Skip to content

Auto-PR: docs(fleet): §9 custody spectrum — managed -> BYOC -> self-custody migration path#95

Merged
ncimino merged 1 commit into
mainfrom
docs/nik-custody-migration-path
Jul 16, 2026
Merged

Auto-PR: docs(fleet): §9 custody spectrum — managed -> BYOC -> self-custody migration path#95
ncimino merged 1 commit into
mainfrom
docs/nik-custody-migration-path

Conversation

@weown-bot

Copy link
Copy Markdown
Contributor

🤖 Automated Pull Request — authored by weown-bot (ecosystem service account)

Opened by: @ncimino
Last pushed by: @ncimino
Branch: docs/nik-custody-migration-pathmain

Contributors on this branch:


📋 Human Review Checklist — NIST CSF 2.0 Functions

Review per the 6 NIST CSF Functions. Frameworks referenced: NIST CSF 2.0, CIS Controls v8 IG1, CSA CCM v4, ISO/IEC 27001:2022, SOC 2, ISO/IEC 42001:2023. See docs/COMPLIANCE_ROADMAP.md.

🏛️ Govern (GV)

  • CODEOWNERS correct for affected paths (.github/CODEOWNERS)
  • ADR required/updated if an architectural decision is introduced
  • Policy impact considered and documented
  • All Copilot AI review comments addressed or explicitly deferred with rationale

🔍 Identify (ID)

  • New assets inventoried (Helm values, container images, dependencies)
  • SBOM regenerated if dependencies changed
  • Risk register / threat model touched if threat surface changed (.github/SECURITY_ASSESSMENT.md)

🛡️ Protect (PR)

  • Least privilege: RBAC, ServiceAccounts, scoped PATs (NIST PR.AC, CIS 5/6, ISO A.5.15-A.5.18)
  • Secrets managed via Infisical (never --from-literal, never /tmp, always $(mktemp) — ISO A.8.24)
  • NetworkPolicy present for new deployments (NIST PR.AC-5, CIS 12, CSA IVS)
  • TLS 1.3 with strong cipher suites where applicable (NIST PR.DS-1, CIS 3)
  • Container security: non-root UID 1000+, Pod Security restricted (NIST PR.IP, CIS 4)

🕵️ Detect (DE)

  • Logs / metrics added for new components (NIST DE.CM, CIS 8/13)
  • Alert rules updated if thresholds change
  • Health checks (livenessProbe + readinessProbe) configured

🚨 Respond (RS)

  • Runbook updated if operational behavior changes (.github/INCIDENT_RESPONSE.md)
  • Incident response impact considered (escalation paths, on-call)

♻️ Recover (RC)

  • Backup strategy covers new persistent data (NIST RC.RP, CIS 11, ISO A.8.13)
  • Rollback procedure tested or documented
  • DR impact assessed for new critical components

📚 Documentation & Versioning

  • Relevant CHANGELOG.md updated (per-directory or repo-level /CHANGELOG.md)
  • #WeOwnVer version bumped per docs/VERSIONING_WEOWNVER.md
  • READMEs / ADRs / inline comments updated

📝 Recent Commits (full bodies for Copilot context)

1a6e57c docs(fleet): §9 custody spectrum — managed -> BYOC -> self-custody migration path

Author: Nik
Date: Wed Jul 15 22:38:17 2026 -0600

Managed ships first (Tyler's complexity-collapse call); custody is a parameter,
not a rewrite: every per-tenant boundary (state file, secrets project, LLM key,
GPG backup keypair, DNS, registry row) is a hand-off point. Three tiers over
one template (managed / BYOC via customer-revocable scoped token / full
self-custody), per-customer migration sequence (parallel-build -> restore ->
smoke -> DNS cutover -> soak -> decommission -> custody ceremony), ~zero
downtime via the proven INT-S004 cutover pattern. Notes BYOC as the landing
zone for the D210 position.



