Security & Production Readiness (in-progress)

The product has security and operational processes, but much of that is compressed into the current environment shape. This section makes the control model, readiness gaps, and operating separation visible without turning portal pages into the source of truth.

Persona Routes

| Persona | First-read path | Decision points | Next-action pages |
| --- | --- | --- | --- |
| Security reviewer | Current Controls, Security Controls, Release Evidence | Am I validating implemented controls, checking evidence quality, reviewing gaps, or deciding what can be shared externally? | Gaps Roadmap, External Security Path, Terminal Session Security |
| Platform operator | Production Baseline, Release Operations, Runbook Index | Is this a release gate, incident response, patching, reserve capacity, or evidence-capture question? | Incident Workflow, Observability, Day-2 Operations |
| Architecture reviewer | System Overview, Shared Services, Domain Ownership | Does the security posture match platform/product boundaries, data flows, terminal access, and release authority? | API Domain Authoring, Storage Lifecycle, Release Evidence |

What To Read First

  • Current-state security/CD roadmap for controls, gaps, and planned hardening.
  • Production platform baseline for environment and operational expectations.
  • Platform-foundation gap portfolio for the consolidated architecture view.
  • Current security architecture and triage docs for implemented controls, current gaps, and review routing.
  • Secrets/PKI runtime trust and audit tamper-evidence docs for custody, rotation, WORM retention, and evidence expectations.
  • Platform-control promotion policy for release authority and promotion rules.

Pages

Readiness Themes

  • Release rings and reserved capacity for patch, feature, UAT, and rollback confidence.
  • Evidence bundles for release, security, runtime, and operational verification.
  • Separation between development flow, UAT automation, and production promotion.
  • Report-only guards that graduate to warning and then blocking gates.
  • Clear ownership for security, ops, platform, product, and app-developer surfaces.
  • Vulnerability remediation SLA, release-profile gates, and audit/evidence retention expectations for production readiness.

Readiness Posture

Control-To-Release Decision Path

What This Section Should Let Reviewers Do

  • review current controls without reading all raw architecture docs first;
  • separate production-readiness truth from future-state aspirations;
  • identify whether a failure is a product bug, an environment gap, or an intentionally deferred control;
  • follow the evidence path from user flow to release decision.