium migration_type: sre-tool-access-api-first-policy depends_on: - OPS-PROD-OBSERVABILITY-ONCALL-001 - PSSM-PROD-C14-POMERIUM-CONSOLIDATION-SWEEP-001 - PSSM-PROD-C7-STATUS-EVIDENCE-MATURITY-001 acceptance_checks: - Matrix classifies Grafana, Temporal UI, Netdata, Swagger/Redoc, registry, Vault, Keycloak admin, Prometheus/Loki/Tempo, Kubernetes dashboards, and provider consoles as API/read-model-first, direct-UI-allowed, internal-only, or disabled. - For each direct UI that remains allowed, the matrix states the operator use case that cannot yet be satisfied through platform APIs/read models. - Direct UI exposure requires Pomerium/browser OIDC, platform.ops.read or stronger authorization, DNS/TLS evidence, smoke coverage, audit/correlation where possible, and unavailable-state handling in /platform/ops. - Missing API/read-model surfaces become scoped follow-up tasks instead of silently expanding direct tool exposure. - Retired legacy proxy paths remain negative-tested; /p/* and /backend/p/* do not become the access model again. - id: OPS-PROD-OBSERVABILITY-READMODEL-GAPS-001 title: Convert observability direct UI gaps into platform read-model tasks kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: sre-tool-access source_paths: - doc/operations/SRE_Tool_Access_Matrix_v1.md - doc/operations/Observability_Baseline.md - doc/operations/Observability_Read_Model_Gap_Map_v1.md - cmd/api/routes_v3_readmodels_platform.go - packages/web/src/components/v3/v3-platform-pages.tsx target_paths: - doc/operations - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - ops - architecture - backend - frontend risk_level: medium migration_type: observability-readmodel-gap-burndown depends_on: - OPS-PROD-SRE-TOOL-ACCESS-MATRIX-001 acceptance_checks: - Grafana, Prometheus, Loki, and Tempo direct UI use cases are grouped by operator question. - Each use case is marked covered by existing platform status/evidence/read model or assigned a scoped follow-up task. - Direct UI access remains an escape hatch and not the first operator path. - id: OPS-PROD-OBSERVABILITY-HEALTH-SNAPSHOT-001 title: Define platform observability health snapshot read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: observability-readmodels source_paths: - doc/operations/Observability_Read_Model_Gap_Map_v1.md - doc/operations/Observability_Baseline.md - cmd/api/routes_v3_readmodels_platform.go - packages/web/src/components/v3/v3-platform-pages.tsx target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - frontend - architecture risk_level: high migration_type: observability-health-snapshot-readmodel depends_on: - OPS-PROD-OBSERVABILITY-READMODEL-GAPS-001 acceptance_checks: - Health snapshot contract covers service, worker, queue, runtime, scrape freshness, and degradation reason rollups. - Direct Grafana/Prometheus use is secondary to platform health snapshot for initial triage. - id: OPS-PROD-OBSERVABILITY-CORRELATION-TIMELINE-001 title: Define observability correlation timeline read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: observability-readmodels source_paths: - doc/operations/Observability_Read_Model_Gap_Map_v1.md - doc/operations/Observability_Baseline.md - cmd/api/routes_v3_readmodels_platform.go - packages/web/src/components/v3/v3-platform-pages.tsx target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - frontend - security - architecture risk_level: high migration_type: observability-correlation-timeline-readmodel depends_on: - OPS-PROD-OBSERVABILITY-READMODEL-GAPS-001 acceptance_checks: - Correlation timeline contract covers audit rows, structured logs, trace IDs, task IDs, workflow IDs, events, and owning resources. - Raw log payloads are redacted/summarized before leaving platform evidence surfaces. - id: OPS-PROD-OBSERVABILITY-HEALTH-SNAPSHOT-IMPLEMENTATION-001 title: Implement platform observability health snapshot read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: observability-readmodels source_paths: - doc/operations/Observability_Health_Snapshot_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - cmd/api/routes_v3_readmodels_platform.go - packages/web/src/components/v3/v3-platform-pages.tsx target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - frontend - architecture risk_level: high migration_type: observability-health-snapshot-implementation depends_on: - OPS-PROD-OBSERVABILITY-HEALTH-SNAPSHOT-001 acceptance_checks: - OpenAPI and generated artifacts expose the health snapshot contract. - Backend projection returns service, worker, queue, runtime, scrape freshness, and degradation reason rollups without raw telemetry payloads. - Platform ops UI shows the snapshot before direct Grafana or Prometheus pivots. - Tests cover authorization, stale evidence, queue degradation, missing observability evidence, and excluded raw telemetry. - id: OPS-PROD-OBSERVABILITY-CORRELATION-TIMELINE-IMPLEMENTATION-001 title: Implement observability correlation timeline read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: observability-readmodels source_paths: - doc/operations/Observability_Correlation_Timeline_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - cmd/api/routes_v3_readmodels_platform.go - packages/web/src/components/v3/v3-platform-pages.tsx target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - frontend - security - architecture risk_level: high migration_type: observability-correlation-timeline-implementation depends_on: - OPS-PROD-OBSERVABILITY-CORRELATION-TIMELINE-001 acceptance_checks: - OpenAPI and generated artifacts expose the correlation timeline contract. - Backend projection joins audit rows, evidence items, structured-log summaries, trace summaries, task events, domain events, workflows, and owning resources without raw telemetry payloads. - Platform ops and evidence UI surfaces link to the timeline from correlation IDs, trace IDs, task IDs, workflow IDs, event IDs, and target resources. - Tests cover authorization, broad-query rejection, target filtering, pagination, source ordering, missing source reporting, and raw-payload exclusion. - id: OPS-PROD-OBSERVABILITY-LOG-TRACE-PIVOTS-001 title: Define bounded log and trace pivot read models kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: observability-readmodels source_paths: - doc/operations/Observability_Read_Model_Gap_Map_v1.md - doc/operations/Observability_Baseline.md - doc/governance/Observability_Standards.md - cmd/api/routes_v3_readmodels_platform.go target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - security - architecture risk_level: high migration_type: observability-log-trace-pivots depends_on: - OPS-PROD-OBSERVABILITY-READMODEL-GAPS-001 acceptance_checks: - Log excerpt and trace summary contracts define redaction, pagination, retention metadata, source labels, and evidence links. - Direct Loki/Tempo access remains an SRE escape hatch after correlation/resource scope is known. - id: OPS-PROD-OBSERVABILITY-LOG-TRACE-PIVOTS-IMPLEMENTATION-001 title: Implement bounded log and trace pivot read models kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: observability-readmodels source_paths: - doc/operations/Observability_Log_Trace_Pivot_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - cmd/api/routes_v3_readmodels_platform.go - packages/web/src/components/v3/v3-platform-pages.tsx target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - frontend - security - architecture risk_level: high migration_type: observability-log-trace-pivots-implementation depends_on: - OPS-PROD-OBSERVABILITY-LOG-TRACE-PIVOTS-001 acceptance_checks: - OpenAPI and generated artifacts expose bounded log excerpt and trace summary contracts. - Backend projection enforces narrowing pivots, pagination, retention metadata, source labels, direct-UI escape-hatch links, and raw payload exclusion. - Platform ops, evidence, resource detail, and correlation timeline UI surfaces link to the log/trace pivots without making Loki or Tempo the first operator path. - Tests cover authorization, broad-query rejection, sanitization, retention metadata, pagination, direct-UI link gating, and raw payload exclusion. - id: OPS-PROD-OBSERVABILITY-ALERT-SLO-EVIDENCE-001 title: Define alert routing and SLO evidence read model kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: observability-readmodels source_paths: - doc/operations/Observability_Read_Model_Gap_Map_v1.md - doc/operations/Observability_Baseline.md - doc/operations/local-dev/observability/prometheus-alerts.yaml - doc/operations/evidence target_paths: - doc/operations - scripts/ops - scripts/ci - .fairway/artifacts review_domains: - ops - governance - architecture risk_level: high migration_type: observability-alert-slo-evidence depends_on: - OPS-PROD-OBSERVABILITY-READMODEL-GAPS-001 acceptance_checks: - Alert/runbook routing and SLO/error-budget evidence can be exported without screenshots or manual Grafana dashboard capture. - Release readiness can attach machine-readable observability evidence. - id: OPS-PROD-OBSERVABILITY-ALERT-SLO-EVIDENCE-IMPLEMENTATION-001 title: Implement alert routing and SLO evidence read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: observability-readmodels source_paths: - doc/operations/Observability_Alert_SLO_Evidence_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - cmd/api/routes_v3_readmodels_platform.go - scripts/ops/observability_oncall_readiness.sh - scripts/ci/platform_status_snapshot.sh - packages/web/src/components/v3/v3-platform-pages.tsx target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - frontend - security - architecture risk_level: high migration_type: observability-alert-slo-evidence-implementation depends_on: - OPS-PROD-OBSERVABILITY-ALERT-SLO-EVIDENCE-001 acceptance_checks: - OpenAPI and generated artifacts expose alert routing and SLO evidence contracts. - Backend projection returns alert state, route ownership, runbook mapping, drill freshness, SLO/error-budget state, and release gate state without raw Prometheus samples or notification secrets. - Platform ops and release evidence UI surfaces can attach machine-readable SLO evidence without dashboard screenshots. - Tests cover authorization, missing alert route, stale drill evidence, blocked release gate, pagination, and raw sample/secret exclusion. - id: OPS-PROD-REGISTRY-OPS-READMODEL-001 title: Define registry operator read-model coverage before broad registry UI exposure kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-registry owning_layer: sre-tool-access source_paths: - doc/operations/SRE_Tool_Access_Matrix_v1.md - doc/architecture/platform-foundation/Platform_Registry_Contract_v1.md - doc/operations/Registry_Ops_Read_Model_Gap_Map_v1.md - cmd/api target_paths: - doc/operations - doc/architecture/platform-foundation - cmd/api - .fairway/artifacts review_domains: - ops - security - backend risk_level: medium migration_type: registry-ops-readmodel depends_on: - OPS-PROD-SRE-TOOL-ACCESS-MATRIX-001 acceptance_checks: - Registry operator questions are covered by artifact/release evidence or explicit read-model gaps. - Direct registry UI remains internal-only or Pomerium-protected until digest, signature, and promotion evidence are visible in platform surfaces. - Credential exposure and pull-secret visibility are explicitly excluded from UI/read-model outputs. - id: OPS-PROD-REGISTRY-ENV-ARTIFACT-INVENTORY-001 title: Define environment artifact inventory read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-registry owning_layer: registry-ops-readmodels source_paths: - doc/operations/Registry_Ops_Read_Model_Gap_Map_v1.md - doc/operations/Reproducible_Environment_Automation_v1.md - scripts/ci - infra/k8s target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - scripts/ops - .fairway/artifacts review_domains: - backend - ops - security - architecture risk_level: high migration_type: registry-env-artifact-inventory depends_on: - OPS-PROD-REGISTRY-OPS-READMODEL-001 acceptance_checks: - Contract exposes service/app, image ref, digest, source SHA, environment, rollout revision, and release evidence link. - Mutable tags are not treated as authority when digest evidence exists. - id: OPS-PROD-REGISTRY-ENV-ARTIFACT-INVENTORY-IMPLEMENTATION-001 title: Implement environment artifact inventory read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-registry owning_layer: registry-ops-readmodels source_paths: - doc/operations/Registry_Environment_Artifact_Inventory_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - cmd/api/routes_v3_readmodels_platform.go - scripts/ci - infra/k8s target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - scripts/ops - .fairway/artifacts review_domains: - backend - ops - security - architecture risk_level: high migration_type: registry-env-artifact-inventory-implementation depends_on: - OPS-PROD-REGISTRY-ENV-ARTIFACT-INVENTORY-001 acceptance_checks: - OpenAPI and generated artifacts expose the environment artifact inventory contract. - Backend projection returns service/app, image ref, digest, source SHA, environment, rollout revision, and release evidence link. - Digest evidence is authoritative over mutable tags, and missing digest/source/release evidence is explicitly classified. - Tests cover authorization, digest authority, mutable tag fallback, pagination, missing source SHA, missing release evidence, and secret exclusion. - id: OPS-PROD-REGISTRY-ARTIFACT-TRUST-STATUS-001 title: Define artifact trust status read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-registry owning_layer: registry-ops-readmodels source_paths: - doc/operations/Registry_Ops_Read_Model_Gap_Map_v1.md - doc/operations/Supply_Chain_Evidence_Gate_Runbook.md - scripts/ci/supply_chain_evidence_gate.sh - scripts/ci/security_promotion_gate.sh target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - scripts/ci - .fairway/artifacts review_domains: - backend - ops - security - architecture risk_level: high migration_type: registry-artifact-trust-status depends_on: - OPS-PROD-REGISTRY-OPS-READMODEL-001 acceptance_checks: - Contract covers signature, SBOM, provenance, scanner summary, waiver state, promotion eligibility, and expiry. - Missing evidence creates explicit non-ready status and does not silently pass. - id: OPS-PROD-REGISTRY-ARTIFACT-TRUST-STATUS-IMPLEMENTATION-001 title: Implement artifact trust status read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-registry owning_layer: registry-ops-readmodels source_paths: - doc/operations/Registry_Artifact_Trust_Status_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - cmd/api/routes_v3_readmodels_platform.go - scripts/ci/supply_chain_evidence_gate.sh - scripts/ci/security_promotion_gate.sh target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - scripts/ci - .fairway/artifacts review_domains: - backend - ops - security - architecture risk_level: high migration_type: registry-artifact-trust-status-implementation depends_on: - OPS-PROD-REGISTRY-ARTIFACT-TRUST-STATUS-001 acceptance_checks: - OpenAPI and generated artifacts expose artifact trust status contract. - Backend projection returns signature, SBOM, provenance, scanner summary, waiver state, promotion eligibility, and expiry. - Missing evidence creates explicit non-ready status and does not silently pass. - Tests cover missing SBOM, missing provenance, local-sha256 production rejection, scanner block, valid waiver, expired waiver, pagination, and secret/raw-output exclusion. - id: OPS-PROD-REGISTRY-APP-ARTIFACT-OPS-STATUS-001 title: Define app artifact operator status read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-registry owning_layer: registry-ops-readmodels source_paths: - doc/operations/Registry_Ops_Read_Model_Gap_Map_v1.md - cmd/api/routes_v3_launch_submit.go - packages/products/appplatform target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - security - architecture risk_level: high migration_type: registry-app-artifact-ops-status depends_on: - OPS-PROD-REGISTRY-OPS-READMODEL-001 acceptance_checks: - Contract exposes app slug, version, artifact name, target arch, source type, digest, trust state, and launch eligibility. - Credential material and pull secrets are excluded. - id: OPS-PROD-REGISTRY-APP-ARTIFACT-OPS-STATUS-IMPLEMENTATION-001 title: Implement app artifact operator status read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-registry owning_layer: registry-ops-readmodels source_paths: - doc/operations/Registry_App_Artifact_Ops_Status_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - cmd/api/routes_v3_launch_submit.go - packages/products/appplatform target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - security - architecture risk_level: high migration_type: registry-app-artifact-ops-status-implementation depends_on: - OPS-PROD-REGISTRY-APP-ARTIFACT-OPS-STATUS-001 acceptance_checks: - OpenAPI and generated artifacts expose app artifact operator status contract. - Backend projection returns app slug, version, artifact name, target arch, source type, digest, trust state, and launch eligibility. - Eligibility reasons match launch-path behavior for missing digest, trust-not-verified, arch mismatch, and missing manifest artifact. - Tests cover authorization, project scoping, launch eligibility, missing digest, trust-not-verified, arch mismatch, missing manifest artifact, pagination, and credential exclusion. - id: OPS-PROD-REGISTRY-PULL-DIAGNOSIS-001 title: Define registry pull failure diagnosis read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-registry owning_layer: registry-ops-readmodels source_paths: - doc/operations/Registry_Ops_Read_Model_Gap_Map_v1.md - doc/operations/runbooks/Node_Onboarding_Runbook.md - packages/products/appplatform/runtime - cmd/node-agent target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - security - architecture risk_level: high migration_type: registry-pull-diagnosis depends_on: - OPS-PROD-REGISTRY-OPS-READMODEL-001 acceptance_checks: - Contract exposes artifact ref, target environment/node/workload, error class, credential purpose ID, next action, and redacted evidence. - Pull secrets, registry passwords, bearer tokens, and private keys are never exposed. - id: OPS-PROD-REGISTRY-PULL-DIAGNOSIS-IMPLEMENTATION-001 title: Implement registry pull failure diagnosis read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-registry owning_layer: registry-ops-readmodels source_paths: - doc/operations/Registry_Pull_Diagnosis_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - packages/products/appplatform/runtime - cmd/node-agent target_paths: - doc/api - cmd/api - packages/platform - packages/products/appplatform - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - security - architecture risk_level: high migration_type: registry-pull-diagnosis-implementation depends_on: - OPS-PROD-REGISTRY-PULL-DIAGNOSIS-001 acceptance_checks: - OpenAPI and generated artifacts expose registry pull diagnosis contract. - Backend projection returns artifact ref, target environment/node/workload, error class, credential purpose ID, next action, and redacted evidence. - Pull diagnosis links to node task evidence, sanitized logs, app artifact status, and artifact trust status. - Tests cover authorization, tenant/project scoping, required query filter, error classes, credential purpose exposure, secret redaction, pagination, and evidence links. - id: OPS-PROD-SECRETS-PKI-OPS-READMODEL-001 title: Define secrets PKI operator read-model coverage before expanding Vault direct use kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-secrets-pki owning_layer: sre-tool-access source_paths: - doc/operations/SRE_Tool_Access_Matrix_v1.md - doc/architecture/Platform_Vault_Secrets_Baseline_v1.md - doc/operations/Secrets_PKI_Ops_Read_Model_Gap_Map_v1.md - doc/operations/runbooks/Vault_Bootstrap_and_Root_Token_Runbook.md target_paths: - doc/operations - doc/architecture - .fairway/artifacts review_domains: - ops - security - architecture risk_level: medium migration_type: secrets-pki-ops-readmodel depends_on: - OPS-PROD-SRE-TOOL-ACCESS-MATRIX-001 acceptance_checks: - Secrets/PKI custody, rotation, certificate lifecycle, and break-glass operator questions are mapped to platform evidence or explicit gaps. - Vault direct UI remains internal-only/break-glass and is not exposed as a normal ops route. - Live secret rotation remains approval-gated. - id: OPS-PROD-SECRETS-PKI-PURPOSE-INVENTORY-001 title: Define secrets PKI purpose inventory read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-secrets-pki owning_layer: secrets-pki-readmodels source_paths: - doc/operations/Secrets_PKI_Ops_Read_Model_Gap_Map_v1.md - packages/platform/secrets - doc/architecture/platform-foundation/Secrets_PKI_Runtime_Trust_Model_v1.md target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - security - architecture risk_level: high migration_type: secrets-pki-purpose-inventory depends_on: - OPS-PROD-SECRETS-PKI-OPS-READMODEL-001 acceptance_checks: - Contract exposes purpose ID, material kind, custody tool, delivery mode, rotation owner, cadence, evidence component, and status. - No secret values, private keys, tokens, or raw Vault material are exposed. - id: OPS-PROD-SECRETS-PKI-PURPOSE-INVENTORY-IMPLEMENTATION-001 title: Implement secrets PKI purpose inventory read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-secrets-pki owning_layer: secrets-pki-readmodels source_paths: - doc/operations/Secrets_PKI_Purpose_Inventory_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - packages/platform/secrets - doc/architecture/platform-foundation/Secrets_PKI_Runtime_Trust_Model_v1.md target_paths: - doc/api - cmd/api - packages/platform - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - security - architecture risk_level: high migration_type: secrets-pki-purpose-inventory-implementation depends_on: - OPS-PROD-SECRETS-PKI-PURPOSE-INVENTORY-001 acceptance_checks: - OpenAPI and generated artifacts expose the secrets PKI purpose inventory contract. - Backend projection returns purpose ID, material kind, custody tool, delivery mode, rotation owner, cadence, evidence component, and status. - Missing runtime-trust evidence is classified as unknown or unhealthy, not healthy. - Tests cover authorization, filters, enum values, missing evidence classification, one-time reveal metadata, product-custody exception visibility, pagination, and secret redaction. - id: OPS-PROD-SECRETS-PKI-VAULT-READINESS-001 title: Define Vault readiness evidence read model kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-secrets-pki owning_layer: secrets-pki-readmodels source_paths: - doc/operations/Secrets_PKI_Ops_Read_Model_Gap_Map_v1.md - doc/architecture/Platform_Vault_Secrets_Baseline_v1.md - doc/operations/runbooks/Vault_Bootstrap_and_Root_Token_Runbook.md - scripts/ci/platform_control_deploy.sh target_paths: - doc/api - cmd/api - scripts/ci - scripts/ops - .fairway/artifacts review_domains: - ops - security - architecture risk_level: high migration_type: secrets-pki-vault-readiness depends_on: - OPS-PROD-SECRETS-PKI-OPS-READMODEL-001 acceptance_checks: - Contract exposes initialized, sealed, mount, policy, and read-check status only. - Root token, unseal key, operational token, registry password, and secret values are never logged or returned. - id: OPS-PROD-SECRETS-PKI-VAULT-READINESS-IMPLEMENTATION-001 title: Implement Vault readiness evidence read model kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-secrets-pki owning_layer: secrets-pki-readmodels source_paths: - doc/operations/Secrets_PKI_Vault_Readiness_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - doc/architecture/Platform_Vault_Secrets_Baseline_v1.md - doc/operations/runbooks/Vault_Bootstrap_and_Root_Token_Runbook.md - scripts/ci/platform_control_deploy.sh target_paths: - doc/api - cmd/api - scripts/ci - scripts/ops - packages/web/src/components/v3 - .fairway/artifacts review_domains: - ops - security - architecture risk_level: high migration_type: secrets-pki-vault-readiness-implementation depends_on: - OPS-PROD-SECRETS-PKI-VAULT-READINESS-001 acceptance_checks: - OpenAPI and generated artifacts expose Vault readiness evidence contract. - Projection returns initialized, sealed, mount, policy, read-check status, deploy preflight status, evidence links, and next action only. - Root token, unseal key, operational token, registry password, and secret values are never logged or returned. - Tests cover authorization, environment filtering, initialized/sealed combinations, missing mount, missing policy, failed read check, stale preflight evidence, pagination, and token/secret redaction. - id: OPS-PROD-SECRETS-PKI-CERT-LIFECYCLE-001 title: Define certificate lifecycle read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-secrets-pki owning_layer: secrets-pki-readmodels source_paths: - doc/operations/Secrets_PKI_Ops_Read_Model_Gap_Map_v1.md - packages/platform/secrets - packages/shared/pki - doc/architecture/PKI_Spec.md target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - security - architecture risk_level: high migration_type: secrets-pki-cert-lifecycle depends_on: - OPS-PROD-SECRETS-PKI-OPS-READMODEL-001 acceptance_checks: - Contract exposes issuer, subject class, not-after, renewal status, revocation status, owner domain, and evidence link. - Certificate private keys and CSR private material are never exposed. - id: OPS-PROD-SECRETS-PKI-CERT-LIFECYCLE-IMPLEMENTATION-001 title: Implement certificate lifecycle read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-secrets-pki owning_layer: secrets-pki-readmodels source_paths: - doc/operations/Secrets_PKI_Certificate_Lifecycle_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - packages/platform/secrets - packages/shared/pki - doc/architecture/PKI_Spec.md target_paths: - doc/api - cmd/api - packages/platform - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - security - architecture risk_level: high migration_type: secrets-pki-cert-lifecycle-implementation depends_on: - OPS-PROD-SECRETS-PKI-CERT-LIFECYCLE-001 acceptance_checks: - OpenAPI and generated artifacts expose the certificate lifecycle contract. - Projection returns issuer, subject class, not-after, renewal status, revocation status, owner domain, and evidence link. - Certificate private keys, CSR private material, CA private material, and raw key PEM are never exposed. - Tests cover authorization, purpose and subject-class filters, due-soon classification, expired classification, revoked classification, missing evidence, pagination, and private-key/CSR redaction. - id: OPS-PROD-SECRETS-PKI-ROTATION-EVIDENCE-001 title: Define secrets PKI rotation evidence read model kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-secrets-pki owning_layer: secrets-pki-readmodels source_paths: - doc/operations/Secrets_PKI_Ops_Read_Model_Gap_Map_v1.md - packages/platform/secrets - doc/operations/evidence/secrets_key_ops.md target_paths: - doc/api - cmd/api - doc/operations - scripts/ops - .fairway/artifacts review_domains: - ops - security - architecture risk_level: high migration_type: secrets-pki-rotation-evidence depends_on: - OPS-PROD-SECRETS-PKI-OPS-READMODEL-001 acceptance_checks: - Contract exposes purpose, actor, approval ref, old/new version refs, validation checks, audit action, result, and next due date. - Live rotation remains approval-gated; initial work may define non-destructive evidence format. - id: OPS-PROD-SECRETS-PKI-ROTATION-EVIDENCE-IMPLEMENTATION-001 title: Implement secrets PKI rotation evidence read model kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-secrets-pki owning_layer: secrets-pki-readmodels source_paths: - doc/operations/Secrets_PKI_Rotation_Evidence_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - packages/platform/secrets - doc/operations/evidence/secrets_key_ops.md target_paths: - doc/api - cmd/api - doc/operations - scripts/ops - packages/web/src/components/v3 - .fairway/artifacts review_domains: - ops - security - architecture risk_level: high migration_type: secrets-pki-rotation-evidence-implementation depends_on: - OPS-PROD-SECRETS-PKI-ROTATION-EVIDENCE-001 acceptance_checks: - OpenAPI and generated artifacts expose the rotation evidence contract. - Projection returns purpose, actor, approval ref, version refs, validation checks, audit action, result, next due date, and evidence links. - Live rotation remains approval-gated; endpoint and scripts do not execute live rotation. - Tests cover authorization, required filters, result classification, missing audit evidence, missing validation evidence, grace exceptions, pagination, and secret/provider-output redaction. - id: OPS-PROD-SECRETS-PKI-BREAKGLASS-EVIDENCE-001 title: Define secrets PKI break-glass evidence read model kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-secrets-pki owning_layer: secrets-pki-readmodels source_paths: - doc/operations/Secrets_PKI_Ops_Read_Model_Gap_Map_v1.md - doc/operations/runbooks/Vault_Bootstrap_and_Root_Token_Runbook.md - doc/operations/evidence/secrets_key_ops.md target_paths: - doc/api - cmd/api - doc/operations - scripts/ops - .fairway/artifacts review_domains: - ops - security - governance - architecture risk_level: high migration_type: secrets-pki-breakglass-evidence depends_on: - OPS-PROD-SECRETS-PKI-OPS-READMODEL-001 acceptance_checks: - Contract exposes approval ref, actor, scope, time window, post-action remediation, and root-token replacement status. - Evidence modeling does not perform live break-glass unless explicit approval exists. - id: OPS-PROD-SECRETS-PKI-BREAKGLASS-EVIDENCE-IMPLEMENTATION-001 title: Implement secrets PKI break-glass evidence read model kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-secrets-pki owning_layer: secrets-pki-readmodels source_paths: - doc/operations/Secrets_PKI_Breakglass_Evidence_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - doc/operations/runbooks/Vault_Bootstrap_and_Root_Token_Runbook.md - doc/operations/evidence/secrets_key_ops.md target_paths: - doc/api - cmd/api - doc/operations - scripts/ops - packages/web/src/components/v3 - .fairway/artifacts review_domains: - ops - security - governance - architecture risk_level: high migration_type: secrets-pki-breakglass-evidence-implementation depends_on: - OPS-PROD-SECRETS-PKI-BREAKGLASS-EVIDENCE-001 acceptance_checks: - OpenAPI and generated artifacts expose the break-glass evidence contract. - Projection returns approval ref, actor, scope, time window, post-action remediation, root-token replacement status, audit link, and evidence links. - Endpoint and scripts do not execute live break-glass unless explicit approval exists. - Tests cover authorization, required filters, open/remediating/closed/overdue classification, missing approval, missing audit, missing remediation, pagination, and root/unseal/token/secret redaction. - id: OPS-PROD-PROVIDER-CONSOLE-BREAKGLASS-001 title: Define provider console break-glass access and evidence expectations kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: provider-console-access source_paths: - doc/operations/SRE_Tool_Access_Matrix_v1.md - doc/operations/runbooks/Provider_VM_Ops_Readiness_Runbook.md - doc/operations/runbooks/Platform_Control_Dev_Cloudflare_Reset_Runbook.md target_paths: - doc/operations - .fairway/artifacts review_domains: - ops - security - governance risk_level: medium migration_type: provider-console-breakglass depends_on: - OPS-PROD-SRE-TOOL-ACCESS-MATRIX-001 acceptance_checks: - Proxmox, MAAS, Cloudflare, DNS, registry-provider, and similar consoles have named break-glass use cases and owner groups. - Provider console changes require runbook evidence, before/after state capture, and follow-up platform read-model gaps where repeated direct access is needed. - No provider console is made a tenant/product self-service surface. - id: OPS-PROD-TOOL-ROUTE-SMOKE-COVERAGE-001 title: Keep direct and disabled SRE tool routes covered by smoke evidence kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: sre-tool-access source_paths: - doc/operations/SRE_Tool_Access_Matrix_v1.md - scripts/ops/platform_proxy_dns_validate.sh - scripts/ops/pomerium_edge_profile_smoke.sh - scripts/ops/platform_proxy_no_legacy_canary.sh target_paths: - scripts/ops - doc/operations - .fairway/artifacts review_domains: - ops - security - frontend risk_level: medium migration_type: sre-tool-route-smoke-coverage depends_on: - OPS-PROD-SRE-TOOL-ACCESS-MATRIX-001 acceptance_checks: - Configured direct UI routes have DNS/TLS/auth smoke coverage. - Disabled tools have profile verification and UI unavailable-state evidence. - Retired legacy paths remain negative-tested for each enabled or disabled platform tool family. - id: OPS-PROD-PROVIDER-CONSOLE-ACCESS-EVIDENCE-001 title: Define provider console access evidence packet kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: provider-console-access source_paths: - doc/operations/Provider_Console_Breakglass_Access_Model_v1.md - doc/operations/SRE_Tool_Access_Matrix_v1.md target_paths: - doc/operations - scripts/ops - .fairway/artifacts review_domains: - ops - security - governance risk_level: medium migration_type: provider-console-evidence depends_on: - OPS-PROD-PROVIDER-CONSOLE-BREAKGLASS-001 acceptance_checks: - Provider-console access evidence fields are represented in a reusable evidence packet or runbook template. - Mutating access records before state, change summary, after state, approval ref, rollback owner, and secret-redaction requirement. - Read-only console use that changes operator decisions has a lightweight evidence path. - id: OPS-PROD-PROVIDER-CAPACITY-READMODEL-GAPS-001 title: Convert recurring provider capacity console checks into read-model gaps kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: provider-readmodels source_paths: - doc/operations/Provider_Console_Breakglass_Access_Model_v1.md - doc/operations/runbooks/Provider_VM_Ops_Readiness_Runbook.md target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - doc/operations - .fairway/artifacts review_domains: - ops - backend - architecture risk_level: medium migration_type: provider-capacity-readmodel-gap-burndown depends_on: - OPS-PROD-PROVIDER-CONSOLE-BREAKGLASS-001 acceptance_checks: - Proxmox and MAAS capacity questions that currently force console/API inspection are mapped to existing surfaces or scoped read-model tasks. - Required fields cover provider id, environment profile, total/free capacity, freshness, source timestamp, and last failed reconciliation. - Console access remains documented as an escape hatch, not the normal capacity planning path. - id: OPS-PROD-PROVIDER-CAPACITY-POOL-SCHEMA-001 title: Normalize provider capacity pool schema kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: provider-readmodels source_paths: - doc/operations/Provider_Capacity_Read_Model_Gap_Map_v1.md - doc/api/openapi.draft.yaml - cmd/api/routes_v3_provider_capacity.go - packages/products/gpuaas/inventory/ - packages/web/src/components/v3/ target_paths: - doc/api - cmd/api - packages/products/gpuaas/inventory - packages/web/src/components/v3 - scripts/ops - .fairway/artifacts review_domains: - backend - ops - architecture risk_level: medium migration_type: provider-capacity-pool-schema depends_on: - OPS-PROD-PROVIDER-CAPACITY-READMODEL-GAPS-001 acceptance_checks: - Capacity pool shape is normalized for Proxmox, MAAS-LXD, and MAAS bare metal with total, used, reserved, free, maintenance, stale, source timestamp, and cleanup safety fields. - Contract, backend validation, generated SDK artifacts, operator smoke, and UI rendering agree on the normalized fields. - Existing flexible raw evidence remains available for provider-specific details without replacing normalized fields. - id: OPS-PROD-PROVIDER-CAPACITY-RECONCILIATION-EVIDENCE-001 title: Expose provider capacity reconciliation failure evidence kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: provider-readmodels source_paths: - doc/operations/Provider_Capacity_Read_Model_Gap_Map_v1.md - cmd/provider-reconciler/main.go - cmd/api/routes_v3_provider_capacity.go - packages/products/gpuaas/inventory/ target_paths: - doc/api - cmd/api - cmd/provider-reconciler - packages/products/gpuaas/inventory - .fairway/artifacts review_domains: - backend - ops - architecture risk_level: medium migration_type: provider-capacity-reconciliation-evidence depends_on: - OPS-PROD-PROVIDER-CAPACITY-READMODEL-GAPS-001 acceptance_checks: - Capacity inventory response exposes last failed reconciliation code, message, timestamp, or canonical provider-resource timeline link. - Provider reconciler records enough sanitized evidence to distinguish auth, network, provider API, capacity, and bootstrap handoff failures. - Operator runbooks no longer require provider-console lookup to classify the last failed capacity refresh. - id: OPS-PROD-PROVIDER-CAPACITY-UI-FRESHNESS-001 title: Render provider capacity freshness and launch policy in platform ops UI kind: release-evidence role: frontend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: provider-readmodels source_paths: - doc/operations/Provider_Capacity_Read_Model_Gap_Map_v1.md - packages/web/src/components/v3/ - packages/web/src/lib/v3/api.ts target_paths: - packages/web/src/components/v3 - packages/web/src/lib/v3 - doc/operations - .fairway/artifacts review_domains: - frontend - ops - architecture risk_level: medium migration_type: provider-capacity-ui-freshness depends_on: - OPS-PROD-PROVIDER-CAPACITY-POOL-SCHEMA-001 - OPS-PROD-PROVIDER-CAPACITY-RECONCILIATION-EVIDENCE-001 acceptance_checks: - Platform ops UI shows observed age, freshness policy, stale launch policy, maintenance mode, disabled SKUs, and degraded capacity behavior. - UI distinguishes launch-blocking stale capacity from ops-only degraded visibility. - Tests cover healthy, stale, maintenance, degraded, disabled-SKU, and last-refresh-failed states. - id: OPS-PROD-CLOUDFLARE-DNS-CHANGE-EVIDENCE-001 title: Define Cloudflare and DNS change evidence gate kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: edge-dns-operations source_paths: - doc/operations/Provider_Console_Breakglass_Access_Model_v1.md - doc/operations/runbooks/Platform_Control_Dev_Cloudflare_Reset_Runbook.md - doc/architecture/Platform_DNS_Cert_Endpoint_Model_v1.md target_paths: - doc/operations - scripts/ops - .fairway/artifacts review_domains: - ops - security - governance risk_level: medium migration_type: cloudflare-dns-change-evidence depends_on: - OPS-PROD-PROVIDER-CONSOLE-BREAKGLASS-001 acceptance_checks: - DNS and Cloudflare mutations require zone/hostname/record identifiers, before resolver output, route smoke, after resolver output, and rollback owner. - Evidence never prints Cloudflare tokens or provider credentials. - Repeated manual DNS/route checks are converted into edge/DNS read-model or smoke follow-ups. - id: OPS-PROD-EDGE-DNS-READMODEL-GAPS-001 title: Convert repeated edge DNS checks into read-model gaps kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: edge-dns-operations source_paths: - doc/operations/Cloudflare_DNS_Change_Evidence_Gate_v1.md - doc/architecture/Platform_DNS_Cert_Endpoint_Model_v1.md - doc/architecture/Platform_Proxy_Provider_Neutral_Edge_Model_v1.md - scripts/ops/pomerium_edge_profile_smoke.sh target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - doc/operations - .fairway/artifacts review_domains: - ops - architecture - security risk_level: medium migration_type: edge-dns-readmodel-gaps depends_on: - OPS-PROD-CLOUDFLARE-DNS-CHANGE-EVIDENCE-001 acceptance_checks: - Repeated manual DNS, TLS, Cloudflare tunnel, Pomerium route, and upstream route checks are mapped to existing platform status surfaces or scoped read-model tasks. - Read-model candidates include hostname, edge profile, resolver result, TLS/cert posture, Pomerium route state, tunnel/ingress state, upstream status, observed timestamp, and last failed route reconciliation. - Cloudflare-specific implementation remains environment automation, not product contract. - id: OPS-PROD-EDGE-ROUTE-SMOKE-EVIDENCE-001 title: Standardize edge route smoke evidence across profiles kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: edge-dns-operations source_paths: - doc/operations/Cloudflare_DNS_Change_Evidence_Gate_v1.md - scripts/ops/pomerium_edge_profile_smoke.sh - scripts/ops/pre_uat_user_safe_error_gate.sh - doc/architecture/Platform_Proxy_Provider_Neutral_Edge_Model_v1.md target_paths: - scripts/ops - scripts/ci - doc/operations - .fairway/artifacts review_domains: - ops - security - governance risk_level: medium migration_type: edge-route-smoke-evidence depends_on: - OPS-PROD-CLOUDFLARE-DNS-CHANGE-EVIDENCE-001 acceptance_checks: - Resolver, TLS, Pomerium, upstream, branded-error, and rollback smoke evidence is standardized for kind Cloudflare, local DNS, public ingress, private ingress, and air-gapped profiles where applicable. - Failure output includes hostname, edge profile, last HTTP status, edge request ID or Ray ID when available, and next operator action. - Smoke evidence is token-safe and does not require printing Cloudflare or DNS provider credentials. - id: OPS-PROD-TEMPORAL-UI-OPS-ACCESS-001 title: Decide and wire Temporal UI as an ops-only Pomerium surface or disable the link kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: sre-tool-access source_paths: - infra/k8s/base/infra/temporal.yaml - infra/k8s/base/infra/ingress.yaml - infra/k8s/overlays/dev-control-rke2/patches/infra-ingress-dev-control-rke2.yaml - infra/k8s/overlays/demo-rke2/patches/infra-ingress-demo.yaml - infra/k8s/overlays/dev-control-rke2/configmap.yaml - infra/k8s/overlays/demo-rke2/configmap.yaml - scripts/ci/dev_control_rke2_release_env.sh - scripts/ci/demo_rke2_release_env.sh - scripts/ops/env_profiles.json - scripts/ops/platform_proxy_dns_validate.sh - scripts/ops/pomerium_edge_profile_smoke.sh - scripts/ci/temporal_ui_ops_access_guard.sh - doc/operations/Temporal_UI_Ops_Access_Decision_v1.md - cmd/api/routes_v3_readmodels_platform.go - packages/web/src/shared/observability/links.ts - packages/web/src/components/v3/v3-platform-pages.tsx target_paths: - infra/k8s - scripts/ops - scripts/ci - doc/operations - .fairway/artifacts - cmd/api - packages/web/src/components/v3 review_domains: - ops - security - frontend - backend - architecture risk_level: medium migration_type: temporal-ui-ops-access depends_on: - OPS-PROD-SRE-TOOL-ACCESS-MATRIX-001 - PSSM-PROD-C14-POMERIUM-CONSOLIDATION-SWEEP-001 - PSSM-PROD-C9-RELEASE-PROFILE-GATES-001 acceptance_checks: - Decision artifact states whether Temporal UI remains directly exposed to ops or is disabled until platform workflow APIs/read models cover the use case. - If enabled, Temporal UI is protected by the Pomerium host-route model with DNS/TLS/auth smoke evidence for dev/demo and no reliance on legacy /backend/p/temporal. - If disabled, NEXT_PUBLIC_TEMPORAL_UI_BASE_URL is empty for affected profiles and /platform/ops renders Temporal unavailable instead of a dead link. - Smoke coverage verifies Temporal UI host reachability or explicit disabled state, and profile verification fails on unresolved configured Temporal hosts. - Follow-up API/read-model tasks are created for common SRE needs such as workflow search, retry history, stuck activity diagnosis, and schedule status if Temporal UI is only a temporary operator escape hatch. - id: OPS-PROD-TEMPORAL-WORKFLOW-READMODEL-GAPS-001 title: Convert Temporal UI escape-hatch needs into platform workflow read models kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: temporal-ops-readmodels source_paths: - doc/operations/Temporal_UI_Ops_Access_Decision_v1.md - doc/operations/SRE_Tool_Access_Matrix_v1.md - cmd/api/temporal.go - cmd/api/routes_v3_readmodels_platform.go - packages/web/src/components/v3/v3-platform-pages.tsx target_paths: - doc/operations - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - ops - backend - frontend - architecture risk_level: medium migration_type: temporal-workflow-readmodel-gap-burndown depends_on: - OPS-PROD-TEMPORAL-UI-OPS-ACCESS-001 - SEC-ARCH-TEMPORAL-SEARCH-ATTRIBUTE-REGISTRY-001 acceptance_checks: - Workflow search, retry history, stuck activity diagnosis, and schedule status operator questions are mapped to existing platform surfaces or scoped read-model follow-up tasks. - Temporal UI remains documented as an escape hatch, not the first operator path. - Production enablement remains approval-gated until read-model gaps and route controls have security/ops review. - id: OPS-PROD-TEMPORAL-WORKFLOW-SEARCH-READMODEL-001 title: Define Temporal workflow search read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: temporal-ops-readmodels source_paths: - doc/operations/Temporal_Workflow_Read_Model_Gap_Map_v1.md - doc/operations/Temporal_Workflow_Search_Read_Model_Contract_v1.md - doc/operations/Temporal_Search_Attribute_Registry.md - cmd/api/routes_v3_readmodels_platform.go - cmd/api/temporal.go target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - architecture - security risk_level: medium migration_type: temporal-workflow-search-readmodel depends_on: - OPS-PROD-TEMPORAL-WORKFLOW-READMODEL-GAPS-001 acceptance_checks: - Workflow search contract covers family, workflow ID, run ID, org/project, allocation, node, actor, correlation ID, and status filters. - Implementation uses persisted product/platform records and safe memo/static-summary metadata before relying on Temporal search attributes. - Response excludes raw payloads, credentials, tokens, secrets, private diagnostics, and payment references. - id: OPS-PROD-TEMPORAL-WORKFLOW-SEARCH-IMPLEMENTATION-001 title: Implement Temporal workflow search read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: temporal-ops-readmodels source_paths: - doc/operations/Temporal_Workflow_Search_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - cmd/api/routes_v3_readmodels_platform.go - cmd/api/temporal.go target_paths: - doc/api/openapi/domains/v3-read-models.yaml - doc/api/openapi.draft.yaml - packages/web/src/lib/gen/openapi.types.ts - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - frontend - ops - security - architecture risk_level: high migration_type: temporal-workflow-search-readmodel-implementation depends_on: - OPS-PROD-TEMPORAL-WORKFLOW-SEARCH-READMODEL-001 acceptance_checks: - OpenAPI is updated and generated artifacts are current before handler implementation. - Handler requires platform.ops.read and rejects broad unfiltered searches. - Initial implementation uses product/platform records and safe workflow metadata, not live Temporal SearchAttributes. - Tests cover authorization, empty-filter rejection, all supported filters, pagination, and excluded-field redaction. - id: OPS-PROD-TEMPORAL-RETRY-HISTORY-READMODEL-001 title: Define Temporal retry and rerun history read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: temporal-ops-readmodels source_paths: - doc/operations/Temporal_Workflow_Read_Model_Gap_Map_v1.md - doc/operations/Temporal_Retry_History_Read_Model_Contract_v1.md - packages/platform/maas - packages/platform/adminops - cmd/api/routes_v3_readmodels_platform.go target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - architecture risk_level: medium migration_type: temporal-retry-history-readmodel depends_on: - OPS-PROD-TEMPORAL-WORKFLOW-SEARCH-READMODEL-001 acceptance_checks: - Retry history contract exposes attempts, reruns, resume-from-stage, prior workflow IDs/runs, actor, reason, result, and timestamps. - MAAS onboarding/decommission and node-agent lifecycle are the first covered workflow families. - Retry history is derived from product records, audit logs, and safe workflow metadata instead of direct database edits or raw Temporal payloads. - id: OPS-PROD-TEMPORAL-RETRY-HISTORY-IMPLEMENTATION-001 title: Implement Temporal retry history read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: temporal-ops-readmodels source_paths: - doc/operations/Temporal_Retry_History_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - packages/platform/maas - packages/platform/adminops - cmd/api/routes_v3_readmodels_platform.go target_paths: - doc/api/openapi/domains/v3-read-models.yaml - doc/api/openapi.draft.yaml - packages/web/src/lib/gen/openapi.types.ts - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - frontend - ops - architecture risk_level: high migration_type: temporal-retry-history-readmodel-implementation depends_on: - OPS-PROD-TEMPORAL-RETRY-HISTORY-READMODEL-001 acceptance_checks: - OpenAPI is updated and generated artifacts are current before handler implementation. - MAAS onboarding/decommission and node-agent lifecycle are the first covered workflow families. - Tests cover authorization, missing workflow, family mismatch, pagination, superseded attempts, and excluded-field redaction. - id: OPS-PROD-TEMPORAL-SCHEDULE-STATUS-READMODEL-001 title: Generalize Temporal schedule status read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: temporal-ops-readmodels source_paths: - doc/operations/Temporal_Workflow_Read_Model_Gap_Map_v1.md - doc/operations/Temporal_Schedule_Status_Read_Model_Contract_v1.md - cmd/api/temporal.go - packages/platform/maas target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - architecture risk_level: medium migration_type: temporal-schedule-status-readmodel depends_on: - OPS-PROD-TEMPORAL-WORKFLOW-SEARCH-READMODEL-001 acceptance_checks: - Schedule status contract covers present, paused, next action, missed catch-up, skipped overlap, recent runs, and error state. - Existing MAAS reconciliation schedule status is mapped as the first implementation source. - Production live Temporal schedule inspection remains approval-gated until non-prod evidence exists. - id: OPS-PROD-TEMPORAL-SCHEDULE-STATUS-IMPLEMENTATION-001 title: Implement Temporal schedule status read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: temporal-ops-readmodels source_paths: - doc/operations/Temporal_Schedule_Status_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - cmd/api/temporal.go - cmd/api/routes_v3_readmodels_platform.go - packages/platform/maas target_paths: - doc/api/openapi/domains/v3-read-models.yaml - doc/api/openapi.draft.yaml - packages/web/src/lib/gen/openapi.types.ts - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - frontend - ops - architecture risk_level: high migration_type: temporal-schedule-status-readmodel-implementation depends_on: - OPS-PROD-TEMPORAL-SCHEDULE-STATUS-READMODEL-001 acceptance_checks: - OpenAPI is updated and generated artifacts are current before handler implementation. - Existing MAAS reconciliation schedule status is exposed as the first implementation source. - Tests cover authorization, schedule missing, schedule paused, engine unavailable, engine error, and environment-profile expected-disabled cases. - id: OPS-PROD-TEMPORAL-STUCK-ACTIVITY-READMODEL-001 title: Define Temporal stuck activity diagnostic read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: temporal-ops-readmodels source_paths: - doc/operations/Temporal_Workflow_Read_Model_Gap_Map_v1.md - doc/operations/Temporal_Stuck_Activity_Read_Model_Contract_v1.md - cmd/api/temporal.go - packages/platform/maas - packages/products/appplatform/runtime target_paths: - doc/api - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - ops - architecture - security risk_level: medium migration_type: temporal-stuck-activity-readmodel depends_on: - OPS-PROD-TEMPORAL-WORKFLOW-SEARCH-READMODEL-001 acceptance_checks: - Diagnostic contract identifies workflow family, activity name, last heartbeat/update age, retry state, owner domain, and next operator action. - Contract starts from product/runtime evidence and excludes raw activity payloads. - Live Temporal activity inspection is proven in non-production before any production dependency is introduced. - id: OPS-PROD-TEMPORAL-STUCK-ACTIVITY-IMPLEMENTATION-001 title: Implement Temporal stuck activity diagnostic read model kind: release-evidence role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: temporal-ops-readmodels source_paths: - doc/operations/Temporal_Stuck_Activity_Read_Model_Contract_v1.md - doc/api/openapi/domains/v3-read-models.yaml - cmd/api/temporal.go - cmd/api/routes_v3_readmodels_platform.go - packages/platform/maas - packages/products/appplatform/runtime target_paths: - doc/api/openapi/domains/v3-read-models.yaml - doc/api/openapi.draft.yaml - packages/web/src/lib/gen/openapi.types.ts - cmd/api - packages/web/src/components/v3 - .fairway/artifacts review_domains: - backend - frontend - ops - architecture - security risk_level: high migration_type: temporal-stuck-activity-readmodel-implementation depends_on: - OPS-PROD-TEMPORAL-STUCK-ACTIVITY-READMODEL-001 acceptance_checks: - OpenAPI is updated and generated artifacts are current before handler implementation. - MAAS onboarding/decommission are the first implemented families using product records and events. - Tests cover authorization, age threshold filtering, retryable failure, manual intervention, waiting external dependency, unknown classification, pagination, and excluded-field redaction. - id: OPS-PROD-READINESS-BACKLOG title: Execute operational production readiness backlog kind: epic role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-operations owning_layer: production-readiness source_paths: - doc/architecture/Production_Deployment_Readiness_v1.md - doc/operations/Production_Platform_Baseline.md - doc/operations/Parallel_Ops_Track.md - doc/operations/Enterprise_Readiness_Gap_Work_Plan_v1.md - doc/operations/Platform_Control_CI_CD_Target_Model_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Frontend_Contract_v1.md target_paths: - doc/operations - doc/operations/evidence - doc/operations/runbooks - scripts/ops - scripts/ci - infra/k8s - .fairway/artifacts review_domains: - ops - security - governance - architecture - backend - frontend tags: - program:production-readiness - program:stabilization - surface:ops - gate:readiness - work-type:backlog risk_level: high migration_type: operational-production-readiness depends_on: - PSSM-PROD-C0-PLAN-001 - PSSM-PROD-C7-STATUS-EVIDENCE-MATURITY-001 - PSSM-PROD-C9-RELEASE-PROFILE-GATES-001 acceptance_checks: - Production readiness operational controls are tracked as ops-owned tasks with evidence, not left as architecture-document observations. - Each P0/P1 operational gap from `Production_Deployment_Readiness_v1.md` is mapped to a Fairway task, existing task, or explicit deferred/non-goal entry. - Public-launch readiness separates code changes, infra/config changes, runbooks, drills, evidence, and approval gates. - Status/Ops surfaces receive readiness evidence for deployed-image freshness, database operations, backup/restore, Kubernetes baseline, IAM/Keycloak posture, observability, secrets/certs, environment parity, and incident posture. - id: PSSM-STABILIZATION-FIRST-EXIT-GATE-001 title: Gate new feature work on post-PSSM stabilization exit criteria kind: release-evidence role: orchestrator profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-foundation owning_layer: stabilization-governance source_paths: - .fairway/platform-foundation-implementation-track.yaml - doc/operations/Fairway_Agent_Operating_Model.md - doc/operations/Parallel_Ops_Track.md - doc/architecture/Production_Deployment_Readiness_v1.md - .fairway/artifacts/pssm-post-uat-retrospective-2026-06-04.md - .fairway/artifacts/pssm-uat-readiness-code-sweep-2026-06-04.md target_paths: - .fairway/artifacts - doc/operations - scripts/ci - scripts/ops review_domains: - ops - governance - architecture - backend - frontend - security risk_level: high migration_type: stabilization-first-exit-gate depends_on: - PSSM-UAT-READINESS-GATES - PROD-STRESS-READINESS-HARNESS - OPS-PROD-READINESS-BACKLOG acceptance_checks: - New product feature tracks are not started while UAT readiness, production stress readiness, or operational readiness have open launch-blocking gaps without owner-approved exception. - Stabilization exit report classifies remaining work as launch blocker, confidence hardening, future scale hardening, or explicitly deferred non-goal. - Required pre-UAT gates, stress evidence, and ops readiness evidence are linked from one Fairway artifact before new feature planning resumes. - Any exception to start a new feature records owner, reason, blast radius, expiry, and rollback/stabilization impact. - id: FAIRWAY-PROVIDER-SESSION-LIFECYCLE-VALIDATION-001 title: Validate external provider session lifecycle across tmux, Claude, Codex, and provider events kind: boundary-guard role: governance profile: platform-foundation parent_id: PSSM-STABILIZATION-FIRST-EXIT-GATE-001 owning_domain: platform-foundation owning_layer: fairway-orchestration source_paths: - doc/operations/Fairway_Agent_Operating_Model.md - ../fairway/examples/session-adapters/provider-event.sh - ../fairway/examples/session-adapters/tmux.sh - ../fairway/docs/agent-guide.md - ../fairway/docs/design/session-launch.md target_paths: - doc/operations/Fairway_Agent_Operating_Model.md - .fairway/artifacts - ../fairway/examples/session-adapters - ../fairway/docs review_domains: - governance - ops - architecture risk_level: medium migration_type: fairway-provider-session-validation depends_on: - PSSM-STABILIZATION-FIRST-EXIT-GATE-001 acceptance_checks: - Validation matrix covers tmux plus `claude -p`, tmux plus interactive Claude, tmux plus Codex CLI, Codex thread provider sessions, and shell fallback sessions. - Provider-specific command-line flags and transcript behavior are documented, including buffered-output modes where transcript files may stay empty until completion. - Provider-event lifecycle checkpoints are validated for started, running/heartbeat, waiting on approval/input, stale/no-progress, failed, and completed states. - Completed provider work no longer leaves active Fairway session rows marked `running`; adapter, docs, or operator runbook covers `session end` and `session reconcile` behavior. - Liveness checks use process or provider-session state plus provider events, not transcript byte growth alone. - id: OPS-PROD-READINESS-MAP-001 title: Map production readiness gaps to executable ops tasks kind: architecture-map role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: readiness-planning source_paths: - doc/architecture/Production_Deployment_Readiness_v1.md - doc/operations/Production_Platform_Baseline.md - doc/operations/Parallel_Ops_Track.md - doc/operations/Enterprise_Readiness_Gap_Work_Plan_v1.md target_paths: - doc/operations/Parallel_Ops_Track.md - doc/operations/evidence - .fairway/artifacts review_domains: - ops - architecture - governance - security risk_level: high migration_type: production-readiness-gap-map depends_on: - OPS-PROD-READINESS-BACKLOG acceptance_checks: - Readiness map classifies every P0/P1 item as operational control, code change, platform-service contract, external provider dependency, or deferred production-scaling item. - Existing PSSM, security, UAT, and ops tasks are linked before new tasks are added. - Launch blockers have owners, environment profile, evidence artifact, target date or dependency, and pass/fail/waiver criteria. - id: OPS-PROD-DATA-RESILIENCE-001 title: Operationalize database backup restore and DR readiness kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: data-resilience source_paths: - doc/architecture/Production_Deployment_Readiness_v1.md - doc/operations/Parallel_Ops_Track.md - doc/operations/evidence/backup_restore_dr.md - doc/operations/evidence/backup_restore_rehearsal_report.md - scripts/ops/backup_restore_smoke.sh - doc/architecture/db_schema_v1.sql target_paths: - doc/operations/evidence - doc/operations/runbooks - scripts/ops - scripts/ci review_domains: - ops - security - governance risk_level: high migration_type: backup-restore-dr-readiness depends_on: - OPS-PROD-READINESS-MAP-001 acceptance_checks: - Automated backup schedule, retention, restore command, and ownership are documented for target environment profiles. - Restore drill evidence includes measured RTO/RPO, restored schema/table posture, and failure remediation. - Production launch remains blocked unless backup/restore evidence is current or an explicit owner-approved risk exception exists. - id: OPS-PROD-DATABASE-OPERATIONS-001 title: Operationalize database migration HA pooling and runtime readiness kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: database-operations source_paths: - doc/architecture/Production_Deployment_Readiness_v1.md - doc/architecture/Schema_Migration_Plan.md - doc/architecture/db_schema_v1.sql - scripts/ci - scripts/ops - infra/k8s target_paths: - doc/operations - doc/operations/evidence - doc/operations/runbooks - scripts/ci - scripts/ops - infra/k8s review_domains: - ops - backend - governance - security risk_level: high migration_type: database-operations-readiness depends_on: - OPS-PROD-READINESS-MAP-001 - OPS-PROD-DATA-RESILIENCE-001 acceptance_checks: - Production database path has migration versioning, dry-run/apply evidence, rollback posture, and schema drift detection before application deploy. - HA/replication posture, failover approach, connection pooling, pool limits, and saturation alerts are documented with target profile evidence. - Status/Ops evidence reports database migration state, backup freshness, connection-pool posture, and replication/failover posture. - Any deferred database HA or pooling item has explicit owner-approved risk acceptance, expiry, and follow-up task. - id: OPS-PROD-K8S-RUNTIME-BASELINE-001 title: Operationalize Kubernetes runtime HA resource and policy baseline kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: kubernetes-runtime-baseline source_paths: - doc/architecture/Production_Deployment_Readiness_v1.md - doc/operations/Production_Platform_Baseline.md - infra/k8s - scripts/ci - scripts/ops target_paths: - infra/k8s - scripts/ci - scripts/ops - doc/operations - doc/operations/evidence review_domains: - ops - security - backend - governance risk_level: high migration_type: kubernetes-runtime-baseline-readiness depends_on: - OPS-PROD-READINESS-MAP-001 - OPS-PROD-EDGE-NETWORK-SECURITY-001 - OPS-PROD-ENV-PARITY-STAGING-001 acceptance_checks: - Runtime baseline covers control-plane topology, worker redundancy, resource requests/limits, PodDisruptionBudgets, probes, restart budgets, NetworkPolicies, and HPA/scale posture for critical deployments. - Production profile cannot promote manifests with missing required requests/limits, readiness/liveness probes, or approved network-policy exceptions. - Status/Ops evidence reports workload replica health, restart posture, resource pressure, policy coverage, and any approved single-node or no-HPA exception. - id: OPS-FIX-K8S-CRITICAL-RESOURCES-PROBES-001 title: Add critical deployment resource and probe baseline kind: task role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: kubernetes-runtime-baseline source_paths: - infra/k8s/base/core - infra/k8s/overlays/dev-control-rke2 - infra/k8s/overlays/demo-rke2 - scripts/ci/k8s_runtime_baseline_gate.sh target_paths: - infra/k8s - .fairway/artifacts review_domains: - ops - backend - security risk_level: high migration_type: k8s-critical-resources-probes depends_on: - OPS-PROD-K8S-RUNTIME-BASELINE-001 acceptance_checks: - Critical control-plane deployments define CPU/memory requests and limits. - Critical worker/reconciler deployments define readiness and liveness probes or explicit approved exceptions. - K8s runtime baseline gate blocker count decreases for resource/probe findings. - id: OPS-FIX-K8S-PDB-COVERAGE-001 title: Add PodDisruptionBudget coverage for critical services kind: task role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: kubernetes-runtime-baseline source_paths: - infra/k8s/base/core - infra/k8s/overlays/dev-control-rke2 - infra/k8s/overlays/demo-rke2 - scripts/ci/k8s_runtime_baseline_gate.sh target_paths: - infra/k8s - .fairway/artifacts review_domains: - ops - backend risk_level: high migration_type: k8s-pdb-coverage depends_on: - OPS-PROD-K8S-RUNTIME-BASELINE-001 - OPS-FIX-K8S-CRITICAL-RESOURCES-PROBES-001 acceptance_checks: - Critical API, web, terminal, worker, relay, and reconciler deployments have PodDisruptionBudgets or explicit no-PDB exceptions. - PDB policy is compatible with current replica counts and rollout behavior. - K8s runtime baseline gate blocker count decreases for PDB findings. - id: OPS-FIX-K8S-WORKER-HEALTH-ENDPOINTS-001 title: Add first-class health endpoints for worker and reconciler binaries kind: task role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: kubernetes-runtime-baseline source_paths: - cmd/provisioning-worker - cmd/app-runtime-worker - cmd/outbox-relay - cmd/notification-relay - cmd/proxy-runtime-reconciler - infra/k8s/base/core - scripts/ci/k8s_runtime_baseline_gate.sh target_paths: - cmd/provisioning-worker - cmd/app-runtime-worker - cmd/outbox-relay - cmd/notification-relay - cmd/proxy-runtime-reconciler - infra/k8s/base/core - .fairway/artifacts review_domains: - backend - ops risk_level: high migration_type: worker-health-endpoints depends_on: - OPS-FIX-K8S-CRITICAL-RESOURCES-PROBES-001 acceptance_checks: - Worker and reconciler binaries expose lightweight readiness and liveness endpoints or an equivalent first-class health surface. - Kubernetes manifests replace approved probe exceptions with real readiness and liveness probes. - K8s runtime baseline gate continues to pass resource/probe checks without probe exceptions for these deployments. - id: CI-FIX-K8S-RUNTIME-GATE-KUBECTL-OPTIONAL-001 title: Keep generic CI smoke green when kubectl is unavailable kind: task role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: ci-smoke source_paths: - scripts/ci/ci_script_smoke.sh - scripts/ci/k8s_runtime_baseline_gate.sh target_paths: - scripts/ci/ci_script_smoke.sh - .fairway/artifacts review_domains: - ops - governance risk_level: medium migration_type: ci-k8s-gate-runner-prereq depends_on: - OPS-PROD-K8S-RUNTIME-BASELINE-001 acceptance_checks: - Generic CI smoke syntax-checks the K8s runtime baseline gate. - Generic CI smoke skips render-based K8s gate execution when kubectl is not installed. - Deployment/ops jobs can still run the K8s runtime baseline gate in report or strict mode where kubectl is available. - id: OPS-FIX-K8S-NETWORKPOLICY-BASELINE-001 title: Add default-deny and allow-list NetworkPolicy baseline kind: task role: security profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: kubernetes-runtime-baseline source_paths: - doc/operations/evidence/network_policy_baseline.yaml - infra/k8s/base - infra/k8s/overlays/dev-control-rke2 - infra/k8s/overlays/demo-rke2 - scripts/ci/k8s_runtime_baseline_gate.sh target_paths: - infra/k8s - doc/operations/evidence - .fairway/artifacts review_domains: - security - ops - backend risk_level: high migration_type: k8s-networkpolicy-baseline depends_on: - OPS-PROD-K8S-RUNTIME-BASELINE-001 acceptance_checks: - Namespaces have default-deny NetworkPolicies. - Required east/west flows are represented as explicit allow-list policies. - Current network policy evidence uses live namespace names gpuaas-core, gpuaas-infra, and gpuaas-observability. - K8s runtime baseline gate no longer reports missing NetworkPolicy coverage. - id: OPS-FIX-K8S-HPA-POSTURE-001 title: Define HPA or approved no-HPA posture for critical services kind: task role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: kubernetes-runtime-baseline source_paths: - infra/k8s/base/core - infra/k8s/overlays/dev-control-rke2 - infra/k8s/overlays/demo-rke2 - scripts/ci/k8s_runtime_baseline_gate.sh target_paths: - infra/k8s - .fairway/artifacts review_domains: - ops - backend risk_level: medium migration_type: k8s-hpa-posture depends_on: - OPS-PROD-K8S-RUNTIME-BASELINE-001 - OPS-FIX-K8S-CRITICAL-RESOURCES-PROBES-001 acceptance_checks: - API, terminal gateway, and stream/runtime-heavy services have HPA definitions or explicit no-HPA exceptions. - HPA metrics are compatible with requests/limits and metrics-server availability. - Status/Ops evidence reports HPA coverage and exceptions. - id: OPS-FIX-K8S-PROD-TOPOLOGY-WAIVER-001 title: Document production topology target or approved single-node waiver kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: kubernetes-runtime-baseline source_paths: - doc/architecture/Production_Deployment_Readiness_v1.md - doc/operations/Reproducible_Environment_Automation_v1.md - doc/operations/env-automation target_paths: - doc/operations - .fairway/artifacts review_domains: - ops - security - architecture risk_level: high migration_type: k8s-production-topology-waiver depends_on: - OPS-PROD-K8S-RUNTIME-BASELINE-001 acceptance_checks: - Production topology target states control-plane node count, worker redundancy, ingress/LB HA, and failure-domain assumptions. - Any single-node pilot profile has explicit waiver, expiry, owner, and non-production/customer-impact constraints. - Status/Ops evidence can report whether a target environment matches the topology target or is operating under waiver. - id: OPS-PROD-EDGE-NETWORK-SECURITY-001 title: Operationalize public edge network and ingress security readiness kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: edge-network-security source_paths: - doc/architecture/Production_Deployment_Readiness_v1.md - doc/operations/Production_Platform_Baseline.md - doc/operations/runbooks/Pomerium_Host_Proxy_Incident_Runbook.md - doc/operations/runbooks/Edge_And_App_Error_Presentation_Runbook.md - infra/k8s - cmd/api - cmd/terminal-gateway target_paths: - doc/operations - doc/operations/runbooks - infra/k8s - scripts/ops - scripts/ci review_domains: - ops - security - backend - frontend - architecture risk_level: high migration_type: edge-network-security-readiness depends_on: - OPS-PROD-READINESS-MAP-001 - PSSM-PROD-C14-POMERIUM-CONSOLIDATION-SWEEP-001 - PSSM-PROD-C17-EDGE-ERROR-PRESENTATION-GATE-001 acceptance_checks: - Edge readiness covers DNS, TLS, WAF/rate-limit policy, request-size/time limits, CORS/origin policy, public/internal ingress separation, and WebSocket limits. - Code-owned middleware gaps are linked to backend/frontend tasks rather than silently absorbed by ops runbooks. - Smoke evidence proves user-safe errors and operator-visible correlation/request IDs for representative edge and upstream failure classes. - id: OPS-PROD-CERT-MANAGER-LIFECYCLE-001 title: Operationalize cert-manager and certificate lifecycle readiness kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: certificate-lifecycle source_paths: - doc/architecture/Production_Deployment_Readiness_v1.md - doc/architecture/Cert_Manager_Integration_v1.md - doc/architecture/Platform_DNS_Cert_Endpoint_Model_v1.md - doc/architecture/Platform_Proxy_Host_Routing_DNS_TLS_v1.md - doc/operations/Reproducible_Environment_Automation_v1.md - scripts/ops/platform_proxy_dns_validate.sh - scripts/ops/platform_proxy_dns_render_secret.sh - scripts/ops/cert_expiry_check.sh - infra/k8s/base/platform-proxy target_paths: - doc/operations - doc/operations/evidence - doc/operations/runbooks - scripts/ops - scripts/ci - infra/k8s review_domains: - ops - security - architecture - governance risk_level: high migration_type: cert-manager-certificate-lifecycle-readiness depends_on: - OPS-PROD-READINESS-MAP-001 - OPS-PROD-EDGE-NETWORK-SECURITY-001 - OPS-PROD-SECRETS-PKI-ROTATION-001 acceptance_checks: - Environment profiles state when cert-manager is required, which issuer is used, and which profiles intentionally use a private or manually supplied certificate path. - Public ingress certificate evidence covers ClusterIssuer/Issuer readiness, certificate Ready state, expiry window, renewal mailbox, DNS-01/token custody, and rollback. - cert-manager remains scoped to Kubernetes/edge certificate lifecycle and is not treated as the node-agent PKI recovery mechanism. - Status/Ops evidence reports certificate freshness and renewal failures before launch or promotion. - id: OPS-PROD-CERT-MANAGER-LIVE-EVIDENCE-001 title: Capture live cert-manager issuer and certificate readiness evidence kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-CERT-MANAGER-LIFECYCLE-001 owning_domain: platform-operations owning_layer: certificate-lifecycle source_paths: - scripts/ci/cert_manager_lifecycle_readiness.sh - scripts/ops/platform_proxy_dns_validate.sh - scripts/ops/platform_proxy_dns_render_secret.sh - scripts/ops/platform_proxy_dns_rollback.sh - infra/k8s/base/platform-proxy target_paths: - doc/operations/evidence - .fairway/artifacts review_domains: - ops - security - architecture tags: - program:production-readiness - surface:cert-manager - gate:live-evidence - work-type:ops-evidence risk_level: high migration_type: cert-manager-live-evidence depends_on: - OPS-PROD-CERT-MANAGER-LIFECYCLE-001 acceptance_checks: - Live ClusterIssuer or Issuer JSON evidence is captured from the target public-ingress environment without printing DNS provider tokens. - Live Certificate JSON evidence proves Ready=True, expiry window, secret names, and renewal status for platform, apps, and authn certificate surfaces. - The strict cert-manager lifecycle readiness gate passes with the live evidence and is attached to the deploy or launch readiness record. - id: OPS-PROD-CODE-CORS-MIDDLEWARE-001 title: Add production CORS and WebSocket origin enforcement kind: bug role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: edge-network-security source_paths: - cmd/api - cmd/terminal-gateway - doc/architecture/Production_Deployment_Readiness_v1.md - .fairway/artifacts/ops-prod-readiness-map-2026-06-04.md target_paths: - cmd/api - cmd/terminal-gateway - scripts/ci - .fairway/artifacts review_domains: - backend - security - ops risk_level: high migration_type: production-edge-code-hardening depends_on: - OPS-PROD-READINESS-MAP-001 - OPS-PROD-EDGE-NETWORK-SECURITY-001 acceptance_checks: - API CORS middleware restricts origins, methods, and headers by environment profile. - Terminal gateway WebSocket origin checks no longer accept every origin. - Regression coverage proves allowed and denied origins for HTTP and WebSocket paths. - Failure responses remain product-owned and include correlation/request evidence where applicable. - id: OPS-PROD-CODE-HTTP-SERVER-HARDENING-001 title: Add HTTP server timeout and request body limit hardening kind: bug role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: edge-network-security source_paths: - cmd/api - doc/architecture/Production_Deployment_Readiness_v1.md - .fairway/artifacts/ops-prod-readiness-map-2026-06-04.md target_paths: - cmd/api - scripts/ci - .fairway/artifacts review_domains: - backend - security - ops risk_level: high migration_type: production-http-server-hardening depends_on: - OPS-PROD-READINESS-MAP-001 - OPS-PROD-EDGE-NETWORK-SECURITY-001 acceptance_checks: - API server sets explicit read, write, idle, and header timeouts. - Request body size limits protect unauthenticated and authenticated JSON endpoints without breaking documented upload paths. - Regression or smoke coverage proves oversize request handling returns a controlled error. - The production readiness map links this code-owned gap to executable evidence. - id: OPS-PROD-CODE-WS-CONNECTION-LIMITS-001 title: Add terminal WebSocket connection limits and idle timeout kind: bug role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: terminal-edge-security source_paths: - cmd/terminal-gateway - cmd/api - doc/architecture/Production_Deployment_Readiness_v1.md - .fairway/artifacts/ops-prod-readiness-map-2026-06-04.md target_paths: - cmd/terminal-gateway - scripts/ops - scripts/ci - .fairway/artifacts review_domains: - backend - ops - security risk_level: medium migration_type: production-terminal-ws-hardening depends_on: - OPS-PROD-READINESS-MAP-001 - OPS-PROD-CODE-CORS-MIDDLEWARE-001 acceptance_checks: - Terminal gateway enforces per-user or per-allocation WebSocket connection limits. - Idle sessions close with controlled status and audit/evidence where appropriate. - Regression or smoke coverage proves limit, idle-timeout, and normal session behavior. - Limits are configurable by policy or environment profile and do not hardcode production constants. - id: OPS-PROD-CODE-TERMINAL-DRAIN-POLICY-001 title: Implement terminal gateway drain-before-kill shutdown policy kind: bug role: backend profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: terminal-runtime-operations source_paths: - cmd/terminal-gateway - infra/k8s - doc/architecture/Production_Deployment_Readiness_v1.md - .fairway/artifacts/ops-prod-readiness-map-2026-06-04.md target_paths: - cmd/terminal-gateway - infra/k8s - scripts/ops - .fairway/artifacts review_domains: - backend - ops risk_level: medium migration_type: production-terminal-drain-policy depends_on: - OPS-PROD-READINESS-MAP-001 - OPS-PROD-CODE-WS-CONNECTION-LIMITS-001 acceptance_checks: - Terminal gateway handles SIGTERM by refusing new sessions, draining active sessions, and exiting before SIGKILL. - Kubernetes termination grace period and probes align with the drain window. - Evidence proves pod restart or deploy does not silently sever terminal sessions without controlled close behavior. - Runbook states operator expectations for active terminal sessions during deploy and rollback. - id: OPS-PROD-GITOPS-ADOPTION-DECISION-001 title: Decide ArgoCD or Flux adoption path for production deployment control kind: architecture-map role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: deployment-control source_paths: - doc/architecture/Production_Deployment_Readiness_v1.md - doc/architecture/Next_Environment_Release_and_GitOps_Model_v1.md - doc/operations/Platform_Control_CI_CD_Target_Model_v1.md - doc/operations/Platform_Control_CI_CD_Multi_Environment_Model_v1.md - doc/governance/Platform_Control_Release_Promotion_Policy.md - scripts/ci/platform_control_deploy.sh - scripts/ci/platform_control_release_conformance.sh - infra/k8s target_paths: - doc/operations - doc/governance - doc/operations/GitOps_Adoption_Decision_v1.md - scripts/ci - infra/k8s - .fairway/artifacts review_domains: - ops - governance - security - architecture risk_level: high migration_type: gitops-deployment-control-decision depends_on: - OPS-PROD-READINESS-MAP-001 - OPS-PROD-RELEASE-RUNTIME-PARITY-001 - OPS-PROD-ENV-PARITY-STAGING-001 acceptance_checks: - "Decision packet compares ArgoCD and Flux for platform-control needs: desired-state reconciliation, drift visibility, approvals, rollback, secret integration, image digest handling, and evidence export." - Current deploy-script release hardening is mapped to the GitOps model so image freshness, rendered config validation, smoke, and status evidence are not lost. - Recommendation classifies GitOps as launch blocker, confidence hardening, or future scale hardening with explicit trigger criteria. - No GitOps migration starts until release/runtime parity and environment profile gates have a stable evidence source. - id: OPS-PROD-RELEASE-RUNTIME-PARITY-001 title: Make deployed image freshness and release parity an ops status gate kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: release-runtime-parity source_paths: - doc/architecture/Production_Deployment_Readiness_v1.md - scripts/ci/platform_control_release_conformance.sh - scripts/ci/platform_control_node_agent_version_conformance.sh - scripts/ci/platform_status_snapshot.sh - .fairway/artifacts/pssm-uat-readiness-code-sweep-2026-06-04.md target_paths: - scripts/ci - scripts/ops - packages/platform/statusops - doc/operations/evidence - .fairway/artifacts review_domains: - ops - governance - backend - architecture risk_level: high migration_type: release-runtime-parity-status-gate depends_on: - OPS-PROD-READINESS-MAP-001 - PSSM-UAT-PREDEPLOY-SERVICE-FRESHNESS-GATE-001 - PSSM-PROD-C7-STATUS-EVIDENCE-MATURITY-001 acceptance_checks: - Release/runtime parity gate reports expected versus actual image ref, digest, git SHA, ready replicas, node-agent package version, and checked_at for touched services. - Stale service evidence blocks UAT/release before expensive validation starts. - The same evidence is ingested or exported as Status/Ops component-status data for the operator status page. - id: OPS-PROD-OBSERVABILITY-ONCALL-001 title: Complete observability alerting runbooks and on-call readiness evidence kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: observability-oncall source_paths: - doc/operations/Parallel_Ops_Track.md - doc/operations/Observability_Baseline.md - doc/operations/SRE_Runbook_Index.md - doc/operations/evidence/slo_alert_pack.md - doc/operations/evidence/runbooks_oncall_readiness.md - scripts/ops/observability_smoke.sh - scripts/ci/platform_status_snapshot.sh target_paths: - doc/operations/evidence - doc/operations/runbooks - scripts/ops - scripts/ci review_domains: - ops - governance - security risk_level: high migration_type: observability-oncall-readiness depends_on: - OPS-PROD-READINESS-MAP-001 - PSSM-PROD-C7-STATUS-EVIDENCE-MATURITY-001 - PSSM-PROD-C13-ERROR-OBSERVABILITY-AUDIT-GATE-001 acceptance_checks: - Alert destinations, SLO alerts, queue/worker/billing/webhook alerts, and escalation paths have evidence and owner. - Runbook index covers API, queue/outbox, billing, provisioning, app runtime, terminal, edge, database, Keycloak/IAM, and provider failures. - Status/Ops evidence identifies missing alert destinations, stale runbooks, failed smoke checks, and drill gaps. - id: OPS-PROD-SECRETS-PKI-ROTATION-001 title: Complete secrets PKI and runtime trust operations readiness kind: release-evidence role: security profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-security owning_layer: secrets-pki-operations source_paths: - doc/operations/Parallel_Ops_Track.md - doc/operations/Production_Platform_Baseline.md - doc/architecture/platform-foundation/Secrets_PKI_Runtime_Trust_Model_v1.md - doc/architecture/PKI_Spec.md - doc/operations/evidence/secrets_key_ops.md - doc/operations/evidence/east_west_security_certs.md - scripts/ops/cert_expiry_check.sh target_paths: - doc/operations/evidence - doc/operations/runbooks - scripts/ops - scripts/ci - infra/k8s review_domains: - security - ops - backend - architecture tags: - program:production-readiness - program:security-review - surface:secrets-pki - gate:readiness - work-type:ops-readiness risk_level: high migration_type: secrets-pki-operations-readiness depends_on: - OPS-PROD-READINESS-MAP-001 - PSSM-PROD-C2-CREDENTIAL-CUSTODY-001 - PSSM-PROD-C18-NODE-AGENT-RECOVERY-UPDATE-BOUNDARY-001 acceptance_checks: - Runtime secrets, API/service-account credentials, OIDC/Keycloak secrets, node-agent trust material, and certs have custody, rotation, revocation, expiry alerting, and break-glass procedures. - Placeholder/bootstrap trust material cannot pass release/profile gates. - Status/Ops evidence reports cert freshness, secret rotation posture, and unresolved high-risk custody gaps. - id: OPS-PROD-SECRETS-PKI-RUNTIME-TRUST-GATE-001 title: Add secrets PKI runtime trust posture gate kind: release-evidence role: security profile: platform-foundation parent_id: OPS-PROD-SECRETS-PKI-ROTATION-001 owning_domain: platform-security owning_layer: secrets-pki-operations source_paths: - doc/architecture/platform-foundation/Secrets_PKI_Runtime_Trust_Model_v1.md - doc/operations/evidence/secrets_key_ops.md - doc/operations/evidence/east_west_security_certs.md - scripts/ci/platform_status_snapshot.sh target_paths: - scripts/ci/secrets_pki_runtime_trust_gate.sh - scripts/ci/ci_script_smoke.sh - doc/operations/evidence/secrets_key_ops.md - doc/operations/evidence/east_west_security_certs.md - .fairway/artifacts/ops-prod-secrets-pki-rotation-20260605 review_domains: - security - ops - architecture risk_level: high migration_type: secrets-pki-release-gate acceptance_checks: - A CI-safe gate validates runtime cert freshness, renewal failures, secret age, rotation failures, grace exceptions, and unresolved bootstrap trust placeholders without printing secret values. - Strict mode fails when posture metrics are missing, unhealthy, rendered/release artifacts are unavailable, or unresolved bootstrap trust placeholders are detected. - Gate evidence maps to Status/Ops `runtime-cert-rotation`, `secret-rotation`, and `placeholder-bootstrap-trust` components. - id: OPS-PROD-SECRETS-PKI-CUSTODY-EVIDENCE-001 title: Capture production secrets custody and expiry evidence kind: release-evidence role: security profile: platform-foundation parent_id: OPS-PROD-SECRETS-PKI-ROTATION-001 owning_domain: platform-security owning_layer: secrets-pki-operations source_paths: - doc/architecture/platform-foundation/Secrets_PKI_Runtime_Trust_Model_v1.md - doc/operations/evidence/secrets_key_ops.md target_paths: - doc/operations/evidence - scripts/ops - scripts/ci review_domains: - security - ops - architecture risk_level: high migration_type: secrets-custody-evidence depends_on: - OPS-PROD-SECRETS-PKI-RUNTIME-TRUST-GATE-001 acceptance_checks: - Runtime secrets, API/service-account credentials, OIDC/Keycloak secrets, node-agent trust material, and certs have a current custody owner, backend system, rotation cadence, expiry, and evidence link. - Evidence is sanitized and does not expose secret values. - Status/Ops can distinguish unknown custody evidence from healthy rotation posture. - id: OPS-PROD-SECRETS-PKI-LIVE-ROTATION-DRILL-001 title: Run approval-gated secrets PKI live rotation drill kind: release-evidence role: security profile: platform-foundation parent_id: OPS-PROD-SECRETS-PKI-ROTATION-001 owning_domain: platform-security owning_layer: secrets-pki-operations source_paths: - doc/operations/runbooks/Key_Rotation_and_Compromise_Response_Runbook.md - doc/operations/runbooks/JWKS_Compromise_Breakglass_Runbook.md - doc/architecture/platform-foundation/Secrets_PKI_Runtime_Trust_Model_v1.md target_paths: - doc/operations/evidence - scripts/ops review_domains: - security - ops - architecture tags: - program:production-readiness - program:security-review - surface:secrets-pki - gate:approval-required - work-type:drill risk_level: critical migration_type: live-secret-rotation-drill depends_on: - OPS-PROD-SECRETS-PKI-CUSTODY-EVIDENCE-001 acceptance_checks: - Drill scope, target environment, rollback path, and customer/runtime blast radius are approved before live rotation. - Rotation, revocation, expiry alerting, rollback, and post-rotation status evidence are captured without exposing secrets. - Any live-prod action has explicit approval evidence before execution. - id: OPS-PROD-SECRETS-PKI-BREAKGLASS-DRILL-001 title: Validate secrets PKI break-glass and compromise response kind: release-evidence role: security profile: platform-foundation parent_id: OPS-PROD-SECRETS-PKI-ROTATION-001 owning_domain: platform-security owning_layer: secrets-pki-operations source_paths: - doc/operations/runbooks/Key_Rotation_and_Compromise_Response_Runbook.md - doc/operations/runbooks/Vault_Bootstrap_and_Root_Token_Runbook.md - doc/operations/runbooks/JWKS_Compromise_Breakglass_Runbook.md target_paths: - doc/operations/evidence - doc/operations/runbooks review_domains: - security - ops - architecture tags: - program:production-readiness - program:security-review - surface:secrets-pki - gate:approval-required - work-type:drill risk_level: critical migration_type: breakglass-drill depends_on: - OPS-PROD-SECRETS-PKI-CUSTODY-EVIDENCE-001 acceptance_checks: - Break-glass access, audit trail, revocation, and recovery steps are exercised or explicitly waived with expiry. - Root-token/unseal or managed secret-store equivalent procedures have sanitized evidence. - Status/Ops reports unresolved break-glass and custody gaps as non-healthy until evidence exists. - id: OPS-PROD-IAM-KEYCLOAK-HA-001 title: Operationalize Keycloak IAM HA drift and recovery readiness kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-security owning_layer: iam-runtime-operations source_paths: - doc/architecture/Production_Deployment_Readiness_v1.md - doc/architecture/Unified_IAM_and_Billing_Across_Products_v1.md - doc/operations/Production_Platform_Baseline.md - doc/operations/local-dev/keycloak - infra/k8s - scripts/ops target_paths: - doc/operations - doc/operations/evidence - doc/operations/runbooks - scripts/ops - scripts/ci - infra/k8s review_domains: - ops - security - governance - backend risk_level: high migration_type: keycloak-iam-runtime-readiness depends_on: - OPS-PROD-READINESS-MAP-001 - OPS-PROD-SECRETS-PKI-ROTATION-001 - IAM-MFA-EPIC acceptance_checks: - IAM runtime posture covers Keycloak HA or managed-IdP decision, realm configuration drift detection, backup/export, restore, break-glass admin, and token/JWKS outage behavior. - Production profile cannot rely on one-time realm import or single-instance Keycloak without explicit risk acceptance and expiry. - Status/Ops evidence reports IdP health, JWKS freshness, realm drift posture, MFA enforcement posture, and recovery drill evidence. - id: OPS-PROD-ENV-PARITY-STAGING-001 title: Establish staging and environment parity readiness gates kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: platform-operations owning_layer: environment-parity source_paths: - doc/architecture/Production_Deployment_Readiness_v1.md - doc/operations/Platform_Control_CI_CD_Multi_Environment_Model_v1.md - doc/operations/Platform_Control_CI_CD_Target_Model_v1.md - doc/operations/Environment_Promotion_Policy.md - scripts/ops/env_profile_verify.sh - scripts/ops/env_profiles.json target_paths: - doc/operations - scripts/ops - scripts/ci - .fairway/artifacts review_domains: - ops - governance - security - architecture risk_level: high migration_type: environment-parity-staging-readiness depends_on: - OPS-PROD-READINESS-MAP-001 - PSSM-PROD-C9-RELEASE-PROFILE-GATES-001 acceptance_checks: - Staging/profile readiness defines required host, DNS/TLS, registry, secrets, database, observability, backup, and provider prerequisites. - Environment diff evidence separates approved profile differences from drift. - Production-impacting promotion requires staging or approved production-like evidence with the same image digests and config class. - id: OPS-STAGING-TWO-NODE-REPEATABLE-SETUP-001 title: Build repeatable two-node staging setup kind: boundary-guard role: ops profile: platform-foundation parent_id: OPS-PROD-ENV-PARITY-STAGING-001 owning_domain: platform-operations owning_layer: environment-automation source_paths: - doc/operations/env-automation - doc/operations/Platform_Control_CI_CD_Multi_Environment_Model_v1.md - doc/operations/Kubernetes_Runtime_Topology_Target_v1.md - scripts/ops - infra target_paths: - doc/operations/env-automation/environments/staging - scripts/ops - infra - .fairway/artifacts review_domains: - ops - architecture - security tags: - program:environment-parity - environment:staging - work-type:env-automation - topology:two-node risk_level: high migration_type: staging-two-node-repeatable-setup depends_on: - OPS-PROD-ENV-PARITY-STAGING-001 acceptance_checks: - Staging setup is config-driven and can create/recreate a two-node profile without laptop-specific paths. - Runbook names node inventory, DNS/TLS, registry, secrets, Keycloak/IAM, storage, observability, backup, and rollback prerequisites. - Setup evidence includes a dry-run or non-destructive plan, then a successful applied run with Kubernetes readiness and service-version readback. - The profile is reusable for production-like validation and does not depend on demo-only shortcuts. - id: OPS-DEMO-FRESH-ENV-SUPPORTED-APPS-UAT-001 title: Create fresh demo environment with supported apps and UAT kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-ENV-PARITY-STAGING-001 owning_domain: product-operations owning_layer: demo-environment source_paths: - doc/operations/env-automation/environments/demo/runbook.md - doc/operations/Demo_UAT_Package_v1.md - doc/operations/Demo_UAT_Flow_Coverage_Matrix_v1.md - scripts/ops/demo_uat_package.sh - scripts/ops/demo_supported_app_matrix.sh - scripts/ops target_paths: - doc/operations/env-automation/environments/demo - doc/operations/Demo_UAT_Package_v1.md - doc/operations/Demo_UAT_Flow_Coverage_Matrix_v1.md - scripts/ops - .fairway/artifacts review_domains: - ops - product-quality tags: - program:demo-readiness - environment:demo - work-type:env-automation - work-type:uat risk_level: high migration_type: demo-fresh-env-supported-apps-uat acceptance_checks: - Demo environment can be freshly created or rebuilt from documented config and runbooks. - Supported app catalog is seeded or installed through repeatable scripts, not manual browser-only setup. - Demo UAT proves login, platform navigation, app catalog, supported app launch/connect paths, terminal/API smoke where applicable, and cleanup. - Demo handoff document names URL, personas, supported apps, known gaps, reset/cleanup procedure, and evidence artifact locations. - id: V3-NAMESPACE-RETIREMENT title: Retire v3 namespace from canonical product and API paths kind: epic role: orchestrator profile: platform-foundation parent_id: PLATFORM-FOUNDATION-OWNERSHIP owning_domain: platform-foundation owning_layer: architecture source_paths: - doc/product/V3_Migration_Execution_Tracker_v1.md - doc/product/V3_V1_Retirement_Guardrails_v1.md - doc/product/V3_Cutover_Route_Map_v1.md - doc/api/openapi/domains/v3-read-models.yaml - packages/web/src/lib/v3/api.ts - packages/web/src/lib/cutover/route-map.ts target_paths: - doc/architecture/API_Route_Modularization_and_V1_Freeze_v1.md - doc/api/openapi/domains/ - cmd/api - packages/web review_domains: - architecture - backend - frontend - product - security - governance risk_level: high migration_type: namespace-retirement depends_on: - PLATFORM-FOUNDATION-OWNERSHIP - PF-EVIDENCE-FRONTEND-001 - FRONTEND-BOUNDARY-GUARD-001 acceptance_checks: - Canonical user-visible paths do not require a v3 prefix. - Backend API namespace retirement is contract-first and keeps a documented compatibility window. - Old v3 paths are either redirected, aliased, or explicitly retained as temporary compatibility endpoints with removal criteria. - Internal naming cleanup happens after path and contract behavior is stable. - id: V3-NAMESPACE-INVENTORY-001 title: Inventory remaining v3 namespace usage kind: architecture-map role: architecture profile: platform-foundation parent_id: V3-NAMESPACE-RETIREMENT owning_domain: platform-foundation owning_layer: architecture source_paths: - doc - cmd/api - packages/web - packages target_paths: - doc/architecture/platform-foundation/ownership-maps/v3-namespace-inventory.md review_domains: - architecture - frontend - backend risk_level: medium migration_type: namespace-inventory depends_on: - V3-NAMESPACE-RETIREMENT acceptance_checks: - Inventory separates user-visible routes, backend API paths, generated contract names, code symbols, test IDs, query keys, and historical docs. - Inventory marks each finding as rename now, alias first, retain as compatibility, or historical reference. - id: V3-NAMESPACE-SCOPE-001 title: Decide namespace retirement scope and compatibility policy kind: architecture-map role: architecture profile: platform-foundation parent_id: V3-NAMESPACE-RETIREMENT owning_domain: platform-foundation owning_layer: architecture source_paths: - doc/architecture/platform-foundation/ownership-maps/v3-namespace-inventory.md - doc/product/V3_V1_Retirement_Guardrails_v1.md - doc/architecture/API_Domain_Authoring_Model_v1.md - doc/architecture/API_Route_Modularization_and_V1_Freeze_v1.md target_paths: - doc/architecture/platform-foundation/V3_Namespace_Retirement_Plan_v1.md review_domains: - architecture - product - security - governance risk_level: high migration_type: namespace-plan depends_on: - V3-NAMESPACE-INVENTORY-001 acceptance_checks: - Plan states whether this phase covers frontend paths only, backend API paths, internal code symbols, or all three. - Plan defines redirect/alias behavior, deprecation window, telemetry expectations, and rollback posture. - Plan avoids breaking bookmarked UI routes, API clients, UAT automation, or generated SDK consumers. - id: V3-NAMESPACE-FRONTEND-001 title: Remove v3 from canonical frontend navigation and redirects kind: frontend-contract role: frontend profile: platform-foundation parent_id: V3-NAMESPACE-RETIREMENT owning_domain: platform-foundation owning_layer: frontend source_paths: - packages/web/app - packages/web/src/lib/cutover/route-map.ts - packages/web/src/lib/session/session.ts - packages/web/src/components/v3 target_paths: - packages/web/app - packages/web/src/lib/cutover/route-map.ts - packages/web/src/lib/session/session.ts review_domains: - frontend - product risk_level: medium migration_type: frontend-route-cutover depends_on: - V3-NAMESPACE-SCOPE-001 acceptance_checks: - Canonical navigation and redirects land on non-v3 product paths. - Retired /v3 frontend paths still redirect to canonical paths during the compatibility window. - Frontend tests cover root, login next targets, and representative product/platform routes. - id: V3-NAMESPACE-API-ALIAS-001 title: Add non-v3 API aliases before client cutover kind: facade role: backend profile: platform-foundation parent_id: V3-NAMESPACE-RETIREMENT owning_domain: platform-foundation owning_layer: routes source_paths: - doc/api/openapi/domains/v3-read-models.yaml - doc/api/openapi.draft.yaml - cmd/api - packages/platform - packages/products target_paths: - doc/api/openapi/domains/ - cmd/api review_domains: - architecture - backend - security risk_level: high migration_type: api-route-alias depends_on: - V3-NAMESPACE-SCOPE-001 acceptance_checks: - Non-v3 API paths are added contract-first before frontend client cutover. - Existing /api/v1/v3 paths continue to work as aliases or documented compatibility routes. - Route ownership and OpenAPI operation naming avoid introducing another temporary namespace. - id: V3-NAMESPACE-CLIENT-CUTOVER-001 title: Cut frontend API client to canonical non-v3 API paths kind: frontend-contract role: frontend profile: platform-foundation parent_id: V3-NAMESPACE-RETIREMENT owning_domain: platform-foundation owning_layer: frontend source_paths: - packages/web/src/lib/v3/api.ts - packages/web/src/components/v3 - packages/web/app target_paths: - packages/web/src/lib - packages/web/src/components - packages/web/app review_domains: - frontend - backend risk_level: high migration_type: frontend-api-cutover depends_on: - V3-NAMESPACE-API-ALIAS-001 acceptance_checks: - Frontend API calls use canonical non-v3 paths once backend aliases exist. - Query keys and component/test identifiers are renamed only where it improves long-term clarity and does not hide compatibility behavior. - UAT and product-shell smoke tests pass against canonical paths. - id: V3-NAMESPACE-COMPAT-GUARD-001 title: Add compatibility and namespace regression guards kind: boundary-guard role: governance profile: platform-foundation parent_id: V3-NAMESPACE-RETIREMENT owning_domain: platform-foundation owning_layer: guard source_paths: - packages/web - cmd/api - doc/api - scripts/ci target_paths: - scripts/ci - doc/architecture/platform-foundation/V3_Namespace_Retirement_Plan_v1.md review_domains: - governance - frontend - backend - architecture risk_level: medium migration_type: namespace-guard depends_on: - V3-NAMESPACE-FRONTEND-001 - V3-NAMESPACE-CLIENT-CUTOVER-001 acceptance_checks: - CI/report-only guard identifies new canonical product paths that reintroduce /v3. - Compatibility tests prove selected old /v3 routes and /api/v1/v3 routes redirect or alias as planned. - Guard has graduation criteria before compatibility routes are removed. - id: DOCS-PSSM-ARCHIVE-AND-PORTAL-REFRESH title: Archive superseded docs and refresh portal after PSSM/Fairway reshuffle kind: epic role: architecture profile: platform-foundation parent_id: PLATFORM-FOUNDATION-OWNERSHIP owning_domain: platform-foundation owning_layer: documentation source_paths: - doc - packages/docs/docs - packages/docs/static/portal/source-doc-inventory.json - .fairway/platform-foundation-implementation-track.yaml - .fairway/platform-foundation-config.toml target_paths: - doc/architecture/platform-foundation/Documentation_Archive_And_Portal_Refresh_Plan_v1.md - doc/architecture/platform-foundation/Documentation_Source_Of_Truth_Map_v1.md - doc/archive - packages/docs/docs - packages/docs/static/portal review_domains: - architecture - governance - ops - product - frontend risk_level: high migration_type: documentation-archive-portal-refresh depends_on: - PSSM-PRODUCTION-COMPLETION-BACKLOG - V3-NAMESPACE-RETIREMENT acceptance_checks: - Docs cleanup runs before broad Docusaurus portal refresh. - PSSM, Fairway, platform proxy, v3 UX, terminal, metrics/observability, and future-state docs are classified for current, migration, future, superseded, or historical use. - Superseded or historical docs are archived or labeled with replacement pointers before portal pages link to current material. - Portal refresh passes docs-portal-check and does not expose stale docs as current source of truth. - id: DOCS-PSSM-INVENTORY-001 title: Inventory docs impacted by PSSM, Fairway, and major iteration history kind: architecture-map role: architecture profile: platform-foundation parent_id: DOCS-PSSM-ARCHIVE-AND-PORTAL-REFRESH owning_domain: platform-foundation owning_layer: documentation source_paths: - doc - packages/docs/docs - packages/docs/static/portal/source-doc-inventory.json - .fairway target_paths: - .fairway/artifacts/docs-pssm-inventory.yaml - doc/architecture/platform-foundation/Documentation_Archive_And_Portal_Refresh_Plan_v1.md review_domains: - architecture - governance - ops risk_level: medium migration_type: docs-inventory depends_on: - DOCS-PSSM-ARCHIVE-AND-PORTAL-REFRESH acceptance_checks: - Inventory covers platform-foundation/PSSM, Fairway/governance queues, platform proxy/edge, v3 UX/routes, terminal/node access, metrics/observability/evidence, release ops, provider/provisioning, and product onboarding. - Inventory separates canonical docs, generated artifacts, portal pages, runbooks, historical reports, and future-state proposals. - Inventory identifies docs currently exposed through Docusaurus source_docs. - id: DOCS-PSSM-CLASSIFY-001 title: Classify current, migration, future, superseded, and portal-blocked docs kind: architecture-map role: architecture profile: platform-foundation parent_id: DOCS-PSSM-ARCHIVE-AND-PORTAL-REFRESH owning_domain: platform-foundation owning_layer: documentation source_paths: - .fairway/artifacts/docs-pssm-inventory.yaml - doc/architecture/platform-foundation/Documentation_Archive_And_Portal_Refresh_Plan_v1.md target_paths: - .fairway/artifacts/docs-pssm-classification.yaml review_domains: - architecture - governance - product - ops risk_level: high migration_type: docs-classification depends_on: - DOCS-PSSM-INVENTORY-001 acceptance_checks: - Each reviewed doc is classified as canonical-current, implementation-current, migration-state, future-state, superseded, historical-reference, portal-current, or portal-blocked. - Classification records replacement document or owner for every superseded or portal-blocked item. - Future-state docs are clearly separated from current implementation authority. - id: DOCS-PSSM-ARCHIVE-SUPERSEDED-001 title: Archive or label superseded and historical docs with replacement pointers kind: architecture-map role: governance profile: platform-foundation parent_id: DOCS-PSSM-ARCHIVE-AND-PORTAL-REFRESH owning_domain: platform-foundation owning_layer: documentation source_paths: - .fairway/artifacts/docs-pssm-classification.yaml - doc target_paths: - doc/archive - doc/architecture/platform-foundation - doc/governance - doc/operations - doc/product review_domains: - governance - architecture - ops - product risk_level: high migration_type: docs-archive depends_on: - DOCS-PSSM-CLASSIFY-001 acceptance_checks: - Superseded docs are moved to archive or labeled with a superseded header and replacement pointer. - Historical docs retain useful decision context without presenting as current operational guidance. - Archive index records reason, replacement, owner, and date for each moved document. - id: DOCS-PSSM-SOURCE-OF-TRUTH-MAP-001 title: Publish current source-of-truth map for architecture and operations kind: architecture-map role: architecture profile: platform-foundation parent_id: DOCS-PSSM-ARCHIVE-AND-PORTAL-REFRESH owning_domain: platform-foundation owning_layer: documentation source_paths: - .fairway/artifacts/docs-pssm-classification.yaml - doc/architecture/platform-foundation/Documentation_Archive_And_Portal_Refresh_Plan_v1.md - doc/architecture/platform-foundation - doc/operations - doc/governance target_paths: - doc/architecture/platform-foundation/Documentation_Source_Of_Truth_Map_v1.md - doc/README.md review_domains: - architecture - governance - ops - product risk_level: medium migration_type: docs-source-of-truth-map depends_on: - DOCS-PSSM-ARCHIVE-SUPERSEDED-001 acceptance_checks: - Map identifies current source of truth for PSSM, Fairway, IAM/billing hierarchy, product onboarding, proxy/edge, v3 namespace, terminal, metrics/observability, release/evidence, and provider/provisioning. - doc/README.md no longer points to retired execution queues or superseded docs as active authority. - Map distinguishes current behavior from migration and future-state documents. - id: DOCS-PSSM-PORTAL-REFRESH-001 title: Refresh Docusaurus portal from current source-of-truth map kind: architecture-map role: frontend profile: platform-foundation parent_id: DOCS-PSSM-ARCHIVE-AND-PORTAL-REFRESH owning_domain: docs-portal owning_layer: docusaurus source_paths: - doc/architecture/platform-foundation/Documentation_Source_Of_Truth_Map_v1.md - packages/docs/docs - packages/docs/sidebars.ts - packages/docs/scripts target_paths: - packages/docs/docs - packages/docs/sidebars.ts - packages/docs/static/portal review_domains: - frontend - architecture - product - ops - governance risk_level: medium migration_type: docusaurus-portal-refresh depends_on: - DOCS-PSSM-SOURCE-OF-TRUTH-MAP-001 acceptance_checks: - Portal pages summarize current source-of-truth docs and do not present superseded docs as current. - Portal roadmaps clearly label future-state and migration-state material. - make docs-portal-check passes after source inventory and contract sync. - id: DOCS-PORTAL-COMPLETION-EPIC title: Complete Docusaurus documentation portal for production readiness kind: epic role: architecture profile: platform-foundation parent_id: PLATFORM-FOUNDATION-OWNERSHIP owning_domain: docs-portal owning_layer: docusaurus source_paths: - packages/docs/ - doc/ - .fairway/platform-foundation-implementation-track.yaml target_paths: - packages/docs/docs/ - packages/docs/static/ - packages/docs/sidebars.ts - packages/docs/docusaurus.config.ts - doc/PORTAL_SYNC.md - doc/operations/ - .fairway/artifacts/ review_domains: - architecture - product - frontend - ops - governance - security risk_level: high migration_type: docs-portal-completion depends_on: - DOCS-PSSM-ARCHIVE-AND-PORTAL-REFRESH acceptance_checks: - Portal is usable as the primary curated entry point for product, user, developer, operator, security, architecture, governance, and agent audiences. - Portal separates public/customer/partner/internal material and does not expose internal-only implementation, secrets, private URLs, or stale historical content as current guidance. - Portal includes enough diagrams, flows, sequence views, and persona paths that readers do not need to inspect raw architecture docs first. - API, SDK, App Platform, release, operations, and production-readiness entry points are current and linked to canonical source docs. - Portal build, source-doc validation, publication-track validation, and link checks run as CI-safe gates. - Deployment path for the portal is documented and ready for Cloudflare/fairway-style static hosting when credentials are provided. - id: DOCS-PORTAL-PERSONA-IA-001 title: Define persona-first portal IA and navigation completion map kind: architecture-map role: architecture profile: platform-foundation parent_id: DOCS-PORTAL-COMPLETION-EPIC owning_domain: docs-portal owning_layer: persona-ia source_paths: - doc/product/ - doc/architecture/platform-foundation/Documentation_Source_Of_Truth_Map_v1.md - packages/docs/docs/ - packages/docs/sidebars.ts target_paths: - packages/docs/docs/start-here/ - packages/docs/docs/external-viewers/ - packages/docs/docs/internal-teams/ - packages/docs/sidebars.ts - .fairway/artifacts/ review_domains: - product - architecture - governance risk_level: medium migration_type: docs-portal-persona-ia depends_on: - DOCS-PORTAL-COMPLETION-EPIC acceptance_checks: - Each primary audience has a first-page path, expected questions, current pages, missing pages, and canonical source docs mapped. - Portal navigation distinguishes external/product-facing pages from internal operator/agent/governance pages. - Sidebar and landing pages prioritize user flows over raw folder mirrors. - Missing pages are converted into child tasks or explicit deferred items. - id: DOCS-PORTAL-CURRENT-CONTENT-REFRESH-001 title: Refresh portal content from current production-readiness source docs kind: architecture-map role: architecture profile: platform-foundation parent_id: DOCS-PORTAL-COMPLETION-EPIC owning_domain: docs-portal owning_layer: content source_paths: - doc/architecture/platform-foundation/ - doc/operations/ - doc/product/ - doc/governance/ - packages/docs/docs/ target_paths: - packages/docs/docs/ - packages/docs/static/portal/ - .fairway/artifacts/ review_domains: - architecture - product - ops - governance risk_level: high migration_type: docs-portal-current-content-refresh depends_on: - DOCS-PORTAL-PERSONA-IA-001 acceptance_checks: - Portal pages reflect current PSSM, IAM/billing hierarchy, App SDK, ops readiness, release, proxy/Pomerium, observability, and Fairway operating model. - Future-state material is labeled as future or roadmap and not presented as current deployed behavior. - Security-sensitive and internal-only material is either omitted from public/customer tracks or clearly scoped to internal audiences. - "`make docs-portal-check` passes after the content refresh." - id: DOCS-PORTAL-DIAGRAMS-FLOWS-001 title: Add portal diagrams flows and sequence views kind: architecture-map role: architecture profile: platform-foundation parent_id: DOCS-PORTAL-COMPLETION-EPIC owning_domain: docs-portal owning_layer: visual-explanation source_paths: - doc/architecture/ - doc/product/ - doc/operations/ - packages/docs/docs/ target_paths: - packages/docs/docs/ - packages/docs/static/img/portal/ - .fairway/artifacts/ review_domains: - architecture - product - frontend risk_level: medium migration_type: docs-portal-diagrams-flows depends_on: - DOCS-PORTAL-PERSONA-IA-001 acceptance_checks: - Portal includes diagrams for platform shared services, org/dept/project hierarchy, usage/billing attribution, IAM/service accounts, App SDK onboarding, release/deploy flow, UAT/stabilization flow, and operator incident flow. - Diagrams are reviewable source artifacts, preferably Mermaid or maintained static assets with source docs. - Sequence views explain at least user login/project context, app launch/connect, usage metering, release promotion, and provider/session coordination. - Visual pages pass portal build and do not create layout or mobile overflow regressions. - id: DOCS-PORTAL-API-SDK-REFERENCE-001 title: Complete API SDK and App Platform portal reference kind: architecture-map role: frontend profile: platform-foundation parent_id: DOCS-PORTAL-COMPLETION-EPIC owning_domain: docs-portal owning_layer: developer-reference source_paths: - doc/api/ - packages/docs/scripts/ - packages/docs/docs/developer-apis/ - packages/docs/docs/build-on-gpuaas/ - packages/products/appplatform/ target_paths: - packages/docs/docs/developer-apis/ - packages/docs/docs/build-on-gpuaas/ - packages/docs/static/api/ - .fairway/artifacts/ review_domains: - frontend - backend - architecture - product risk_level: medium migration_type: docs-portal-api-sdk-reference depends_on: - DOCS-PORTAL-CURRENT-CONTENT-REFRESH-001 acceptance_checks: - REST and AsyncAPI references are generated or linked from committed contracts, not hand-copied fragments. - App SDK pages explain manifest, publish, promote, launch, connect, decommission, examples, and smoke validation paths. - Developer examples do not require reading seed SQL or backend internals to understand supported behavior. - API/SDK pages pass source-doc validation and contract sync. - id: DOCS-PORTAL-PUBLICATION-TRACKS-001 title: Define portal publication tracks and redaction gates kind: boundary-guard role: governance profile: platform-foundation parent_id: DOCS-PORTAL-COMPLETION-EPIC owning_domain: docs-portal owning_layer: publication-governance source_paths: - doc/architecture/platform-foundation/Platform_Registry_Contract_v1.md - doc/architecture/platform-foundation/Notification_Policy_Portal_Surface_Model_v1.md - packages/docs/docs/ - packages/docs/scripts/ target_paths: - packages/docs/docs/portal-roadmap/publication-tracks/ - packages/docs/scripts/ - doc/PORTAL_SYNC.md - .fairway/artifacts/ review_domains: - governance - security - product - ops risk_level: high migration_type: docs-portal-publication-tracks depends_on: - DOCS-PORTAL-CURRENT-CONTENT-REFRESH-001 acceptance_checks: - Portal page metadata supports public, customer, partner, internal, ops, and governance tracks. - Publication check fails when public/customer tracks reference internal-only sources, private URLs, tenant data, secrets, credentials, raw keys, or unsupported future-state claims. - Security and governance review requirements are documented for publication-track changes. - Portal check produces evidence suitable for release and security review. - id: DOCS-PORTAL-CLOUDFLARE-DEPLOYMENT-001 title: Prepare Cloudflare static deployment path for docs portal kind: boundary-guard role: ops profile: platform-foundation parent_id: DOCS-PORTAL-COMPLETION-EPIC owning_domain: docs-portal owning_layer: static-hosting source_paths: - packages/docs/ - scripts/ci/ - doc/operations/ target_paths: - packages/docs/ - scripts/ci/ - doc/operations/ - .fairway/artifacts/ review_domains: - ops - security - governance - frontend risk_level: high migration_type: docs-portal-cloudflare-deploy depends_on: - DOCS-PORTAL-PUBLICATION-TRACKS-001 acceptance_checks: - Deployment model uses static Cloudflare Pages or equivalent static hosting and does not expose the dev host directly. - Required Cloudflare token scopes, zone/account assumptions, DNS target, cache/security settings, and rollback path are documented without storing secrets. - CI or local deploy wrapper builds the portal, validates publication gates, and emits evidence before upload. - Bot/WAF/cache/security posture is documented for the selected portal hostname. - id: DOCS-PORTAL-CONTINUOUS-GATES-001 title: Add continuous portal freshness and quality gates kind: boundary-guard role: governance profile: platform-foundation parent_id: DOCS-PORTAL-COMPLETION-EPIC owning_domain: docs-portal owning_layer: quality-gates source_paths: - packages/docs/scripts/ - scripts/ci/ - doc/operations/ - .gitlab-ci.yml target_paths: - packages/docs/scripts/ - scripts/ci/ - doc/operations/ - .fairway/artifacts/ review_domains: - governance - frontend - architecture - ops risk_level: medium migration_type: docs-portal-continuous-gates depends_on: - DOCS-PORTAL-CURRENT-CONTENT-REFRESH-001 - DOCS-PORTAL-PUBLICATION-TRACKS-001 acceptance_checks: - Portal CI checks include build, source-doc link validation, contract sync, publication-track validation, stale-source detection, and broken-link checks. - Docs-only architecture changes run the portal gate when they affect portal source docs or publication metadata. - Gate output includes actionable file/page/source information and Fairway evidence text. - Documentation defines when portal gate failures are DOC-FIX, HARNESS-FIX, CI-FIX, or publication-blocking governance findings. - id: DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC title: Expand docs portal for current audience handoff and publication closeout kind: epic role: architecture profile: platform-foundation parent_id: PLATFORM-FOUNDATION-OWNERSHIP owning_domain: docs-portal owning_layer: audience-handoff source_paths: - packages/docs/ - doc/ - tmp-ux/gpuaas-program-execution-memory-2026-06-16.md - .fairway/platform-foundation-implementation-track.yaml target_paths: - packages/docs/docs/ - packages/docs/static/ - packages/docs/sidebars.ts - doc/PORTAL_SYNC.md - .fairway/artifacts/ review_domains: - architecture - product-quality - frontend - ops risk_level: medium migration_type: docs-portal-audience-closeout depends_on: - DOCS-PORTAL-COMPLETION-EPIC acceptance_checks: - Portal has explicit current audience paths for product, architecture, security, developers, app/sdk builders, IAM, infra, operations, and end users. - Product-facing pages distinguish current implemented behavior, active queue, roadmap, and competitive context without turning the portal into a second backlog. - User-guide content covers primary user/admin flows and can support screenshot-backed navigation help without exposing internal-only implementation details. - Initial publication/deployment path for the current portal is explicit and does not rely on an ambiguous unfinished hosting model. - id: DOCS-PORTAL-PRODUCT-HANDBACK-001 title: Add product team handoff path to the docs portal kind: architecture-map role: product-quality profile: platform-foundation parent_id: DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC owning_domain: docs-portal owning_layer: product-handoff source_paths: - doc/product/ - packages/docs/docs/product/ - packages/docs/docs/portal-roadmap/ - packages/docs/docs/use-gpuaas/ target_paths: - packages/docs/docs/product/ - packages/docs/docs/portal-roadmap/ - packages/docs/sidebars.ts - .fairway/artifacts/ review_domains: - product-quality - architecture - frontend risk_level: medium migration_type: docs-portal-product-handback depends_on: - DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC acceptance_checks: - Product team has a direct landing path for user flows, competitive context, roadmap, current implemented state, and active queue/backlog interpretation. - Product pages clearly separate current product behavior from future-state roadmap material. - Product-facing pages point to canonical source docs and Fairway-backed execution views without duplicating ownership. - id: DOCS-PORTAL-AUDIENCE-HANDBOOKS-001 title: Add audience handbooks for platform teams and builders kind: architecture-map role: architecture profile: platform-foundation parent_id: DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC owning_domain: docs-portal owning_layer: audience-handbooks source_paths: - doc/architecture/ - doc/operations/ - doc/governance/ - packages/docs/docs/ target_paths: - packages/docs/docs/internal-teams/ - packages/docs/docs/build-on-gpuaas/ - packages/docs/docs/operators/ - packages/docs/docs/security-readiness/ - .fairway/artifacts/ review_domains: - architecture - ops - security - product-quality risk_level: medium migration_type: docs-portal-audience-handbooks depends_on: - DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC acceptance_checks: - Dedicated or clearly routed handbooks exist for architecture, CISO/security, developers, app/sdk developers, IAM, infra, operations, and token-factory/shared-platform builders. - Audience pages answer “how do I use or operate this platform” before forcing readers into raw source docs. - Internal-only versus publication-safe content remains clearly scoped. - id: DOCS-PORTAL-USER-GUIDE-FLOWS-001 title: Build end-user and admin guide flow coverage in the portal kind: architecture-map role: product-quality profile: platform-foundation parent_id: DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC owning_domain: docs-portal owning_layer: user-guide source_paths: - doc/product/ - doc/operations/ - packages/docs/docs/use-gpuaas/ - packages/docs/static/img/portal/ target_paths: - packages/docs/docs/use-gpuaas/ - packages/docs/static/img/portal/ - .fairway/artifacts/ review_domains: - product-quality - frontend - ops risk_level: medium migration_type: docs-portal-user-guide-flows depends_on: - DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC acceptance_checks: - User/admin guide covers primary navigation, launch, access, billing/storage, account/security, troubleshooting, and recovery flows. - Content is flow-oriented and screenshot-ready, with screenshots or image placeholders only where they materially help navigation. - User-guide copy avoids leaking internal implementation details or raw operational prose. - id: DOCS-PORTAL-PUBLISH-PATH-001 title: Make the current docs portal publication path explicit kind: boundary-guard role: ops profile: platform-foundation parent_id: DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC owning_domain: docs-portal owning_layer: publication-path source_paths: - packages/docs/ - scripts/ci/ - doc/operations/ target_paths: - packages/docs/ - scripts/ci/ - doc/operations/ - .fairway/artifacts/ review_domains: - ops - frontend - architecture risk_level: medium migration_type: docs-portal-publish-path depends_on: - DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC acceptance_checks: - "Portal has one explicit current publication path for this iteration: static Cloudflare Pages or a clearly documented authenticated dev-host alternative." - Build, publish, rollback, and persona/visibility assumptions are documented for the chosen first iteration. - The path can be executed without requiring a separate architectural rediscovery step. - id: DOCS-PORTAL-ENGINEERING-SYSTEM-001 title: Document how GPUaaS is built with coding agents and controlled execution kind: architecture-map role: architecture profile: platform-foundation parent_id: DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC owning_domain: docs-portal owning_layer: engineering-system source_paths: - AGENTS.md - doc/operations/Fairway_Agent_Operating_Model.md - doc/operations/Fairway_Review_Operating_Model.md - doc/operations/Shared_Service_Lane_Worktree_Model_v1.md - doc/governance/ - packages/docs/docs/governance-agents/ target_paths: - packages/docs/docs/governance-agents/ - packages/docs/docs/internal-teams/ - packages/docs/sidebars.ts - .fairway/artifacts/ review_domains: - architecture - governance - ops risk_level: medium migration_type: docs-portal-engineering-system depends_on: - DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC acceptance_checks: - Portal explains the delivery system itself, including Fairway, orchestrator/control roles, provider sessions, tmux execution lanes, and durable evidence/checkpoint behavior. - Readers can distinguish durable coordination state from transient provider chat state. - Architecture, governance, and engineering audiences have a reviewable explanation of how AI-assisted delivery is controlled. - id: DOCS-PORTAL-CONTRACT-FIRST-SDLC-001 title: Document contract-first delivery lifecycle and design-before-code model kind: architecture-map role: architecture profile: platform-foundation parent_id: DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC owning_domain: docs-portal owning_layer: contract-first-sdlc source_paths: - AGENTS.md - doc/api/ - doc/product/ - doc/governance/ - packages/docs/docs/architecture/ - packages/docs/docs/developer-apis/ target_paths: - packages/docs/docs/architecture/ - packages/docs/docs/developer-apis/ - packages/docs/docs/product/ - packages/docs/sidebars.ts - .fairway/artifacts/ review_domains: - architecture - governance - product-quality - backend - frontend risk_level: medium migration_type: docs-portal-contract-first-sdlc depends_on: - DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC acceptance_checks: - Portal shows the required lifecycle from UX and flow mapping through contract authoring, codegen, implementation, e2e/UAT, and deploy evidence. - Developers can see why code comes after UX and contract shape rather than treating contracts as generated after the fact. - Product, architecture, and engineering audiences can review the same lifecycle without reading scattered governance docs. - id: DOCS-PORTAL-CI-CD-DELIVERY-SYSTEM-001 title: Document the end-to-end CI/CD and environment promotion system kind: boundary-guard role: ops profile: platform-foundation parent_id: DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC owning_domain: docs-portal owning_layer: ci-cd-delivery source_paths: - scripts/ci/ - Makefile - doc/operations/ - doc/governance/ - packages/docs/docs/operators/ - packages/docs/docs/governance-agents/ target_paths: - packages/docs/docs/operators/ - packages/docs/docs/governance-agents/ - packages/docs/docs/internal-teams/ - packages/docs/sidebars.ts - .fairway/artifacts/ review_domains: - ops - architecture - governance - backend - frontend risk_level: medium migration_type: docs-portal-ci-cd-delivery depends_on: - DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC acceptance_checks: - Portal explains the real CI/CD gate stack, canonical scripts, deploy/readback model, and environment progression across kind, dev, demo, staging, and production-like targets. - Readers can tell which parts of the delivery system already exist versus which remain planned or partial. - The portal makes non-coding engineering work visible as part of the release system rather than burying it in runbooks. - id: DOCS-PORTAL-EVIDENCE-READINESS-MODEL-001 title: Document evidence, readiness, and non-code engineering outputs as first-class work kind: architecture-map role: governance profile: platform-foundation parent_id: DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC owning_domain: docs-portal owning_layer: evidence-readiness source_paths: - doc/governance/ - doc/operations/ - .fairway/artifacts/ - packages/docs/docs/security-readiness/ - packages/docs/docs/governance-agents/ target_paths: - packages/docs/docs/security-readiness/ - packages/docs/docs/governance-agents/ - packages/docs/docs/internal-teams/ - packages/docs/sidebars.ts - .fairway/artifacts/ review_domains: - governance - security - architecture - ops risk_level: medium migration_type: docs-portal-evidence-readiness depends_on: - DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC acceptance_checks: - Portal explains what evidence is collected, what is deliberately excluded, how readiness claims are made, and how release/UAT/security proof fits together. - The portal makes contracts, runbooks, UAT flow coverage, evidence models, and operating-model docs visible as engineering output, not supporting trivia. - Security, architecture, and operations readers can review claim-to-proof posture without reconstructing it from task artifacts alone. - id: DOCS-PORTAL-APP-SDK-PROOF-001 title: Add concrete App SDK proof page with Slurm and RKE2 first-class examples kind: architecture-map role: architecture profile: platform-foundation parent_id: DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC owning_domain: docs-portal owning_layer: app-sdk-proof source_paths: - cmd/slurm-reference-controller/ - cmd/rke2-self-managed-controller/ - doc/architecture/platform-foundation/App_SDK_Readiness_Matrix_v1.md - packages/docs/docs/build-on-gpuaas/ target_paths: - packages/docs/docs/build-on-gpuaas/ - packages/docs/docs/architecture/ - packages/docs/sidebars.ts - .fairway/artifacts/ review_domains: - architecture - app-developer - product-quality risk_level: medium migration_type: docs-portal-app-sdk-proof depends_on: - DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC acceptance_checks: - Portal has a standalone proof page showing how Slurm and RKE2 validate the App SDK and shared-platform composition model. - The page distinguishes platform-owned responsibilities from app-team-owned responsibilities with examples developers can act on. - Builders can understand the runtime, promotion, and evidence path without repo archaeology. - id: DOCS-PORTAL-ARCH-GUARD-CI-ENFORCEMENT-001 title: Add architecture guard and CI enforcement page kind: boundary-guard role: governance profile: platform-foundation parent_id: DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC owning_domain: docs-portal owning_layer: architecture-guard-enforcement source_paths: - AGENTS.md - scripts/ci/ - doc/operations/Platform_Service_Level_CI_CD_Operating_Model_v1.md - doc/operations/Local_Automation_Utility_Layer_v1.md - packages/docs/docs/architecture/ - packages/docs/docs/operators/ target_paths: - packages/docs/docs/architecture/ - packages/docs/docs/operators/ - packages/docs/docs/governance-agents/ - packages/docs/sidebars.ts - .fairway/artifacts/ review_domains: - governance - architecture - ops - backend - frontend risk_level: medium migration_type: docs-portal-architecture-guard-ci depends_on: - DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC acceptance_checks: - Portal explains the major guard families, what each gate proves, and where failures are expected to surface. - Developers and reviewers can map a change to required local/CI gates without relying only on AGENTS.md. - The page makes executable architecture enforcement visible as platform capability, not hidden implementation detail. - id: DOCS-PORTAL-PLATFORM-CAPABILITY-SUMMARY-001 title: Add reviewer-grade platform capability summary and implemented-versus-deferred posture kind: architecture-map role: architecture profile: platform-foundation parent_id: DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC owning_domain: docs-portal owning_layer: capability-summary source_paths: - packages/docs/docs/architecture/ - packages/docs/docs/security-readiness/ - packages/docs/docs/product/ - doc/architecture/platform-foundation/ target_paths: - packages/docs/docs/architecture/ - packages/docs/docs/product/ - packages/docs/docs/security-readiness/ - packages/docs/sidebars.ts - .fairway/artifacts/ review_domains: - architecture - product-quality - security - ops risk_level: medium migration_type: docs-portal-capability-summary depends_on: - DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC acceptance_checks: - Portal has a strong reviewer-first page that separates implemented, production-shaped, partial, deferred, and queue-backed capabilities. - Product, architecture, and security readers can quickly see what is true today without reading many lower-level pages first. - The page links each major capability claim to supporting proof or caution pages. - id: DOCS-PORTAL-VISUAL-DEPTH-001 title: Add missing visual depth for shared-platform, scheduler, runtime, and environment progression pages kind: architecture-map role: architecture profile: platform-foundation parent_id: DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC owning_domain: docs-portal owning_layer: visual-depth source_paths: - packages/docs/docs/architecture/ - packages/docs/docs/build-on-gpuaas/ - packages/docs/docs/operators/ - packages/docs/docs/product/ target_paths: - packages/docs/docs/architecture/ - packages/docs/docs/build-on-gpuaas/ - packages/docs/docs/operators/ - packages/docs/docs/product/ - packages/docs/static/img/portal/ - .fairway/artifacts/ review_domains: - architecture - frontend - product-quality risk_level: medium migration_type: docs-portal-visual-depth depends_on: - DOCS-PORTAL-AUDIENCE-CLOSEOUT-EPIC acceptance_checks: - The portal adds missing diagrams for scheduler/control-plane split, app SDK composition, environment progression, and shared-platform capability shape. - Visuals reduce narrative overload and make the platform easier to review from product, architecture, and operations perspectives. - Added visuals remain Mermaid or maintainable checked-in assets and pass portal build without layout regressions. - id: PSSM-DEV-DEPLOY-CREDENTIAL-HANDOFF-001 title: Restore dev-control CI deploy credential handoff kind: boundary-guard role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-control owning_layer: ci-cd source_paths: - scripts/ci/dev_control_rke2_release_*.sh - scripts/ci/gitlab_pipeline_trigger.sh - .env.gitlab.local - doc/operations/env-automation/environments/dev/runbook.md target_paths: - scripts/ci/dev_control_rke2_release_require_key.sh - GitLab CI/CD variables for release/platform-control review_domains: - ops - security - governance risk_level: high migration_type: deploy-credential-handoff depends_on: - V3-NAMESPACE-COMPAT-GUARD-001 acceptance_checks: - Local dev-control release wrappers refuse to trigger GitLab deploy pipelines when the dev-control-specific key is absent. - GitLab receives DEV_CONTROL_RKE2_SSH_PRIVATE_KEY_B64 or an equivalent file variable for dev-control-rke2 deploy jobs. - API-fast and web-fast dev-control deploy pipelines reach the deploy stage without failing the credential gate. - id: PSSM-CI-FAILURE-CLASSIFIER-404-001 title: Fix platform-control CI failure classifier GitLab API 404 kind: boundary-guard role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-control owning_layer: ci-cd source_paths: - scripts/ci/platform_control_ci_failure_classifier.sh - .gitlab-ci.yml - .env.gitlab.local target_paths: - scripts/ci/platform_control_ci_failure_classifier.sh - scripts/ci - .fairway/artifacts review_domains: - ops - governance risk_level: medium migration_type: ci-post-deploy-classifier-fix depends_on: - PSSM-DEV-DEPLOY-CREDENTIAL-HANDOFF-001 acceptance_checks: - Classifier handles release/platform-control pipeline/job lookup without GitLab API 404. - Classifier emits dist/platform-control-ci-failure-classification.json and .md on failed pipelines. - A post-deploy classifier job succeeds or degrades to an explicit skipped/partial report instead of failing with curl 404. - id: PROD-STRESS-READINESS-HARNESS title: Build production stress readiness harness kind: epic role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-foundation owning_layer: production-readiness source_paths: - doc/architecture/platform-foundation/Production_Stress_Readiness_Harness_v1.md - doc/architecture/platform-foundation/Platform_Release_Profile_Gates_v1.md - doc/governance/Error_Traceability_DNA_Standard.md - doc/operations - scripts/ci - scripts/ops - cmd/api - cmd/*-worker - cmd/terminal-gateway - packages/platform - packages/products - packages/web target_paths: - doc/architecture/platform-foundation/Production_Stress_Readiness_Harness_v1.md - doc/operations - scripts/ci - scripts/ops - packages/web/e2e - .fairway/artifacts review_domains: - ops - backend - frontend - architecture - security - governance risk_level: high migration_type: production-stress-readiness-harness depends_on: - PSSM-PROD-C9-RELEASE-PROFILE-GATES-001 - PSSM-PROD-C13-ERROR-OBSERVABILITY-AUDIT-GATE-001 acceptance_checks: - Production stress readiness plan defines API, mutation, worker/event, terminal/WebSocket, database, failure-injection, and frontend journey stress domains. - Harness outputs release/status evidence with scenario parameters, thresholds, metrics, correlation IDs, failure classification, and pass/block recommendation. - Production readiness cannot be signed off while S1/S2 stress findings remain open. - id: PROD-STRESS-SCENARIOS-001 title: Define production stress scenarios and thresholds kind: architecture-map role: architecture profile: platform-foundation parent_id: PROD-STRESS-READINESS-HARNESS owning_domain: platform-foundation owning_layer: production-readiness source_paths: - doc/architecture/platform-foundation/Production_Stress_Readiness_Harness_v1.md - doc/operations - doc/architecture/platform-foundation/Platform_Release_Profile_Gates_v1.md target_paths: - .fairway/artifacts/prod-stress-scenario-catalog.yaml - doc/architecture/platform-foundation/Production_Stress_Readiness_Harness_v1.md review_domains: - architecture - ops - backend - frontend - security risk_level: high migration_type: stress-scenario-catalog depends_on: - PROD-STRESS-READINESS-HARNESS acceptance_checks: - Scenario catalog defines owners, target environment, prerequisites, concurrency/rate/duration, pass/fail thresholds, and evidence outputs. - Scenarios cover API load, idempotent mutations, workers/events, terminal/WebSocket, database hot paths, failure injection, and frontend journeys. - Thresholds distinguish warning, S2 production blocker, and S1 production blocker conditions. - id: PROD-STRESS-API-LOAD-001 title: Add API load and idempotency stress suite kind: boundary-guard role: backend profile: platform-foundation parent_id: PROD-STRESS-READINESS-HARNESS owning_domain: platform-foundation owning_layer: api-load source_paths: - .fairway/artifacts/prod-stress-scenario-catalog.yaml - cmd/api - packages/platform - packages/products - scripts/ci - scripts/ops target_paths: - scripts/ci - scripts/ops - .fairway/artifacts review_domains: - backend - ops - security risk_level: high migration_type: api-load-idempotency-stress depends_on: - PROD-STRESS-SCENARIOS-001 acceptance_checks: - API stress scripts cover auth/session, context resolution, read models, catalog, launch precheck, status/evidence, and admin surfaces. - Idempotency stress proves repeated and concurrent mutations do not duplicate side effects and preserve audit/outbox consistency. - Failed requests return canonical ErrorResponse envelopes with correlation_id under load. - id: PROD-STRESS-API-CANONICAL-405-001 title: Return canonical ErrorResponse for unsupported API methods under stress kind: bug role: backend profile: platform-foundation parent_id: PROD-STRESS-READINESS-HARNESS owning_domain: platform-foundation owning_layer: api-load source_paths: - dist/prod-stress-api-load-kind-live-auth/prod-stress-evidence-gate.json - dist/prod-stress-api-load-kind-live-auth/api-read-results.jsonl - cmd/api/routes.go - cmd/api/routes_platform_core.go - packages/shared/errors target_paths: - cmd/api - cmd/api/routes_test.go review_domains: - backend - governance risk_level: medium migration_type: canonical-error-envelope depends_on: - PROD-STRESS-SCENARIOS-001 acceptance_checks: - Unsupported-method API responses use the shared ErrorResponse shape with code, message, and correlation_id. - Regression coverage includes the stress-discovered project route case that returned raw 405. - PROD-STRESS-API-LOAD-001 can be rerun without canonical_error_missing blockers. - id: PROD-STRESS-WORKER-EVENT-001 title: Add worker, event, billing, and provisioning stress suite kind: boundary-guard role: backend profile: platform-foundation parent_id: PROD-STRESS-READINESS-HARNESS owning_domain: platform-foundation owning_layer: worker-event-stress source_paths: - .fairway/artifacts/prod-stress-scenario-catalog.yaml - cmd/billing-worker - cmd/provisioning-worker - cmd/webhook-worker - cmd/outbox-relay - cmd/notification-relay - packages/shared/events - packages/shared/outbox - packages/platform/billing - packages/products/gpuaas/provisioning target_paths: - scripts/ci - scripts/ops - .fairway/artifacts review_domains: - backend - ops - architecture risk_level: high migration_type: worker-event-stress depends_on: - PROD-STRESS-SCENARIOS-001 acceptance_checks: - Stress suite covers NATS/outbox relay, DLQ behavior, billing usage replay, provisioning bursts, webhook replay, and notification dispatch. - Evidence records throughput, lag, retry posture, DLQ counts, ledger/rating invariants, and correlation IDs. - Worker failures classify dependency outage versus local defect and recover without corrupting ledger, outbox, or provisioning state. - id: PROD-STRESS-TERMINAL-001 title: Add terminal and WebSocket concurrency stress suite kind: boundary-guard role: backend profile: platform-foundation parent_id: PROD-STRESS-READINESS-HARNESS owning_domain: platform-foundation owning_layer: terminal-stress source_paths: - .fairway/artifacts/prod-stress-scenario-catalog.yaml - cmd/terminal-gateway - cmd/node-agent - cmd/api - packages/products/gpuaas/terminal - packages/web/e2e target_paths: - scripts/ci - scripts/ops - packages/web/e2e - .fairway/artifacts review_domains: - backend - frontend - ops - security risk_level: high migration_type: terminal-websocket-stress depends_on: - PROD-STRESS-SCENARIOS-001 acceptance_checks: - Stress suite covers token mint rate limits, concurrent browser terminal sessions, stale token rejection, gateway timeout, and node-agent disconnect/reconnect. - User-visible terminal failures are explicit and do not silently hang. - Evidence records session success rate, cleanup behavior, rate-limit behavior, correlation IDs, and node/gateway failure classification. - id: PROD-STRESS-FAILURE-INJECTION-001 title: Add dependency degradation and recovery stress suite kind: boundary-guard role: ops profile: platform-foundation parent_id: PROD-STRESS-READINESS-HARNESS owning_domain: platform-foundation owning_layer: failure-injection source_paths: - .fairway/artifacts/prod-stress-scenario-catalog.yaml - doc/governance/Error_Traceability_DNA_Standard.md - doc/operations - scripts/ci - scripts/ops - cmd/api - cmd/*-worker target_paths: - scripts/ci - scripts/ops - doc/operations - .fairway/artifacts review_domains: - ops - backend - security - governance risk_level: high migration_type: failure-injection-stress depends_on: - PROD-STRESS-SCENARIOS-001 - PSSM-PROD-C13-ERROR-OBSERVABILITY-AUDIT-GATE-001 acceptance_checks: - Failure injection covers Postgres, Redis, NATS, Keycloak/JWKS, provider capacity, node-agent, and release profile mismatch. - Degraded paths return user-safe canonical errors and log sanitized root cause with correlation_id and classification. - Recovery evidence proves services return to healthy state without manual database repair for supported scenarios. - id: PROD-STRESS-EVIDENCE-GATE-001 title: Publish stress evidence and production readiness gate kind: release-evidence role: ops profile: platform-foundation parent_id: PROD-STRESS-READINESS-HARNESS owning_domain: platform-foundation owning_layer: release-evidence source_paths: - .fairway/artifacts/prod-stress-scenario-catalog.yaml - doc/architecture/platform-foundation/Production_Stress_Readiness_Harness_v1.md - doc/architecture/platform-foundation/Platform_Release_Profile_Gates_v1.md - packages/platform/evidence - packages/platform/statusops - scripts/ci target_paths: - .fairway/artifacts - scripts/ci - doc/operations - packages/platform/evidence - packages/platform/statusops review_domains: - ops - architecture - backend - governance risk_level: high migration_type: stress-evidence-gate depends_on: - PROD-STRESS-API-LOAD-001 - PROD-STRESS-WORKER-EVENT-001 - PROD-STRESS-TERMINAL-001 - PROD-STRESS-FAILURE-INJECTION-001 acceptance_checks: - Stress evidence packet records environment, commit/images, scenario parameters, thresholds, observed metrics, failure classification, correlation IDs, and recommendation. - Status/Ops or release evidence surfaces stress posture as pass, warning, retry, investigate, or block production. - Production readiness gate blocks when S1/S2 stress findings are open. - id: PROD-STRESS-DEV-ENV-RUN-001 title: Run production stress harness against dev after kind slices pass kind: release-evidence role: ops profile: platform-foundation parent_id: PROD-STRESS-READINESS-HARNESS owning_domain: platform-foundation owning_layer: production-readiness source_paths: - .fairway/artifacts/prod-stress-scenario-catalog.yaml - scripts/ops/prod_stress_harness.sh - scripts/ops/prod_stress_api_load.sh - scripts/ci/prod_stress_evidence_gate.sh - doc/architecture/platform-foundation/Production_Stress_Readiness_Harness_v1.md target_paths: - dist/prod-stress-dev - .fairway/artifacts review_domains: - ops - backend - security - governance tags: - program:uat-hardening - program:production-readiness - environment:dev - surface:stress - gate:stress - work-type:run risk_level: high migration_type: dev-stress-readiness-run depends_on: - PROD-STRESS-EVIDENCE-GATE-001 acceptance_checks: - Dev stress run uses dev-control endpoints and credentials without printing secrets. - API-load/read/error-envelope/idempotency evidence passes enforce mode against dev. - Worker/event, terminal/WebSocket, and failure-injection evidence is either passed in dev or explicitly scoped to kind-only with owner disposition. - Any S1/S2 findings become Fairway follow-up tasks before this task is marked done. - id: PROD-STRESS-DEV-WORKER-EVENT-LIVE-001 title: Add live dev worker and event stress execution kind: task role: backend profile: platform-foundation parent_id: PROD-STRESS-DEV-ENV-RUN-001 owning_domain: platform-foundation owning_layer: worker-event-stress source_paths: - scripts/ops/prod_stress_worker_event.sh - scripts/ops/prod_stress_harness.sh - scripts/ci/prod_stress_evidence_gate.sh - .fairway/artifacts/prod-stress-scenario-catalog.yaml target_paths: - scripts/ops - scripts/ci - dist/prod-stress-dev - .fairway/artifacts review_domains: - backend - ops - security tags: - program:uat-hardening - program:production-readiness - environment:dev - surface:worker-events - gate:stress - work-type:live-test risk_level: high migration_type: dev-stress-live-execution acceptance_checks: - Worker/event stress supports live dev execution or explicitly documents why a scenario remains non-mutating or dry-run only. - Evidence covers outbox/NATS, DLQ, billing usage replay, provisioning burst, webhook replay, and notification dispatch posture against dev. - Evidence gate passes enforce mode or creates scoped S1/S2 follow-up tasks. - id: PROD-STRESS-DEV-TERMINAL-WS-LIVE-001 title: Add live dev terminal and websocket stress execution kind: task role: backend profile: platform-foundation parent_id: PROD-STRESS-DEV-ENV-RUN-001 owning_domain: platform-foundation owning_layer: terminal-stress source_paths: - scripts/ops/prod_stress_terminal_ws.sh - cmd/terminal-gateway - cmd/node-agent - packages/products/gpuaas/terminal - packages/web/e2e target_paths: - scripts/ops - scripts/ci - packages/web/e2e - dist/prod-stress-dev - .fairway/artifacts review_domains: - backend - frontend - ops - security tags: - program:uat-hardening - program:production-readiness - environment:dev - surface:terminal - gate:stress - work-type:live-test risk_level: high migration_type: dev-stress-live-execution depends_on: - UAT-BUG-DEV-TERMINAL-NODEPORT-REACHABILITY-001 acceptance_checks: - Terminal/WebSocket stress supports live dev execution once terminal node transport prerequisite is available. - Evidence covers token mint, concurrent sessions, stale token rejection, gateway timeout, node-agent disconnect/reconnect, and cleanup. - User-visible failures are explicit and do not silently hang. - id: PROD-STRESS-DEV-FAILURE-INJECTION-APPROVAL-GATE-001 title: Define approval gate for dev failure-injection stress kind: task role: ops profile: platform-foundation parent_id: PROD-STRESS-DEV-ENV-RUN-001 owning_domain: platform-foundation owning_layer: failure-injection source_paths: - scripts/ops/prod_stress_failure_injection.sh - scripts/ci/prod_stress_evidence_gate.sh - doc/operations target_paths: - scripts/ops - scripts/ci - doc/operations - .fairway/artifacts review_domains: - ops - backend - security - governance risk_level: high migration_type: dev-stress-approval-gate acceptance_checks: - Failure-injection stress remains kind-only unless a dev approval gate names allowed scenarios, blast radius, rollback, and maintenance window. - Dev readiness reports classify failure injection as intentionally deferred, not silently missing. - Any approved dev scenario records recovery evidence and no manual database repair requirement. - id: PROD-STRESS-DEV-UAT-REGRESSION-001 title: Run dev UAT regression after latest dev stress readiness deploy kind: release-evidence role: frontend profile: platform-foundation parent_id: PROD-STRESS-READINESS-HARNESS owning_domain: platform-foundation owning_layer: uat-regression source_paths: - doc/operations/V3_Post_Deploy_Smoke_Runbook.md - doc/operations/V3_Read_Model_Smoke_Runbook.md - scripts/ops/demo_uat_package.sh - packages/web/e2e - scripts/smoke/v3_post_deploy_smoke.sh target_paths: - dist/uat/dev - .fairway/artifacts review_domains: - frontend - product - ops - backend risk_level: high migration_type: dev-uat-regression depends_on: - PROD-STRESS-DEV-ENV-RUN-001 acceptance_checks: - Dev is confirmed deployed to the target commit before UAT starts. - UAT covers the user-facing flows affected by the `/v3` namespace retirement and platform-foundation backend changes. - Evidence includes pass/fail summary, failing route/API details, screenshots or traces where relevant, and correlation IDs for API failures. - Any user-facing regression becomes a Fairway task before this task is marked done. - id: PROD-STRESS-DEV-UAT-ACTIVE-WORKLOAD-FIXTURE-001 title: Restore dev UAT active workload and managed-route fixture kind: release-evidence role: ops profile: platform-foundation parent_id: PROD-STRESS-DEV-UAT-REGRESSION-001 owning_domain: platform-foundation owning_layer: dev-uat-fixture source_paths: - scripts/ops/demo_uat_package.sh - scripts/ops/demo_supported_app_matrix.sh - scripts/ops/demo_app_browser_smoke.sh - doc/operations/V3_Post_Deploy_Smoke_Runbook.md target_paths: - dist/uat/dev - .fairway/artifacts review_domains: - ops - frontend - product risk_level: high migration_type: dev-uat-fixture depends_on: - PROD-STRESS-DEV-UAT-REGRESSION-001 acceptance_checks: - "Dev has at least one active compute allocation usable for app placement prechecks." - "Required runtime apps have active or idle workloads with managed routes, or the UAT package is rerun with an explicitly approved missing-app mode." - "scripts/ops/demo_uat_package.sh --env dev --phase read-only no longer fails on supported app matrix, app browser managed-route smoke, or CLI app route helper." - "Evidence records whether the fixture was created by bounded mutating UAT, restored from existing workloads, or intentionally skipped with owner approval." - id: PROD-STRESS-DEV-UAT-RUNTIME-ROUTE-FIXTURE-001 title: Create dev runtime workload and managed-route fixture for app route UAT kind: release-evidence role: ops profile: platform-foundation parent_id: PROD-STRESS-DEV-UAT-ACTIVE-WORKLOAD-FIXTURE-001 owning_domain: appplatform owning_layer: runtime-route-fixture source_paths: - scripts/ops/demo_app_browser_smoke.sh - scripts/ops/demo_supported_app_matrix.sh - scripts/ops/demo_uat_package.sh - packages/products/appplatform target_paths: - dist/uat/dev - .fairway/artifacts review_domains: - ops - frontend - product risk_level: high migration_type: dev-runtime-route-fixture depends_on: - PROD-STRESS-DEV-UAT-ACTIVE-WORKLOAD-FIXTURE-001 acceptance_checks: - Dev has at least one active runtime workload with an active managed route for a supported browser app. - App browser managed-route smoke passes against dev without using stale or demo resources. - CLI app route helper passes against the same fixture. - Evidence records app instance id, route id, public URL, proxy pool id, and cleanup/retention decision. - id: PROD-STRESS-DEV-UAT-SCHEDULER-HEADLAMP-FIXTURE-001 title: Create dev scheduler and Headlamp fixture for RKE2/Slurm UAT kind: release-evidence role: ops profile: platform-foundation parent_id: PROD-STRESS-DEV-UAT-ACTIVE-WORKLOAD-FIXTURE-001 owning_domain: appplatform owning_layer: scheduler-headlamp-fixture source_paths: - scripts/ops/demo_scheduler_uat.sh - scripts/ops/demo_supported_app_matrix.sh - cmd/rke2-self-managed-controller - cmd/slurm-reference-controller target_paths: - dist/uat/dev - .fairway/artifacts review_domains: - ops - backend - product tags: - program:uat-hardening - program:stabilization - environment:dev - surface:scheduler - surface:headlamp - gate:uat - work-type:fixture risk_level: high migration_type: dev-scheduler-headlamp-fixture depends_on: - PSSM-DEV-SCHEDULER-SERVICE-ACCOUNT-CONFIG-001 - PROD-STRESS-DEV-UAT-ACTIVE-WORKLOAD-FIXTURE-001 acceptance_checks: - Dev has valid scheduler service-account config and no unresolved controller placeholders. - RKE2/Headlamp route returns an expected reachable status instead of 404. - Scheduler matrix no longer reports missing `rke2-self-managed` and `slurm-reference` workloads unless explicitly owner-skipped. - Evidence records scheduler app instance ids, route status, controller logs, and cleanup/retention decision. - id: PROD-STRESS-DEV-UAT-OPENAI-ENDPOINT-FIXTURE-001 title: Create dev vLLM/OpenAI endpoint fixture for service-account UAT kind: release-evidence role: ops profile: platform-foundation parent_id: PROD-STRESS-DEV-UAT-ACTIVE-WORKLOAD-FIXTURE-001 owning_domain: appplatform owning_layer: openai-endpoint-fixture source_paths: - scripts/ops/demo_openai_endpoint_smoke.sh - scripts/ops/demo_supported_app_matrix.sh - packages/products/appplatform target_paths: - dist/uat/dev - .fairway/artifacts review_domains: - ops - app-developer - product tags: - program:uat-hardening - program:stabilization - environment:dev - surface:openai-endpoint - gate:uat - work-type:fixture risk_level: high migration_type: dev-openai-endpoint-fixture depends_on: - PROD-STRESS-DEV-UAT-RUNTIME-ROUTE-FIXTURE-001 acceptance_checks: - Dev has a CPU-viable vLLM/OpenAI app artifact and active managed route, or records an approved fixture-unavailable decision. - OpenAI-compatible endpoint service-account UAT passes using a project-scoped service account. - Failure evidence distinguishes missing model/artifact/route from auth, proxy, or runtime contract defects. - Evidence records app instance id, route URL, service-account key id, request classification, and cleanup/retention decision without printing secrets. - id: PSSM-DEV-VLLM-COMPOSE-RUNTIME-DIAGNOSTICS-001 title: Expose dev vLLM Compose runtime logs through node-agent task output kind: bug role: backend profile: platform-foundation parent_id: PROD-STRESS-DEV-UAT-OPENAI-ENDPOINT-FIXTURE-001 owning_domain: appplatform owning_layer: node-agent-compose-runtime source_paths: - cmd/node-agent/compose_workload.go - cmd/node-agent/catalog_test.go - scripts/ops/demo_openai_endpoint_smoke.sh - .fairway/artifacts/post-pssm-uat-learning-gaps.md target_paths: - cmd/node-agent/compose_workload.go - cmd/node-agent/catalog_test.go - dist/uat/dev - .fairway/artifacts review_domains: - backend - ops - security risk_level: high migration_type: runtime-diagnostics depends_on: - PROD-STRESS-DEV-UAT-OPENAI-ENDPOINT-FIXTURE-001 acceptance_checks: - Compose workload task output includes sanitized service log tails when `docker compose ps` reports restarting, exited, or unhealthy services. - Unit coverage proves URL tokens and server tokens are redacted from Compose logs. - Dev vLLM retry evidence can classify the actual container restart cause without raw SSH or direct Docker socket access. - id: PSSM-DEV-APP-RUNTIME-COMPOSE-READINESS-001 title: Prevent Compose app route readiness before service health is proven kind: bug role: backend profile: platform-foundation parent_id: PROD-STRESS-DEV-UAT-OPENAI-ENDPOINT-FIXTURE-001 owning_domain: appplatform owning_layer: app-runtime-readiness source_paths: - packages/products/appplatform/runtime - cmd/node-agent/compose_workload.go - scripts/ops/demo_openai_endpoint_smoke.sh - .fairway/artifacts/post-pssm-uat-learning-gaps.md target_paths: - packages/products/appplatform/runtime - cmd/node-agent - dist/uat/dev - .fairway/artifacts review_domains: - backend - ops - product risk_level: high migration_type: app-runtime-readiness depends_on: - PSSM-DEV-VLLM-COMPOSE-RUNTIME-DIAGNOSTICS-001 acceptance_checks: - App Runtime treats Compose services in restarting, exited, or unhealthy states as not ready before exposing route health as usable. - Route/read-model evidence cannot show a user-facing app route as healthy while the owning Compose service is already unhealthy. - Regression coverage proves a restarting Compose service becomes a failed/not-ready app instance with useful runtime evidence. - id: PSSM-DEV-PROXMOX-BOOTSTRAP-RETRY-001 title: Make dev Proxmox provider bootstrap recover from transient control-plane reachability failures kind: bug role: ops profile: platform-foundation parent_id: PROD-STRESS-DEV-UAT-REGRESSION-001 owning_domain: gpuaas owning_layer: provider-bootstrap source_paths: - cmd/provider-reconciler - cmd/api - infra/k8s/overlays/dev-control-rke2 - scripts/ops/demo_uat_package.sh - scripts/ops/env_profile_verify.sh target_paths: - cmd/provider-reconciler - scripts/ops - infra/k8s/overlays/dev-control-rke2 - dist/uat/dev - .fairway/artifacts review_domains: - ops - backend - governance tags: - program:uat-hardening - program:stabilization - environment:dev - surface:proxmox - gate:uat - work-type:provider-bootstrap risk_level: high migration_type: dev-proxmox-bootstrap-retry depends_on: - PROD-STRESS-DEV-UAT-REGRESSION-001 acceptance_checks: - Dev Proxmox provider bootstrap preflight proves a worker VM can reach the configured bootstrap fetch/runtime URL before mutating compute UAT starts. - If cloud-init fails before node-agent install, provider lifecycle records a classified bootstrap failure and recreates/retries or quarantines the VM instead of leaving the allocation indefinitely provisioning. - Evidence includes VMID, allocation id, bootstrap URL reachability from the guest, provider resource state, and API/provisioning logs without secrets. - A fresh dev compute allocation reaches active after the fix, then releases or decommissions cleanly. - id: DEPLOY-DEV-RUN-20260605-001 title: Deploy dev-control validation run for post-PSSM stabilization commits kind: task role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: gpuaas owning_layer: deploy-validation source_paths: - scripts/ci/dev_control_rke2_release_api_fast.sh - scripts/ci/platform_control_promote_release_branch.sh - .env.gitlab.local target_paths: - dist/uat/dev - .fairway/artifacts review_domains: - ops - backend - governance risk_level: high migration_type: deploy-run depends_on: - PSSM-DEV-PROXMOX-BOOTSTRAP-RETRY-001 acceptance_checks: - Source SHA, CI result, dev deploy result, smoke/UAT result, evidence paths, final status, and next action are recorded. - Any CI, CD, UAT, ops, harness, or docs findings from the run have scoped follow-up Fairway tasks instead of being buried in notes. - id: DEPLOY-CI-RUN-20260605-OPS-SECRETS-PKI-001 title: Monitor master CI for secrets PKI runtime trust gate slice kind: task role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: gpuaas owning_layer: ci-validation source_paths: - scripts/ci/secrets_pki_runtime_trust_gate.sh - scripts/ci/ci_script_smoke.sh - doc/operations/evidence/secrets_key_ops.md - doc/operations/evidence/east_west_security_certs.md target_paths: - .fairway/artifacts review_domains: - ops - security - architecture risk_level: high migration_type: deploy-run depends_on: - OPS-PROD-SECRETS-PKI-RUNTIME-TRUST-GATE-001 acceptance_checks: - Source SHA `a7b0e2d4453dd7811fc40084a8c2a8576f46adcc`, pipeline `2341`, target `master`, expected completion window, and safe wait action are recorded. - CI result is recorded as pass/fail/partial/blocked. - Any actionable CI/CD/UAT/ops finding from the run has a scoped follow-up Fairway task. - id: CD-FIX-DEV-NODE-BOOTSTRAP-PACKAGE-503-001 title: Fix dev node bootstrap package endpoint returning 503 kind: task role: backend profile: platform-foundation parent_id: DEPLOY-DEV-RUN-20260605-001 owning_domain: gpuaas owning_layer: node-bootstrap-package source_paths: - cmd/api - infra/k8s/overlays/dev-control-rke2 - scripts/ci - scripts/ops target_paths: - cmd/api - infra/k8s/overlays/dev-control-rke2 - scripts/ops - dist/uat/dev - .fairway/artifacts review_domains: - backend - ops - governance risk_level: high migration_type: cd-fix depends_on: - DEPLOY-DEV-RUN-20260605-001 acceptance_checks: - Dev API bootstrap package endpoint returns the node-agent bootstrap tarball for AMD64 during the cloud-init retry window. - Package availability is covered by dev deploy or pre-UAT freshness checks before fresh Proxmox allocation UAT runs. - Fresh dev Proxmox compute allocation reaches active and then releases or decommissions cleanly. - Evidence includes API package logs, guest package probe, allocation id, VMID, and sanitized release cleanup result. - id: OPS-FIX-DEV-BOOTSTRAP-PACKAGE-CLEANUP-EVIDENCE-SANITIZE-001 title: Sanitize dev bootstrap package cleanup evidence for review closeout kind: task role: ops profile: platform-foundation parent_id: CD-FIX-DEV-NODE-BOOTSTRAP-PACKAGE-503-001 owning_domain: gpuaas owning_layer: node-bootstrap-package source_paths: - dist/uat/dev/20260605T124701Z-dev-bootstrap-package-503-rerun/logs/provider-cleanup-evidence-filtered.json target_paths: - .fairway/artifacts/cd-fix-dev-node-bootstrap-package-503-sanitized-evidence-20260610 review_domains: - ops - governance tags: - program:stabilization - environment:dev - surface:node-bootstrap - gate:review - work-type:evidence-cleanup risk_level: medium migration_type: ops-fix depends_on: - CD-FIX-DEV-NODE-BOOTSTRAP-PACKAGE-503-001 acceptance_checks: - Sanitized replacement cleanup evidence redacts bootstrap tokens, credential-bearing URLs, deploy user data, and auth material. - Sanitized evidence preserves allocation id, node id, VMID/provider object id, lifecycle state, release state, and cleanup result needed for review. - Parent task `CD-FIX-DEV-NODE-BOOTSTRAP-PACKAGE-503-001` is rerouted for ops review after sanitized evidence is recorded. - id: UAT-BUG-DEV-TERMINAL-WS-NODE-STREAM-TIMEOUT-001 title: Fix dev browser terminal node-agent stream timeout after compute reaches active kind: task role: backend profile: platform-foundation parent_id: CD-FIX-DEV-NODE-BOOTSTRAP-PACKAGE-503-001 owning_domain: gpuaas owning_layer: terminal-runtime source_paths: - cmd/terminal-gateway - cmd/api - cmd/node-agent - packages/products/gpuaas/terminal - scripts/ops/demo_uat_mutating.sh target_paths: - cmd/terminal-gateway - cmd/api - cmd/node-agent - packages/products/gpuaas/terminal - dist/uat/dev - .fairway/artifacts review_domains: - backend - ops - governance tags: - program:uat-hardening - program:stabilization - environment:dev - surface:terminal - gate:uat - work-type:bugfix risk_level: high migration_type: uat-bug depends_on: - CD-FIX-DEV-NODE-BOOTSTRAP-PACKAGE-503-001 acceptance_checks: - Dev mutating UAT browser terminal websocket smoke receives an interactive terminal frame instead of `session_error code=node_stream_timeout`. - Evidence distinguishes terminal-gateway, API node stream relay, and node-agent stream readiness failures. - Regression coverage or targeted smoke prevents active allocations from reporting terminal-ready before node-agent stream path is available. - id: UAT-BUG-DEV-TERMINAL-NODEPORT-REACHABILITY-001 title: Fix dev worker-to-terminal internal websocket reachability kind: task role: ops profile: platform-foundation parent_id: UAT-BUG-DEV-TERMINAL-WS-NODE-STREAM-TIMEOUT-001 owning_domain: gpuaas owning_layer: terminal-runtime source_paths: - infra/k8s/overlays/dev-control-rke2 - cmd/terminal-gateway - cmd/api - cmd/node-agent - scripts/ops target_paths: - infra/k8s/overlays/dev-control-rke2 - scripts/ops - dist/uat/dev - .fairway/artifacts review_domains: - ops - backend - governance tags: - program:uat-hardening - program:stabilization - environment:dev - surface:terminal - gate:uat - work-type:bugfix risk_level: high migration_type: uat-bug depends_on: - CD-FIX-DEV-NODE-BOOTSTRAP-PACKAGE-503-001 acceptance_checks: - A fresh dev Proxmox worker can reach the configured terminal internal websocket endpoint from the node-agent network before terminal smoke starts. - Dev mutating UAT browser terminal websocket smoke receives an interactive terminal frame. - Evidence includes terminal-gateway logs, API node task timing, node-agent terminal.open result, and a worker-side reachability probe without printing secrets. - id: UAT-GATE-TERMINAL-TRANSPORT-PREREQ-001 title: Add live prerequisite gate for terminal transport reachability kind: task role: ops profile: platform-foundation parent_id: PSSM-UAT-LIVE-PREREQ-GATE-001 owning_domain: gpuaas owning_layer: uat-prereq source_paths: - scripts/ops - cmd/node-agent - cmd/terminal-gateway - doc/operations target_paths: - scripts/ops - doc/operations - .fairway/artifacts review_domains: - ops - backend - governance risk_level: high migration_type: uat-gate depends_on: - CD-FIX-DEV-NODE-BOOTSTRAP-PACKAGE-503-001 acceptance_checks: - Pre-UAT live prerequisite checks fail fast when a worker/node-agent cannot reach the terminal internal websocket endpoint. - The gate reports the failing layer as config, network, terminal-gateway service, API node-task dispatch, or node-agent reachability. - Full mutating UAT is not the first place this class of terminal transport defect appears. - id: CD-FIX-DEV-PROVISIONING-WORKER-LOCAL-IMAGE-ROLLOUT-001 title: Fix dev runtime rollout drift from local placeholder images kind: task role: ops profile: platform-foundation parent_id: CD-FIX-DEV-NODE-BOOTSTRAP-PACKAGE-503-001 owning_domain: gpuaas owning_layer: cd-rollout source_paths: - infra/k8s/base/core/provisioning-worker.yaml - infra/k8s/overlays/dev-control-rke2 - scripts/ci/platform_control_update_node_bootstrap_metadata.sh - scripts/ci/platform_control_deploy_release_candidate.sh target_paths: - infra/k8s - scripts/ci - .fairway/artifacts review_domains: - ops - backend - governance risk_level: medium migration_type: cd-fix depends_on: - CD-FIX-DEV-NODE-BOOTSTRAP-PACKAGE-503-001 acceptance_checks: - Dev provisioning-worker rollout restart does not create a pod that attempts to pull `docker.io/library/gpuaas-provisioning-worker:dev-control-local`. - Metadata-only bootstrap package updates either avoid unnecessary provisioning-worker restart or preserve the last deployed registry digest image. - Evidence includes deployment image, rollout status, and image pull event check. - id: OPS-FIX-DEV-RUNTIME-LOCAL-IMAGE-CLEANUP-001 title: Clean up dev runtime deployments still pinned to local placeholder images kind: task role: ops profile: platform-foundation parent_id: DEPLOY-DEV-RUN-20260605-001 owning_domain: gpuaas owning_layer: cd-rollout source_paths: - infra/k8s - scripts/ci - scripts/ops target_paths: - scripts/ci - scripts/ops - .fairway/artifacts review_domains: - ops - backend risk_level: medium migration_type: ops-fix depends_on: - CD-FIX-DEV-PROVISIONING-WORKER-LOCAL-IMAGE-ROLLOUT-001 acceptance_checks: - Dev deployments with `gpuaas.dev/image-ref` digest annotations no longer have pod templates using `*:dev-control-local` or `*:dev-control-rke2-local`. - Existing ImagePullBackOff pods caused by prior local placeholder rollouts are cleared by rollout to the annotated registry digest or by an explicit safe cleanup runbook. - Evidence includes before/after deployment images, pods, and image pull events for every corrected runtime. - id: OPS-FIX-DEV-NODE-BOOTSTRAP-ARM64-METADATA-001 title: Populate or intentionally gate dev ARM64 node bootstrap package metadata kind: task role: ops profile: platform-foundation parent_id: DEPLOY-DEV-RUN-20260605-001 owning_domain: gpuaas owning_layer: env-profile source_paths: - infra/k8s/overlays/dev-control-rke2 - scripts/ops/env_profile_verify.sh - scripts/ci target_paths: - infra/k8s/overlays/dev-control-rke2 - scripts/ops - dist/uat/dev - .fairway/artifacts review_domains: - ops - backend - governance risk_level: medium migration_type: ops-fix depends_on: - DEPLOY-DEV-RUN-20260605-001 acceptance_checks: - Dev profile verification either has ARM64 bootstrap package ref, digest, and tag populated or explicitly gates ARM64 as unsupported for the profile. - The env-profile report distinguishes unsupported architecture from missing required package metadata. - Evidence includes sanitized env-profile verification output. - id: PSSM-DEV-SCHEDULER-SERVICE-ACCOUNT-CONFIG-001 title: Resolve dev scheduler controller service-account placeholders kind: bug role: ops profile: platform-foundation parent_id: PROD-STRESS-DEV-UAT-REGRESSION-001 owning_domain: appplatform owning_layer: scheduler-controller-config source_paths: - infra/k8s/overlays/dev-control-rke2 - infra/k8s/overlays/dev-control - cmd/rke2-self-managed-controller - cmd/slurm-reference-controller - scripts/ops/demo_scheduler_headlamp_uat.sh target_paths: - infra/k8s/overlays/dev-control-rke2 - scripts/ops - dist/uat/dev - .fairway/artifacts review_domains: - ops - backend - security risk_level: high migration_type: dev-scheduler-service-account-config depends_on: - PROD-STRESS-DEV-UAT-REGRESSION-001 acceptance_checks: - Dev scheduler controller environment no longer contains unresolved `__RKE2_CONTROLLER_SERVICE_ACCOUNT_*` or `__SLURM_REFERENCE_SERVICE_ACCOUNT_*` placeholders. - Controller token minting failures are classified before UAT and do not surface as generic API 500s. - RKE2 and Slurm scheduler UAT either launches with valid service accounts or reports a prerequisite-missing blocker before controller pods start. - Evidence includes sanitized controller env presence checks, API correlation IDs for previous failures, and rerun scheduler/headlamp UAT status. - id: PSSM-DEV-ENV-PROFILE-UAT-GATE-001 title: Gate dev UAT on environment profile bootstrap and fixture readiness kind: boundary-guard role: governance profile: platform-foundation parent_id: PROD-STRESS-DEV-UAT-REGRESSION-001 owning_domain: platform-foundation owning_layer: uat-harness source_paths: - scripts/ops/env_profile_verify.sh - scripts/ops/demo_uat_package.sh - doc/operations/V3_Post_Deploy_Smoke_Runbook.md target_paths: - scripts/ops - dist/uat/dev - .fairway/artifacts review_domains: - governance - ops - product tags: - program:uat-hardening - program:stabilization - environment:dev - surface:uat - gate:env-profile - work-type:gate risk_level: high migration_type: dev-uat-profile-gate depends_on: - PSSM-DEV-PROXMOX-BOOTSTRAP-RETRY-001 - PSSM-DEV-SCHEDULER-SERVICE-ACCOUNT-CONFIG-001 - PROD-STRESS-DEV-UAT-ACTIVE-WORKLOAD-FIXTURE-001 acceptance_checks: - Dev UAT defaults to running env-profile verification or records an explicit owner-approved skip with reason. - Env-profile verification checks bootstrap NodePort/public API reachability from the provider worker network when Proxmox handoff is enabled. - UAT read-only phase distinguishes missing fixture prerequisites from product regressions and links to the owning Fairway task. - Future post-deploy UAT cannot proceed into mutating workflows when basic provider bootstrap, scheduler credential, or managed-route fixture gates are failing. - id: SEC-ARCH-REVIEW-EPIC title: Triage security review feedback against current GPUaaS architecture kind: epic role: orchestrator profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-foundation owning_layer: security-architecture source_paths: - doc/architecture/platform-foundation/Security_Architecture_Review_Triage_v1.md - doc/operations/Enterprise_Readiness_Gap_Work_Plan_v1.md - doc/architecture/platform-foundation/Platform_Shared_Services_Model_v2.md - doc/architecture/platform-foundation/Platform_Shared_Services_Completion_Roadmap_v1.md - doc/architecture/Production_Deployment_Readiness_v1.md target_paths: - doc/architecture/platform-foundation - doc/operations - doc/governance - scripts/ci - .fairway/artifacts review_domains: - architecture - security - ops - governance - backend tags: - program:security-review - surface:architecture - gate:security-review - work-type:backlog risk_level: high migration_type: security-architecture-review-triage depends_on: - PSSM-PRODUCTION-COMPLETION-BACKLOG acceptance_checks: - Security review feedback is assessed against the current PSSM-era GPUaaS architecture, not the stale `Core42_GPUaaS_Cloud.pdf` whitepaper. - Valid current gaps become concrete Fairway tasks with owners, scope, dependencies, and evidence expectations. - Stale or overbroad compliance/security claims are retired, qualified, or moved into future regulated-profile work. - Existing `IAM-MFA-EPIC` remains the MFA implementation owner and is not duplicated by this epic. - id: SEC-ARCH-REVIEW-TRIAGE-001 title: Classify external security review findings against current architecture kind: architecture-map role: architecture profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-foundation owning_layer: security-architecture-triage source_paths: - doc/architecture/platform-foundation/Security_Architecture_Review_Triage_v1.md - doc/operations/Enterprise_Readiness_Gap_Work_Plan_v1.md - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - doc/architecture/Node_Agent_Spec.md - doc/architecture/MAAS_Bare_Metal_Lifecycle_v1.md - doc/architecture/Allocation_Capacity_Shapes_and_GPU_Slices_v1.md target_paths: - doc/architecture/platform-foundation/Security_Architecture_Review_Triage_v1.md - .fairway/platform-foundation-implementation-track.yaml review_domains: - architecture - security - governance risk_level: high migration_type: security-review-triage-map depends_on: - SEC-ARCH-REVIEW-EPIC acceptance_checks: - Triage doc separates correct-against-stale-PDF findings, current repo gaps, stale assumptions, and production action items. - Compliance claims are classified as current baseline, future enterprise baseline, future regulated profile, or explicit non-claim. - Fairway child tasks exist for the current gaps and link MFA back to `IAM-MFA-EPIC`. - id: SEC-ARCH-REVIEW-CURRENT-STATE-DOC-001 title: Replace stale security whitepaper with current-state security architecture package kind: architecture-map role: architecture profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-foundation owning_layer: security-architecture-docs source_paths: - doc/architecture/platform-foundation/Security_Architecture_Review_Triage_v1.md - doc/architecture/platform-foundation/Platform_Shared_Services_Model_v2.md - doc/architecture/platform-foundation/Platform_Shared_Services_Completion_Roadmap_v1.md - doc/architecture/Production_Deployment_Readiness_v1.md - doc/architecture/Platform_IAM_Model_v1.md - doc/architecture/Node_Agent_Spec.md - doc/architecture/PKI_Spec.md - doc/architecture/MAAS_Bare_Metal_Lifecycle_v1.md - doc/architecture/Allocation_Capacity_Shapes_and_GPU_Slices_v1.md target_paths: - doc/architecture/platform-foundation/Security_Architecture_Current_State_v1.md - doc/architecture/platform-foundation/Documentation_Source_Of_Truth_Map_v1.md - doc/architecture/platform-foundation/README.md - doc/operations/Enterprise_Readiness_Gap_Work_Plan_v1.md review_domains: - architecture - security - ops - governance risk_level: high migration_type: current-security-architecture-package depends_on: - SEC-ARCH-REVIEW-TRIAGE-001 acceptance_checks: - Current-state security architecture doc identifies active controls, partial controls, future regulated-profile controls, and explicit non-claims. - Stale `Core42_GPUaaS_Cloud.pdf` assumptions are marked superseded in source-of-truth documentation and are not used as active architecture evidence. - Document covers identity/IAM, tenant/project isolation, node-agent trust, Pomerium/managed ingress, terminal/proxy flows, audit/evidence, secrets/PKI, billing/payment boundary, and operational monitoring. - id: SEC-ARCH-COMPLIANCE-SCOPE-MATRIX-001 title: Define compliance claims, non-claims, and scope responsibility matrix kind: architecture-map role: governance profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: governance owning_layer: compliance-posture source_paths: - doc/architecture/platform-foundation/Security_Architecture_Review_Triage_v1.md - doc/operations/Enterprise_Readiness_Gap_Work_Plan_v1.md - doc/architecture/Production_Deployment_Readiness_v1.md - doc/architecture/Billing_Platform_Overhaul_v1.md - packages/platform/payments target_paths: - doc/governance/Compliance_Claims_And_Scope_Matrix_v1.md - doc/architecture/platform-foundation/Security_Architecture_Current_State_v1.md - doc/operations/Enterprise_Readiness_Gap_Work_Plan_v1.md review_domains: - governance - security - architecture - billing - ops risk_level: high migration_type: compliance-claims-scope-matrix depends_on: - SEC-ARCH-REVIEW-CURRENT-STATE-DOC-001 acceptance_checks: - Matrix states current claims, explicit non-claims, and future readiness posture for FedRAMP, PCI DSS, HIPAA, SOC 2, ISO 27001, GDPR/UAE PDPL, and customer responsibility boundaries. - PCI scope is explicitly classified as in-scope or out-of-scope based on payment data flow and Stripe/provider handling. - Regulated-profile requirements are separated from the baseline production-readiness path. - id: SEC-ARCH-TENANT-WORKLOAD-ISOLATION-EVIDENCE-001 title: Produce tenant and GPU workload isolation evidence package kind: release-evidence role: security profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-foundation owning_layer: tenant-workload-isolation source_paths: - doc/architecture/platform-foundation/Security_Architecture_Review_Triage_v1.md - doc/architecture/IAM_Department_Hierarchy_Implementation_Plan_v1.md - doc/architecture/Platform_IAM_Model_v1.md - doc/architecture/Unified_IAM_Billing_Across_Products_v1.md - doc/architecture/Allocation_Capacity_Shapes_and_GPU_Slices_v1.md - doc/architecture/Managed_Ingress_Tenant_Isolation_and_Scaling_v1.md - doc/architecture/Node_Agent_Spec.md - doc/architecture/db_schema_v1.sql - cmd/api - packages/platform - packages/products - packages/shared target_paths: - doc/architecture/platform-foundation/Tenant_And_Workload_Isolation_Evidence_v1.md - .fairway/artifacts - scripts/ci - cmd/api - packages/platform - packages/products review_domains: - security - architecture - backend - ops - governance risk_level: high migration_type: tenant-workload-isolation-evidence depends_on: - SEC-ARCH-REVIEW-CURRENT-STATE-DOC-001 - IAM-DEPARTMENT-HIERARCHY-EPIC acceptance_checks: - Evidence package covers IAM org/department/project/resource scoping, negative authz tests, DB constraints/query boundaries, Redis/NATS/Temporal/cache isolation, and terminal/proxy/app runtime tenant boundaries. - GPU workload isolation model distinguishes bare metal, full reimage, user-revoke, VM slice, PCI passthrough, and fabric/RDMA assumptions with explicit residual risks. - Any missing test or read-model evidence becomes a named Fairway follow-up before this task is closed. - id: SEC-ARCH-TENANT-AUTHZ-NEGATIVE-MATRIX-001 title: Build tenant and project negative authorization matrix kind: release-evidence role: backend profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-iam owning_layer: tenant-workload-isolation source_paths: - doc/architecture/platform-foundation/Tenant_And_Workload_Isolation_Evidence_v1.md - cmd/api - packages/platform/iam - packages/platform/auth - packages/products target_paths: - cmd/api - packages/platform - packages/products - scripts/ci - .fairway/artifacts review_domains: - backend - security - governance risk_level: high migration_type: tenant-authz-negative-matrix depends_on: - SEC-ARCH-TENANT-WORKLOAD-ISOLATION-EVIDENCE-001 acceptance_checks: - Negative authorization matrix covers v3 compute, app launch, app runtime credentials, storage grants, terminal token mint/open, managed ingress, billing/audit, and admin read-model surfaces. - Matrix distinguishes human user and service-account callers, missing membership, wrong project, wrong organization, disabled actor, stale route, and revoked credential cases. - The matrix is runnable locally or in CI and fails closed when a covered route family lacks a project-scope or equivalent platform authorization check. - id: SEC-ARCH-EVENT-WORKFLOW-ISOLATION-EVIDENCE-001 title: Produce event and workflow tenant isolation evidence kind: release-evidence role: backend profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-events owning_layer: tenant-workload-isolation source_paths: - doc/architecture/platform-foundation/Tenant_And_Workload_Isolation_Evidence_v1.md - doc/architecture/NATS_Stream_Config.md - doc/architecture/Intent_Control_And_Reconciliation_Model_v1.md - packages/shared/events - packages/products - cmd target_paths: - doc/architecture/platform-foundation/Tenant_And_Workload_Isolation_Evidence_v1.md - scripts/ci - packages/shared/events - packages/products - .fairway/artifacts review_domains: - backend - ops - security - architecture risk_level: high migration_type: event-workflow-isolation-evidence depends_on: - SEC-ARCH-TENANT-WORKLOAD-ISOLATION-EVIDENCE-001 acceptance_checks: - NATS subjects, event payload owner fields, consumers, DLQ handling, and operator visibility are mapped for tenant/project-sensitive events. - Temporal workflow IDs, task queues, persisted workflow state, and payload ownership fields are mapped for tenant/project-sensitive workflows. - Missing event or workflow owner fields become contract/code follow-up tasks before claiming tenant isolation completeness. - id: SEC-ARCH-PROVISIONING-EVENT-PROJECT-OWNER-FIELDS-001 title: Add project owner fields to provisioning lifecycle events kind: task role: backend profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-events owning_layer: tenant-workload-isolation source_paths: - packages/shared/events/types.go - doc/api/asyncapi.draft.yaml - packages/products/gpuaas/provisioning - cmd/provisioning-worker target_paths: - packages/shared/events/types.go - doc/api/asyncapi.draft.yaml - packages/products/gpuaas/provisioning - cmd/provisioning-worker - scripts/ci review_domains: - backend - security - ops risk_level: high migration_type: provisioning-event-owner-fields depends_on: - SEC-ARCH-EVENT-WORKFLOW-ISOLATION-EVIDENCE-001 acceptance_checks: - Provisioning lifecycle events include project_id where allocation/project ownership is required, producers populate it, consumers preserve it, and regression tests prove missing or mismatched owner fields do not authorize cross-project processing. - id: SEC-ARCH-TEMPORAL-WORKFLOW-OWNER-SCOPE-VISIBILITY-001 title: Make Temporal workflow owner scope visible in IDs and payload evidence kind: task role: backend profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: temporal-workflows owning_layer: tenant-workload-isolation source_paths: - cmd/provisioning-worker - packages/platform/maas - packages/platform/adminops - doc/architecture/Intent_Control_And_Reconciliation_Model_v1.md target_paths: - cmd/provisioning-worker - packages/platform/maas - packages/platform/adminops - doc/architecture - scripts/ci review_domains: - backend - ops - security - architecture tags: - program:security-review - surface:temporal - gate:tenant-isolation - work-type:readmodel risk_level: high migration_type: workflow-owner-scope-visibility depends_on: - SEC-ARCH-EVENT-WORKFLOW-ISOLATION-EVIDENCE-001 acceptance_checks: - Tenant/project-sensitive Temporal workflows have documented owner-scope fields in persisted records and workflow input, workflow IDs or search attributes expose safe owner/target scope for operations, and tests prove stale or wrong-scope workflow reruns cannot cross tenant/project boundaries. - id: SEC-ARCH-TEMPORAL-PROVISIONING-WORKFLOW-MEMO-001 title: Add safe owner and target memo to provisioning Temporal workflows kind: task role: backend profile: platform-foundation parent_id: SEC-ARCH-TEMPORAL-WORKFLOW-OWNER-SCOPE-VISIBILITY-001 owning_domain: temporal-workflows owning_layer: tenant-workload-isolation source_paths: - cmd/provisioning-worker/worker.go - cmd/provisioning-worker/worker_test.go - doc/architecture/platform-foundation/Tenant_And_Workload_Isolation_Evidence_v1.md target_paths: - cmd/provisioning-worker/worker.go - cmd/provisioning-worker/worker_test.go - doc/architecture/platform-foundation/Tenant_And_Workload_Isolation_Evidence_v1.md review_domains: - backend - ops - security - architecture risk_level: high migration_type: workflow-owner-scope-visibility depends_on: - SEC-ARCH-PROVISIONING-EVENT-PROJECT-OWNER-FIELDS-001 acceptance_checks: - Provisioning Temporal workflow start options expose safe allocation/org/project/user/node owner fields in workflow memo/static summary without changing workflow ID idempotency. - Tests prove project_id survives the event-to-workflow handoff and appears in workflow operator metadata. - id: SEC-ARCH-TEMPORAL-MAAS-WORKFLOW-OPS-METADATA-001 title: Add safe owner and target metadata to MAAS Temporal workflows kind: task role: backend profile: platform-foundation parent_id: SEC-ARCH-TEMPORAL-WORKFLOW-OWNER-SCOPE-VISIBILITY-001 owning_domain: temporal-workflows owning_layer: tenant-workload-isolation source_paths: - packages/platform/maas - cmd/provisioning-worker/temporal.go - doc/architecture/Intent_Control_And_Reconciliation_Model_v1.md target_paths: - packages/platform/maas - doc/architecture/platform-foundation/Tenant_And_Workload_Isolation_Evidence_v1.md review_domains: - backend - ops - security - architecture risk_level: high migration_type: workflow-owner-scope-visibility depends_on: - SEC-ARCH-TEMPORAL-WORKFLOW-OWNER-SCOPE-VISIBILITY-001 acceptance_checks: - MAAS onboarding and decommission workflow inputs, persisted records, workflow IDs, or safe metadata expose site/profile/node/decommission scope for operator visibility without introducing cross-tenant authorization decisions into Temporal. - Existing rerun/resume tests prove stale workflow recovery remains tied to persisted onboarding/decommission IDs. - id: SEC-ARCH-TEMPORAL-SEARCH-ATTRIBUTE-REGISTRY-001 title: Define registered Temporal search attributes for safe owner-scope visibility kind: task role: ops profile: platform-foundation parent_id: SEC-ARCH-TEMPORAL-WORKFLOW-OWNER-SCOPE-VISIBILITY-001 owning_domain: temporal-workflows owning_layer: tenant-workload-isolation source_paths: - cmd/provisioning-worker - packages/platform/maas - packages/platform/adminops - doc/architecture/Intent_Control_And_Reconciliation_Model_v1.md target_paths: - doc/operations - scripts/ci - doc/architecture/platform-foundation/Tenant_And_Workload_Isolation_Evidence_v1.md review_domains: - ops - backend - security - architecture risk_level: high migration_type: temporal-search-attributes depends_on: - SEC-ARCH-TEMPORAL-WORKFLOW-OWNER-SCOPE-VISIBILITY-001 acceptance_checks: - Registered Temporal search attributes for safe owner/target scope are defined, provisioned, and validated before code uses indexed search attributes. - Workflow start options do not depend on unregistered custom search attributes that could fail workflow starts at runtime. - id: SEC-ARCH-TEMPORAL-SEARCH-ATTRIBUTE-LIVE-PROVISION-001 title: Apply Temporal search attributes to live namespaces after approval kind: task role: ops profile: platform-foundation parent_id: SEC-ARCH-TEMPORAL-WORKFLOW-OWNER-SCOPE-VISIBILITY-001 owning_domain: temporal-workflows owning_layer: tenant-workload-isolation source_paths: - doc/operations/Temporal_Search_Attribute_Registry.md - scripts/ci/temporal_search_attribute_registry.sh target_paths: - doc/operations - cmd/api - cmd/provisioning-worker review_domains: - ops - backend - security - architecture tags: - program:security-review - environment:temporal - surface:temporal - gate:approval-required - work-type:ops-change risk_level: high migration_type: temporal-search-attributes-live-provision depends_on: - SEC-ARCH-TEMPORAL-SEARCH-ATTRIBUTE-REGISTRY-001 acceptance_checks: - Approved non-prod/prod Temporal namespace provisioning evidence exists, attributes are listed after apply, and code using SearchAttributes is only enabled for provisioned namespaces. - id: SEC-ARCH-TEMPORAL-NODE-AGENT-LIFECYCLE-OPS-METADATA-001 title: Add safe owner and target metadata to node-agent lifecycle workflows kind: task role: backend profile: platform-foundation parent_id: SEC-ARCH-TEMPORAL-WORKFLOW-OWNER-SCOPE-VISIBILITY-001 owning_domain: temporal-workflows owning_layer: tenant-workload-isolation source_paths: - packages/platform/adminops - cmd/provisioning-worker/temporal.go - doc/architecture/Intent_Control_And_Reconciliation_Model_v1.md target_paths: - packages/platform/adminops - doc/architecture/platform-foundation/Tenant_And_Workload_Isolation_Evidence_v1.md review_domains: - backend - ops - security - architecture risk_level: high migration_type: workflow-owner-scope-visibility depends_on: - SEC-ARCH-TEMPORAL-WORKFLOW-OWNER-SCOPE-VISIBILITY-001 acceptance_checks: - Node-agent lifecycle workflow input, persisted run record, workflow ID, or safe metadata expose node/lifecycle/actor scope for operator visibility without exposing secrets or credential material. - Tests prove lifecycle execution remains tied to the persisted lifecycle ID and node ID during rerun/recovery paths. - id: SEC-ARCH-REDIS-CACHE-KEYSPACE-EVIDENCE-001 title: Prove Redis cache and session keyspace isolation kind: release-evidence role: backend profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-cache owning_layer: tenant-workload-isolation source_paths: - doc/architecture/platform-foundation/Tenant_And_Workload_Isolation_Evidence_v1.md - packages/shared/readcache - cmd/terminal-gateway - packages/platform - packages/products target_paths: - packages/shared/readcache - cmd/terminal-gateway - scripts/ci - .fairway/artifacts review_domains: - backend - ops - security risk_level: high migration_type: redis-cache-keyspace-evidence depends_on: - SEC-ARCH-TENANT-WORKLOAD-ISOLATION-EVIDENCE-001 acceptance_checks: - High-risk Redis keys for read models, terminal tokens/session bindings, proxy/authz cache, and notification/session state are inventoried with owner-scope dimensions. - Tests or guard scripts prove tenant/project/session prefixes cannot delete, read, or reuse unrelated tenant/project/session data. - Any unscoped Redis key that can affect tenant-visible state becomes a named fix task. - id: SEC-ARCH-APP-RUNTIME-CROSS-PROJECT-NEGATIVE-TESTS-001 title: Add app runtime cross-project negative tests kind: release-evidence role: backend profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: appplatform owning_layer: tenant-workload-isolation source_paths: - doc/architecture/platform-foundation/Tenant_And_Workload_Isolation_Evidence_v1.md - cmd/api/routes_v3_app_runtime_credentials.go - cmd/api/routes_v3_launch_submit.go - packages/products/appplatform/runtime - packages/products/gpuaas/inventory target_paths: - cmd/api - packages/products/appplatform/runtime - packages/products/gpuaas/inventory - .fairway/artifacts review_domains: - backend - security risk_level: high migration_type: app-runtime-cross-project-negative-tests depends_on: - SEC-ARCH-TENANT-WORKLOAD-ISOLATION-EVIDENCE-001 acceptance_checks: - Negative tests cover cross-project app instance read, runtime credential issuance, route access, member operations, bootstrap SSH reconcile, and artifact/runtime secret paths. - Tests cover both human project member callers and project-scoped service-account callers. - Failures return canonical authorization errors and do not leak target resource metadata. - id: SEC-ARCH-APP-RUNTIME-CREDENTIAL-SA-ALLOWLIST-DECISION-001 title: Decide and test service-account access for v3 app runtime credential operations kind: release-evidence role: security profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: appplatform owning_layer: service-account-allowlist source_paths: - packages/shared/middleware/auth.go - cmd/api/routes_v3_app_runtime_credentials.go - doc/architecture/Service_Account_Model.md - doc/architecture/App_Runtime_External_Worker_Contract_v1.md - doc/api/API_Surface.md - doc/architecture/platform-foundation/Tenant_Authorization_Negative_Matrix_v1.json target_paths: - packages/shared/middleware/auth.go - cmd/api/routes_test.go - doc/architecture - doc/api - .fairway/artifacts review_domains: - security - backend - architecture risk_level: high migration_type: app-runtime-credential-service-account-allowlist depends_on: - SEC-ARCH-APP-RUNTIME-CROSS-PROJECT-NEGATIVE-TESTS-001 acceptance_checks: - Decision packet states whether project-scoped service accounts may call `/api/v1/v3/workloads/{workload_id}/credentials/*` operations. - If allowed, service-account allowlist and contracts are updated together and same-project/cross-project regression tests prove scope enforcement before inventory calls. - If denied, product/API docs explain the human-only or alternate machine-identity path and matrix evidence records the explicit denial behavior. - Responses remain canonical and never expose raw credential material or target workload metadata on denied calls. - id: SEC-ARCH-COMPUTE-CROSS-PROJECT-NEGATIVE-TESTS-001 title: Add compute launch cross-project negative tests kind: release-evidence role: backend profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: gpuaas-provisioning owning_layer: tenant-workload-isolation source_paths: - doc/architecture/platform-foundation/Tenant_Authorization_Negative_Matrix_v1.json - cmd/api/routes_v3_launch_submit.go - cmd/api/routes_v3_launch_precheck.go - packages/products/gpuaas/provisioning target_paths: - cmd/api - packages/products/gpuaas/provisioning - .fairway/artifacts review_domains: - backend - security risk_level: high migration_type: compute-cross-project-negative-tests depends_on: - SEC-ARCH-TENANT-AUTHZ-NEGATIVE-MATRIX-001 acceptance_checks: - Negative tests prove compute precheck and submit deny wrong project, wrong org, missing membership, disabled actor, and service-account scope mismatch cases. - Denials return canonical authorization errors and do not leak target allocation, SKU, node, or capacity metadata. - Matrix entry `v3_compute_launch` is updated from partial to covered only after tests exist. - id: SEC-ARCH-STORAGE-BILLING-AUDIT-CROSS-PROJECT-NEGATIVE-TESTS-001 title: Seed storage billing and audit cross-project negative tests kind: release-evidence role: backend profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-readmodels owning_layer: tenant-workload-isolation source_paths: - doc/architecture/platform-foundation/Tenant_Authorization_Negative_Matrix_v1.json - cmd/api/routes_v3_storage_grants.go - cmd/api/routes_v3_readmodels.go - packages/platform/billing - packages/platform/audit target_paths: - cmd/api - packages/platform/billing - packages/platform/audit - packages/platform/storage - .fairway/artifacts review_domains: - backend - security - governance risk_level: high migration_type: storage-billing-audit-cross-project-negative-tests depends_on: - SEC-ARCH-TENANT-AUTHZ-NEGATIVE-MATRIX-001 acceptance_checks: - First-pass negative tests cover storage grant subject-project rejection, storage grant list scope SQL, billing invoice/rated-usage claim-org normalization, and audit/access-evidence resolved query scope. - Any remaining bucket/attachment or deep billing/audit scope gaps are represented by concrete follow-up tasks before this task closes. - Matrix entries `storage_grants` and `billing_audit_readmodels` remain partial until the follow-up tasks attach full coverage evidence. - id: SEC-ARCH-STORAGE-BUCKET-ATTACHMENT-SCOPE-NEGATIVE-TESTS-001 title: Add storage bucket and attachment tenant-scope negative tests kind: release-evidence role: backend profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-storage owning_layer: tenant-workload-isolation source_paths: - doc/architecture/platform-foundation/Tenant_Authorization_Negative_Matrix_v1.json - cmd/api/routes_v3_readmodels.go - cmd/api/routes_v3_storage_attachments.go - cmd/api/routes_v3_storage_mutations.go target_paths: - cmd/api - doc/architecture/platform-foundation/Tenant_Authorization_Negative_Matrix_v1.json - .fairway/artifacts review_domains: - backend - security risk_level: high migration_type: storage-bucket-attachment-scope-negative-tests depends_on: - SEC-ARCH-STORAGE-BILLING-AUDIT-CROSS-PROJECT-NEGATIVE-TESTS-001 acceptance_checks: - Negative tests prove storage bucket list/detail/event queries use resolved project scope, not caller-supplied project or organization filters. - Negative tests prove storage attachment list/get/detach queries are constrained by resolved project, bucket, and attachment id. - Matrix entry `storage_grants` remains partial until these tests are attached or is marked covered only with matching evidence. - id: SEC-ARCH-BILLING-AUDIT-DEEP-SCOPE-NEGATIVE-TESTS-001 title: Add billing and audit deep-scope negative tests kind: release-evidence role: backend profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-billing-audit owning_layer: tenant-workload-isolation source_paths: - doc/architecture/platform-foundation/Tenant_Authorization_Negative_Matrix_v1.json - cmd/api/routes.go - cmd/api/routes_v3_readmodels.go - packages/platform/billing/legacyimpl - packages/platform/audit target_paths: - cmd/api - packages/platform/billing/legacyimpl - packages/platform/audit - doc/architecture/platform-foundation/Tenant_Authorization_Negative_Matrix_v1.json - .fairway/artifacts review_domains: - backend - security risk_level: high migration_type: billing-audit-deep-scope-negative-tests depends_on: - SEC-ARCH-STORAGE-BILLING-AUDIT-CROSS-PROJECT-NEGATIVE-TESTS-001 acceptance_checks: - Negative tests prove billing usage, rated usage, invoice list/get, and budget read models ignore caller-supplied org/project overrides and use resolved claim or membership scope. - Package-level billing/audit SQL tests prove organization/project filters are enforced in query builders or repository calls. - Matrix entry `billing_audit_readmodels` is updated from partial to covered only after deep-scope tests exist. - id: SEC-ARCH-MANAGED-INGRESS-ROUTE-FAMILY-NEGATIVE-TESTS-001 title: Add managed-ingress route-family negative tests kind: release-evidence role: backend profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: managed-ingress owning_layer: tenant-workload-isolation source_paths: - doc/architecture/platform-foundation/Tenant_Authorization_Negative_Matrix_v1.json - doc/architecture/Managed_Ingress_Tenant_Isolation_and_Scaling_v1.md - cmd/api - packages/products/gpuaas/inventory target_paths: - cmd/api - packages/products/gpuaas/inventory - scripts/ci - .fairway/artifacts review_domains: - backend - ops - security risk_level: high migration_type: managed-ingress-route-family-negative-tests depends_on: - SEC-ARCH-TENANT-AUTHZ-NEGATIVE-MATRIX-001 acceptance_checks: - Negative tests cover `api_app`, `browser_app`, `terminal_ws`, and `platform_admin` route-family denial behavior where routed through managed ingress or proxy authz. - Tests include stale route, wrong client auth mode, spoofed identity headers, revoked service account, and project mismatch. - Matrix entry `managed_ingress` is updated from partial to covered only after route-family coverage exists. - id: SEC-ARCH-TERMINAL-CROSS-PROJECT-NEGATIVE-TESTS-001 title: Add terminal cross-project negative tests kind: release-evidence role: backend profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: gpuaas-terminal owning_layer: tenant-workload-isolation source_paths: - doc/architecture/platform-foundation/Tenant_And_Workload_Isolation_Evidence_v1.md - cmd/api - cmd/terminal-gateway - packages/products/gpuaas/terminal target_paths: - cmd/api - cmd/terminal-gateway - packages/products/gpuaas/terminal - .fairway/artifacts review_domains: - backend - ops - security risk_level: high migration_type: terminal-cross-project-negative-tests depends_on: - SEC-ARCH-TENANT-WORKLOAD-ISOLATION-EVIDENCE-001 acceptance_checks: - Negative tests prove a caller cannot mint or open terminal access for another project's allocation or stale/released allocation. - Terminal-gateway session binding rejects cross-allocation/session mismatch and reports user-safe denial. - Redis/session state remains allocation/session scoped and cannot be reused across project boundaries. - id: SEC-ARCH-GPU-SLICE-ISOLATION-EVIDENCE-001 title: Produce GPU slice isolation evidence package kind: architecture-map role: architecture profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: gpuaas-capacity owning_layer: tenant-workload-isolation source_paths: - doc/architecture/platform-foundation/Tenant_And_Workload_Isolation_Evidence_v1.md - doc/architecture/Allocation_Capacity_Shapes_and_GPU_Slices_v1.md - doc/architecture/GPU_Slice_End_to_End_Readiness_Decisions_v1.md - doc/architecture/Node_Agent_Spec.md - packages/products/gpuaas - cmd/node-agent target_paths: - doc/architecture/platform-foundation/GPU_Slice_Isolation_Evidence_v1.md - scripts/ci - .fairway/artifacts review_domains: - architecture - ops - backend - security risk_level: high migration_type: gpu-slice-isolation-evidence depends_on: - SEC-ARCH-TENANT-WORKLOAD-ISOLATION-EVIDENCE-001 acceptance_checks: - Evidence covers approved slot inventory, VFIO/IOMMU group validation, PCI passthrough restrictions, storage/NVMe wipe proof, network identity, and cleanup before slot reuse. - Bare-metal, full-reimage, user-revoke, VM-slice, and future shared GPU shapes have explicit residual-risk language. - Unsupported shapes such as MIG, vGPU, MPS, or arbitrary shared GPU are marked non-current until mechanism and tests exist. - id: SEC-ARCH-FABRIC-RDMA-ISOLATION-EVIDENCE-001 title: Produce fabric and RDMA tenant isolation evidence kind: architecture-map role: architecture profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: gpuaas-network owning_layer: tenant-workload-isolation source_paths: - doc/architecture/platform-foundation/Tenant_And_Workload_Isolation_Evidence_v1.md - doc/architecture/Allocation_Capacity_Shapes_and_GPU_Slices_v1.md - doc/architecture/Network_Attachment_Contract_v1.md - doc/architecture/Slice_Networking_Architecture_v1.md - packages/products/gpuaas target_paths: - doc/architecture/platform-foundation/Fabric_RDMA_Isolation_Evidence_v1.md - scripts/ci - .fairway/artifacts review_domains: - architecture - ops - security - backend risk_level: high migration_type: fabric-rdma-isolation-evidence depends_on: - SEC-ARCH-TENANT-WORKLOAD-ISOLATION-EVIDENCE-001 acceptance_checks: - Evidence states the current IB/RoCE fabric posture, what is isolated by network/device assignment, and what is not yet proven. - No-cross-tenant reachability, VF assignment, route/network policy, and observability checks are defined before dedicated or regulated fabric claims. - Unsupported or environment-specific assumptions become explicit non-claims or follow-up implementation tasks. - id: SEC-ARCH-AUDIT-TAMPER-EVIDENCE-001 title: Design tamper-evident audit and WORM retention maturity path kind: architecture-map role: security profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-audit owning_layer: audit-integrity source_paths: - doc/architecture/platform-foundation/Security_Architecture_Review_Triage_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Schema_v1.md - doc/architecture/db_schema_v1.sql - packages/platform/audit - packages/platform/evidence target_paths: - doc/architecture/platform-foundation/Audit_Tamper_Evidence_and_WORM_Retention_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - packages/platform/audit - packages/platform/evidence - .fairway/artifacts review_domains: - security - architecture - backend - ops - governance risk_level: high migration_type: audit-tamper-evidence-design depends_on: - SEC-ARCH-REVIEW-CURRENT-STATE-DOC-001 - PSSM-PROD-C7-STATUS-EVIDENCE-MATURITY-001 acceptance_checks: - Design distinguishes append-only audit rows from cryptographic immutability and does not overclaim current posture. - Target maturity includes hash-chained batches, signing key custody, external replication, WORM/Object Lock retention profile, separation of duties, and alerting on audit pipeline control changes. - Implementation sequencing identifies baseline production work versus regulated-profile hardening. - id: SEC-ARCH-AUDIT-APPEND-ONLY-DB-GUARD-001 title: Add append-only database guard evidence for platform audit rows kind: boundary-guard role: backend profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-audit owning_layer: audit-integrity source_paths: - doc/architecture/platform-foundation/Audit_Tamper_Evidence_and_WORM_Retention_v1.md - doc/architecture/db_schema_v1.sql - packages/platform/audit - scripts/ci target_paths: - doc/architecture/db_schema_v1.sql - packages/platform/audit - scripts/ci - .fairway/artifacts review_domains: - backend - security - ops - governance risk_level: high migration_type: audit-append-only-db-guard depends_on: - SEC-ARCH-AUDIT-TAMPER-EVIDENCE-001 acceptance_checks: - Application roles cannot update or delete `platform_audit_logs` without an explicit maintenance path. - CI or schema smoke proves the append-only guard exists and fails if it is removed. - Documentation states that this guard reduces mutation risk but is not cryptographic immutability. - id: SEC-ARCH-AUDIT-HASH-CHAIN-BATCH-WORKER-001 title: Implement hash-chained audit batch manifests and verifier evidence kind: release-evidence role: backend profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-audit owning_layer: audit-integrity source_paths: - doc/architecture/platform-foundation/Audit_Tamper_Evidence_and_WORM_Retention_v1.md - packages/platform/audit - packages/platform/evidence target_paths: - packages/platform/audit - packages/platform/evidence - scripts/ci - doc/operations - .fairway/artifacts review_domains: - backend - security - architecture - ops risk_level: high migration_type: audit-hash-chain-batch-worker depends_on: - SEC-ARCH-AUDIT-APPEND-ONLY-DB-GUARD-001 acceptance_checks: - Audit rows can be canonicalized into deterministic record digests with tests. - Batch manifests include sequence, previous hash, root hash, covered row range, and verifier result. - Status/evidence surfaces report batch freshness and hash-chain continuity. - id: SEC-ARCH-AUDIT-WORM-REPLICATION-GATE-001 title: Add signed audit replication and WORM retention readiness gate kind: release-evidence role: ops profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-audit owning_layer: audit-integrity source_paths: - doc/architecture/platform-foundation/Audit_Tamper_Evidence_and_WORM_Retention_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - packages/platform/evidence - scripts/ci target_paths: - packages/platform/evidence - scripts/ci - doc/operations - .fairway/artifacts review_domains: - ops - security - architecture - governance risk_level: high migration_type: audit-worm-replication-gate depends_on: - SEC-ARCH-AUDIT-HASH-CHAIN-BATCH-WORKER-001 acceptance_checks: - Signed audit batch manifests are replicated outside the primary database control plane. - Evidence records replication URI, signer key id, replication freshness, and retention profile. - WORM/Object Lock claims require retention policy evidence, separation-of-duties evidence, and alert coverage. - id: SEC-ARCH-NODE-TRUST-HARDENING-001 title: Define node trust hardening roadmap for enrollment, TPM, secure boot, and attestation kind: architecture-map role: architecture profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: node-runtime owning_layer: node-trust source_paths: - doc/architecture/platform-foundation/Security_Architecture_Review_Triage_v1.md - doc/architecture/Node_Agent_Spec.md - doc/architecture/PKI_Spec.md - doc/architecture/Node_Task_Signing_Lifecycle_v1.md - doc/architecture/MAAS_Bare_Metal_Lifecycle_v1.md - packages/platform/maas - cmd/node-agent target_paths: - doc/architecture/platform-foundation/Node_Trust_Hardening_Roadmap_v1.md - doc/architecture/Node_Agent_Spec.md - doc/architecture/PKI_Spec.md - doc/operations/runbooks - .fairway/artifacts review_domains: - architecture - security - ops - backend risk_level: high migration_type: node-trust-hardening-roadmap depends_on: - SEC-ARCH-REVIEW-CURRENT-STATE-DOC-001 - PSSM-PROD-C2-CREDENTIAL-CUSTODY-001 acceptance_checks: - Roadmap classifies current enrollment token and mTLS controls, known residual risk, and target posture for TPM key storage, secure/measured boot, attestation, firmware/BMC trust, node quarantine, and re-enrollment. - Baseline production requirements are separated from regulated-profile hardware-root requirements. - Any code or runbook tasks needed for token approval, quarantine, or cert recovery are created as follow-ups. - id: SEC-ARCH-REGULATED-CRYPTO-KEY-CUSTODY-001 title: Define regulated-profile crypto and key-custody decision package kind: architecture-map role: security profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-security owning_layer: regulated-crypto-key-custody source_paths: - doc/architecture/platform-foundation/Security_Architecture_Review_Triage_v1.md - doc/architecture/Encryption_Envelope_Spec.md - doc/architecture/Platform_Access_Credential_Model_v1.md - doc/architecture/platform-foundation/Secrets_PKI_Runtime_Trust_Model_v1.md - doc/architecture/Platform_Vault_Secrets_Baseline_v1.md - doc/architecture/Cert_Manager_Integration_v1.md target_paths: - doc/architecture/platform-foundation/Regulated_Crypto_And_Key_Custody_Decision_Package_v1.md - doc/architecture/Encryption_Envelope_Spec.md - doc/architecture/platform-foundation/Secrets_PKI_Runtime_Trust_Model_v1.md - doc/operations/runbooks review_domains: - security - architecture - ops - governance risk_level: high migration_type: regulated-crypto-key-custody depends_on: - SEC-ARCH-COMPLIANCE-SCOPE-MATRIX-001 - SEC-ARCH-NODE-TRUST-HARDENING-001 acceptance_checks: - Decision package states which crypto/key-custody requirements apply to baseline production versus regulated profiles. - FIPS modules, HSM-backed KEKs, Vault Enterprise/FIPS or managed KMS/HSM, WireGuard versus IPsec, and CMVP evidence expectations are explicitly dispositioned. - Current docs stop implying FIPS/HSM/FedRAMP crypto posture until corresponding evidence exists. - id: SEC-ARCH-RETENTION-ERASURE-MATRIX-001 title: Create data classification, retention, legal hold, and erasure matrix kind: architecture-map role: governance profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: data-governance owning_layer: retention-erasure source_paths: - doc/architecture/platform-foundation/Security_Architecture_Review_Triage_v1.md - doc/operations/Enterprise_Readiness_Gap_Work_Plan_v1.md - doc/architecture/Data_Tiering_and_Database_Operations_Work_Plan_v1.md - doc/architecture/Billing_Platform_Overhaul_v1.md - doc/architecture/db_schema_v1.sql - doc/architecture/Managed_Ingress_Tenant_Isolation_and_Scaling_v1.md target_paths: - doc/governance/Data_Classification_Retention_And_Erasure_Matrix_v1.md - doc/architecture/Data_Tiering_and_Database_Operations_Work_Plan_v1.md - doc/operations review_domains: - governance - security - architecture - billing - ops risk_level: high migration_type: retention-erasure-matrix depends_on: - SEC-ARCH-COMPLIANCE-SCOPE-MATRIX-001 acceptance_checks: - Matrix covers audit logs, usage/rating/ledger lines, payment records, support/incident data, runtime/app logs, backups, object/storage data, legal hold, deletion, and pseudonymization behavior. - Retention language reconciles privacy erasure with audit/ledger/legal retention instead of promising blanket deletion where compliance metadata remains. - Open implementation gaps become Fairway tasks with owner and profile scope. - id: SEC-ARCH-INCIDENT-SOC-MODEL-001 title: Define incident notification and SOC operating model kind: architecture-map role: ops profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-ops owning_layer: incident-soc source_paths: - doc/architecture/platform-foundation/Security_Architecture_Review_Triage_v1.md - doc/operations/Enterprise_Readiness_Gap_Work_Plan_v1.md - doc/operations/Ops_Runbook_Architecture.md - doc/operations/SRE_Runbook_Index.md - doc/operations/Incident_Severity_Model.md - doc/operations/runbooks - packages/platform/statusops target_paths: - doc/operations/Incident_Notification_And_SOC_Operating_Model_v1.md - doc/operations/SRE_Runbook_Index.md - packages/platform/statusops - .fairway/artifacts review_domains: - ops - security - governance - architecture risk_level: medium migration_type: incident-soc-operating-model depends_on: - SEC-ARCH-COMPLIANCE-SCOPE-MATRIX-001 - PSSM-PROD-C7-STATUS-EVIDENCE-MATURITY-001 acceptance_checks: - Operating model defines severity, SOC/on-call coverage assumptions, MTTA/MTTD targets, customer/regulator notification matrix, evidence custody, and post-incident review requirements. - Existing runbooks are linked into the model and gaps become named follow-up tasks. - Status/Ops evidence model can represent incident posture without relying on direct SQL. - id: SEC-ARCH-INCIDENT-STATUSOPS-POSTURE-001 title: Add incident posture fields to Status/Ops evidence model kind: architecture-map role: backend profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-ops owning_layer: incident-soc source_paths: - doc/operations/Incident_Notification_And_SOC_Operating_Model_v1.md - packages/platform/statusops - scripts/ci/platform_status_snapshot.sh target_paths: - doc/api - packages/platform/statusops - scripts/ci - doc/operations - .fairway/artifacts review_domains: - backend - ops - security - architecture risk_level: medium migration_type: incident-statusops-posture depends_on: - SEC-ARCH-INCIDENT-SOC-MODEL-001 acceptance_checks: - Status/Ops evidence/read-model can represent incident id, severity, status, classification, affected surfaces, timestamps, owner domains, runbook ids, notification state, and post-incident review state. - Operators can inspect incident posture without direct SQL. - Evidence is sanitized and does not expose secrets, raw customer data, or unapproved incident material. - id: SEC-ARCH-INCIDENT-NOTIFICATION-TEMPLATE-001 title: Create incident notification templates and approval gates kind: architecture-map role: governance profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-ops owning_layer: incident-soc source_paths: - doc/operations/Incident_Notification_And_SOC_Operating_Model_v1.md - doc/operations/runbooks/Incident_Communication_Runbook.md target_paths: - doc/operations - .fairway/artifacts review_domains: - governance - ops - security risk_level: medium migration_type: incident-notification-template depends_on: - SEC-ARCH-INCIDENT-SOC-MODEL-001 acceptance_checks: - Internal, customer, security, legal, and regulator notification templates exist with approval gates and redaction rules. - Templates distinguish outage, security incident, tenant isolation, secret exposure, and billing/ledger integrity scenarios. - Templates avoid unapproved compliance claims and jurisdiction-specific legal commitments. - id: SEC-ARCH-INCIDENT-RUNBOOK-CATALOG-GAP-001 title: Verify incident runbook catalog coverage for SOC model kind: architecture-map role: ops profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-ops owning_layer: incident-soc source_paths: - doc/operations/Incident_Notification_And_SOC_Operating_Model_v1.md - doc/operations/Ops_Runbook_Architecture.md - doc/operations/runbooks target_paths: - doc/operations/runbooks/runbooks.catalog.json - doc/operations - .fairway/artifacts review_domains: - ops - governance - architecture risk_level: medium migration_type: incident-runbook-catalog-gap depends_on: - SEC-ARCH-INCIDENT-SOC-MODEL-001 acceptance_checks: - Runbook filenames, stable runbook ids, severity hints, signal mappings, owner teams, and last-reviewed dates cover the incident/SOC model. - Missing incident classes become scoped runbook tasks. - Admin Ops/runbook catalog can route incident classes without direct SQL or ad hoc file lookup. - id: SEC-ARCH-SUPPLY-CHAIN-EVIDENCE-GATE-001 title: Complete supply-chain SBOM, provenance, signing, and release evidence gate kind: release-evidence role: ops profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: release-engineering owning_layer: supply-chain-evidence source_paths: - doc/architecture/platform-foundation/Security_Architecture_Review_Triage_v1.md - doc/operations/GPUaaS_Security_CD_Current_State_Gap_Roadmap_v1.md - doc/architecture/Next_Environment_Release_and_GitOps_Model_v1.md - doc/architecture/App_Artifact_Trust_and_Promotion_v1.md - scripts/ci/package_and_attest.sh - scripts/ci target_paths: - scripts/ci/package_and_attest.sh - scripts/ci - doc/operations/GPUaaS_Security_CD_Current_State_Gap_Roadmap_v1.md - .fairway/artifacts review_domains: - ops - security - governance - architecture risk_level: high migration_type: supply-chain-evidence-gate depends_on: - PSSM-PROD-C9-RELEASE-PROFILE-GATES-001 - SEC-ARCH-COMPLIANCE-SCOPE-MATRIX-001 acceptance_checks: - Release packaging produces SBOM, signed SBOM, image/artifact signature, provenance attestation, and release evidence references for supported artifacts. - CI runner/secrets exposure assumptions and exception handling are documented. - Release/profile gate can block production promotion when required supply-chain evidence is missing. - id: SEC-PROD-SCAN-ENFORCEMENT-GATE-001 title: Enforce SAST, SCA, secrets, image, and DAST findings in production promotion gates kind: release-evidence role: security profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: appsec owning_layer: security-scan-enforcement source_paths: - .fairway/artifacts/group42-devsecops-policy-gap-map-2026-06-04.md - doc/operations/GPUaaS_Security_CD_Current_State_Gap_Roadmap_v1.md - doc/operations/Security_Scan_Triage_2026-04-01.md - doc/operations/Platform_Control_Release_Pipeline_Model.md - doc/governance/CI_Enforcement_Checklist.md - scripts/ci - .gitlab-ci.yml target_paths: - scripts/ci - .gitlab-ci.yml - doc/operations/GPUaaS_Security_CD_Current_State_Gap_Roadmap_v1.md - doc/governance/CI_Enforcement_Checklist.md - .fairway/artifacts review_domains: - security - ops - governance - backend - frontend risk_level: high migration_type: security-scan-promotion-enforcement depends_on: - SEC-ARCH-COMPLIANCE-SCOPE-MATRIX-001 - OPS-PROD-READINESS-MAP-001 acceptance_checks: - SAST, SCA/dependency, secret, image/container, and DAST scan outputs are wired into release/profile evidence with machine-readable summaries. - Critical and high findings fail production promotion unless an approved exception exists with owner, expiry, impact, and compensating control. - Skipped or unavailable scanners produce explicit blocked/waived evidence instead of silently passing. - CI/local reproduction commands are documented and scan artifacts are attached to Fairway evidence. - id: SEC-PROD-VULNERABILITY-SLA-001 title: Define vulnerability remediation SLA, escalation, and evidence model kind: architecture-map role: security profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: appsec owning_layer: vulnerability-governance source_paths: - .fairway/artifacts/group42-devsecops-policy-gap-map-2026-06-04.md - doc/operations/GPUaaS_Security_CD_Current_State_Gap_Roadmap_v1.md - doc/operations/Security_Scan_Triage_2026-04-01.md - doc/operations/Parallel_Ops_Track.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md target_paths: - doc/operations/Vulnerability_Remediation_SLA_v1.md - doc/operations/GPUaaS_Security_CD_Current_State_Gap_Roadmap_v1.md - .fairway/artifacts review_domains: - security - ops - governance - architecture risk_level: high migration_type: vulnerability-sla-governance depends_on: - SEC-PROD-SCAN-ENFORCEMENT-GATE-001 acceptance_checks: - Severity model defines remediation clocks, including critical vulnerability target, clock start/stop rules, owner assignment, escalation, and accepted-risk path. - SLA evidence reports open, overdue, remediated, waived, and resurfaced vulnerabilities by owner and environment profile. - Release gates can distinguish new critical/high findings from existing approved exceptions. - Runbook states how security, ops, and product owners triage and close vulnerability findings. - id: SEC-PROD-VULNERABILITY-SLA-SUMMARY-PRODUCER-001 title: Produce machine-readable vulnerability SLA posture from scan and exception evidence kind: release-evidence role: security profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: appsec owning_layer: vulnerability-governance source_paths: - doc/operations/Vulnerability_Remediation_SLA_v1.md - scripts/ci/security_promotion_gate.sh - doc/governance/security_scan_exceptions.json - dist/security - dist/release-hardening target_paths: - scripts/ci - doc/operations/Vulnerability_Remediation_SLA_v1.md - .fairway/artifacts review_domains: - security - ops - governance - backend risk_level: high migration_type: vulnerability-sla-evidence-producer depends_on: - SEC-PROD-VULNERABILITY-SLA-001 - SEC-PROD-WAIVER-GOVERNANCE-001 acceptance_checks: - CI/local helper emits vulnerability SLA JSON and Markdown summaries from scanner summaries and the exception registry. - Summary includes open, overdue, remediated, waived, resurfaced, and false-positive counts by owner and environment profile. - High/critical overdue or expired-exception findings are classified as release-blocking in enforce mode. - Smoke fixtures cover clean, overdue, waived, expired-waiver, and resurfaced cases. - id: SEC-PROD-PRIVILEGED-JIT-ACCESS-001 title: Define privileged JIT access, elevation, and break-glass operating model kind: architecture-map role: security profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-security owning_layer: privileged-access source_paths: - .fairway/artifacts/group42-devsecops-policy-gap-map-2026-06-04.md - doc/architecture/IAM_MFA_Policy_and_Keycloak_Enforcement_v1.md - doc/architecture/Platform_IAM_Model_v1.md - doc/operations/runbooks/IAM_MFA_Enrollment_Reset_and_Breakglass_Runbook.md - doc/architecture/platform-foundation/Security_Architecture_Review_Triage_v1.md target_paths: - doc/architecture/platform-foundation/Privileged_JIT_Access_Model_v1.md - doc/operations/runbooks - .fairway/artifacts review_domains: - security - ops - governance - architecture - backend risk_level: high migration_type: privileged-jit-access-model depends_on: - IAM-MFA-EPIC - OPS-PROD-IAM-KEYCLOAK-HA-001 acceptance_checks: - Model separates MFA authentication from time-bound privileged elevation and maps platform_superadmin, platform_admin, platform_ops, tenant admin, service account, and break-glass paths. - Sensitive privileged operations define required approval, maximum elevation duration, audit fields, revocation behavior, and emergency rollback. - Break-glass access is documented with owner, storage/custody, use approval, post-use review, and evidence expectations. - Implementation gaps for Keycloak, policy, audit, or UX become named follow-up tasks before closure. - id: SEC-PROD-WAIVER-GOVERNANCE-001 title: Define security waiver governance, expiry, and release-blocking evidence kind: architecture-map role: governance profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: governance owning_layer: waiver-governance source_paths: - .fairway/artifacts/group42-devsecops-policy-gap-map-2026-06-04.md - doc/architecture/platform-foundation/Platform_Foundation_Guard_Graduation_Plan_v1.md - doc/governance/CI_Enforcement_Checklist.md - doc/operations/GPUaaS_Security_CD_Current_State_Gap_Roadmap_v1.md - .fairway/platform-foundation-implementation-track.yaml target_paths: - doc/governance/Security_Waiver_Governance_v1.md - doc/operations/GPUaaS_Security_CD_Current_State_Gap_Roadmap_v1.md - .fairway/artifacts review_domains: - governance - security - ops - architecture risk_level: high migration_type: security-waiver-governance depends_on: - SEC-PROD-SCAN-ENFORCEMENT-GATE-001 - PSSM-STABILIZATION-FIRST-EXIT-GATE-001 acceptance_checks: - Waiver schema includes control, finding, owner, approver, reason, expiry, environment scope, compensating control, and follow-up task. - Monthly review and expired-waiver handling are documented, including release-blocking behavior for expired critical/high waivers. - Fairway evidence can distinguish pass, blocked, waived, expired, and deferred controls without relying on chat history. - Existing stabilization exceptions and guard acknowledgements are reconciled with the waiver model or explicitly scoped out. - id: SEC-PROD-WAIVER-SUMMARY-CHECK-001 title: Produce waiver summary and expiry check evidence for release packets kind: release-evidence role: governance profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: governance owning_layer: waiver-governance source_paths: - doc/governance/Security_Waiver_Governance_v1.md - doc/governance/security_scan_exceptions.json - doc/architecture/platform-foundation/guard-allowed-debt.tsv - scripts/ci target_paths: - scripts/ci - doc/governance/Security_Waiver_Governance_v1.md - .fairway/artifacts review_domains: - governance - security - ops - backend risk_level: high migration_type: waiver-summary-evidence-producer depends_on: - SEC-PROD-WAIVER-GOVERNANCE-001 acceptance_checks: - CI/local helper emits waiver summary JSON and Markdown with active, expired, deferred, invalid, and not_applicable counts. - Expired critical/high or launch-sensitive waivers are classified as release-blocking in enforce mode. - Helper validates required waiver fields, environment scope, follow-up task, and approver. - Smoke fixtures cover active, expired, invalid, deferred, and out-of-scope waiver records. - id: SEC-PROD-DEVSECOPS-METRICS-DASHBOARD-001 title: Define DevSecOps control metrics and risk burn-down dashboard kind: frontend-contract role: security profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: platform-security owning_layer: devsecops-metrics source_paths: - .fairway/artifacts/group42-devsecops-policy-gap-map-2026-06-04.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Frontend_Contract_v1.md - doc/operations/GPUaaS_Security_CD_Current_State_Gap_Roadmap_v1.md - doc/operations/Parallel_Ops_Track.md target_paths: - doc/architecture/platform-foundation/DevSecOps_Control_Metrics_Dashboard_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Frontend_Contract_v1.md - .fairway/artifacts review_domains: - security - ops - governance - frontend - architecture risk_level: medium migration_type: devsecops-metrics-dashboard depends_on: - SEC-PROD-SCAN-ENFORCEMENT-GATE-001 - SEC-PROD-VULNERABILITY-SLA-001 - SEC-PROD-WAIVER-GOVERNANCE-001 - SEC-ARCH-SUPPLY-CHAIN-EVIDENCE-GATE-001 acceptance_checks: - Metrics model covers enforced pipeline adoption, SBOM/signature coverage, vulnerability SLA posture, expired waivers, risk arrival, burn-down, survival, and escape rates. - Dashboard/read-model source of truth is mapped to platform evidence/status, CI artifacts, scan summaries, and waiver records. - Monthly and quarterly reporting expectations are documented with owners and stale-data handling. - Implementation work is split into follow-up API/frontend tasks if existing evidence/status surfaces cannot represent the metrics. - id: PSSM-APP-SDK-POST-UAT-GAP-SWEEP-001 title: Revalidate UAT app fixes against App SDK contract ownership kind: architecture-map role: architecture profile: platform-foundation owning_domain: appplatform owning_layer: sdk-contract source_paths: - doc/architecture/platform-foundation/App_SDK_Readiness_Matrix_v1.md - doc/architecture/App_SDK_Design_Principles_v1.md - doc/architecture/Launchable_OCI_Workload_Profile_Contract_v1.md - doc/architecture/App_Artifact_Trust_and_Promotion_v1.md - doc/operations/Demo_UAT_Flow_Coverage_Matrix_v1.md - packages/products/appplatform/sdk - packages/products/appplatform/catalog - packages/products/appplatform/runtime - scripts/ops - scripts/seed.sql target_paths: - doc/architecture/platform-foundation/App_SDK_Readiness_Matrix_v1.md - packages/products/appplatform/sdk - packages/docs/docs/build-on-gpuaas - scripts/ops - .fairway/artifacts review_domains: - architecture - backend - product - app-developer - ops risk_level: high migration_type: app-sdk-post-uat-gap-sweep depends_on: - PF-APP-SDK-READINESS-MATRIX-001 - PSS-APP-SDK-READINESS-EXECUTION-001 acceptance_checks: - UAT app fixes are classified as runtime fix, catalog/manifest change, or SDK/developer contract change. - Any catalog/manifest or SDK/developer contract change has a matching manifest fixture, validator, SDK example, portal page, or named follow-up task. - Remaining seed/runtime-only app assumptions are listed with owner, app slug, contract family, and production impact. - Failure-contract gaps for app-auth, upstream 503, missing token, bad route, unavailable artifact, and node-task timeout are dispositioned. - Recommended next implementation tasks are ordered without reopening completed PSSM foundation slices. - id: PSSM-DEV-AUTH-SCHEMA-DRIFT-LOGIN-001 title: Repair dev/kind OIDC login schema drift kind: bug role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-auth owning_layer: schema-ops source_paths: - doc/architecture/db_schema_v1.sql - packages/platform/auth/legacyimpl/service.go - cmd/api/routes.go - scripts/ops/platform_auth_schema_repair.sh target_paths: - scripts/ops/platform_auth_schema_repair.sh - dist/uat/dev - dist/uat/kind - .fairway/artifacts review_domains: - ops - backend - security risk_level: high migration_type: auth-schema-drift acceptance_checks: - Dev and kind have the OIDC identity and account-session partial unique indexes required by the auth callback exchange path. - Browser SSO login as dev-admin reaches the authenticated shell instead of the Sign in required callback error. - Evidence captures the original correlation ID, schema drift repair output, and post-repair login/API verification. - The repair path is idempotent and limited to indexes already present in canonical db_schema_v1.sql. - id: PSSM-SCHEMA-CONFLICT-TARGET-GUARD-001 title: Add schema guard for ON CONFLICT targets after PSSM migration kind: boundary-guard role: governance profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-foundation owning_layer: schema-ci source_paths: - doc/architecture/db_schema_v1.sql - cmd - packages - scripts target_paths: - scripts/ci/postgres_conflict_target_guard.sh - .fairway/artifacts - dist/uat/kind - dist/uat/dev review_domains: - backend - ops - governance risk_level: high migration_type: schema-contract-guard depends_on: - PSSM-DEV-AUTH-SCHEMA-DRIFT-LOGIN-001 acceptance_checks: - Guard verifies every critical runtime ON CONFLICT target has a matching unique or primary-key index on the active physical table. - Guard checks partial-index predicates for deleted-at, provider-session, OIDC identity, idempotency, and active-runtime conflict targets. - Guard runs successfully against kind and dev after the auth schema repair. - CI/local evidence records the guard output before any further UAT run. - id: PSSM-LEGACY-TABLE-RETIREMENT-001 title: Retire legacy tables after PSSM physical ownership split kind: boundary-guard role: governance profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-foundation owning_layer: schema-migration source_paths: - doc/architecture/db_schema_v1.sql - packages - cmd - scripts target_paths: - scripts/ci - scripts/ops - dist/uat/kind - dist/uat/dev - .fairway/artifacts review_domains: - backend - ops - governance - security tags: - program:pssm-closeout - program:stabilization - surface:schema - gate:schema-owner - work-type:migration risk_level: high migration_type: legacy-table-retirement depends_on: - PSSM-SCHEMA-CONFLICT-TARGET-GUARD-001 acceptance_checks: - Inventory every legacy table that coexists with a platform/product-owned replacement. - Prove active code has no direct references to retired legacy table names outside approved migration/repair scripts. - Produce row-count and key-parity evidence before any destructive action. - Quarantine legacy tables in kind first using rename or access revocation, then run smoke/UAT. - Apply the same retirement path to dev only after kind passes. - Do not drop legacy tables until backup/parity evidence and rollback steps are recorded. - id: PSSM-POST-UAT-STABILIZATION-RUN-20260604 title: Complete post-PSSM kind and dev UAT stabilization run kind: release-evidence role: orchestrator profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-foundation owning_layer: uat-evidence status: done completed_at: "2026-06-04" source_paths: - .fairway/artifacts/post-pssm-uat-learning-gaps.md - .fairway/artifacts/pssm-post-uat-retrospective-2026-06-04.md - dist/uat/kind - dist/uat/dev - scripts/ops/demo_uat_package.sh - scripts/ops/demo_uat_mutating.sh - scripts/ops/demo_openai_endpoint_smoke.sh - scripts/ops/kind_uat_prereq_baseline.sh target_paths: - dist/uat/kind - dist/uat/dev - .fairway/artifacts/post-pssm-uat-learning-gaps.md - .fairway/artifacts/pssm-post-uat-retrospective-2026-06-04.md review_domains: - orchestrator - ops - backend - frontend - product - architecture risk_level: high migration_type: post-pssm-uat-stabilization-run depends_on: - PSSM-SCHEMA-CONFLICT-TARGET-GUARD-001 acceptance_checks: - Completed the long post-PSSM kind/dev UAT stabilization loop after the platform/shared-service migration. - Repaired and verified issues across login/schema drift, stale deployed images, MAAS-LXD and Proxmox provider handoff, compute lifecycle, terminal, app runtime, private OCI pull, managed ingress, OpenAI endpoint, billing/usage attribution, scheduler prerequisites, and clean-log findings. - Captured learning gaps showing why expensive full UAT exposed defects that should move into pre-UAT gates. - Created follow-up readiness and completeness tasks so future UAT is an integrated validation step, not the first detector for deployment, fixture, schema, SDK/runtime, route, or harness defects. - Evidence and retrospective are recorded under `dist/uat/`, `.fairway/artifacts/post-pssm-uat-learning-gaps.md`, and `.fairway/artifacts/pssm-post-uat-retrospective-2026-06-04.md`. - id: PSSM-UAT-READINESS-GATES title: Build blocking pre-UAT readiness gates after post-PSSM UAT learnings kind: epic role: orchestrator profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-foundation owning_layer: uat-readiness source_paths: - .fairway/artifacts/post-pssm-uat-learning-gaps.md - .fairway/artifacts/pssm-uat-readiness-code-sweep-2026-06-04.md - .fairway/artifacts/pssm-post-uat-retrospective-2026-06-04.md - scripts/ci - scripts/ops - packages/web/e2e - packages/products/appplatform - cmd - infra/k8s target_paths: - scripts/ci - scripts/ops - packages/web/e2e - doc/operations - .fairway/artifacts - dist/uat review_domains: - architecture - ops - backend - frontend - governance risk_level: high migration_type: post-pssm-uat-readiness depends_on: - PSSM-PRODUCTION-COMPLETION-BACKLOG acceptance_checks: - Current UAT runbook failures are classified into prevention layers before the next full UAT starts. - UAT completeness is defined by persona/workflow/invariant coverage, not only by whether the current shell package exits green. - Pre-UAT readiness has explicit pass/fail/blocked/skip semantics and writes durable evidence. - Full UAT is not the first place that deployed image freshness, baseline prerequisites, SDK/runtime contracts, route data-plane, or clean-log assertions are evaluated. - Any approved bypass records owner, reason, expiry, and follow-up Fairway task. - id: PSSM-UAT-RUNBOOK-GAP-TAXONOMY-001 title: Classify post-PSSM UAT runbook failures into prevention layers kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-UAT-READINESS-GATES owning_domain: platform-foundation owning_layer: uat-readiness source_paths: - .fairway/artifacts/post-pssm-uat-learning-gaps.md - .fairway/artifacts/pssm-uat-readiness-code-sweep-2026-06-04.md - .fairway/artifacts/pssm-post-uat-retrospective-2026-06-04.md - dist/uat - scripts/ops/demo_uat_package.sh target_paths: - .fairway/artifacts/post-pssm-uat-learning-gaps.md - doc/operations/runbooks review_domains: - architecture - ops - governance risk_level: high migration_type: uat-gap-taxonomy depends_on: - PSSM-UAT-READINESS-GATES acceptance_checks: - Each UAT-discovered issue is classified as missing unit/component regression, static contract/config guard, deployed-image freshness check, live prerequisite gate, SDK/runtime proof, observability clean-log assertion, harness defect, or true UAT-only workflow issue. - The runbook identifies which failures should have blocked before deploy, before UAT, or during targeted smoke. - Every non-UAT-only issue has a Fairway follow-up task or is linked to an existing one. - id: PSSM-UAT-COVERAGE-COMPLETENESS-MATRIX-001 title: Define post-PSSM UAT completeness matrix for kind and dev kind: architecture-map role: architecture profile: platform-foundation parent_id: PSSM-UAT-READINESS-GATES owning_domain: platform-foundation owning_layer: uat-coverage source_paths: - doc/operations/Demo_UAT_Flow_Coverage_Matrix_v1.md - .fairway/artifacts/post-pssm-uat-learning-gaps.md - .fairway/artifacts/pssm-uat-readiness-code-sweep-2026-06-04.md - dist/uat - scripts/ops/demo_uat_package.sh - packages/web/e2e target_paths: - doc/operations/Platform_UAT_Completeness_Matrix_v1.md - scripts/ops - .fairway/artifacts - dist/uat review_domains: - product - architecture - ops - backend - frontend - app-developer risk_level: high migration_type: uat-coverage-completeness depends_on: - PSSM-UAT-RUNBOOK-GAP-TAXONOMY-001 acceptance_checks: - Completeness matrix names required personas, workflows, product invariants, automation layer, environment lane, and evidence artifact for kind and dev. - Matrix distinguishes required coverage from environment-conditional coverage, approved skips, and future/demo-only coverage. - Current UAT package gaps are listed with Fairway task IDs before any full UAT run is called complete. - Full UAT summary can be mapped back to the matrix so a green script exit cannot hide untested critical workflows. - id: PSSM-UAT-PREDEPLOY-SERVICE-FRESHNESS-GATE-001 title: Add touched-service deployed image freshness gate before UAT kind: boundary-guard role: ops profile: platform-foundation parent_id: PSSM-UAT-READINESS-GATES owning_domain: platform-foundation owning_layer: deploy-readiness source_paths: - scripts/ci/platform_control_fast_preflight.sh - scripts/ci/platform_control_remote_preflight.sh - scripts/ci/platform_control_remote_validation.sh - scripts/ci/platform_control_change_aware_preflight.sh - scripts/ci/platform_control_release_conformance.sh - scripts/ci/platform_control_node_agent_version_conformance.sh - scripts/ci/platform_status_snapshot.sh - doc/architecture/Production_Deployment_Readiness_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Slice_v1.md - doc/architecture/platform-foundation/Platform_Evidence_Status_Frontend_Contract_v1.md - .fairway/artifacts/pssm-uat-readiness-code-sweep-2026-06-04.md - infra/k8s - cmd - packages target_paths: - scripts/ci - scripts/ops - dist/uat - .fairway/artifacts review_domains: - ops - backend - governance risk_level: high migration_type: deployed-image-freshness depends_on: - PSSM-UAT-RUNBOOK-GAP-TAXONOMY-001 acceptance_checks: - Pre-UAT gate maps changed files/packages to impacted binaries, including API, workers, terminal gateway, node-agent, app-runtime, controllers, and web. - Gate verifies deployed pods or runtime endpoints report the expected source SHA/image digest for every impacted binary. - Stale deployed image evidence fails before UAT starts and names the binary, expected digest/SHA, actual digest/SHA, and remediation command. - Freshness result is represented as Status/Ops component-status evidence so the operator status page can show expected-vs-actual SHA/digest drift for touched services. - Existing release conformance and node-agent version conformance scripts are reused or extended rather than creating an unrelated UAT-only checker. - Kind and dev profiles are covered without requiring direct SQL. - id: PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 title: Convert critical integration and trace smokes from warn-only to readiness-gated kind: boundary-guard role: governance profile: platform-foundation parent_id: PSSM-UAT-READINESS-GATES owning_domain: platform-foundation owning_layer: ci-readiness source_paths: - scripts/ci/integration_smoke.sh - scripts/ops/allocation_trace_path_smoke.sh - scripts/ops/app_runtime_trace_smoke.sh - scripts/ci/README.md target_paths: - scripts/ci - scripts/ops - .fairway/artifacts review_domains: - governance - ops - backend risk_level: high migration_type: integration-smoke-hardening depends_on: - PSSM-UAT-RUNBOOK-GAP-TAXONOMY-001 acceptance_checks: - CI distinguishes intentionally skipped integration tests from unavailable infrastructure and records the reason. - Pre-UAT mode fails when DB-backed integration, allocation trace, or app-runtime trace smoke prerequisites are unavailable. - Allocation and app-runtime trace smokes can remain report-only in ordinary PR CI but are blocking in pre-UAT readiness mode. - Documentation states which mode is required before full UAT. - id: PSSM-UAT-LIVE-PREREQ-GATE-001 title: Promote live UAT prerequisite setup into a named blocking readiness phase kind: boundary-guard role: ops profile: platform-foundation parent_id: PSSM-UAT-READINESS-GATES owning_domain: platform-foundation owning_layer: uat-prerequisites source_paths: - scripts/ops/kind_uat_prereq_baseline.sh - scripts/ops/demo_uat_package.sh - scripts/ops/demo_supported_app_matrix.sh - scripts/ops/demo_openai_endpoint_smoke.sh - scripts/ops/env_profile_verify.sh target_paths: - scripts/ops - doc/operations/runbooks - dist/uat - .fairway/artifacts review_domains: - ops - product - backend - frontend risk_level: high migration_type: uat-prereq-gate depends_on: - PSSM-UAT-RUNBOOK-GAP-TAXONOMY-001 acceptance_checks: - UAT has a separate setup/prereq phase that creates or verifies SSH key, project, storage, service account, capacity, app artifact, app route, and environment profile prerequisites. - Missing prerequisites are reported as BLOCKED/SKIP with owning layer and follow-up task, not as product workflow failures. - Read-only and mutating UAT phases consume the prereq evidence instead of re-discovering baseline state. - Cleanup/retention decisions for prerequisite resources are explicit. - id: PSSM-UAT-APP-SDK-LIVE-CONTRACT-GATE-001 title: Add live App SDK launch/connect/decommission readiness proof kind: boundary-guard role: backend profile: platform-foundation parent_id: PSSM-UAT-READINESS-GATES owning_domain: appplatform owning_layer: app-sdk-runtime-contract source_paths: - scripts/ops/app_sdk_launch_connect_decommission_smoke.sh - scripts/ops/app_sdk_live_launch_connect_decommission_smoke.sh - packages/products/appplatform/sdk - packages/products/appplatform/runtime - cmd/node-agent - packages/web/e2e/v3-live-app-runtime-smoke.spec.ts target_paths: - scripts/ops - packages/products/appplatform/sdk - packages/products/appplatform/runtime - dist/uat - .fairway/artifacts review_domains: - backend - app-developer - ops - product risk_level: high migration_type: app-sdk-live-readiness depends_on: - PSSM-UAT-LIVE-PREREQ-GATE-001 acceptance_checks: - App SDK readiness evidence separates contract-only proof from live runtime proof. - At least one launchable OCI app proves manifest defaults, artifact pull, launch, route readiness, connect, billing/usage metadata, and decommission through public APIs. - Failures are classified by SDK contract, app-runtime, node-agent, managed ingress, artifact registry, or environment prerequisite. - Evidence does not print credentials or tokens. - id: PSSM-APP-SDK-MANAGED-INGRESS-ROUTE-UNIQUENESS-001 title: Fix App SDK live managed-ingress duplicate route intent kind: bug role: backend profile: platform-foundation parent_id: PSSM-UAT-APP-SDK-LIVE-CONTRACT-GATE-001 owning_domain: appplatform owning_layer: managed-ingress source_paths: - packages/products/appplatform/runtime - cmd/api/routes_v3_launch_precheck.go - cmd/api/routes_v3_launch_submit.go - scripts/ops/app_sdk_live_launch_connect_decommission_smoke.sh target_paths: - cmd/api - packages/products/appplatform/runtime - scripts/ops - .fairway/artifacts review_domains: - backend - ops - architecture risk_level: high migration_type: app-sdk-live-managed-ingress-blocker acceptance_checks: - App launch precheck detects active host-mode managed-ingress public host ownership before creating another app instance. - App launch submit rejects stale-client duplicate managed-ingress host ownership with cataloged error response. - Kind live evidence shows duplicate Jupyter public host blocks at precheck instead of timing out in proxy runtime reconciliation. - id: PSSM-KIND-APP-SDK-STATIC-HOST-CLEANUP-001 title: Clean stale kind static managed-ingress app host owners before App SDK live gate kind: release-evidence role: ops profile: platform-foundation parent_id: PSSM-UAT-APP-SDK-LIVE-CONTRACT-GATE-001 owning_domain: appplatform owning_layer: kind-uat-environment-cleanup source_paths: - scripts/ops/app_sdk_live_launch_connect_decommission_smoke.sh - scripts/ops/kind_uat_prereq_baseline.sh - packages/products/appplatform/runtime target_paths: - dist/uat/kind - .fairway/artifacts review_domains: - ops - backend - app-developer risk_level: medium migration_type: app-sdk-live-kind-env-cleanup depends_on: - PSSM-APP-SDK-MANAGED-INGRESS-ROUTE-UNIQUENESS-001 acceptance_checks: - Kind App SDK live gate starts from a route-host-clean baseline or explicitly records active host owners as a blocked prerequisite. - Cleanup uses public app/decommission APIs and does not touch dev or demo. - Evidence lists cleaned app instance IDs, public hosts, final app states, and any allocations released. - id: PSSM-APP-SDK-LIVE-ARTIFACT-ARCH-PARITY-001 title: Fix App SDK live artifact architecture mismatch on kind compute targets kind: bug role: backend profile: platform-foundation parent_id: PSSM-UAT-APP-SDK-LIVE-CONTRACT-GATE-001 owning_domain: appplatform owning_layer: app-artifact-selection source_paths: - cmd/api/routes_v3_launch_submit.go - cmd/api/routes_v3_launch_precheck.go - packages/products/appplatform/runtime - scripts/seed.sql - scripts/ops/app_sdk_live_launch_connect_decommission_smoke.sh target_paths: - cmd/api - packages/products/appplatform/runtime - scripts/ops - .fairway/artifacts review_domains: - backend - ops - app-developer risk_level: high migration_type: app-sdk-live-artifact-arch-blocker depends_on: - PSSM-KIND-APP-SDK-STATIC-HOST-CLEANUP-001 acceptance_checks: - App SDK live Jupyter launch selects an artifact compatible with the target allocation platform architecture. - Precheck and submit agree on artifact architecture compatibility. - Kind evidence proves launch progresses past artifact architecture validation or records a clear missing-artifact blocker with owner. - id: PSSM-APP-SDK-LIVE-HARNESS-TERMINAL-STATE-001 title: Make App SDK live smoke fail fast on terminal app states kind: boundary-guard role: governance profile: platform-foundation parent_id: PSSM-UAT-APP-SDK-LIVE-CONTRACT-GATE-001 owning_domain: platform-foundation owning_layer: uat-harness source_paths: - scripts/ops/app_sdk_live_launch_connect_decommission_smoke.sh target_paths: - scripts/ops/app_sdk_live_launch_connect_decommission_smoke.sh - .fairway/artifacts review_domains: - governance - ops - backend risk_level: medium migration_type: app-sdk-live-harness-accuracy depends_on: - PSSM-APP-SDK-LIVE-ARTIFACT-ARCH-PARITY-001 acceptance_checks: - Live smoke exits nonzero immediately when an app reaches terminal failed/decommissioned/deleted before connect readiness. - Failure evidence includes app id, status, failure reason, and latest proxy route summary. - Deferred cleanup still runs for created app instances. - id: PSSM-APP-SDK-LIVE-ROUTE-READINESS-001 title: Fix App SDK live route readiness for kind managed-ingress Jupyter kind: bug status: done role: backend profile: platform-foundation parent_id: PSSM-UAT-APP-SDK-LIVE-CONTRACT-GATE-001 owning_domain: appplatform owning_layer: app-runtime-route-readiness source_paths: - packages/products/appplatform/runtime/lifecycle_backend.go - packages/products/gpuaas/inventory/legacyimpl/proxy_runtime.go - scripts/ops/app_sdk_live_launch_connect_decommission_smoke.sh - scripts/ops/kind_maas_lxd_app_route_bridge.sh target_paths: - packages/products/appplatform/runtime - packages/products/gpuaas/inventory/legacyimpl - scripts/ops - .fairway/artifacts review_domains: - backend - ops - app-developer risk_level: high migration_type: app-sdk-live-route-readiness-blocker depends_on: - PSSM-APP-SDK-LIVE-ARTIFACT-ARCH-PARITY-001 - PSSM-APP-SDK-LIVE-HARNESS-TERMINAL-STATE-001 acceptance_checks: - Kind App SDK live Jupyter launch reaches running with an active managed-ingress route URL. - Runtime failure reason is preserved when route readiness fails before decommission. - Route readiness evidence identifies whether the blocker is target_host/port, node-agent container health, Pomerium publish, or environment bridge configuration. evidence: - kind App SDK live Jupyter smoke passed after refreshing MAAS-LXD bridge target; summary /tmp/gpuaas-app-sdk-live-kind-route-readiness-after-bridge/jupyterlab-20260604T215355Z.summary.json - route-readiness failure classified as stale kind MAAS-LXD bridge DNAT, not artifact/runtime/Pomerium; details .fairway/artifacts/app-sdk-live-route-readiness-kind-2026-06-04.md - id: PSSM-UAT-CLEAN-LOG-OBSERVABILITY-GATE-001 title: Add clean-log and correlation assertions to pre-UAT readiness kind: boundary-guard role: ops profile: platform-foundation parent_id: PSSM-UAT-READINESS-GATES owning_domain: platform-foundation owning_layer: observability source_paths: - scripts/ci/platform_error_observability_audit_gate.sh - scripts/ops/log_correlation_smoke.sh - scripts/ops/correlation_lookup.sh - scripts/ops/demo_uat_package.sh - cmd/api - packages/platform/audit - packages/platform/evidence target_paths: - scripts/ci - scripts/ops - doc/operations/runbooks - dist/uat - .fairway/artifacts review_domains: - ops - backend - security - governance risk_level: high migration_type: clean-log-observability-gate depends_on: - PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 acceptance_checks: - Successful UAT prerequisite and smoke phases fail or block on audit/evidence/usage-capture warnings that indicate hidden platform defects. - API 5xx and user-safe errors have correlation IDs and matching server logs with underlying cause. - Clean-log checks can scope by run window, correlation ID, namespace, service, and known approved warnings. - Approved warnings require owner, expiry, and Fairway follow-up task. - id: PSSM-UAT-BILLING-RECONCILIATION-CLEANLOG-001 title: Fix billing reconciliation mismatch warnings surfaced by clean-log gate kind: bug role: backend profile: platform-foundation parent_id: PSSM-UAT-CLEAN-LOG-OBSERVABILITY-GATE-001 owning_domain: platform-billing owning_layer: billing-reconciliation source_paths: - cmd/billing-worker - packages/platform/billing - doc/operations/Platform_UAT_Completeness_Matrix_v1.md - scripts/ops/pre_uat_clean_log_gate.sh target_paths: - cmd/billing-worker - packages/platform/billing - dist/uat - .fairway/artifacts review_domains: - backend - ops - governance risk_level: high migration_type: billing-cleanlog-defect depends_on: - PSSM-UAT-CLEAN-LOG-OBSERVABILITY-GATE-001 acceptance_checks: - Billing worker no longer emits repeated `billing reconciliation mismatch detected` warnings during a successful UAT prerequisite/smoke window. - If existing local/dev data is intentionally inconsistent, the cleanup or waiver is explicit with owner, expiry, and Fairway task reference. - Clean-log gate evidence after the fix has no unapproved billing reconciliation findings. - id: PSSM-UAT-USER-SAFE-ERROR-PRESENTATION-GATE-001 title: Block UAT on raw provider framework and client error pages kind: boundary-guard role: frontend profile: platform-foundation parent_id: PSSM-UAT-READINESS-GATES owning_domain: platform-foundation owning_layer: user-visible-error-presentation source_paths: - packages/web/app/error.tsx - packages/web/app/global-error.tsx - packages/web/app/edge-error - scripts/ops/edge_error_presentation_smoke.sh - scripts/ops/demo_uat_package.sh - packages/web/e2e - doc/operations/runbooks/Edge_And_App_Error_Presentation_Runbook.md - .fairway/artifacts/pssm-uat-readiness-code-sweep-2026-06-04.md target_paths: - packages/web - scripts/ops - doc/operations/runbooks - dist/uat - .fairway/artifacts review_domains: - frontend - ops - backend - security - product risk_level: high migration_type: user-safe-error-presentation-gate depends_on: - PSSM-UAT-CLEAN-LOG-OBSERVABILITY-GATE-001 - PSSM-PROD-C17-EDGE-ERROR-PRESENTATION-GATE-001 acceptance_checks: - Pre-UAT browser and negative-route smokes fail when users can see raw Next.js client exception text, Cloudflare/Pomerium provider pages, upstream app errors, or browser console implementation text. - Login, shell load, app route, proxy route, auth callback, upstream unavailable, and forced client exception cases render product-owned error surfaces with safe copy and reference/correlation ID. - UAT artifacts include captured page text or screenshots plus classification output from `scripts/ops/edge_error_presentation_smoke.sh`. - Product-owned error surfaces do not expose provider internals, stack traces, tokens, service URLs, or implementation-specific diagnostics to normal users. - id: PSSM-UAT-HARNESS-FAILURE-INJECTION-001 title: Add forced-failure tests for UAT harness result accuracy kind: boundary-guard role: governance profile: platform-foundation parent_id: PSSM-UAT-READINESS-GATES owning_domain: platform-foundation owning_layer: uat-harness source_paths: - scripts/ops/demo_uat_package.sh - scripts/ops/demo_uat_mutating.sh - scripts/ops/demo_openai_endpoint_smoke.sh - scripts/ws_terminal_smoke.go - scripts/ci/ci_script_smoke.sh target_paths: - scripts/ops - scripts/ci - .fairway/artifacts review_domains: - governance - ops - backend - frontend risk_level: high migration_type: uat-harness-failure-injection depends_on: - PSSM-UAT-HARNESS-EXIT-ACCURACY-001 acceptance_checks: - Harness smoke tests inject representative HTTP, WebSocket, Playwright, app-route, and cleanup failures. - For each injected failure, exit code, summary markdown, results.jsonl, captured response body, and cleanup continuation behavior agree. - Harness tests prove terminal/connect failures do not hide safe release/cleanup evidence. - CI can run the harness failure-injection suite without mutating live environments. - id: PSSM-UAT-CI-PROMOTION-WIRING-001 title: Wire pre-UAT readiness gates into release and Fairway promotion flow kind: release-evidence role: orchestrator profile: platform-foundation parent_id: PSSM-UAT-READINESS-GATES owning_domain: platform-foundation owning_layer: release-readiness source_paths: - .gitlab-ci.yml - scripts/ci - scripts/ops - scripts/ci/README.md - .fairway/platform-foundation-implementation-track.yaml target_paths: - .gitlab-ci.yml - scripts/ci - scripts/ci/README.md - .fairway/artifacts review_domains: - orchestrator - ops - governance - architecture risk_level: high migration_type: uat-readiness-promotion-wiring depends_on: - PSSM-UAT-PREDEPLOY-SERVICE-FRESHNESS-GATE-001 - PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 - PSSM-UAT-LIVE-PREREQ-GATE-001 - PSSM-UAT-APP-SDK-LIVE-CONTRACT-GATE-001 - PSSM-UAT-CLEAN-LOG-OBSERVABILITY-GATE-001 - PSSM-UAT-USER-SAFE-ERROR-PRESENTATION-GATE-001 - PSSM-UAT-HARNESS-FAILURE-INJECTION-001 - PSSM-UAT-COVERAGE-COMPLETENESS-MATRIX-001 acceptance_checks: - Release/UAT runbook names the exact gate command sequence before full UAT starts. - CI or Fairway promotion evidence records readiness pass/fail/blocked status and artifact paths. - UAT completion evidence references the post-PSSM coverage matrix and identifies any missing required row. - Full UAT cannot be marked ready when any required pre-UAT gate is missing, failed, blocked without approved exception, or stale. - The final wiring preserves faster PR CI while making pre-UAT readiness strict. - id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 title: Run kind UAT after PSSM schema guard repairs kind: release-evidence role: ops profile: platform-foundation parent_id: PSSM-PRODUCTION-COMPLETION-BACKLOG owning_domain: platform-foundation owning_layer: uat-evidence source_paths: - scripts/ops - scripts/ci - packages/web - cmd/api - doc/operations target_paths: - dist/uat/kind - .fairway/artifacts review_domains: - ops - backend - frontend - product risk_level: high migration_type: post-pssm-kind-uat depends_on: - PSSM-SCHEMA-CONFLICT-TARGET-GUARD-001 acceptance_checks: - Kind schema conflict-target guard passes before UAT starts. - Basic login as dev-admin succeeds through the kind OIDC callback/exchange path. - UAT scope is compute-only and does not require WEKA or GPU nodes. - User-facing core flows are exercised after PSSM module/schema migration, including shell load, project context, compute inventory, launch or fixture provisioning where supported, connect/readiness checks, and cleanup. - Any failure is recorded with correlation ID, owning layer, and a follow-up Fairway task before continuing deeper UAT. - Evidence is written under dist/uat/kind and recorded in Fairway. - id: PSSM-KIND-MAAS-LXD-CAPACITY-READINESS-001 title: Restore kind MAAS-LXD provider capacity for compute UAT kind: bug role: ops profile: platform-foundation parent_id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 owning_domain: gpuaas owning_layer: provider-capacity source_paths: - scripts/ops - scripts/k8s - doc/operations - packages/products/gpuaas/inventory - packages/products/gpuaas/provisioning target_paths: - scripts/ops - dist/uat/kind - .fairway/artifacts review_domains: - ops - backend risk_level: high migration_type: kind-capacity-readiness depends_on: - PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 acceptance_checks: - Kind provider capacity inventory has provider-backed compute capacity for compute-vm-small. - Launch precheck for compute-vm-small has no capacity blocker. - MAAS-LXD configuration is explicit and documented for kind, or a supported seed path is used for compute-only UAT. - Evidence is written under dist/uat/kind and recorded in Fairway before compute lifecycle UAT resumes. - id: PSSM-KIND-PROVIDER-MISSING-CLEANUP-GUARD-001 title: Fix kind MAAS-LXD provider-missing cleanup guard for stale UAT workers kind: bug role: backend profile: platform-foundation parent_id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 owning_domain: gpuaas owning_layer: provider-lifecycle source_paths: - packages/products/gpuaas/inventory - cmd/api/routes_v3_provider_resources.go - scripts/ops/kind_maas_lxd_provider_uat_prep.sh - .fairway/artifacts/post-pssm-uat-learning-gaps.md - dist/uat/kind target_paths: - packages/products/gpuaas/inventory - cmd/api/routes_v3_provider_resources.go - scripts/ops - .fairway/artifacts review_domains: - backend - ops - governance risk_level: medium migration_type: kind-provider-missing-cleanup-guard depends_on: - PSSM-KIND-MAAS-LXD-CAPACITY-READINESS-001 acceptance_checks: - Provider resources in `ready/provider_missing` for retired or failed UAT worker nodes can be cleaned, quarantined, or marked external with accurate product-owned state. - "`request-delete` does not return `node_in_use` when public API state shows only historical failed/released allocations and retired nodes." - Regression coverage proves missing MAAS-LXD provider workers do not remain visible as ready usable capacity. - Operator evidence names affected provider resource id, provider object id, node id, action taken, and correlation id. - id: PSSM-KIND-PROVIDER-MISSING-CLEANUP-RUNBOOK-001 title: Add repeatable cleanup runbook for stale kind MAAS-LXD provider rows kind: boundary-guard role: ops profile: platform-foundation parent_id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 owning_domain: gpuaas owning_layer: provider-lifecycle source_paths: - scripts/ops/kind_maas_lxd_provider_uat_prep.sh - scripts/ops/maas_lxd_machine_cleanup.sh - cmd/api/routes_v3_provider_resources.go - .fairway/artifacts/post-pssm-uat-learning-gaps.md - dist/uat/kind target_paths: - scripts/ops - doc/operations/runbooks - .fairway/artifacts - dist/uat/kind review_domains: - ops - backend - governance risk_level: medium migration_type: kind-provider-missing-cleanup-runbook depends_on: - PSSM-KIND-PROVIDER-MISSING-CLEANUP-GUARD-001 acceptance_checks: - A documented operator cleanup command identifies kind MAAS-LXD provider rows where `observed_state=provider_missing` and the backing MAAS machine no longer exists. - "Cleanup uses public/admin APIs first: quarantine, retry-cleanup, request-delete, or mark-external according to safe state transitions." - The cleanup command refuses to touch active provider workers, active allocations, or non-kind/demo/dev environments without explicit operator override. - Evidence records before/after provider rows, allocation/node references, actions taken, API status codes, and correlation IDs without direct SQL or secrets. - The runbook states this is an operational cleanup bridge until `PSSM-KIND-PROVIDER-MISSING-CLEANUP-GUARD-001` closes the product-state bug. - id: PSSM-KIND-MAAS-LXD-BOOTSTRAP-HANDOFF-001 title: Complete kind MAAS-LXD bootstrap handoff for composed worker VMs kind: bug role: ops profile: platform-foundation parent_id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 owning_domain: gpuaas owning_layer: provider-bootstrap source_paths: - cmd/provider-reconciler - packages/products/gpuaas/inventory - packages/products/gpuaas/provisioning - scripts/ops - infra/k8s/overlays/local-kind target_paths: - cmd/provider-reconciler - scripts/ops - dist/uat/kind - .fairway/artifacts review_domains: - ops - backend risk_level: high migration_type: kind-maas-lxd-bootstrap-handoff depends_on: - PSSM-KIND-MAAS-LXD-CAPACITY-READINESS-001 acceptance_checks: - Composed MAAS-LXD worker machines receive provider VM bootstrap handoff data through GPUaaS, not manual host edits. - Provider resource lifecycle advances past composed/creating into bootstrapping/ready or records a classified blocker with correlation evidence. - Node-agent readiness is visible through API/read model evidence for the composed kind workers. - Full compute lifecycle UAT can launch against the MAAS-LXD-backed capacity or produces an owning-layer follow-up with evidence. - id: PSSM-KIND-PROVISIONING-POSIX-IDENTITY-SCHEMA-001 title: Repair kind provisioning POSIX identity contract after PSSM migration kind: bug role: backend profile: platform-foundation parent_id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 owning_domain: platform-iam owning_layer: provisioning-identity source_paths: - packages/products/gpuaas/provisioning - packages/platform/iam - doc/architecture/db_schema_v1.sql - scripts/seed.sql - scripts/ops target_paths: - packages/products/gpuaas/provisioning - packages/platform/iam - doc/architecture/db_schema_v1.sql - scripts/seed.sql - dist/uat/kind - .fairway/artifacts review_domains: - backend - architecture - security - ops risk_level: high migration_type: kind-provisioning-posix-identity depends_on: - PSSM-KIND-MAAS-LXD-BOOTSTRAP-HANDOFF-001 acceptance_checks: - Provisioning no longer depends on retired `user_posix_identities` table names after the platform IAM migration. - POSIX identity lookup/lazy creation uses the current platform IAM identity table or facade contract. - Kind schema/seed includes the required POSIX identity contract without reintroducing legacy table ownership. - Regression coverage proves a compute allocation can bind a provider worker and resolve POSIX identity. - Kind mutating compute lifecycle UAT reaches active and release cleanup after the fix. - id: PSSM-FRONTEND-V3PROD-HREF-CLEANUP-001 title: Remove generated /v3-prod hrefs from API responses kind: frontend-contract role: backend profile: platform-foundation parent_id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 owning_domain: frontend owning_layer: response-link-generation source_paths: - cmd/api - packages/web - doc/architecture/platform-foundation/V3_Namespace_Retirement_Plan_v1.md - doc/architecture/platform-foundation/ownership-maps/v3-namespace-inventory.md target_paths: - cmd/api - packages/web - dist/uat/kind - .fairway/artifacts review_domains: - backend - frontend - product risk_level: medium migration_type: v3-prod-generated-href-cleanup depends_on: - PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 acceptance_checks: - Release/task/evidence API responses no longer emit `/v3-prod/*` browser hrefs. - Generated browser hrefs point to canonical frontend routes or documented compatibility redirects. - Regression coverage prevents new `/v3-prod` generated links in API responses. - id: PSSM-KIND-AUTHZ-EVIDENCE-AUDIT-001 title: Fix kind authz decision audit evidence writes kind: bug role: backend profile: platform-foundation parent_id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 owning_domain: platform-audit owning_layer: authz-evidence source_paths: - cmd/api - packages/platform/audit - packages/platform/evidence - packages/shared/authz - doc/architecture/db_schema_v1.sql target_paths: - cmd/api - packages/platform/audit - packages/platform/evidence - dist/uat/kind - .fairway/artifacts review_domains: - backend - security - ops risk_level: medium migration_type: authz-audit-evidence depends_on: - PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 acceptance_checks: - Authenticated API probes no longer emit audit input invalid for successful authz decisions. - If an audit/evidence write is optional, the behavior and degradation path are explicit. - Regression coverage verifies the corrected audit/evidence input shape. - Kind evidence confirms clean logs for the authenticated API baseline. - id: PSSM-FRONTEND-V3-ROUTE-FIXTURE-CLEANUP-001 title: Remove stale /v3 frontend route assumptions from tests and fixtures kind: frontend-contract role: frontend profile: platform-foundation parent_id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 owning_domain: frontend owning_layer: navigation-contract source_paths: - packages/web - scripts - doc target_paths: - packages/web - scripts - dist/uat/kind - .fairway/artifacts review_domains: - frontend - product - ops risk_level: medium migration_type: v3-route-cleanup depends_on: - PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 acceptance_checks: - Static scan no longer finds stale browser /v3 route assumptions in tests, fixtures, or UAT scripts. - Runtime redirects from retired /v3 browser routes continue to land on canonical routes. - Canonical route UAT evidence covers /, /workloads, /compute, /apps, /storage, /access, /account, and /platform/overview. - id: PSSM-KIND-MANAGED-INGRESS-MAAS-LXD-REACHABILITY-001 title: Fix kind managed-ingress reachability to MAAS-LXD worker endpoints kind: bug role: ops profile: platform-foundation parent_id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 owning_domain: appplatform owning_layer: managed-ingress-networking source_paths: - packages/products/appplatform/runtime - packages/platform/maas - cmd/api - infra/k8s/overlays/local-kind - scripts/ops target_paths: - packages/products/appplatform/runtime - cmd/api - infra/k8s/overlays/local-kind - scripts/ops - dist/uat/kind - .fairway/artifacts review_domains: - ops - backend - architecture - security risk_level: high migration_type: kind-managed-ingress-maas-lxd-reachability depends_on: - PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 acceptance_checks: - Kind API route-forward path can reach MAAS-LXD worker app endpoints, or the kind profile explicitly uses a supported tunnel/reverse-proxy data plane. - OpenAI-compatible `/v1/models` route succeeds through the managed public route with a service-account bearer token. - Direct worker-local health and public managed-route health are both captured as evidence. - The fix is scoped to kind/dev network topology and does not touch demo resources. - id: PSSM-NODE-AGENT-OCI-PULL-CREDENTIALS-001 title: Implement node-agent credentialed OCI pulls for private app artifacts kind: bug role: backend profile: platform-foundation parent_id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 owning_domain: appplatform owning_layer: node-agent-artifact-pull source_paths: - cmd/node-agent - packages/products/appplatform/runtime - packages/platform/artifacts - doc/architecture/App_Artifact_Trust_and_Promotion_v1.md - doc/architecture/Launchable_OCI_Workload_Profile_Contract_v1.md target_paths: - cmd/node-agent - packages/products/appplatform/runtime - packages/platform/artifacts - scripts/ops - dist/uat/kind - .fairway/artifacts review_domains: - backend - security - ops - app-developer risk_level: high migration_type: node-agent-private-oci-pull depends_on: - PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 acceptance_checks: - Node-agent no longer rejects launchable OCI workloads that carry a `pull_credential_ref`. - Private registry credentials are resolved without printing secrets and are not persisted in workload logs. - Kind vLLM launch does not require manual terminal-based docker login or image preloading. - Regression evidence covers unavailable credential, bad credential, and successful private pull paths. - id: PSSM-UAT-HARNESS-EXIT-ACCURACY-001 title: Fix UAT harness false-positive exits and response capture kind: boundary-guard role: governance profile: platform-foundation parent_id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 owning_domain: platform-foundation owning_layer: uat-harness source_paths: - scripts/ops - scripts/ws_terminal_smoke.go - packages/web/e2e target_paths: - scripts/ops - scripts/ws_terminal_smoke.go - dist/uat/kind - .fairway/artifacts review_domains: - ops - governance - backend - frontend risk_level: high migration_type: uat-harness-exit-accuracy depends_on: - PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 acceptance_checks: - UAT scripts return nonzero whenever their summary records a FAIL. - HTTP response bodies are preserved for 4xx/5xx failures instead of being lost by `curl -f`. - Terminal smoke cannot pass by matching the command echo and fails cleanly on command/read errors. - Package-level UAT commands use pipefail or equivalent protection when output is tee'd into evidence logs. - id: PSSM-MANAGED-INGRESS-USAGE-CAPTURE-001 title: Fix managed-ingress usage capture metadata for app routes kind: bug role: backend profile: platform-foundation parent_id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 owning_domain: appplatform owning_layer: managed-ingress-usage-evidence source_paths: - cmd/api - packages/products/appplatform/runtime - packages/platform/billing - packages/platform/evidence target_paths: - cmd/api - packages/products/appplatform/runtime - packages/platform/billing - packages/platform/evidence - dist/uat/kind - .fairway/artifacts review_domains: - backend - ops - billing - architecture risk_level: medium migration_type: managed-ingress-usage-capture depends_on: - PSSM-KIND-MANAGED-INGRESS-MAAS-LXD-REACHABILITY-001 acceptance_checks: - Managed route requests include route family, client auth mode, and proxy pool metadata required for usage capture. - Usage capture failures are classified separately from upstream route-forward failures. - Regression coverage proves successful usage/evidence capture for a service-account managed app route. - id: PSSM-KIND-BROWSER-COMPUTE-REGION-HARNESS-001 title: Fix kind browser compute UAT region selection kind: bug role: frontend profile: platform-foundation parent_id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 owning_domain: gpuaas owning_layer: uat-harness source_paths: - packages/web/e2e/v3-live-compute-launch.spec.ts - scripts/ops/demo_uat_package.sh target_paths: - packages/web/e2e/v3-live-compute-launch.spec.ts - scripts/ops/demo_uat_package.sh - dist/uat/kind review_domains: - frontend - ops risk_level: medium migration_type: post-pssm-kind-uat depends_on: - PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 acceptance_checks: - Kind browser compute launch/precheck requests use the configured live UAT region instead of the default product region. - Isolated Playwright mutating compute browser UAT passes against kind. - id: PSSM-KIND-SCHEDULER-APP-PREREQ-001 title: Prepare kind scheduler app prerequisites for RKE2, Slurm, and Headlamp UAT kind: bug role: ops profile: platform-foundation parent_id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 owning_domain: appplatform owning_layer: scheduler-app-uat source_paths: - scripts/ops - packages/web/e2e/v3-live-app-runtime-smoke.spec.ts - packages/products/appplatform/runtime - packages/products/gpuaas/inventory target_paths: - scripts/ops - dist/uat/kind - .fairway/artifacts review_domains: - ops - backend - frontend risk_level: high migration_type: post-pssm-kind-uat depends_on: - PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 acceptance_checks: - Kind UAT creates or verifies scheduler/controller prerequisites before requiring rke2-self-managed and slurm-reference app workloads. - Headlamp route readiness is proven or skipped with a classified prerequisite-missing result. - App browser smoke distinguishes runtime app coverage from scheduler app coverage. - id: PSSM-KIND-NODE-BOOTSTRAP-PACKAGE-CONFIG-001 title: Restore kind node bootstrap package metadata for provider VM handoff kind: bug role: ops profile: platform-foundation parent_id: PSSM-KIND-SCHEDULER-APP-PREREQ-001 owning_domain: gpuaas owning_layer: kind-provider-bootstrap source_paths: - infra/k8s/overlays/local-kind/configmap.yaml - scripts/k8s/kind_parity.sh - scripts/ops/maas_lxd_attach_bootstrap_to_provider_resource.sh target_paths: - infra/k8s/overlays/local-kind/configmap.yaml - dist/uat/kind - .fairway/artifacts review_domains: - ops - backend risk_level: high migration_type: post-pssm-kind-uat depends_on: - PSSM-KIND-SCHEDULER-APP-PREREQ-001 acceptance_checks: - Kind gpuaas-core-config includes non-empty NODE_BOOTSTRAP_PACKAGE_REF, DIGEST, and TAG values for default and architecture-specific bootstrap packages. - Admin node bootstrap-script API returns 201 for a kind provider node. - Provider reconciler no longer logs bootstrap package/script 503 for kind provider VM handoff. - id: PSSM-KIND-NODE-BOOTSTRAP-RESOLVE-ADDRESS-001 title: Fix kind MAAS-LXD node bootstrap resolve address for worker phone-home kind: bug role: ops profile: platform-foundation parent_id: PSSM-KIND-SCHEDULER-APP-PREREQ-001 owning_domain: gpuaas owning_layer: kind-provider-bootstrap source_paths: - infra/k8s/overlays/local-kind/configmap.yaml - infra/k8s/overlays/local-kind/patches/core-config-local.yaml - doc/operations/runbooks/Kind_Demo_Environment_Readiness_Runbook.md target_paths: - infra/k8s/overlays/local-kind/configmap.yaml - infra/k8s/overlays/local-kind/patches/core-config-local.yaml - dist/uat/kind - .fairway/artifacts review_domains: - ops - backend risk_level: high migration_type: post-pssm-kind-uat depends_on: - PSSM-KIND-NODE-BOOTSTRAP-PACKAGE-CONFIG-001 acceptance_checks: - Rendered kind node bootstrap script maps API, registry, and terminal hostnames to the MAAS-LXD worker-reachable host address, not 127.0.0.1. - A fresh kind provider VM records bootstrap progress and enrolls node-agent. - Compute allocation backed by the fresh provider VM reaches active. - id: PSSM-KIND-NODE-BOOTSTRAP-TLS-HOST-001 title: Fix kind MAAS-LXD bootstrap TLS host and CA validation kind: bug role: ops profile: platform-foundation parent_id: PSSM-KIND-SCHEDULER-APP-PREREQ-001 owning_domain: gpuaas owning_layer: kind-provider-bootstrap source_paths: - infra/k8s/overlays/local-kind/configmap.yaml - infra/k8s/overlays/local-kind/patches/core-config-local.yaml - scripts/ops/env_profile_verify.sh - doc/operations/runbooks/Managed_App_UAT_Failure_Runbook.md target_paths: - infra/k8s/overlays/local-kind/configmap.yaml - infra/k8s/overlays/local-kind/patches/core-config-local.yaml - scripts/ops/env_profile_verify.sh - dist/uat/kind - .fairway/artifacts review_domains: - ops - backend - security risk_level: high migration_type: post-pssm-kind-uat depends_on: - PSSM-KIND-NODE-BOOTSTRAP-RESOLVE-ADDRESS-001 acceptance_checks: - "Kind provider bootstrap fetch uses a local ingress hostname whose TLS certificate chains to NODE_BOOTSTRAP_CA_BUNDLE_PEM." - "env_profile_verify.sh --env kind --profile kind_cloudflare validates bootstrap API and registry TLS with the configured worker resolve address." - A fresh MAAS-LXD VM fetches the bootstrap script without curl certificate failures. - A fresh compute allocation reaches active after node-agent enrollment. - id: PSSM-KIND-SCHEDULER-SSH-ENDPOINT-PORT-001 title: Support bridged SSH endpoints for kind scheduler controllers kind: bug role: backend profile: platform-foundation parent_id: PSSM-KIND-SCHEDULER-APP-PREREQ-001 owning_domain: appplatform owning_layer: scheduler-controllers source_paths: - cmd/rke2-self-managed-controller/main.go - cmd/slurm-reference-controller/main.go - packages/products/appplatform/runtime target_paths: - cmd/rke2-self-managed-controller/main.go - cmd/rke2-self-managed-controller/main_test.go - cmd/slurm-reference-controller/main.go - cmd/slurm-reference-controller/main_test.go - dist/uat/kind - .fairway/artifacts review_domains: - backend - ops risk_level: high migration_type: post-pssm-kind-uat depends_on: - PSSM-KIND-NODE-BOOTSTRAP-TLS-HOST-001 acceptance_checks: - RKE2 and Slurm scheduler controllers honor adapter_detail.port and allocation connection.port when building SSH targets. - SSH execution helpers pass bridged endpoint ports through explicit ssh -p arguments. - Unit tests cover adapter-detail and allocation-derived bridged SSH endpoint behavior. - Kind scheduler controller pod can reach the MAAS-LXD worker SSH service through the configured bridge endpoint. - id: PSSM-SCHEDULER-BOOTSTRAP-CREDENTIAL-BINDING-001 title: Bind scheduler app bootstrap credentials during launch submit kind: bug role: backend profile: platform-foundation parent_id: PSSM-KIND-SCHEDULER-APP-PREREQ-001 owning_domain: appplatform owning_layer: scheduler-app-launch source_paths: - cmd/api/routes_v3_launch_submit.go - packages/products/appplatform/runtime - packages/products/gpuaas/inventory - doc/architecture/App_SDK_Design_Principles_v1.md target_paths: - cmd/api - packages/products/appplatform/runtime - packages/products/gpuaas/inventory - dist/uat/kind - .fairway/artifacts review_domains: - backend - architecture - security - ops risk_level: high migration_type: post-pssm-scheduler-app-launch depends_on: - PSSM-KIND-SCHEDULER-SSH-ENDPOINT-PORT-001 acceptance_checks: - RKE2 and Slurm launch submit binds `bootstrap_access_credential_id` to the created app instance when the scheduler controller requires an app-scoped SSH credential. - App launch precheck or submit returns a product-owned blocker when the required bootstrap credential cannot be bound. - Controller startup no longer requires manual app-instance credential PATCH after launch. - Regression evidence covers scheduler launch credential binding without printing credential material. - id: PSSM-KIND-UAT-CAPACITY-SEQUENCING-001 title: Make kind full UAT capacity sequencing explicit after scheduler proof kind: boundary-guard role: ops profile: platform-foundation parent_id: PSSM-KIND-UAT-POST-SCHEMA-GUARD-001 owning_domain: platform-foundation owning_layer: uat-harness source_paths: - scripts/ops/demo_uat_package.sh - scripts/ops/demo_uat_mutating.sh - packages/web/e2e/v3-live-compute-launch.spec.ts target_paths: - scripts/ops/demo_uat_package.sh - dist/uat/kind - .fairway/artifacts review_domains: - ops - backend - frontend - product risk_level: high migration_type: post-pssm-kind-uat depends_on: - PSSM-KIND-SCHEDULER-APP-PREREQ-001 - PSSM-KIND-MAAS-LXD-CAPACITY-READINESS-001 acceptance_checks: - Kind full UAT records when scheduler workloads have consumed the constrained provider capacity needed by compute mutating and browser launch tests. - The UAT package provides an explicit cleanup/release handoff before compute mutating checks in constrained kind runs. - Rerun evidence proves compute mutating and Playwright compute browser tests pass after scheduler capacity is released. - The capacity sequencing gap is recorded as a learning item so future UAT planning does not conflate product failure with environment capacity exhaustion. - id: PSSM-KIND-REGION-PROFILE-LAUNCH-GATE-001 title: Gate kind mutating launches on profile region and ready provider capacity kind: boundary-guard role: ops profile: platform-foundation parent_id: PSSM-UAT-LIVE-PREREQ-GATE-001 owning_domain: gpuaas owning_layer: uat-prerequisites source_paths: - scripts/ops/kind_uat_prereq_baseline.sh - scripts/ops/demo_uat_package.sh - scripts/ops/env_profiles.json - packages/web/e2e/v3-live-compute-launch.spec.ts - .fairway/artifacts/pssm-uat-gap-taxonomy-2026-06-04.md target_paths: - scripts/ops - packages/web/e2e - dist/uat/kind - .fairway/artifacts review_domains: - ops - frontend - backend risk_level: high migration_type: uat-profile-region-gate depends_on: - PSSM-UAT-LIVE-PREREQ-GATE-001 acceptance_checks: - Kind launch preflight asserts requested region matches ready MAAS-LXD provider worker capacity. - Browser and API mutating launch fixtures use the same configured UAT region. - A mismatch fails the prereq phase as a profile/config defect before creating on-demand resources. - Evidence names expected region, ready provider count, selected SKU, and remediation. - id: PSSM-KIND-NODE-BOOTSTRAP-CA-BUNDLE-GATE-001 title: Gate kind node bootstrap on CA bundle and TLS host validation kind: boundary-guard role: ops profile: platform-foundation parent_id: PSSM-KIND-SCHEDULER-APP-PREREQ-001 owning_domain: gpuaas owning_layer: kind-provider-bootstrap source_paths: - infra/k8s/overlays/local-kind/configmap.yaml - infra/k8s/overlays/local-kind/patches/core-config-local.yaml - scripts/ops/env_profile_verify.sh - doc/operations/runbooks/Managed_App_UAT_Failure_Runbook.md - .fairway/artifacts/pssm-uat-gap-taxonomy-2026-06-04.md target_paths: - scripts/ops - infra/k8s/overlays/local-kind - dist/uat/kind - .fairway/artifacts review_domains: - ops - security - backend risk_level: high migration_type: kind-bootstrap-ca-bundle-gate depends_on: - PSSM-KIND-NODE-BOOTSTRAP-RESOLVE-ADDRESS-001 acceptance_checks: - Rendered kind bootstrap CA bundle validates the API URL and registry URL from a MAAS-LXD worker perspective. - Bootstrap host override does not use localhost or a host whose certificate cannot be validated by the configured CA bundle. - The gate fails before provider VM handoff when TLS/CA data is placeholder, missing, or inconsistent. - Evidence includes sanitized URL, CA fingerprint, profile name, and validation result. - id: PSSM-SCHEDULER-LAUNCH-PRECHECK-SUBMIT-PARITY-001 title: Align scheduler launch precheck and submit blocker semantics kind: bug role: backend profile: platform-foundation parent_id: PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 owning_domain: appplatform owning_layer: scheduler-app-launch source_paths: - cmd/api/routes_v3_launch_submit.go - packages/products/appplatform/runtime - packages/products/gpuaas/inventory - .fairway/artifacts/pssm-uat-gap-taxonomy-2026-06-04.md target_paths: - cmd/api - packages/products/appplatform/runtime - packages/products/gpuaas/inventory - .fairway/artifacts review_domains: - backend - ops - architecture risk_level: high migration_type: scheduler-precheck-submit-parity depends_on: - PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 acceptance_checks: - Launch submit rejects required dependency blockers that launch precheck would reject. - RKE2 and Slurm scheduler launch paths share blocker classification for SSH key, bootstrap credential, capacity, and controller reachability. - Regression coverage proves precheck and submit cannot diverge on required dependencies. - Product-owned validation errors are returned instead of late runtime 500s. - id: PSSM-KIND-SCHEDULER-CONTROLLER-SSH-REACHABILITY-001 title: Add kind scheduler controller SSH reachability prereq gate kind: boundary-guard role: ops profile: platform-foundation parent_id: PSSM-UAT-LIVE-PREREQ-GATE-001 owning_domain: appplatform owning_layer: scheduler-app-uat source_paths: - scripts/ops - cmd/rke2-self-managed-controller - cmd/slurm-reference-controller - .fairway/artifacts/pssm-uat-gap-taxonomy-2026-06-04.md target_paths: - scripts/ops - dist/uat/kind - .fairway/artifacts review_domains: - ops - backend risk_level: high migration_type: scheduler-controller-ssh-prereq depends_on: - PSSM-KIND-SCHEDULER-SSH-ENDPOINT-PORT-001 acceptance_checks: - Controller pods can SSH to every allocated MAAS-LXD scheduler worker through the bridged endpoint before launch submit. - Reachability failures are classified as environment prerequisite, credential binding, endpoint port, or provider networking. - The gate records sanitized SSH target metadata and does not print private keys. - Scheduler app UAT does not start when controller SSH reachability is absent. - id: PSSM-ALLOCATION-CREATE-SSH-KEY-VALIDATION-001 title: Reject bare-metal allocation create when no SSH key can be resolved kind: bug role: backend profile: platform-foundation parent_id: PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 owning_domain: gpuaas owning_layer: allocation-contract source_paths: - cmd/api - packages/products/gpuaas/provisioning - packages/platform/iam - .fairway/artifacts/pssm-uat-gap-taxonomy-2026-06-04.md target_paths: - cmd/api - packages/products/gpuaas/provisioning - .fairway/artifacts review_domains: - backend - product - ops risk_level: high migration_type: allocation-ssh-key-validation depends_on: - PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 acceptance_checks: - Bare-metal allocation create validates that a usable SSH key or credential path is available before provisioning begins. - Missing key returns a product-owned validation or prerequisite error, not a late provisioning failure. - Browser and API UAT prereq phases can satisfy the requirement explicitly. - Regression coverage proves missing, invalid, and valid SSH key paths. - id: PSSM-ZERO-GPU-ALLOCATION-CONTRACT-TEST-001 title: Add contract tests for CPU-only compute VM allocations kind: bug role: backend profile: platform-foundation parent_id: PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 owning_domain: gpuaas owning_layer: allocation-contract source_paths: - cmd/api - packages/products/gpuaas/provisioning - packages/products/gpuaas/inventory - doc/api - .fairway/artifacts/pssm-uat-gap-taxonomy-2026-06-04.md target_paths: - cmd/api - packages/products/gpuaas/provisioning - packages/products/gpuaas/inventory - doc/api - .fairway/artifacts review_domains: - backend - product - architecture risk_level: medium migration_type: zero-gpu-allocation-contract depends_on: - PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 acceptance_checks: - CPU-only compute VM SKUs with zero GPUs have explicit API and service contract coverage. - Billing, placement, and lifecycle code do not assume GPU count is greater than zero. - Contract tests prevent zero-GPU compute from regressing into invalid allocation or billing behavior. - UAT can classify compute-only coverage separately from GPU-node coverage. - id: PSSM-APP-MEMBER-OPERATION-ADD-500-001 title: Fix app member add operation 500 for allocation intent payloads kind: bug role: backend profile: platform-foundation parent_id: PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 owning_domain: appplatform owning_layer: app-runtime-membership source_paths: - cmd/api - packages/products/appplatform/runtime - .fairway/artifacts/pssm-uat-gap-taxonomy-2026-06-04.md target_paths: - cmd/api - packages/products/appplatform/runtime - .fairway/artifacts review_domains: - backend - product - ops risk_level: high migration_type: app-member-operation-add-500 depends_on: - PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 acceptance_checks: - Member-operation add accepts valid allocation_intent payloads without requiring target_member_id. - Invalid member-operation inputs return product-owned validation errors instead of 500s. - Regression coverage proves allocation-intent add, existing-member add, and invalid payload behavior. - UAT app-runtime flows capture the response body and correlation ID if this path fails. - id: PSSM-SLURM-WORKER-ADD-IDEMPOTENCY-001 title: Make Slurm worker-add retry converge when worker is already active kind: bug role: backend profile: platform-foundation parent_id: PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 owning_domain: appplatform owning_layer: slurm-runtime-controller source_paths: - cmd/slurm-reference-controller - packages/products/appplatform/runtime - .fairway/artifacts/pssm-uat-gap-taxonomy-2026-06-04.md target_paths: - cmd/slurm-reference-controller - packages/products/appplatform/runtime - .fairway/artifacts review_domains: - backend - ops risk_level: medium migration_type: slurm-worker-add-idempotency depends_on: - PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 acceptance_checks: - Slurm worker-add retry treats already-active worker state as converged success when the desired membership is present. - Duplicate worker-add requests remain idempotent and do not create inconsistent runtime state. - Regression coverage proves first add, retry-after-timeout, already-active, and failed-worker paths. - UAT scheduler evidence distinguishes idempotent convergence from real controller failure. - id: PSSM-INTEGRATION-SELECTED-SCHEMA-DRIFT-001 title: Repair selected integration smoke suite after PSSM schema and package migration kind: bug role: backend profile: platform-foundation parent_id: PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 owning_domain: platform-foundation owning_layer: pre-uat-integration-smoke source_paths: - Makefile - scripts/ci/integration_smoke.sh - cmd/api - cmd/webhook-worker - cmd/billing-worker - packages/products/gpuaas/provisioning/orchestrator - .fairway/artifacts/pssm-uat-gap-taxonomy-2026-06-04.md target_paths: - Makefile - cmd/api - cmd/webhook-worker - cmd/billing-worker - packages/products/gpuaas/provisioning/orchestrator - .fairway/artifacts review_domains: - backend - ops - architecture risk_level: high migration_type: selected-integration-schema-drift depends_on: - PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 acceptance_checks: - make test-integration-selected uses only current post-PSSM package paths. - Selected integration fixtures align with current IAM, audit, node, MAAS, billing, and allocation schema constraints. - PRE_UAT_INTEGRATION_STRICT=true scripts/ci/integration_smoke.sh exits zero against a freshly migrated local integration database. - Remaining non-critical integration failures are either fixed or moved out of the selected pre-UAT smoke target with explicit rationale. - id: PSSM-UAT-TRACE-SMOKE-OBSERVABILITY-PREREQ-001 title: Make pre-UAT trace smokes require reachable Tempo with clear failure classification kind: boundary-guard role: ops profile: platform-foundation parent_id: PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 owning_domain: platform-observability owning_layer: pre-uat-trace-smoke source_paths: - scripts/ci/integration_smoke.sh - scripts/ops/allocation_trace_path_smoke.sh - scripts/ops/app_runtime_trace_smoke.sh - doc/operations/Platform_UAT_Completeness_Matrix_v1.md target_paths: - scripts/ci - scripts/ops - .fairway/artifacts review_domains: - ops - backend - architecture risk_level: high migration_type: trace-smoke-observability-prereq depends_on: - PSSM-UAT-BLOCKING-INTEGRATION-SMOKE-001 acceptance_checks: - Trace smoke scripts fail fast when TEMPO_BASE_URL is unreachable. - Failure message classifies the issue as missing observability prerequisite, not app/runtime trace defect. - Local dev/kind/dev runbooks document how to start or point at Tempo before strict pre-UAT gates. - PRE_UAT_INTEGRATION_STRICT=true scripts/ci/integration_smoke.sh exits zero when Tempo is reachable and selected traces include expected services. - id: PSSM-KIND-PROVIDER-ACTIVE-USAGE-VISIBILITY-001 title: Expose active platform usage references on provider-resource cleanup blockers kind: bug role: backend profile: platform-foundation parent_id: PSSM-KIND-PROVIDER-MISSING-CLEANUP-RUNBOOK-001 owning_domain: gpuaas owning_layer: provider-lifecycle-api source_paths: - cmd/api/routes_v3_provider_resources.go - packages/products/gpuaas/inventory/legacyimpl - scripts/ops/kind_provider_missing_cleanup.sh target_paths: - cmd/api - packages/products/gpuaas/inventory - scripts/ops - .fairway/artifacts review_domains: - backend - ops risk_level: medium migration_type: provider-cleanup-blocker-visibility depends_on: - PSSM-KIND-PROVIDER-MISSING-CLEANUP-RUNBOOK-001 acceptance_checks: - Provider-resource list/detail exposes the allocation, node, or platform resource reference that causes `node_in_use`. - Cleanup scripts can classify active usage from list/detail payloads before attempting a mutating action. - "`node_in_use` responses include a product-owned blocker detail that points to the active usage reference without requiring direct SQL." - Regression coverage proves an orphan/external provider row with hidden active usage is not misclassified as safe cleanup. - id: PSSM-SCHEMA-ACCESS-FACADE-DEBT-BURNDOWN-001 title: Burn down approved schema-access guard debt behind platform/product facades kind: boundary-guard role: backend profile: platform-foundation parent_id: PSSM-PROD-C16-CROSS-DOMAIN-DB-BOUNDARY-GUARD-001 owning_domain: platform-foundation owning_layer: boundary-guards source_paths: - scripts/ci/platform_foundation_boundary_report.sh - doc/architecture/platform-foundation/guard-allowed-debt.tsv - packages/platform - packages/products target_paths: - packages/platform - packages/products - .fairway/artifacts review_domains: - backend - governance - architecture risk_level: medium migration_type: schema-access-debt-burndown depends_on: - PSSM-PROD-C16-CROSS-DOMAIN-DB-BOUNDARY-GUARD-001 acceptance_checks: - Schema-access findings are grouped by platform service or product facade owner. - Product direct access to platform IAM, audit, credentials, policy, billing, and outbox tables is replaced by platform facades or explicit read models. - Platform direct access to product tables is replaced by product facades or explicit read models. - Approved schema-access debt rows are removed or narrowed before blocking_all graduation. - id: PSSM-SCHEMA-ACCESS-APPPLATFORM-RUNTIME-FACADE-001 title: Extract App Platform runtime schema access behind platform facades kind: boundary-guard role: backend profile: platform-foundation parent_id: PSSM-SCHEMA-ACCESS-FACADE-DEBT-BURNDOWN-001 owning_domain: appplatform owning_layer: runtime source_paths: - packages/products/appplatform/runtime/lifecycle_backend.go - doc/architecture/platform-foundation/guard-allowed-debt.tsv target_paths: - packages/products/appplatform/runtime - packages/platform - doc/architecture/platform-foundation/guard-allowed-debt.tsv review_domains: - backend - architecture risk_level: medium migration_type: schema-access-facade-extraction depends_on: - PSSM-SCHEMA-ACCESS-FACADE-DEBT-BURNDOWN-001 acceptance_checks: - App Platform runtime direct references to platform IAM, credential, policy, audit, and outbox tables are replaced by platform facades or explicit read models. - Boundary guard schema-access findings for packages/products/appplatform/runtime/lifecycle_backend.go are removed or reduced with evidence. - Any remaining direct access is documented as a narrower owner-visible exception. - id: PSSM-SCHEMA-ACCESS-GPUAAS-INVENTORY-FACADE-001 title: Extract GPUaaS inventory schema access behind platform read models kind: boundary-guard role: backend profile: platform-foundation parent_id: PSSM-SCHEMA-ACCESS-FACADE-DEBT-BURNDOWN-001 owning_domain: gpuaas owning_layer: inventory source_paths: - packages/products/gpuaas/inventory/legacyimpl/service.go - doc/architecture/platform-foundation/guard-allowed-debt.tsv target_paths: - packages/products/gpuaas/inventory - packages/platform - doc/architecture/platform-foundation/guard-allowed-debt.tsv review_domains: - backend - architecture risk_level: medium migration_type: schema-access-facade-extraction depends_on: - PSSM-SCHEMA-ACCESS-FACADE-DEBT-BURNDOWN-001 acceptance_checks: - GPUaaS inventory direct references to platform IAM, billing, audit, and policy tables are replaced by platform facades or explicit read models. - Boundary guard schema-access findings for packages/products/gpuaas/inventory/legacyimpl/service.go are removed or reduced with evidence. - Any remaining direct access is documented as a narrower owner-visible exception. - id: PSSM-SCHEMA-ACCESS-GPUAAS-PROVISIONING-FACADE-001 title: Extract GPUaaS provisioning schema access behind platform handoff facades kind: boundary-guard role: backend profile: platform-foundation parent_id: PSSM-SCHEMA-ACCESS-FACADE-DEBT-BURNDOWN-001 owning_domain: gpuaas owning_layer: provisioning source_paths: - packages/products/gpuaas/provisioning/orchestrator/service.go - packages/products/gpuaas/provisioning/worker/service.go - doc/architecture/platform-foundation/guard-allowed-debt.tsv target_paths: - packages/products/gpuaas/provisioning - packages/platform - doc/architecture/platform-foundation/guard-allowed-debt.tsv review_domains: - backend - architecture risk_level: medium migration_type: schema-access-facade-extraction depends_on: - PSSM-SCHEMA-ACCESS-FACADE-DEBT-BURNDOWN-001 acceptance_checks: - GPUaaS provisioning direct references to platform IAM, outbox, audit, and credential tables are replaced by platform facades or explicit read models. - Boundary guard schema-access findings for GPUaaS provisioning orchestrator and worker packages are removed or reduced with evidence. - Any remaining direct access is documented as a narrower owner-visible exception. - id: PSSM-SCHEMA-ACCESS-GPUAAS-TERMINAL-FACADE-001 title: Extract GPUaaS terminal schema access behind platform session facades kind: boundary-guard role: backend profile: platform-foundation parent_id: PSSM-SCHEMA-ACCESS-FACADE-DEBT-BURNDOWN-001 owning_domain: gpuaas owning_layer: terminal source_paths: - packages/products/gpuaas/terminal/runtime_backend.go - doc/architecture/platform-foundation/guard-allowed-debt.tsv target_paths: - packages/products/gpuaas/terminal - packages/platform - doc/architecture/platform-foundation/guard-allowed-debt.tsv review_domains: - backend - architecture risk_level: medium migration_type: schema-access-facade-extraction depends_on: - PSSM-SCHEMA-ACCESS-FACADE-DEBT-BURNDOWN-001 acceptance_checks: - GPUaaS terminal direct references to platform session and credential state are replaced by platform facades or explicit read models. - Boundary guard schema-access findings for packages/products/gpuaas/terminal/runtime_backend.go are removed or reduced with evidence. - Any remaining direct access is documented as a narrower owner-visible exception. - id: PSSM-SCHEMA-ACCESS-MAAS-PRODUCT-READMODEL-FACADE-001 title: Extract MAAS product-table access behind GPUaaS read models kind: boundary-guard role: backend profile: platform-foundation parent_id: PSSM-SCHEMA-ACCESS-FACADE-DEBT-BURNDOWN-001 owning_domain: platform-maas owning_layer: maas source_paths: - packages/platform/maas/legacyimpl - doc/architecture/platform-foundation/guard-allowed-debt.tsv target_paths: - packages/platform/maas - packages/products/gpuaas - doc/architecture/platform-foundation/guard-allowed-debt.tsv review_domains: - backend - architecture - ops tags: - program:pssm-closeout - program:stabilization - surface:maas - surface:schema - gate:boundary-guard - work-type:facade risk_level: high migration_type: schema-access-facade-extraction depends_on: - PSSM-SCHEMA-ACCESS-FACADE-DEBT-BURNDOWN-001 acceptance_checks: - Platform MAAS direct references to GPUaaS node, allocation, and provider tables are replaced by GPUaaS product read models or explicit lifecycle contracts. - Boundary guard schema-access findings for packages/platform/maas/legacyimpl are removed or reduced with evidence. - Any remaining direct access is documented as a narrower owner-visible exception. - id: PSSM-SCHEMA-ACCESS-SMALL-PLATFORM-CLEANUP-001 title: Clean up small platform product-table schema access findings kind: boundary-guard role: backend profile: platform-foundation parent_id: PSSM-SCHEMA-ACCESS-FACADE-DEBT-BURNDOWN-001 owning_domain: platform-foundation owning_layer: platform-facades source_paths: - packages/platform/adminops - packages/platform/auth - packages/platform/audit - packages/platform/billing - packages/platform/notification - packages/platform/releases - packages/platform/storage - doc/architecture/platform-foundation/guard-allowed-debt.tsv target_paths: - packages/platform - packages/products - doc/architecture/platform-foundation/guard-allowed-debt.tsv review_domains: - backend - architecture risk_level: medium migration_type: schema-access-facade-extraction depends_on: - PSSM-SCHEMA-ACCESS-FACADE-DEBT-BURNDOWN-001 acceptance_checks: - Product-table references in small platform packages are replaced by product read models, moved behind owner facades, or justified as explicit owner-visible exceptions. - Boundary guard schema-access findings for the small platform package group are removed or reduced with evidence. - Any remaining direct access is documented as a narrower owner-visible exception. - id: PSSM-PROD-C19-API-BEARER-LIVE-LOAD-REVOCATION-001 title: Run live api_bearer route-forward load and revocation evidence kind: boundary-guard role: backend profile: platform-foundation parent_id: PSSM-PROD-C19-API-BEARER-PROXY-AUTHZ-SCALING-001 owning_domain: platform-proxy owning_layer: api-bearer-authz source_paths: - scripts/ops/proxy_authz_api_bearer_load_smoke.sh - doc/architecture/platform-foundation/API_Bearer_Proxy_Authz_Production_Decision_v1.md - cmd/api/routes_platform_proxy_authz.go target_paths: - dist/uat - .fairway/artifacts review_domains: - backend - ops - security tags: - program:pssm-closeout - program:security-review - environment:dev - surface:api-bearer - gate:live-evidence - work-type:load-test risk_level: high migration_type: api-bearer-live-load-revocation depends_on: - PSSM-PROD-C19-API-BEARER-PROXY-AUTHZ-SCALING-001 acceptance_checks: - Live api_bearer route has valid, invalid, and wrong-project token evidence. - Smoke captures before/after proxy authz metrics snapshots. - Mid-run service-account disable or route-version change stops acceptance within cache TTL. - No invalid API-client response contains IdP HTML or browser redirect. - Results decide whether cmd/api remains acceptable or cmd/proxy-authz extraction becomes launch-blocking for high-RPS customers. - id: FAIRWAY-REVIEW-DOMAIN-OPERATING-MODEL-001 title: Define review-domain operating model for Fairway-tracked GPUaaS work kind: boundary-guard role: governance profile: platform-foundation owning_domain: platform-foundation owning_layer: review-governance source_paths: - AGENTS.md - doc/operations/Fairway_Agent_Operating_Model.md - .fairway/platform-foundation-config.toml - .fairway/platform-foundation-implementation-track.yaml target_paths: - doc/operations/Fairway_Review_Operating_Model.md - AGENTS.md - doc/operations/Fairway_Agent_Operating_Model.md - .fairway/artifacts review_domains: - governance - architecture - security - ops risk_level: high migration_type: fairway-review-operating-model acceptance_checks: - Review-domain triggers are documented for architecture, security, ops, backend, frontend, and governance work. - Risk-based minimum review expectations are documented for low, medium, high, and critical/launch-sensitive work. - Track-session review behavior is documented so reviewer sessions keep context but Fairway remains the durable record. - GPUaaS agent startup instructions point agents to the review operating model before closing, reviewing, merging, or promoting high-risk work. - id: FAIRWAY-REVIEW-GATE-ENFORCEMENT-001 title: Add Fairway review gate enforcement from review_domains and risk_level kind: boundary-guard role: governance profile: platform-foundation owning_domain: fairway owning_layer: review-gates source_paths: - doc/operations/Fairway_Review_Operating_Model.md - ../fairway/cmd/fairway - ../fairway/internal/dashboard - ../fairway/internal/store - ../fairway/docs/agent-guide.md - ../fairway/docs/design/dashboard.md target_paths: - ../fairway/cmd/fairway - ../fairway/internal/dashboard - ../fairway/internal/store - ../fairway/docs - .fairway/artifacts review_domains: - governance - architecture - security - ops risk_level: high migration_type: fairway-review-gate-enforcement depends_on: - FAIRWAY-REVIEW-DOMAIN-OPERATING-MODEL-001 acceptance_checks: - Fairway can derive missing required review domains from task `review_domains`, `risk_level`, and recorded review verdicts. - "Dashboard and task detail show missing required review domains separately from generic `review: not_required`." - Merge-ready or done checks warn or block according to configured review policy without breaking low-risk evidence-only tasks. - Review commands support recording domain-scoped approvals and changes-requested verdicts with durable reason and optional artifact. - Tests cover medium, high, and critical review requirements plus self-review rejection. - id: FAIRWAY-REVIEW-DOMAIN-OWNER-MISMATCH-001 title: Fix review-domain satisfaction when owner domain requires independent reviewer kind: boundary-guard role: governance profile: platform-foundation owning_domain: fairway-coordination owning_layer: review-gates source_paths: - ../fairway/internal - ../fairway/docs - .fairway/platform-foundation-implementation-track.yaml target_paths: - ../fairway/internal - ../fairway/docs - .fairway/artifacts review_domains: - governance - ops tags: - program:fairway-process - program:stabilization - surface:fairway - gate:review - work-type:bookkeeping risk_level: medium migration_type: review-domain-bookkeeping depends_on: - FAIRWAY-REVIEW-DOMAIN-OPERATING-MODEL-001 acceptance_checks: - Fairway can distinguish reviewer identity from review domain so independent ops/frontend reviewers can satisfy ops/frontend domains without self-review. - Existing completed GPUaaS tasks with ops-reviewer/frontend-reviewer approvals can be closed or explicitly waived without fabricating owner self-review. - Merge-ready output explains the difference between missing review domain, self-review rejection, and acceptable independent domain approval. - Tests or documented command examples cover owner-domain review tasks such as `OPS-LOCAL-RELEASE-VERIFY-UTILITY-001` and `HARNESS-FIX-FRONTEND-E2E-PLAYWRIGHT-IMAGE-PULL-LOCAL-001`. - id: FAIRWAY-TRACK-SESSION-REVIEW-CONTEXT-001 title: Define dedicated review track sessions with retained domain context kind: boundary-guard role: governance profile: platform-foundation owning_domain: fairway owning_layer: provider-session-review-context source_paths: - doc/operations/Fairway_Review_Operating_Model.md - doc/operations/Fairway_Agent_Operating_Model.md - ../fairway/docs/agent-guide.md - ../fairway/examples/session-adapters target_paths: - doc/operations/Fairway_Review_Operating_Model.md - ../fairway/docs - ../fairway/examples/session-adapters - .fairway/artifacts review_domains: - governance - architecture - ops risk_level: medium migration_type: fairway-review-track-session-context depends_on: - FAIRWAY-REVIEW-DOMAIN-OPERATING-MODEL-001 acceptance_checks: - Architecture, security, ops, backend, frontend, and governance review sessions have documented startup and handoff behavior. - Reviewer provider sessions attach to the reviewed task and record scope, evidence reviewed, verdict, and next owner. - Dashboard or diagnostics can distinguish implementer sessions from reviewer sessions, or a follow-up product task exists to add that distinction. - Provider-independent instructions cover Codex threads, tmux Claude sessions, and shell fallback sessions. - id: OPS-CI-WAIT-WINDOW-OPERATING-MODEL-001 title: Define productive CI and deploy wait-window operating model kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: operations owning_layer: ci-cd-operating-model source_paths: - AGENTS.md - doc/operations/Fairway_Agent_Operating_Model.md - .gitlab-ci.yml - scripts/ci/ target_paths: - AGENTS.md - doc/operations/Fairway_Agent_Operating_Model.md - doc/operations/ - .fairway/artifacts review_domains: - ops - governance risk_level: medium migration_type: ci-wait-window-operating-model acceptance_checks: - Operating model defines what agents should do during 15-20 minute CI/deploy wait windows without creating conflicting work. - Rules distinguish dependency-blocking CI waits from safe parallel work, review prep, evidence cleanup, runbook updates, and next-task triage. - Every CI/deploy wait window has a Fairway checkpoint or deploy-run task recording pipeline URL, commit SHA, expected completion, and next action. - Follow-up task taxonomy is documented for CI-FIX, CD-FIX, UAT-BUG, OPS-FIX, HARNESS-FIX, and DOC-FIX findings discovered after pipeline completion. - Guidance prevents large uncommitted work piles while CI is running and requires meaningful commits at review boundaries. - id: OPS-CI-FAILURE-LEARNING-REVIEW-001 title: Review CI failures as missed local gates or true environment failures kind: boundary-guard role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: operations owning_layer: ci-review-learning-loop source_paths: - .gitlab-ci.yml - scripts/ci - scripts/ops - doc/governance/CI_Enforcement_Checklist.md - doc/operations/Fairway_Agent_Operating_Model.md - doc/operations/Fairway_Review_Operating_Model.md - .fairway/artifacts - tmp-ux/gpuaas-stabilization-working-memory-2026-06-05.md target_paths: - doc/operations - doc/governance/CI_Enforcement_Checklist.md - doc/operations/Fairway_Review_Operating_Model.md - .fairway/artifacts - .fairway/platform-foundation-implementation-track.yaml review_domains: - ops - governance - backend - frontend - security risk_level: medium migration_type: ci-failure-learning-review depends_on: - OPS-CI-WAIT-WINDOW-OPERATING-MODEL-001 - FAIRWAY-REVIEW-DOMAIN-OPERATING-MODEL-001 acceptance_checks: - Recent CI, CD, smoke, and UAT failures are classified as missed local gate, missed review gate, CI-environment-only failure, flaky runner/cache failure, or intentional approval-gated blocker. - Each deterministic missed gate maps to a concrete local command, script smoke fixture, review checklist item, or Fairway review requirement. - Each true CI-environment-only failure maps to CI-FIX, CD-FIX, OPS-FIX, or HARNESS-FIX taxonomy with owner and evidence. - Review operating model requires reviewers to record exact verification commands and evidence paths for tasks touching CI scripts, release gates, generated artifacts, YAML/JSON, or promotion wiring. - A reusable "CI failure learning" artifact template exists so future failures improve gates instead of becoming one-off fixes. - id: OPS-FUNCTIONAL-ESCAPE-REVIEW-20260609-001 title: Review CI-passing functional escapes and add pre-push functional probes kind: boundary-guard role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: operations owning_layer: pre-push-functional-validation source_paths: - cmd/node-agent - packages/products/appplatform/runtime - packages/products/gpuaas/provisioning - scripts/ops - scripts/ci - doc/operations/CI_Failure_Learning_Review_2026-06-06.md - doc/operations/Local_Automation_Utility_Layer_v1.md - .fairway/artifacts target_paths: - scripts/ops - scripts/ci - doc/operations - doc/governance/CI_Enforcement_Checklist.md - .fairway/artifacts - .fairway/platform-foundation-implementation-track.yaml review_domains: - ops - governance - backend tags: - program:stabilization - program:uat-hardening - surface:appplatform - surface:node-agent - gate:pre-push-functional - gate:uat - work-type:process-hardening risk_level: high migration_type: functional-escape-learning-review depends_on: - OPS-CI-FAILURE-LEARNING-REVIEW-001 - OPS-LOCAL-GATE-SELECTOR-UTILITY-001 acceptance_checks: - June 9 OCI/app-runtime fixes that passed CI but failed live kind behavior are inventoried with source commits, Fairway tasks, evidence paths, and failing live symptoms. - Each miss is classified as unit-test gap, live-probe gap, config drift gap, stale-state cleanup gap, missing API/read-model surface, or acceptable environment-only discovery. - The review separates CI coverage gaps from functional validation gaps so CI is not blamed for behavior it was not designed to prove. - Required pre-push functional probes are defined for app-runtime/node-agent changes, including OCI runtime selection, delayed status probe behavior, runtime hint propagation, node-agent package metadata parity, stale container/port cleanup, and app launch/readiness state transitions. - Local gate selector or operating documentation is updated so changed app-runtime/node-agent/provider-worker paths recommend the new functional probes before pushing to master. - Any recurring direct SQL or ad hoc kubectl/psql diagnostic used during the review is converted into an API-first read-model task or deterministic script follow-up. - Future UAT and stabilization tasks must record either the matching functional probe evidence or an explicit reason the probe is not applicable. - id: OPS-CI-RUNNER-CAPACITY-BASELINE-001 title: Analyze GitLab runner capacity and CI critical path before scale-out kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: operations owning_layer: ci-runner-capacity source_paths: - .gitlab-ci.yml - scripts/ci/ - scripts/ops/ - doc/operations/local-dev/docker-compose.gitlab.yaml - doc/governance/CI_Enforcement_Checklist.md - doc/operations/Fairway_Agent_Operating_Model.md - tmp-ux/gpuaas-stabilization-working-memory-2026-06-05.md target_paths: - doc/operations/ - doc/governance/CI_Enforcement_Checklist.md - .fairway/artifacts - .fairway/platform-foundation-implementation-track.yaml review_domains: - ops - governance risk_level: medium migration_type: ci-runner-capacity-analysis depends_on: - OPS-CI-WAIT-WINDOW-OPERATING-MODEL-001 - OPS-CI-FAILURE-LEARNING-REVIEW-001 acceptance_checks: - Current GitLab runner capacity, executor type, concurrency, tags, and host resource headroom are documented without printing secrets or runner tokens. - Recent pipeline evidence captures queue wait time, job runtime, pipeline critical path, concurrency pressure, retry rate, and common failure stages. - Analysis distinguishes runner queue bottlenecks from long job runtime and from deploy/runtime bottlenecks. - Recommendation states whether to add runners now, how many to add first, which tags to use, and which jobs must remain serialized or protected. - Decision includes rollback steps and monitoring metrics for the first scale-out, including pending time, total pipeline duration, host CPU/memory/disk pressure, and failure rate. - If scale-out is recommended, a follow-up implementation task exists for controlled runner capacity change and evidence from at least three concurrent branch pipelines. - id: OPS-CI-RUNNER-ADMIN-METRICS-ACCESS-001 title: Obtain runner inventory and host headroom evidence kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: operations owning_layer: ci-runner-capacity source_paths: - doc/operations/CI_Runner_Capacity_Baseline_v1.md - .gitlab-ci.yml - doc/operations/local-dev/docker-compose.gitlab.yaml target_paths: - doc/operations/ - .fairway/artifacts review_domains: - ops - governance tags: - program:production-readiness - program:stabilization - environment:ci - surface:ci-runner - gate:capacity - work-type:ops-evidence risk_level: medium migration_type: ci-runner-admin-metrics-access depends_on: - OPS-CI-RUNNER-CAPACITY-BASELINE-001 acceptance_checks: - Non-secret runner inventory is attached, including runner IDs, tags, executor type, concurrency limits, and protected/scope settings. - Runner host CPU, memory, disk, I/O, cache, and network headroom is attached for at least one branch-burst window. - Evidence avoids runner tokens, registration tokens, secrets, and sensitive host credentials. - Any missing access is recorded as an explicit ops access blocker with owner and next action. - id: OPS-CI-RUNNER-CONTROLLED-SCALEOUT-001 title: Add first controlled CI runner capacity increment kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: operations owning_layer: ci-runner-capacity source_paths: - doc/operations/CI_Runner_Capacity_Baseline_v1.md - .gitlab-ci.yml - doc/operations/local-dev/docker-compose.gitlab.yaml target_paths: - doc/operations/ - .fairway/artifacts review_domains: - ops - governance - security tags: - program:production-readiness - program:stabilization - environment:ci - surface:ci-runner - gate:approval-required - gate:capacity - work-type:ops-change risk_level: high migration_type: ci-runner-controlled-scaleout depends_on: - OPS-CI-RUNNER-ADMIN-METRICS-ACCESS-001 acceptance_checks: - Change is explicitly approved before mutating GitLab runner configuration or runner hosts. - First increment adds no more than one `ci-report,platform-control` runner and one `ci-build,platform-control` runner. - Release/deploy/protected jobs remain serialized or protected by tags and GitLab permissions. - At least three concurrent branch pipelines are observed after scale-out, with queue p50/p90, total duration, host pressure, retry rate, and failure rate compared against the baseline. - Rollback steps are documented and tested or dry-run verified. - id: OPS-CI-RUNTIME-OPTIMIZATION-BATCH-001 title: Optimize CI runtime critical path before runner scaleout kind: epic role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: operations owning_layer: ci-runtime-optimization source_paths: - .gitlab-ci.yml - scripts/ci/ - scripts/ops/local_ci_monitor.sh - .fairway/artifacts/ops-ci-runner-admin-metrics-access-20260610/ - tmp-ux/ci-runner-capacity-parallel-batch-20260610.md - tmp-ux/gpuaas-stabilization-operating-model-2026-06-10.md target_paths: - .gitlab-ci.yml - scripts/ci/ - scripts/ops/ - doc/operations/ - .fairway/artifacts/ review_domains: - ops - governance - backend - frontend tags: - program:production-readiness - program:stabilization - environment:ci - surface:ci-runtime - gate:ci - work-type:optimization risk_level: medium migration_type: ci-runtime-optimization-batch depends_on: - OPS-CI-RUNNER-CAPACITY-BASELINE-001 acceptance_checks: - Runtime optimization plan uses the June 10 runner evidence showing low queue p90 and runtime-bound pipeline critical path. - Child lanes identify safe changes that reduce CI duration without changing runner configuration or protected release/deploy semantics. - Each lane records baseline timing, expected improvement, local validation, rollback/split criteria, and CI evidence after merge. - Runner scaleout remains blocked unless future runner inventory and host-headroom evidence proves branch-burst saturation. - id: OPS-CI-RUNTIME-BACKEND-BUILD-TEST-CRITICAL-PATH-001 title: Reduce backend build and test CI runtime kind: task role: backend profile: platform-foundation parent_id: OPS-CI-RUNTIME-OPTIMIZATION-BATCH-001 owning_domain: operations owning_layer: ci-backend-runtime source_paths: - .gitlab-ci.yml - scripts/ci/build_and_tests.sh - scripts/ci/backend_build_and_tests.sh - go.mod - go.sum target_paths: - .gitlab-ci.yml - scripts/ci/ - .fairway/artifacts/ review_domains: - backend - ops - governance tags: - program:production-readiness - program:stabilization - environment:ci - surface:backend - gate:ci - work-type:optimization risk_level: medium migration_type: ci-backend-runtime-optimization acceptance_checks: - Baseline backend_build_and_tests timing and sub-step timing are captured from recent CI and local script instrumentation. - Any optimization preserves test coverage and does not hide failing packages. - Changes are limited to cache use, package grouping, tool bootstrap, or script timing/reporting unless reviewed as a broader CI behavior change. - Evidence compares before/after backend job duration and records rollback steps. - id: OPS-CI-RUNTIME-FRONTEND-BUILD-E2E-001 title: Reduce frontend build and e2e CI runtime kind: task role: frontend profile: platform-foundation parent_id: OPS-CI-RUNTIME-OPTIMIZATION-BATCH-001 owning_domain: operations owning_layer: ci-frontend-runtime source_paths: - .gitlab-ci.yml - scripts/ci/frontend_build_and_tests.sh - scripts/ci/frontend_e2e.sh - scripts/ci/frontend_e2e_common.sh - scripts/ci/pnpm_common.sh - packages/web/ target_paths: - .gitlab-ci.yml - scripts/ci/ - packages/web/ - .fairway/artifacts/ review_domains: - frontend - ops - governance tags: - program:production-readiness - program:stabilization - environment:ci - surface:frontend - gate:frontend-e2e - work-type:optimization risk_level: medium migration_type: ci-frontend-runtime-optimization acceptance_checks: - Baseline frontend_build_and_tests and frontend_e2e timing is captured, including Playwright image/bootstrap and pnpm install/cache timing. - Any focused e2e optimization preserves mandatory UX/e2e gates for touched user-visible flows. - Changes do not make frontend e2e depend on an ad hoc existing localhost server. - Evidence compares before/after frontend job duration and records rollback steps. - id: OPS-CI-RUNTIME-INTEGRATION-SMOKE-001 title: Reduce integration smoke CI runtime without weakening coverage kind: task role: backend profile: platform-foundation parent_id: OPS-CI-RUNTIME-OPTIMIZATION-BATCH-001 owning_domain: operations owning_layer: ci-integration-runtime source_paths: - .gitlab-ci.yml - scripts/ci/integration_smoke.sh - scripts/ci/ci_script_smoke.sh - doc/operations/ target_paths: - .gitlab-ci.yml - scripts/ci/ - doc/operations/ - .fairway/artifacts/ review_domains: - backend - ops - governance tags: - program:production-readiness - program:stabilization - environment:ci - surface:integration-smoke - gate:ci - work-type:optimization risk_level: medium migration_type: ci-integration-smoke-runtime-optimization acceptance_checks: - Integration smoke sub-step timing and environment bootstrap timing are captured. - Optimization preserves schema/API/runtime coverage that catches PSSM and UAT escape classes. - Any narrowed smoke matrix is justified by changed-file/task mapping and has a full-matrix fallback. - Evidence compares before/after integration_smoke duration and records rollback steps. - id: OPS-CI-RUNTIME-PACKAGE-MIGRATION-SECURITY-001 title: Reduce package, migration, and security scan CI runtime kind: task role: ops profile: platform-foundation parent_id: OPS-CI-RUNTIME-OPTIMIZATION-BATCH-001 owning_domain: operations owning_layer: ci-release-and-security-runtime source_paths: - .gitlab-ci.yml - scripts/ci/migration_validation.sh - scripts/ci/security_scans.sh - scripts/ci/security_sast_*.sh - scripts/ci/package_and_attest.sh - doc/operations/ target_paths: - .gitlab-ci.yml - scripts/ci/ - doc/operations/ - .fairway/artifacts/ review_domains: - ops - security - governance tags: - program:production-readiness - program:security-review - program:stabilization - environment:ci - surface:release - surface:security-scan - gate:security-scan - work-type:optimization risk_level: medium migration_type: ci-package-migration-security-runtime-optimization acceptance_checks: - Baseline migration_validation, package_and_attest, and security scan timings are captured by sub-step. - Security scan optimizations do not weaken severity/SLA/waiver enforcement. - Package optimizations preserve artifact integrity, digest/attestation evidence, and release profile gates. - Evidence compares before/after package/migration/security job duration and records rollback steps. - id: OPS-CI-RUNTIME-CACHE-IMAGE-PULL-EFFICIENCY-001 title: Improve CI cache and image-pull efficiency kind: task role: ops profile: platform-foundation parent_id: OPS-CI-RUNTIME-OPTIMIZATION-BATCH-001 owning_domain: operations owning_layer: ci-cache-image-pull-efficiency source_paths: - .gitlab-ci.yml - scripts/ci/ - doc/operations/Platform_Control_CI_CD_Target_Model_v1.md - doc/operations/local-dev/docker-compose.gitlab.yaml target_paths: - .gitlab-ci.yml - scripts/ci/ - doc/operations/ - .fairway/artifacts/ review_domains: - ops - security - governance tags: - program:production-readiness - program:stabilization - environment:ci - surface:cache - surface:registry - gate:ci - work-type:optimization risk_level: medium migration_type: ci-cache-image-pull-optimization acceptance_checks: - Go, pnpm/npm, Next.js, Docker, Playwright, and scanner cache/image-pull behavior is inventoried from existing CI logs and scripts. - Proposed cache/image-pull changes do not introduce unpinned, untrusted, or stale artifacts. - Any registry/build-cache change includes cache invalidation, rollback, and supply-chain evidence impact. - Evidence identifies whether cache/image-pull changes are likely to reduce backend, frontend, integration, package, or security job runtime. - id: OPS-LOCAL-AUTOMATION-UTILITIES-EPIC title: Build deterministic local CI/CD/QA/UAT utility layer kind: epic role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: operations owning_layer: local-automation-utilities source_paths: - scripts/ci/ - scripts/ops/ - doc/operations/Fairway_Agent_Operating_Model.md - doc/governance/CI_Enforcement_Checklist.md - .fairway/platform-foundation-implementation-track.yaml target_paths: - scripts/ops/ - doc/operations/ - doc/governance/CI_Enforcement_Checklist.md - .fairway/artifacts - .fairway/platform-foundation-implementation-track.yaml review_domains: - ops - governance - backend tags: - program:production-readiness - program:stabilization - surface:local-automation - gate:ci - gate:deploy - gate:uat - work-type:utility risk_level: high migration_type: local-ops-automation-utility-layer depends_on: - OPS-CI-FAILURE-LEARNING-REVIEW-001 - OPS-CI-RUNNER-CAPACITY-BASELINE-001 acceptance_checks: - Existing CI, deploy, QA, UAT, branch-closeout, and Fairway evidence scripts are inventoried with gaps identified. - CI/CD/QA/UAT waits and log collection are handled by deterministic utilities instead of long-running agent polling. - Utility outputs are structured JSON or stable text artifacts that can be consumed without an LLM. - Repetitive workflow utilities cover CI monitoring, deploy monitoring, UAT summarization, frontend/codegen gate selection, branch/worktree closeout, Fairway reconciliation, evidence packet generation, ops endpoint smoke checks, and release readiness verification. - Optional local LLM summarization through Ollama is a secondary reporting layer and never the authority for pass/fail, deploy mutation, task status, review approval, or release readiness. - Utility outputs can be recorded as Fairway evidence, checkpoints, deploy-run evidence, or follow-up task recommendations. - The operating model documents utility usage, expected inputs/outputs, artifact locations, Fairway recording commands, and when Codex/Claude/human judgment is required versus when a local utility result is sufficient. - id: OPS-LOCAL-AUTOMATION-INVENTORY-001 title: Inventory existing CI/CD/QA/UAT scripts and define utility gaps kind: release-evidence role: ops profile: platform-foundation parent_id: OPS-LOCAL-AUTOMATION-UTILITIES-EPIC owning_domain: operations owning_layer: local-automation-utilities source_paths: - scripts/ci/ - scripts/ops/ - Makefile - .gitlab-ci.yml - doc/operations/ - doc/governance/CI_Enforcement_Checklist.md target_paths: - doc/operations/Local_Automation_Utility_Layer_v1.md - .fairway/artifacts - .fairway/platform-foundation-implementation-track.yaml review_domains: - ops - governance risk_level: medium migration_type: local-automation-inventory depends_on: - OPS-LOCAL-AUTOMATION-UTILITIES-EPIC acceptance_checks: - "Existing reusable scripts are mapped by lifecycle phase: CI monitor, deploy monitor, QA gate, UAT run, UAT summarize, branch closeout, evidence writer, and release verify." - Gaps are classified as deterministic utility gap, Fairway ingestion gap, optional local LLM summarization gap, or process documentation gap. - First implementation order is documented, prioritizing CI monitor, UAT summarizer, deploy monitor, branch/worktree closeout, and evidence packet generation before broader local LLM integration. - The inventory states which outputs must be valid without LLM assistance and which outputs may be enhanced by Ollama/Gemma/Qwen summaries. - Follow-up implementation tasks exist for the first concrete utility wrappers. - id: OPS-LOCAL-CI-MONITOR-UTILITY-001 title: Add deterministic local CI monitor utility kind: task role: ops profile: platform-foundation parent_id: OPS-LOCAL-AUTOMATION-UTILITIES-EPIC owning_domain: operations owning_layer: local-automation-utilities source_paths: - scripts/ci/ - scripts/ops/ - .gitlab-ci.yml - doc/operations/Local_Automation_Utility_Layer_v1.md target_paths: - scripts/ops/ - doc/operations/ - .fairway/artifacts review_domains: - ops - governance risk_level: medium migration_type: local-ci-monitor-utility depends_on: - OPS-LOCAL-AUTOMATION-INVENTORY-001 acceptance_checks: - Utility accepts pipeline id, branch, source SHA, expected window, and optional Fairway deploy-run/task id. - Utility polls CI deterministically, collects failed job summaries/log artifact paths, and emits machine-readable JSON. - Utility classifies results into pass, fail, timeout, blocked, retryable-runner-noise, or needs-human-triage without requiring an LLM. - Optional Ollama summarization can draft a concise failure summary from collected logs, but invalid or absent LLM output does not change the deterministic result. - Utility can record or print Fairway evidence/checkpoint commands without exposing CI secrets. - id: OPS-LOCAL-UAT-SUMMARY-UTILITY-001 title: Add deterministic UAT result summarizer with optional Ollama classifier kind: task role: ops profile: platform-foundation parent_id: OPS-LOCAL-AUTOMATION-UTILITIES-EPIC owning_domain: operations owning_layer: local-automation-utilities source_paths: - scripts/ops/ - doc/operations/ - doc/operations/runbooks/ - doc/operations/Local_Automation_Utility_Layer_v1.md target_paths: - scripts/ops/ - doc/operations/ - .fairway/artifacts review_domains: - ops - governance - backend risk_level: medium migration_type: local-uat-summary-utility depends_on: - OPS-LOCAL-AUTOMATION-INVENTORY-001 acceptance_checks: - Utility accepts a UAT run artifact directory and emits scenario matrix JSON with pass, fail, blocked, skipped, and unknown statuses. - Failure classification distinguishes product bug, harness fix, environment gap, deploy fix, CI fix, ops fix, flaky retry candidate, and needs-human-triage. - Deterministic classification works from structured run artifacts even when Ollama/local LLM is disabled. - Optional Ollama model can draft evidence text and next-action recommendation, with schema validation and deterministic fallback. - Output includes Fairway evidence text and suggested follow-up task metadata without directly changing task status or approving release readiness. - id: OPS-LOCAL-DEPLOY-MONITOR-UTILITY-001 title: Add deterministic deploy monitor utility kind: task role: ops profile: platform-foundation parent_id: OPS-LOCAL-AUTOMATION-UTILITIES-EPIC owning_domain: operations owning_layer: local-automation-utilities source_paths: - scripts/ops/ - scripts/ci/ - doc/operations/runbooks/ - doc/operations/Local_Automation_Utility_Layer_v1.md target_paths: - scripts/ops/ - doc/operations/ - .fairway/artifacts review_domains: - ops - governance risk_level: medium migration_type: local-deploy-monitor-utility depends_on: - OPS-LOCAL-AUTOMATION-INVENTORY-001 acceptance_checks: - Utility accepts environment, source SHA, image tag or digest, deployment name, namespace, rollout window, and optional Fairway deploy-run/task id. - Utility checks image freshness, Kubernetes rollout state, pod readiness, service health, ingress/Pomerium reachability, and smoke endpoints. - Utility classifies findings as image_not_fresh, rollout_stuck, secret_missing, migration_failed, ingress_or_proxy_issue, service_crash, dependency_unhealthy, pass, timeout, or needs-human-triage. - Utility emits JSON and markdown evidence suitable for Fairway deploy-run attachment without requiring LLM interpretation. - Documentation explains safe usage boundaries and states that the utility observes and reports unless explicitly invoked with a separately reviewed mutate/apply path. - id: OPS-LOCAL-GATE-SELECTOR-UTILITY-001 title: Add frontend and contract gate selector utility kind: task role: ops profile: platform-foundation parent_id: OPS-LOCAL-AUTOMATION-UTILITIES-EPIC owning_domain: operations owning_layer: local-automation-utilities source_paths: - scripts/ci/ - packages/web/ - doc/api/ - doc/operations/Local_Automation_Utility_Layer_v1.md target_paths: - scripts/ci/ - doc/operations/ - .fairway/artifacts review_domains: - ops - governance - frontend - backend risk_level: medium migration_type: local-validation-gate-selector depends_on: - OPS-LOCAL-AUTOMATION-INVENTORY-001 acceptance_checks: - Utility accepts a changed-file list, branch, or commit range and recommends required validation gates. - Frontend-visible changes require make verify-web and frontend_e2e unless a documented focused spec fully covers the touched journey. - OpenAPI, AsyncAPI, generated SDK, route contract, or frontend API consumption changes require codegen smoke and enforced-clean generated artifact validation. - Utility emits deterministic JSON with required commands, rationale, and Fairway evidence template text. - Documentation maps utility recommendations to AGENTS.md UX/e2e and contract/codegen gate rules. - id: OPS-LOCAL-CLOSEOUT-UTILITY-001 title: Add branch worktree and Fairway closeout utility kind: task role: ops profile: platform-foundation parent_id: OPS-LOCAL-AUTOMATION-UTILITIES-EPIC owning_domain: operations owning_layer: local-automation-utilities source_paths: - scripts/ - doc/operations/Fairway_Agent_Operating_Model.md - doc/governance/Multi_Agent_Lane_Worktrees_v1.md - .fairway/platform-foundation-implementation-track.yaml target_paths: - scripts/ops/ - doc/operations/ - .fairway/artifacts review_domains: - ops - governance risk_level: medium migration_type: local-closeout-utility depends_on: - OPS-LOCAL-AUTOMATION-INVENTORY-001 acceptance_checks: - Utility reports local worktrees, local branches, remote branches, dirty state, merge state, CI state, Fairway task status, review state, and push-intent evidence. - Utility classifies each branch or worktree as safe_to_delete, preserve_for_review, preserve_unmerged, dirty, missing_ci, missing_review, missing_push_intent, or needs-human-triage. - Utility supports dry-run by default and requires explicit apply for deletion or cleanup actions. - Utility never deletes remote branches unless merge state, review state, CI state, and push-intent rules are satisfied. - Documentation explains reviewer merge-lane usage so implementation lanes do not push many task branches directly to remote. - id: OPS-LOCAL-EVIDENCE-PACKET-UTILITY-001 title: Add Fairway evidence packet generator utility kind: task role: governance profile: platform-foundation parent_id: OPS-LOCAL-AUTOMATION-UTILITIES-EPIC owning_domain: governance owning_layer: local-automation-utilities source_paths: - .fairway/platform-foundation-implementation-track.yaml - doc/operations/Fairway_Agent_Operating_Model.md - doc/operations/Fairway_Review_Operating_Model.md target_paths: - scripts/ops/ - doc/operations/ - .fairway/artifacts review_domains: - ops - governance risk_level: medium migration_type: local-evidence-packet-utility depends_on: - OPS-LOCAL-AUTOMATION-INVENTORY-001 acceptance_checks: - Utility accepts task id, command results, artifact paths, commit SHA, CI/deploy/UAT references, and optional reviewer notes. - Utility emits a markdown packet, JSON evidence payload, Fairway record evidence command, review packet, and follow-up task suggestions. - Utility can optionally call Ollama to draft a human summary, but schema validation and deterministic fallback preserve the evidence packet when local LLM output is missing or invalid. - Utility does not record approvals, mark merge-ready, close tasks, or mutate release state. - Documentation shows examples for CI failure, deploy run, UAT run, review packet, and release readiness packet. - id: OPS-LOCAL-OPS-SMOKE-UTILITY-001 title: Add ops endpoint and access smoke utility kind: task role: ops profile: platform-foundation parent_id: OPS-LOCAL-AUTOMATION-UTILITIES-EPIC owning_domain: operations owning_layer: local-automation-utilities source_paths: - scripts/ops/ - doc/operations/runbooks/ - doc/operations/Local_Automation_Utility_Layer_v1.md target_paths: - scripts/ops/ - doc/operations/ - .fairway/artifacts review_domains: - ops - governance risk_level: medium migration_type: local-ops-smoke-utility depends_on: - OPS-LOCAL-AUTOMATION-INVENTORY-001 acceptance_checks: - Utility checks API health, status/ops APIs, Grafana, Netdata, Temporal UI, Pomerium-protected routes, and other configured ops endpoints. - Utility classifies failures as route_missing, auth_policy_issue, service_down, upstream_unhealthy, tls_or_dns_issue, proxy_issue, or needs-human-triage. - Utility uses APIs or explicit operator surfaces by default and flags repeated direct-DB inspection as a missing operator surface. - Output includes JSON status, markdown summary, and Fairway evidence text. - Documentation states which endpoints are public, ops-only, SRE-only, or internal-only. - id: OPS-LOCAL-RELEASE-VERIFY-UTILITY-001 title: Add local release readiness verifier utility kind: task role: ops profile: platform-foundation parent_id: OPS-LOCAL-AUTOMATION-UTILITIES-EPIC owning_domain: operations owning_layer: local-automation-utilities source_paths: - scripts/ci/ - scripts/ops/ - doc/operations/ - doc/governance/ target_paths: - scripts/ops/ - doc/operations/ - .fairway/artifacts review_domains: - ops - governance - backend risk_level: high migration_type: local-release-readiness-verifier depends_on: - OPS-LOCAL-AUTOMATION-INVENTORY-001 acceptance_checks: - Utility verifies clean worktree, pushed source SHA, CI success, deploy-run evidence, UAT evidence, release notes, changelog, artifacts, signing or attestation evidence where applicable, and Fairway review state. - Utility emits pass, blocked, or needs-human-triage with explicit blocker list and source evidence paths. - Utility produces a release-run packet suitable for Fairway evidence. - Utility never tags, pushes, deploys, or approves release readiness unless a separate explicit reviewed command path is invoked. - Documentation explains how to use the verifier before platform-control promotion, dev deploy, and production release gates. - id: CD-FIX-DEV-CONTROL-WORKER-DIGEST-MAPPING-001 title: Fix dev-control worker digest image mapping kind: task role: ops profile: platform-foundation owning_domain: deploy-validation owning_layer: dev-control-rke2 source_paths: - scripts/ci/platform_control_deploy.sh - scripts/ci/ci_script_smoke.sh - infra/k8s/ target_paths: - scripts/ci/ - infra/k8s/ - .fairway/artifacts/ review_domains: - ops - backend risk_level: high migration_type: cd-fix acceptance_checks: - Dev-control deploy maps billing-worker, notification-relay, outbox-relay, and webhook-worker to registry digest images, not local-only dev-control-local tags. - Filtered runtime-fast deploys preserve existing digest image references for services outside the filtered publish set. - Dev-control redeploy verifies rollout status for all gpuaas-core deployments, not only touched deployments. - No new gpuaas-core pods remain in ImagePullBackOff for dev-control-local images. - CI smoke or equivalent deploy-regression gate catches digest mapping regressions before dev deploy validation. - id: CD-FIX-DEV-CONTROL-INGRESS-TLS-NETPOLICY-REGRESSION-001 title: Fix dev-control ingress TLS and NetworkPolicy regression kind: task role: ops profile: platform-foundation owning_domain: deploy-validation owning_layer: dev-control-ingress source_paths: - infra/k8s/base/namespaces/network-policies.yaml - infra/k8s/overlays/dev-control-rke2/ - scripts/ci/platform_control_deploy.sh - scripts/ci/dev_control_rke2_release_env.sh target_paths: - infra/k8s/ - scripts/ci/ - doc/operations/evidence/ - .fairway/artifacts/ review_domains: - ops - governance risk_level: high migration_type: cd-fix acceptance_checks: - Dev-control public registry ingress returns an HTTP response through Traefik and Cloudflare, not a timeout. - Dev-control overlay removes duplicate base `gpuaas-core/default` TLSStore while Traefik default TLS secret is provisioned in the `traefik` namespace. - NetworkPolicy allows the Traefik namespace to reach public `gpuaas-infra` services exposed through ingress. - CI smoke or equivalent deploy-regression gate catches HTTPS/TLSStore/NetworkPolicy drift before dev deploy validation. - Evidence links the original pipeline 2543 registry timeout to the ingress/TLS/NetworkPolicy root cause. - id: SEC-CODEGUARD-GAP-MAP-001 title: Map Project CodeGuard guidance against GPUaaS security controls kind: architecture-map role: security profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: security-review owning_layer: agent-security-rules source_paths: - doc/operations/CodeGuard_Gap_Map_v1.md - AGENTS.md - doc/operations/Security_Scan_Promotion_Gate_Runbook.md - doc/operations/Supply_Chain_Evidence_Gate_Runbook.md - doc/operations/Vulnerability_Remediation_SLA_v1.md - doc/governance/Security_Waiver_Governance_v1.md target_paths: - doc/operations/CodeGuard_Gap_Map_v1.md - .fairway/platform-foundation-implementation-track.yaml - .fairway/artifacts review_domains: - architecture - security - governance tags: - program:security-review - program:stabilization - surface:agent-security - gate:security-review - work-type:architecture-map risk_level: high migration_type: codeguard-gap-map acceptance_checks: - Project CodeGuard active upstream repository, version, or commit is recorded as external guidance. - GPUaaS controls are classified as covered, partial, missing, or not-applicable against CodeGuard rule families. - Existing GPUaaS controls remain authoritative where project-specific contract, privacy, tenant-isolation, or production-readiness rules are stricter. - Follow-up Fairway tasks are created for missing agent-rule evidence, review-packet integration, MCP/tooling review, and route/runtime rule mapping. - Security and architecture reviewers agree whether CodeGuard should be adopted as a pinned guidance layer, an MCP-backed rule source, or both. - id: SEC-CODEGUARD-FAIRWAY-RULE-EVIDENCE-001 title: Add Fairway security-rule evidence for high-risk tasks kind: task role: governance profile: platform-foundation parent_id: SEC-CODEGUARD-GAP-MAP-001 owning_domain: governance owning_layer: fairway-security-evidence source_paths: - doc/operations/CodeGuard_Gap_Map_v1.md - doc/operations/Fairway_Agent_Operating_Model.md - doc/operations/Fairway_Review_Operating_Model.md - .fairway/platform-foundation-implementation-track.yaml target_paths: - doc/operations/ - .fairway/platform-foundation-implementation-track.yaml - .fairway/artifacts review_domains: - security - governance - architecture tags: - program:security-review - surface:fairway - surface:agent-security - work-type:governance risk_level: high migration_type: codeguard-fairway-rule-evidence depends_on: - SEC-CODEGUARD-GAP-MAP-001 acceptance_checks: - Fairway guidance defines a `security-rule-selection` evidence expectation for high-risk tasks. - Evidence captures selected rule families, affected source paths, applicability rationale, non-applicable rationale, reviewer domain, and residual risk. - Security-rule evidence is treated as review input, not automatic approval or release authorization. - Required task tags and review-domain routing are documented for auth, authz, secrets, runtime, Kubernetes, supply-chain, MCP/tooling, and data-protection changes. - id: SEC-CODEGUARD-REVIEW-PACKET-001 title: Extend review packets with deterministic security-rule selection kind: task role: ops profile: platform-foundation parent_id: SEC-CODEGUARD-GAP-MAP-001 owning_domain: operations owning_layer: local-automation-utilities source_paths: - doc/operations/CodeGuard_Gap_Map_v1.md - doc/operations/Local_Automation_Utility_Layer_v1.md - scripts/ops/ - scripts/ci/ target_paths: - scripts/ops/ - doc/operations/ - .fairway/artifacts review_domains: - security - ops - governance tags: - program:security-review - program:production-readiness - surface:local-automation - surface:agent-security - work-type:utility risk_level: high migration_type: codeguard-review-packet-utility depends_on: - SEC-CODEGUARD-GAP-MAP-001 - OPS-LOCAL-EVIDENCE-PACKET-UTILITY-001 acceptance_checks: - Review packet utility can emit a deterministic security-rule section from changed paths, task tags, and task risk. - Output identifies required security review domains and suggested follow-up tasks without depending on an LLM for pass/fail. - Optional local LLM summarization remains secondary and cannot approve, waive, or close security findings. - Documentation shows examples for API route, frontend auth/session, node-agent/runtime, Kubernetes/edge, supply-chain, and ops utility changes. - id: SEC-CODEGUARD-MCP-TOOLING-REVIEW-001 title: Review MCP provider and local automation tooling security kind: task role: security profile: platform-foundation parent_id: SEC-CODEGUARD-GAP-MAP-001 owning_domain: security-review owning_layer: agent-tooling-security source_paths: - doc/operations/CodeGuard_Gap_Map_v1.md - doc/operations/Fairway_Agent_Operating_Model.md - doc/operations/Local_Automation_Utility_Layer_v1.md - scripts/ops/ - scripts/ci/ target_paths: - doc/operations/ - .fairway/artifacts review_domains: - security - architecture - ops tags: - program:security-review - surface:mcp - surface:local-automation - surface:agent-security - work-type:security-review risk_level: high migration_type: codeguard-mcp-tooling-review depends_on: - SEC-CODEGUARD-GAP-MAP-001 acceptance_checks: - Provider sessions, MCP-style tools, browser adapters, provider-event adapters, local memory files, and automation utilities are reviewed for permission and trust boundaries. - Review covers secret exposure, transcript retention, command execution scope, local LLM usage, evidence redaction, and provider-event spoofing risks. - Missing controls become concrete Fairway tasks with owners and acceptance checks. - No new MCP server or provider adapter is enabled until security and ops approve its boundary. - id: SEC-CODEGUARD-ROUTE-RUNTIME-MAP-001 title: Map security rule families to API route runtime and frontend surfaces kind: architecture-map role: architecture profile: platform-foundation parent_id: SEC-CODEGUARD-GAP-MAP-001 owning_domain: security-review owning_layer: route-runtime-security-map source_paths: - doc/operations/CodeGuard_Gap_Map_v1.md - doc/api/ - cmd/api/ - packages/platform/ - packages/products/ - packages/web/ - infra/k8s/ target_paths: - doc/operations/ - doc/architecture/ - .fairway/artifacts review_domains: - architecture - security - backend - frontend - ops tags: - program:security-review - program:production-readiness - surface:api - surface:runtime - surface:frontend - surface:kubernetes - work-type:architecture-map risk_level: high migration_type: codeguard-route-runtime-map depends_on: - SEC-CODEGUARD-GAP-MAP-001 acceptance_checks: - API routes are mapped to authn, authz, IDOR, input-validation, error-handling, logging, and audit rule families. - App runtime, provider runtime, and node-agent surfaces are mapped to image trust, command execution, mTLS, task signing, tenant isolation, and secrets rule families. - Frontend account/security and browser-connect surfaces are mapped to session, token exposure, MFA posture, CSRF/XSS, and route guard rule families. - Kubernetes, Pomerium, Cloudflare, NetworkPolicy, runner, and registry surfaces are mapped to cloud/IaC/container security rule families. - Gaps become follow-up tasks rather than broad undifferentiated security work. - id: SEC-CODEGUARD-NODE-TASK-SIGNING-MTLS-EVIDENCE-001 title: Add node task signing and mTLS runtime evidence kind: task role: backend profile: platform-foundation parent_id: SEC-CODEGUARD-ROUTE-RUNTIME-MAP-001 owning_domain: provisioning owning_layer: node-task-runtime-trust source_paths: - cmd/node-agent/ - cmd/api/routes.go - cmd/api/routes_internal_nodes_test.go - cmd/api/internal_nodes_integration_test.go - packages/platform/secrets/ - packages/products/gpuaas/provisioning/ - packages/products/gpuaas/terminal/ - doc/operations/CodeGuard_Route_Runtime_Map_v1.md target_paths: - .fairway/artifacts - doc/operations/ review_domains: - security - backend - ops - architecture tags: - program:security-review - program:production-readiness - surface:node-agent - surface:runtime - surface:mtls - surface:task-signing - detected_by:security_review - expected_gate:review_gate - work-type:evidence-follow-up risk_level: high migration_type: node-task-signing-mtls-evidence depends_on: - SEC-CODEGUARD-ROUTE-RUNTIME-MAP-001 acceptance_checks: - Evidence proves node task envelopes are signed, verified, freshness-bounded, and replay-resistant for supported node-agent task paths. - Evidence proves task acceptance is bound to authenticated node identity, including the current mTLS/service-auth posture and any explicit residual risk. - Tests or deterministic probes cover invalid signature, expired or stale task, replayed task, wrong node identity, unknown task type, and service-auth failure paths. - Evidence names affected source paths, records detected_by=security_review and expected_gate=review_gate, and avoids secrets, tokens, private keys, raw certificates, or credential-bearing URLs. - Security, backend, ops, and architecture reviewers either approve the evidence or create narrower implementation tasks for remaining runtime-trust gaps. - id: DEPLOY-CI-RUN-20260609-VLLM-TTL-STATUS-PROBE-2595 title: Monitor master CI for vLLM TTL/status-probe reconciliation kind: task role: ops profile: platform-foundation owning_domain: ci owning_layer: master-ci source_paths: - cmd/api/routes.go - cmd/api/internal_nodes_integration_test.go - packages/products/appplatform/runtime/lifecycle_backend.go - packages/products/appplatform/runtime/lifecycle_backend_integration_test.go - cmd/node-agent/catalog.go - cmd/node-agent/catalog_test.go target_paths: - .fairway/artifacts review_domains: - ops tags: - program:uat-hardening - program:stabilization - environment:ci - gate:ci - work-type:deploy-run risk_level: medium migration_type: ci-monitor acceptance_checks: - Pipeline 2595 for master commit 08bf5a774 is monitored through the FW-128 utility path. - CI pass/fail is recorded as Fairway evidence with the pipeline URL. - A scoped CI-FIX task is created if the pipeline fails. - id: PSSM-KIND-NODE-AGENT-SELF-UPDATE-HEARTBEAT-08BF-001 title: Fix kind node-agent self-update heartbeat after 08bf5a774 package rollout kind: task role: backend profile: platform-foundation owning_domain: gpuaas owning_layer: node-agent-lifecycle source_paths: - cmd/node-agent - packages/platform/adminops - cmd/api - scripts/ops target_paths: - cmd/node-agent - packages/platform/adminops - cmd/api - scripts/ops - .fairway/artifacts review_domains: - backend - ops - governance tags: - program:uat-hardening - program:stabilization - environment:kind - surface:node-agent - work-type:runtime risk_level: high migration_type: kind-node-agent-self-update-heartbeat acceptance_checks: - node.self_update for package 08bf5a774 results in a node heartbeat reporting agent_commit or agent_version 08bf5a774. - lifecycle 9ea643c4 or a retry lifecycle reaches completed instead of remaining running with reported_agent_version null. - evidence includes bootstrap package metadata, node.self_update task output, node-agent logs or API heartbeat proof, and no broad parity rebootstrap. - id: CD-FIX-NODE-BOOTSTRAP-ARCH-SHA-METADATA-PROPAGATION-001 title: Propagate arch-specific node bootstrap SHA metadata to bootstrap consumers kind: task role: ops profile: platform-foundation owning_domain: platform-control owning_layer: bootstrap-metadata-release source_paths: - scripts/ci/platform_control_update_node_bootstrap_metadata.sh - scripts/ci/platform_control_deploy.sh - scripts/ci/platform_control_release_manifest.sh - scripts/ci/platform_control_deploy_from_manifest.sh - scripts/k8s/kind_parity.sh - infra/k8s target_paths: - scripts/ci - infra/k8s - .fairway/artifacts review_domains: - ops - backend - governance tags: - program:uat-hardening - program:stabilization - environment:kind - environment:dev - surface:node-agent - work-type:cd-fix risk_level: high migration_type: node-bootstrap-sha-metadata-propagation acceptance_checks: - arch-specific NODE_BOOTSTRAP_PACKAGE_SHA256_AMD64/ARM64 is carried through release env, manifests/configmaps, and bootstrap consumer rollouts. - focused script smoke catches missing SHA propagation. - kind provisioning worker no longer enqueues stale package_sha256 after metadata update. - id: PSSM-KIND-NODE-AGENT-LIFECYCLE-STALE-RUN-RECOVERY-001 title: Add node-agent lifecycle stale run recovery surface kind: task role: backend profile: platform-foundation owning_domain: gpuaas owning_layer: node-agent-lifecycle source_paths: - packages/platform/adminops - cmd/api - doc/api target_paths: - packages/platform/adminops - cmd/api - doc/api - .fairway/artifacts review_domains: - backend - ops - governance tags: - program:uat-hardening - program:stabilization - environment:kind - surface:node-agent - work-type:runtime risk_level: high migration_type: node-agent-lifecycle-stale-recovery acceptance_checks: - stale pending/running node-agent lifecycle can be recovered without direct DB mutation. - recovery records audit/error details and does not hide in-flight healthy lifecycle runs. - kind UAT no longer requires direct SQL to clear a stale node-agent lifecycle after worker restart. - id: FAIRWAY-GPUAAS-RULE-PACK-ADOPTION-001 title: Adopt Fairway platform and GPUaaS rule packs in platform foundation track kind: architecture-map role: architecture profile: platform-foundation parent_id: SEC-CODEGUARD-GAP-MAP-001 owning_domain: platform-foundation owning_layer: fairway-rule-packs source_paths: - doc/operations/CodeGuard_Gap_Map_v1.md - doc/operations/Fairway_Agent_Operating_Model.md - .fairway/platform-foundation-config.toml - .fairway/platform-foundation-implementation-track.yaml target_paths: - doc/operations/ - .fairway/platform-foundation-config.toml - .fairway/platform-foundation-implementation-track.yaml - .fairway/artifacts review_domains: - architecture - security - governance - ops tags: - program:security-review - program:stabilization - surface:fairway - surface:agent-security - work-type:architecture-map risk_level: high migration_type: gpuaas-rule-pack-adoption depends_on: - SEC-CODEGUARD-GAP-MAP-001 acceptance_checks: - GPUaaS records `fairway-run/fairway-rules-platform` as the reusable cross-project operating rule source. - GPUaaS records `subashram/fairway-rules-gpuaas` as the product/domain-specific rule source. - Adoption plan states advisory-first rollout, first blocking candidates, and how CodeGuard remains external security guidance. - Applicable rule families are mapped to current platform-foundation tags, review domains, and high-risk task classes. - No Fairway rule-source loader behavior is assumed until FW-144 through FW-149 land in Fairway core. - id: OPS-PREFLIGHT-DEV-PROVIDER-NODE-RECONCILIATION-001 title: Add dev provider-node reconciliation preflight before UAT kind: task role: ops profile: platform-foundation owning_domain: gpuaas owning_layer: uat-preflight source_paths: - scripts/ops - cmd/api - packages/products/gpuaas - doc/operations target_paths: - scripts/ops - doc/operations - .fairway/artifacts review_domains: - ops - backend - governance tags: - program:uat-hardening - program:production-readiness - environment:dev - surface:provider-runtime - surface:uat - gate:preflight risk_level: high migration_type: ops-preflight acceptance_checks: - UAT preflight queries GPUaaS admin node/read-model APIs and provider inventory before app, terminal, or browser workload tests run. - The gate fails before UAT if GPUaaS has a node/provider resource whose backing Proxmox or MAAS-LXD object is absent, unless the node is already retired/deleted by API state. - The gate fails before UAT if a provider object exists but GPUaaS classifies the node under the wrong provider, runtime provider, or region/network zone. - The gate excludes blocked, bootstrap_issued, stale-heartbeat, or no-heartbeat nodes from launchable UAT target selection. - Manual node host input is rejected or flagged when it does not match the current GPUaaS node host for the selected allocation/node. - Evidence includes node id, hostname, host/primary IP, provider id, provider object id or VMID, GPUaaS region/provider classification, provider inventory result, heartbeat state, and launchable/excluded decision. - Any required repeated direct DB or provider-console inspection is converted into an API/read-model follow-up task instead of being left as an ad hoc UAT step. - id: CLI-AGENT-FRIENDLY-DISCOVERY-EPIC title: Make GPUaaS CLI agent-friendly for cold-start and automation use kind: epic role: architecture profile: platform-foundation owning_domain: gpuaas owning_layer: cli source_paths: - cmd/gpuaas-cli - doc/operations - doc/api - scripts/ci target_paths: - cmd/gpuaas-cli - doc/operations - scripts/ci - .fairway/artifacts review_domains: - architecture - backend - ops - governance tags: - program:stabilization - program:production-readiness - surface:cli - surface:agent-automation - work-type:developer-experience risk_level: medium migration_type: cli-agent-friendly-discovery acceptance_checks: - GPUaaS CLI cold-start behavior is documented and testable for agents and deterministic automation. - Child tasks cover offline operating guidance, machine-readable command discovery, and preflight/doctor checks. - The model preserves current Cobra help behavior and does not weaken existing human CLI workflows. - Evidence identifies which Fairway cold-start lessons apply to GPUaaS CLI and which do not. - id: CLI-AGENT-GUIDE-COMMAND-001 title: Add offline GPUaaS CLI agent guide command kind: task role: backend profile: platform-foundation parent_id: CLI-AGENT-FRIENDLY-DISCOVERY-EPIC owning_domain: gpuaas owning_layer: cli source_paths: - cmd/gpuaas-cli - doc/operations - doc/api - AGENTS.md target_paths: - cmd/gpuaas-cli - doc/operations - .fairway/artifacts review_domains: - backend - ops - governance tags: - program:stabilization - program:production-readiness - surface:cli - surface:agent-automation - work-type:developer-experience risk_level: medium migration_type: cli-agent-operating-contract depends_on: - CLI-AGENT-FRIENDLY-DISCOVERY-EPIC acceptance_checks: - "`gpuaas agent-guide` or equivalent prints a concise offline operating contract for agents using the CLI." - The guide states required global flags for automation, especially `--no-input`, `--output json`, `--base-url`, and `--project-id`. - The guide explains contract-first usage, error envelope expectations, correlation-id capture, and when to use API/read-model surfaces instead of direct DB queries. - The command references canonical docs and embedded OpenAPI/schema commands without requiring network access. - Tests cover command output and confirm the command exits 0 without needing configured credentials. - id: CLI-MACHINE-READABLE-COMMAND-CATALOG-001 title: Add machine-readable GPUaaS CLI command catalog for agents kind: task role: backend profile: platform-foundation parent_id: CLI-AGENT-FRIENDLY-DISCOVERY-EPIC owning_domain: gpuaas owning_layer: cli source_paths: - cmd/gpuaas-cli - doc/api - scripts/ci target_paths: - cmd/gpuaas-cli - scripts/ci - .fairway/artifacts review_domains: - backend - ops - governance tags: - program:stabilization - program:production-readiness - surface:cli - surface:agent-automation - work-type:developer-experience risk_level: medium migration_type: cli-machine-readable-discovery depends_on: - CLI-AGENT-FRIENDLY-DISCOVERY-EPIC acceptance_checks: - CLI exposes a JSON command catalog listing command path, short description, required flags, output modes, auth/project requirements, and related API operation when known. - Human `--help` remains concise and unchanged unless a targeted improvement is required. - Catalog generation is deterministic and covered by a CI smoke test. - Agents can use the catalog to decide safe read-only commands versus mutating commands without scraping human help text. - Mutating commands are clearly marked and include idempotency-key guidance where applicable. - id: CLI-AGENT-PREFLIGHT-DOCTOR-001 title: Add GPUaaS CLI agent preflight and doctor command kind: task role: backend profile: platform-foundation parent_id: CLI-AGENT-FRIENDLY-DISCOVERY-EPIC owning_domain: gpuaas owning_layer: cli source_paths: - cmd/gpuaas-cli - scripts/ops - doc/operations target_paths: - cmd/gpuaas-cli - scripts/ci - doc/operations - .fairway/artifacts review_domains: - backend - ops - governance tags: - program:stabilization - program:production-readiness - surface:cli - surface:agent-automation - gate:preflight - work-type:developer-experience risk_level: medium migration_type: cli-agent-preflight-doctor depends_on: - CLI-AGENT-FRIENDLY-DISCOVERY-EPIC acceptance_checks: - "`gpuaas doctor --output json` or equivalent validates CLI config, base URL reachability, auth state, project context, API contract version, and safe automation flags." - Doctor output is machine-readable, includes remediation hints, and never prints secrets or bearer tokens. - Doctor distinguishes unauthenticated setup, expired token, missing project, unreachable API, and incompatible server/contract shape. - CI smoke covers success and representative failure fixtures without requiring a live production environment. - Docs explain how agents should run doctor before UAT, deploy smoke, or mutating CLI workflows. - id: RTE-POLICY-READINESS-EPIC title: Produce RTE deployment policy readiness evidence for GPUaaS kind: epic role: architecture profile: platform-foundation owning_domain: gpuaas owning_layer: rte-readiness source_paths: - doc/operations/RTE_Policy_Readiness_Map_v1.md - doc/architecture - doc/operations - scripts/ci - scripts/ops - .fairway/platform-foundation-implementation-track.yaml target_paths: - doc/operations - .fairway/artifacts - .fairway/platform-foundation-implementation-track.yaml review_domains: - architecture - security - governance - ops tags: - program:production-readiness - program:security-review - environment:rte - surface:compliance-evidence - work-type:evidence risk_level: high migration_type: rte-policy-readiness acceptance_checks: - RTE Secure Engineering and RTE Software/Firmware/Supply Chain policies are mapped to GPUaaS evidence, owners, gaps, waivers, and existing Fairway tasks. - RTE readiness layer consumes existing GPUaaS controls instead of creating duplicate MFA, supply-chain, PKI, vulnerability, waiver, or CodeGuard tracks. - Output identifies controls owned outside GPUaaS engineering, including supplier screening, personnel screening/training, procurement clauses, and formal RTE governance approval. - Architecture, security, governance, and ops agree on the RTE launch evidence packet shape before an RTE instance is treated as production-ready. - id: RTE-POLICY-CONTROL-MAP-001 title: Map RTE policy requirements to GPUaaS evidence and gaps kind: architecture-map role: architecture profile: platform-foundation parent_id: RTE-POLICY-READINESS-EPIC owning_domain: gpuaas owning_layer: rte-readiness source_paths: - doc/operations/RTE_Policy_Readiness_Map_v1.md - doc/operations/CodeGuard_Gap_Map_v1.md - doc/operations/Fairway_Rule_Pack_Adoption_Plan_v1.md - .fairway/platform-foundation-implementation-track.yaml target_paths: - doc/operations - .fairway/artifacts review_domains: - architecture - security - governance - ops tags: - program:production-readiness - program:security-review - environment:rte - surface:compliance-evidence - work-type:architecture-map risk_level: high migration_type: rte-control-map depends_on: - RTE-POLICY-READINESS-EPIC acceptance_checks: - Control map links each RTE policy theme to existing GPUaaS docs, APIs, evidence artifacts, Fairway tasks, or explicit gaps. - Map distinguishes code/product gaps from RTE/G42 governance, procurement, HR, supplier, and legal obligations. - Existing tasks for MFA, supply chain, secrets/PKI, JIT, vulnerability SLA, waiver governance, CodeGuard, and audit evidence are referenced rather than duplicated. - Required RTE launch blockers, deferrals, and waivers are listed with owner, expiry, evidence path, and review domain. - id: RTE-ENV-BOUNDARY-SEGMENTATION-EVIDENCE-001 title: Produce RTE environment boundary and segmentation evidence kind: release-evidence role: ops profile: platform-foundation parent_id: RTE-POLICY-READINESS-EPIC owning_domain: gpuaas owning_layer: rte-environment source_paths: - doc/architecture - doc/operations - scripts/ops - infra target_paths: - doc/operations - scripts/ops - .fairway/artifacts review_domains: - architecture - security - ops - governance tags: - program:production-readiness - environment:rte - surface:network-boundary - surface:ops - work-type:evidence risk_level: high migration_type: rte-boundary-segmentation-evidence depends_on: - RTE-POLICY-CONTROL-MAP-001 acceptance_checks: - RTE instance topology identifies access zone, management plane, compute zone, storage zone, observability zone, and external dependencies. - Evidence proves dev/test/staging/RTE production separation and states any approved exception or shared service boundary. - Public, operator, admin, node-agent, registry, Keycloak, Pomerium, Temporal, NATS, Redis, Postgres, and observability paths are classified by trust boundary. - Boundary validation avoids screenshots-only evidence and uses APIs, Kubernetes state, route config, firewall/security group exports, or deterministic probes where possible. - id: RTE-SUPPLY-CHAIN-PROVENANCE-SCREENING-001 title: Produce RTE supply-chain provenance and supplier screening evidence kind: release-evidence role: security profile: platform-foundation parent_id: RTE-POLICY-READINESS-EPIC owning_domain: gpuaas owning_layer: supply-chain source_paths: - doc/operations - scripts/ci - scripts/ops - infra target_paths: - doc/operations - scripts/ci - .fairway/artifacts review_domains: - security - ops - governance tags: - program:production-readiness - program:security-review - environment:rte - surface:supply-chain - work-type:evidence risk_level: high migration_type: rte-supply-chain-provenance-screening depends_on: - SEC-ARCH-SUPPLY-CHAIN-EVIDENCE-GATE-001 - RTE-POLICY-CONTROL-MAP-001 acceptance_checks: - RTE evidence packet includes SBOM, provenance, signature, scanner, waiver, and artifact trust evidence for release artifacts, images, app artifacts, and node-agent packages. - Supplier/prohibited-source screening requirement is mapped for OS images, Kubernetes/RKE2, Keycloak, Temporal, NATS, Redis, Postgres, Pomerium, Cloudflare/edge, registries, GPU drivers, firmware, and critical SaaS dependencies. - Any supplier/prohibited-equipment decision that is outside GPUaaS authority is explicitly routed to RTE/G42 security, procurement, legal, or governance. - Evidence includes unsupported/EOL dependency register or links to the task that will produce it. - id: RTE-SERVICE-EXPOSURE-CONFIG-BASELINE-001 title: Produce RTE service exposure and configuration baseline evidence kind: release-evidence role: ops profile: platform-foundation parent_id: RTE-POLICY-READINESS-EPIC owning_domain: gpuaas owning_layer: rte-baseline source_paths: - doc/operations - scripts/ops - infra - packages/platform - cmd target_paths: - doc/operations - scripts/ops - .fairway/artifacts review_domains: - ops - security - architecture tags: - program:production-readiness - environment:rte - surface:service-exposure - surface:configuration-baseline - work-type:evidence risk_level: high migration_type: rte-service-exposure-config-baseline depends_on: - RTE-ENV-BOUNDARY-SEGMENTATION-EVIDENCE-001 acceptance_checks: - Inventory lists ports, protocols, public endpoints, admin endpoints, internal service endpoints, WebSocket paths, node-agent paths, and management interfaces with justification. - Baseline captures Kubernetes resources, runtime config, edge/Pomerium policy, cert-manager/PKI posture, registry trust, node-agent package metadata, and app artifact trust posture. - Unnecessary or undocumented services are removed, disabled, or tracked with waiver and owner. - Evidence is generated by deterministic scripts or APIs and can be rerun for RTE change control. - id: RTE-RETENTION-LOGGING-INCIDENT-EVIDENCE-001 title: Produce RTE retention, logging, and incident containment evidence kind: release-evidence role: ops profile: platform-foundation parent_id: RTE-POLICY-READINESS-EPIC owning_domain: gpuaas owning_layer: rte-observability source_paths: - doc/operations - scripts/ops - packages/platform - cmd target_paths: - doc/operations - scripts/ops - .fairway/artifacts review_domains: - ops - security - governance tags: - program:production-readiness - program:security-review - environment:rte - surface:observability - surface:incident-response - work-type:evidence risk_level: high migration_type: rte-retention-logging-incident-evidence depends_on: - RTE-POLICY-CONTROL-MAP-001 acceptance_checks: - Evidence categories are mapped to retention period, storage location, export path, owner, access control, and immutability or tamper-evidence posture. - RTE launch packet includes centralized logging, alerting, audit, security monitoring, and continuous-improvement evidence for the deployed instance. - Incident containment runbook covers disabling compromised app artifacts, blocking routes, draining/quarantining nodes, revoking credentials, rotating secrets/certs, and rolling back release artifacts. - Any RTE-required 5-year retention obligation not yet met by GPUaaS evidence storage is tracked as a launch blocker or approved waiver. - id: SEC-CI-SCAN-THRESHOLD-GRADUATION-EPIC title: Graduate CI and pre-prod security scan reports into thresholded gates kind: epic role: security profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: appsec owning_layer: security-scan-ci-enforcement source_paths: - .gitlab-ci.yml - scripts/ci/security_sast_tool_report.sh - scripts/ci/security_sast_summary.sh - scripts/ci/security_govulncheck_report.sh - scripts/ci/security_scans_summary.sh - scripts/ci/security_image_scan_report.sh - scripts/ci/security_dast_report.sh - scripts/ci/security_promotion_gate.sh - doc/operations/Security_Scan_Promotion_Gate_Runbook.md - doc/governance/security_scan_exceptions.json target_paths: - scripts/ci - .gitlab-ci.yml - doc/operations - doc/governance - .fairway/artifacts review_domains: - security - ops - governance - backend - frontend tags: - program:security-review - program:production-readiness - surface:ci - surface:security-scan - work-type:gate risk_level: high migration_type: security-scan-threshold-graduation depends_on: - SEC-PROD-SCAN-ENFORCEMENT-GATE-001 - SEC-PROD-VULNERABILITY-SLA-001 - SEC-PROD-WAIVER-GOVERNANCE-001 acceptance_checks: - Current SAST, dependency, secret, image, and DAST report failures are fixed, waived, or converted into owner-bound follow-up tasks before normal CI is made blocking. - The pipeline keeps scan triage current after the initial cleanup so report-only failures cannot silently accumulate again. - CI distinguishes report-only, warning, pre-prod blocking, and production-promotion blocking modes with documented thresholds. - Scanner unavailable/skipped behavior is explicit and fails in blocking modes unless an approved unexpired exception exists. - Threshold decisions use vulnerability SLA and waiver governance rather than ad hoc per-job allow_failure behavior. - id: SEC-CI-SCAN-REPORT-TRIAGE-001 title: Triage current CI security scan reports before threshold enforcement kind: release-evidence role: security profile: platform-foundation parent_id: SEC-CI-SCAN-THRESHOLD-GRADUATION-EPIC owning_domain: appsec owning_layer: security-scan-triage source_paths: - dist/security - .gitlab-ci.yml - scripts/ci/security_sast_tool_report.sh - scripts/ci/security_sast_summary.sh - scripts/ci/security_govulncheck_report.sh - scripts/ci/security_scans_summary.sh - doc/operations/Security_Scan_Promotion_Gate_Runbook.md - doc/governance/security_scan_exceptions.json target_paths: - doc/operations - .fairway/artifacts - doc/governance/security_scan_exceptions.json review_domains: - security - ops - governance tags: - program:security-review - program:production-readiness - surface:ci - surface:security-scan - work-type:evidence risk_level: high migration_type: security-scan-report-triage depends_on: - SEC-CI-SCAN-THRESHOLD-GRADUATION-EPIC acceptance_checks: - Latest CI SAST, secret, dependency, image, and DAST artifacts are collected or regenerated locally with sanitized paths. - Findings are classified as true positive, false positive, existing accepted risk, tool/config noise, unavailable scanner, or missing scan target. - Each true positive creates a scoped fix task with owner, affected paths, detected_by, expected_gate, and review domains. - Each accepted risk has an approved exception with owner, expiry, impact, compensating control, and follow-up task. - id: SEC-CI-SCAN-BASELINE-KEEPUP-001 title: Keep security scan triage current in the pipeline before hard enforcement kind: release-evidence role: security profile: platform-foundation parent_id: SEC-CI-SCAN-THRESHOLD-GRADUATION-EPIC owning_domain: appsec owning_layer: security-scan-baseline-keepup source_paths: - .gitlab-ci.yml - scripts/ci/security_sast_summary.sh - scripts/ci/security_govulncheck_report.sh - scripts/ci/security_scans_summary.sh - scripts/ci/security_promotion_gate.sh - doc/governance/security_scan_exceptions.json - doc/operations/Vulnerability_Remediation_SLA_v1.md target_paths: - scripts/ci - .gitlab-ci.yml - doc/operations - .fairway/artifacts review_domains: - security - ops - governance tags: - program:security-review - program:production-readiness - surface:ci - surface:security-scan - work-type:evidence risk_level: high migration_type: security-scan-baseline-keepup depends_on: - SEC-CI-SCAN-REPORT-TRIAGE-001 acceptance_checks: - Pipeline emits a machine-readable scan baseline/triage summary showing unresolved findings, waived findings, expired waivers, skipped tools, and owner-bound follow-up tasks. - New report-only findings after the baseline create or update Fairway follow-up tasks instead of remaining only in CI artifacts. - Summary distinguishes existing baseline debt from newly introduced findings so blocking-new mode has a stable input. - CI evidence includes the scan report SHA/source pipeline, baseline version, exception registry version, and recommendation for report, warning, blocking-new, or blocking-all mode. - id: SEC-CI-SCAN-TOOL-REQUIRED-MODES-001 title: Make security scanner availability fail closed in blocking modes kind: task role: security profile: platform-foundation parent_id: SEC-CI-SCAN-THRESHOLD-GRADUATION-EPIC owning_domain: appsec owning_layer: security-scan-tooling source_paths: - .gitlab-ci.yml - scripts/ci/bootstrap_ci_toolchain.sh - scripts/ci/security_sast_tool_report.sh - scripts/ci/security_govulncheck_report.sh - scripts/ci/security_image_scan_report.sh - scripts/ci/security_dast_report.sh - scripts/ci/security_promotion_gate.sh target_paths: - .gitlab-ci.yml - scripts/ci - doc/operations - .fairway/artifacts review_domains: - security - ops - governance tags: - program:security-review - program:production-readiness - surface:ci - surface:security-scan - work-type:gate risk_level: high migration_type: security-scan-tool-required-modes depends_on: - SEC-CI-SCAN-BASELINE-KEEPUP-001 acceptance_checks: - Scan scripts keep report-only mode available for calibration but fail closed when invoked in warning/pre-prod/production blocking mode. - Missing gosec, semgrep, gitleaks, govulncheck, trivy, or ZAP produces machine-readable blocked evidence in blocking modes. - Optional bootstrap warnings in `.gitlab-ci.yml` do not silently convert an intended blocking scan into skipped/pass. - Smoke fixtures cover tool unavailable, skipped scan, tool execution error, clean report, finding report, and approved exception cases. - id: SEC-CI-SAST-SCA-THRESHOLD-GATE-001 title: Add normal CI thresholds for SAST, secrets, and dependency scans kind: task role: security profile: platform-foundation parent_id: SEC-CI-SCAN-THRESHOLD-GRADUATION-EPIC owning_domain: appsec owning_layer: security-scan-ci-enforcement source_paths: - .gitlab-ci.yml - scripts/ci/security_sast_tool_report.sh - scripts/ci/security_sast_summary.sh - scripts/ci/security_govulncheck_report.sh - scripts/ci/security_scans_summary.sh - scripts/ci/security_promotion_gate.sh - doc/governance/security_scan_exceptions.json - doc/operations/Vulnerability_Remediation_SLA_v1.md target_paths: - .gitlab-ci.yml - scripts/ci - doc/operations - .fairway/artifacts review_domains: - security - ops - governance - backend - frontend tags: - program:security-review - program:production-readiness - surface:ci - surface:security-scan - work-type:gate risk_level: high migration_type: sast-sca-ci-threshold-gate depends_on: - SEC-CI-SCAN-TOOL-REQUIRED-MODES-001 acceptance_checks: - Normal CI fails on new unwaived critical/high SAST, secret, or dependency findings after the triaged baseline is established. - Existing accepted findings remain visible in SLA summaries and do not disappear from evidence when waived. - Threshold config supports at least report, warning, blocking-new, and blocking-all modes. - The CI security summary reports mode, baseline version, finding counts, waiver counts, and release recommendation. - id: SEC-CI-IMAGE-DAST-PREPROD-THRESHOLD-GATE-001 title: Add pre-prod thresholds for image/container and DAST scans kind: task role: security profile: platform-foundation parent_id: SEC-CI-SCAN-THRESHOLD-GRADUATION-EPIC owning_domain: appsec owning_layer: preprod-security-scan-enforcement source_paths: - .gitlab-ci.yml - scripts/ci/security_image_scan_report.sh - scripts/ci/security_dast_report.sh - scripts/ci/security_promotion_gate.sh - doc/operations/Security_Scan_Promotion_Gate_Runbook.md - doc/governance/security_scan_exceptions.json target_paths: - .gitlab-ci.yml - scripts/ci - doc/operations - .fairway/artifacts review_domains: - security - ops - governance tags: - program:security-review - program:production-readiness - surface:ci - surface:dast - surface:image-scan - work-type:gate risk_level: high migration_type: image-dast-preprod-threshold-gate depends_on: - SEC-CI-SCAN-TOOL-REQUIRED-MODES-001 acceptance_checks: - Pre-prod scan mode fails when image/container or DAST scanners are skipped, unavailable, or report unwaived critical/high findings. - Existing pre-prod external security scan gate work is reconciled or linked before blocking DAST is enabled. - DAST targets, auth mode, target environment, allowed endpoints, rate limits, and rollback/stop conditions are documented before enabling blocking mode. - Image scan targets include API, workers, terminal gateway, app runtime, node-agent/package artifacts where applicable, and any skipped target is explicit evidence. - Pre-prod security scan evidence feeds the production promotion gate and vulnerability SLA summaries without duplicating exception logic. - id: SEC-PENTEST-READINESS-GATE-001 title: Define and verify formal penetration test readiness gate kind: release-evidence role: security profile: platform-foundation parent_id: SEC-ARCH-REVIEW-EPIC owning_domain: appsec owning_layer: penetration-test-readiness source_paths: - doc/architecture - doc/operations - doc/api - .gitlab-ci.yml - scripts/ci - scripts/ops - doc/governance/security_scan_exceptions.json target_paths: - doc/operations - doc/governance - .fairway/artifacts review_domains: - security - ops - governance - architecture - backend - frontend tags: - program:security-review - program:production-readiness - surface:pentest - surface:preprod - work-type:evidence risk_level: high migration_type: pentest-readiness-gate depends_on: - SEC-CI-SCAN-THRESHOLD-GRADUATION-EPIC - SEC-CODEGUARD-ROUTE-RUNTIME-MAP-001 - RTE-SERVICE-EXPOSURE-CONFIG-BASELINE-001 acceptance_checks: - Formal pen test is not scheduled until current high/critical SAST, SCA, secret, image, and DAST findings are fixed, waived, or tracked with owner and expiry. - Pre-prod target environment is stable enough for testing and has documented deploy, rollback, seed/test data, test accounts, logging, audit, correlation IDs, and incident contact path. - Attack surface inventory lists public domains, APIs, WebSockets, Pomerium routes, admin/operator endpoints, node-agent paths, app runtime routes, and excluded/destructive test boundaries. - Rules of engagement define target environment, allowed test classes, excluded tests, test window, rate limits, contacts, stop criteria, rollback criteria, and evidence handling. - Readiness packet includes architecture diagrams, auth model, API contracts, route/runtime map, known risks, approved waivers, scan summaries, logging/monitoring posture, and security review contacts. - id: OPS-FAIRWAY-DASHBOARD-CLOUDFLARE-READONLY-001 title: Add read-only Fairway dashboard Cloudflare sharing setup kind: task role: ops profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: operations owning_layer: fairway-dashboard-sharing source_paths: - /Users/subash/dev/fairway/docs/design/dashboard-sharing.md - /Users/subash/dev/fairway/docs/config-reference.md - .fairway/platform-foundation-config.toml - scripts/ops - doc/operations - Makefile target_paths: - scripts/ops/fairway_readonly_dashboard_cloudflare.sh - doc/operations/Fairway_Readonly_Dashboard_Cloudflare_Runbook.md - Makefile - .fairway/artifacts review_domains: - ops - security - governance tags: - program:production-readiness - program:fairway-process - environment:cloudflare - surface:dashboard - surface:ops - work-type:ops-readiness risk_level: medium migration_type: fairway-dashboard-cloudflare-readonly acceptance_checks: - GPUaaS has a documented read-only Fairway dashboard sharing topology using Cloudflare Tunnel and Cloudflare Access. - Start/stop/status/verify commands exist and keep the Fairway origin bound to localhost. - The tunnel token path is outside git and no secret values are committed or printed. - The runbook separates Cloudflare Access authentication from Fairway read-only mutation blocking. - The setup does not enable write-mode dashboard actions or trust Cloudflare identity headers inside Fairway. - id: OPS-FAIRWAY-DASHBOARD-CLOUDFLARE-ACCESS-LIVE-001 title: Complete live Cloudflare Access setup for Fairway dashboard kind: task role: ops profile: platform-foundation parent_id: OPS-FAIRWAY-DASHBOARD-CLOUDFLARE-READONLY-001 owning_domain: operations owning_layer: fairway-dashboard-sharing source_paths: - scripts/ops/fairway_readonly_dashboard_cloudflare.sh - doc/operations/Fairway_Readonly_Dashboard_Cloudflare_Runbook.md - .env.cloudflare.core42-dev target_paths: - .git/ops-evidence/fairway-dashboard-cloudflare/token - .fairway/artifacts review_domains: - ops - security tags: - program:production-readiness - environment:cloudflare - surface:dashboard - surface:ops - work-type:ops-readiness risk_level: medium migration_type: fairway-dashboard-cloudflare-live-access depends_on: - OPS-FAIRWAY-DASHBOARD-CLOUDFLARE-READONLY-001 acceptance_checks: - Cloudflare Access app exists for fairway-gpuaas.core42.dev before connector is started. - Access policy is limited to named initial operator email or approved reviewer allowlist. - make fairway-dashboard-share-start succeeds. - make fairway-dashboard-share-verify confirms unauthenticated public request is challenged or denied. - No tunnel token or Access credentials are committed or printed. - id: GOV-CRITICAL-FLOW-PREFLIGHT-DRILL-GATE-001 title: Establish critical-flow preflight and drill governance gate kind: boundary-guard role: governance profile: platform-foundation parent_id: OPS-PROD-READINESS-BACKLOG owning_domain: governance owning_layer: critical-flow-readiness source_paths: - doc/operations/IAM_MFA_Drill_Retrospective_2026-06-13.md - doc/operations/GPUaaS_Coordination_Process_Lessons_2026-06-13.md - doc/governance/Product_Gap_Readiness_Gate.md - doc/operations/Product_Quality_Flow_Coverage_Operating_Model_v1.md target_paths: - doc/governance/Critical_Flow_Preflight_And_Drill_Gate_v1.md - doc/governance/Product_Gap_Readiness_Gate.md - doc/operations/Product_Quality_Flow_Coverage_Operating_Model_v1.md - AGENTS.md review_domains: - governance - architecture - security - ops tags: - program:fairway-process - program:production-readiness - work-type:governance - surface:critical-flow risk_level: medium migration_type: critical-flow-preflight-drill-gate acceptance_checks: - Governance docs state that P0/P1 critical flows require flow/dependency mapping before implementation, broad UAT, deploy validation, or live drill scheduling. - The gate requires checked-in reproducible non-live/disposable preflight proof before live-window authorization. - The gate requires reviewer packets to include causal goal, last blocker, allowed proof, forbidden actions, commands, artifact paths, and next owner/action. - The gate defines bounded retry and causal-reset behavior after repeated meaningful failures. - AGENTS or startup prompt docs reference the gate so future tracks follow it. - id: UAT-CRITICAL-FLOW-COVERAGE-AUDIT-001 title: Audit P0/P1 flows against critical-flow preflight gate kind: boundary-guard role: governance profile: platform-foundation parent_id: GOV-CRITICAL-FLOW-PREFLIGHT-DRILL-GATE-001 owning_domain: product-quality owning_layer: flow-coverage source_paths: - doc/operations/Product_Quality_Flow_Coverage_Matrix_v1.md - doc/operations/Product_Quality_Flow_Coverage_Decision_Packet_2026-06-13.md - doc/operations/Demo_UAT_Flow_Coverage_Matrix_v1.md - doc/operations/MFA_Flow_Contract_Product_Quality_Review_Model_v1.md target_paths: - doc/operations/Product_Quality_Flow_Coverage_Matrix_v1.md - doc/operations/Product_Quality_Flow_Coverage_Decision_Packet_2026-06-13.md - .fairway/artifacts review_domains: - governance - product - architecture - ops - security tags: - program:uat-hardening - program:production-readiness - work-type:flow-coverage - surface:critical-flow risk_level: medium migration_type: critical-flow-coverage-audit depends_on: - GOV-CRITICAL-FLOW-PREFLIGHT-DRILL-GATE-001 acceptance_checks: - P0/P1 Product Quality rows identify missing happy, empty, blocked, recovery, negative, cleanup, provider, browser, environment, and rollback subpaths. - Each critical flow maps to a checked-in preflight or a follow-up task that owns the missing preflight. - MFA, terminal allocation/connect, storage mount grant, billing low-balance/insufficient-balance, deploy/UAT, and provider lifecycle flows are explicitly classified. - Audit output creates or references scoped `UAT-BUG-*`, `HARNESS-FIX-*`, `OPS-FIX-*`, or `GOV-*` tasks for every accepted gap. - id: HARNESS-CRITICAL-FLOW-PREFLIGHT-PACKET-TEMPLATE-001 title: Create reusable critical-flow preflight and reviewer packet templates kind: task role: ops profile: platform-foundation parent_id: GOV-CRITICAL-FLOW-PREFLIGHT-DRILL-GATE-001 owning_domain: operations owning_layer: harness-governance source_paths: - doc/governance/Critical_Flow_Preflight_And_Drill_Gate_v1.md - doc/operations/IAM_MFA_Drill_Retrospective_2026-06-13.md - scripts/ops - scripts/ci target_paths: - doc/operations - scripts/ops - scripts/ci - .fairway/artifacts review_domains: - ops - governance - security - architecture tags: - program:uat-hardening - program:fairway-process - work-type:harness - surface:critical-flow risk_level: medium migration_type: critical-flow-preflight-packet-template depends_on: - GOV-CRITICAL-FLOW-PREFLIGHT-DRILL-GATE-001 acceptance_checks: - A reusable packet template exists for non-live preflight, live-window authorization, reviewer context, rollback proof, and causal-reset recommendation. - Template fields distinguish allowed actions, forbidden actions, execution surface, source SHA, artifact directory, evidence contract, retry count, expiry, rollback owner, and evidence owner. - Template examples cover MFA-like browser/provider flows without hardcoding MFA-only semantics. - Validation or fixture checks prove required fields fail closed before a live or broad-UAT packet is accepted. - id: GOV-RISK-SCALED-REVIEW-MODEL-001 title: Adopt risk-scaled review inheritance for GPUaaS critical flows kind: boundary-guard role: governance profile: platform-foundation parent_id: GOV-CRITICAL-FLOW-PREFLIGHT-DRILL-GATE-001 owning_domain: governance owning_layer: review-governance source_paths: - doc/operations/Fairway_Review_Operating_Model.md - doc/governance/Critical_Flow_Preflight_And_Drill_Gate_v1.md - doc/operations/IAM_MFA_Drill_Retrospective_2026-06-13.md - doc/operations/GPUaaS_Coordination_Process_Lessons_2026-06-13.md target_paths: - doc/operations/Fairway_Review_Operating_Model.md - doc/governance/Critical_Flow_Preflight_And_Drill_Gate_v1.md - doc/operations/GPUaaS_Track_Startup_Prompts.md - .fairway/platform-foundation-implementation-track.yaml review_domains: - governance - architecture - security - ops tags: - program:fairway-process - program:production-readiness - work-type:governance - surface:review-routing - detected_by:mfa-drill-retrospective risk_level: medium migration_type: risk-scaled-review-inheritance acceptance_checks: - GPUaaS governance docs distinguish micro-slice, grouped-slice, and epic/release review levels. - Docs state that small child tasks preserving an already-blocked posture can use one accountable independent reviewer or grouped review, while epic/live/deploy/production-readiness approvals keep the full review matrix. - Docs list no-inheritance cases such as source/prod mutation, credentials, public exposure, live drill/window, sensitive-operation gate implementation, and weakening safety gates. - Docs require new process changes to state a speed, quality, or safety hypothesis and run as a bounded pilot before becoming default policy. - Docs direct teams to remove or narrow process that does not improve delivery speed, defect discovery, rollback safety, or cycle time, and to invest instead in preflight, tests, UAT flow coverage, or tool automation. - Orchestrator/startup guidance tells tracks to batch small review slices and request Architecture Control mapping only when it reduces risk or resolves same-lane authorship, not as a default ceremony. - Fairway product follow-up exists for configurable review profiles so GPUaaS does not depend on manual chat policy. - id: GOV-AUTOMATE-REPEATED-WORK-001 title: Establish automate-after-repetition operating rule kind: boundary-guard role: governance profile: platform-foundation parent_id: GOV-RISK-SCALED-REVIEW-MODEL-001 owning_domain: governance owning_layer: automation-governance source_paths: - doc/governance/Critical_Flow_Preflight_And_Drill_Gate_v1.md - doc/operations/Fairway_Review_Operating_Model.md - doc/operations/GPUaaS_Coordination_Process_Lessons_2026-06-13.md - tmp-ux/gpuaas-mfa-closeout-working-memory-2026-06-14.md target_paths: - doc/governance/Critical_Flow_Preflight_And_Drill_Gate_v1.md - doc/operations/Fairway_Review_Operating_Model.md - doc/operations/GPUaaS_Track_Startup_Prompts.md - scripts/ops - scripts/ci - .fairway/platform-foundation-implementation-track.yaml review_domains: - governance - architecture - ops tags: - program:fairway-process - program:production-readiness - work-type:governance - surface:automation - detected_by:mfa-drill-retrospective risk_level: medium migration_type: automate-repeated-work-rule acceptance_checks: - "GPUaaS docs state the operating rule: first time manual, second time capture the checklist or command, third time automate or create an automation task." - Docs define preferred automation targets including Fairway state summaries, review-wait/merge-ready checks, commit-boundary handling, preflight packet generation, UAT coverage diffs, CI/deploy monitor handbacks, evidence redaction, and delivery-overhead reporting. - Orchestrator guidance requires agents to create a scoped automation task when they repeat deterministic coordination or validation work more than twice. - Automation proposals must still state how they improve speed, quality, safety, or token usage before becoming default process. - Follow-up Fairway product task exists to detect repeated workflows and recommend automation candidates from task/session/evidence history.