🔍 Copilot AI Review: Copilot is configured to auto-request review for bot-authored PRs. If an auto-created PR opens without an initial Copilot review, push a follow-up commit to the same open PR (review_on_push: true) to trigger review automatically.

👥 Required Reviewers: human approval enforced by branch protection + CODEOWNERS. @ncimino requested automatically.

📚 Review Guidelines: .github/copilot-instructions.md (phase-aware compliance directives)

🛠️ Workflow Operations: .github/workflows/README.md

Auto-generated by .github/workflows/auto-pr-to-main.yml

…gration path

Managed ships first (Tyler's complexity-collapse call); custody is a parameter,
not a rewrite: every per-tenant boundary (state file, secrets project, LLM key,
GPG backup keypair, DNS, registry row) is a hand-off point. Three tiers over
one template (managed / BYOC via customer-revocable scoped token / full
self-custody), per-customer migration sequence (parallel-build -> restore ->
smoke -> DNS cutover -> soak -> decommission -> custody ceremony), ~zero
downtime via the proven INT-S004 cutover pattern. Notes BYOC as the landing
zone for the D210 position.
@weown-bot weown-bot requested a review from ncimino as a code owner July 16, 2026 04:38
@weown-bot weown-bot requested review from Copilot and removed request for Copilot July 16, 2026 04:38
@ncimino ncimino merged commit adf02d4 into main Jul 16, 2026
17 of 18 checks passed
@ncimino ncimino deleted the docs/nik-custody-migration-path branch July 16, 2026 04:40
@ncimino

ncimino commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Session status record (2026-07-15, per orchestrator check-in)

  1. Worktrees: 4 clean worktrees reaped earlier today (alpine-veranda, openclaw-hardening, s004-stability, fix-nik-otel-syslog-parser — branches preserved). 5 remain, all carrying uncommitted work (laughing-hertz: staged owncloud files ≈ already on main; wonderful-neumann: untracked devbox site + 5 unique commits; beautiful-taussig: untracked onboarding docs; ferny-sky + waxen-hawk: devbox WIP). Full inventory delivered to owner; disposition is owner-gated per the no-discarding-uncommitted-work rule — awaiting per-worktree call.

  2. feature/nik-observability-signoz-otel: verified all deliverables (otel-agent/, fleet scripts, searxng-docker) exist on main via fresh commits (D1/D3 landing pattern); sole residue is Terraform for the deprecated signoz-docker template. Verdict recorded: dies, nothing to fold. Local-branch deletion awaits owner confirmation (destructive-action gate) — this comment is the documentation of why it dies.

  3. AnythingLLM production service: not blocked on engineering. Shipped to main today: per-customer key provisioning + lifecycle docs (Auto-PR: feature(saas): per-customer OpenRouter key provisioning + single-tenant instance lifecycle doc #88), automated-deploy gap fixes (Auto-PR: fix(deploy): automated AnythingLLM deploys now bootable + compliance facts table #89), tools-and-layers canon (Auto-PR: docs(infra): automation stack — tools & layers canon #90), GPG client-side encrypted backups + ZDR posture (Auto-PR: fix(deploy): age-keygen refuses to overwrite mktemp's pre-created file #91), CIS Phase-A hardening + encrypted-at-rest data volume (Auto-PR: security(anythingllm): CIS hardening play + encrypted-at-rest data volume (Phase A) #92), fleet operations design incl. IaC topology + custody migration path (Auto-PR: docs(fleet): fleet operations design — 100s-scale updates, rings, observability guarantee, billing lifecycle #93Auto-PR: docs(fleet): §9 custody spectrum — managed -> BYOC -> self-custody migration path #95). Private fleet registry repo scaffolded and live (registry + ephemeral-render wrapper). Next build in flight: on-droplet customer dashboard (SIMPLE_SSO plumbing first). Open human-gated items sit with the owner (commercial setup + provisioning key custody); production cutover additionally needs the dedicated LLM-provider account swap.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants