Current Controls in-progress

GPUaaS already has meaningful control depth. The portal should make that visible without pretending every control is already production-enforced.

Control Areas

• GitLab CI orchestrates contracts, build/test, security, SDK, migration, package, preflight, deploy, and post-deploy stages.
• Reusable scripts/ci/*.sh keep gate logic portable beyond GitLab.
• Contract validation, breaking-change checks, SDK smoke, and route guards exist.
• Security scans exist across SAST, secrets, dependencies, images, DAST, and API fuzzing paths.
• Runtime invariant guards cover audit, outbox, policy literals, logs, correlation, traces, node control-plane communication, and token transport.
• Persona UAT automation exists for current environments and produces evidence.
• Platform-control release promotion has an explicit branch and SHA discipline.

How To Read This

Treat current controls as assets to preserve and graduate. The core maturity question is whether a control is advisory, report-only, warning, or blocking in the target release path.

Canonical sources

• doc/operations/GPUaaS_Security_CD_Current_State_Gap_Roadmap_v1.mdraw
• doc/operations/Production_Platform_Baseline.mdraw
• doc/governance/Security_Control_Verification.mdraw