🔧 Operator

Operator Validation Soak

3 min readExternal operator · MaintainerFuture hardened-core gate

What this page covers

The operator validation soak is a future public evidence gate before Stigmem can declare a release-candidate line. At least one external operator must run the hardened core for 30 days, report findings publicly when safe, and confirm that P0 findings are fixed or explicitly carried forward.

What the operator runs

Reference node

Deployment using the current main branch or the release tag named by maintainers.

Same-org federation

Local or same-organization federation using documented peer setup.

Hardened surfaces

mTLS, key rotation, audit log, observability, and runbook surfaces exercised where applicable.

No experimental plugins

Unless the issue explicitly says the operator is validating that plugin as a separate ADR-008 gate.

Cross-organization production federation remains pre-stable until the soak finishes and the project declares the release-candidate line.

Before the soak starts

Item

Evidence

Notes

Deployment shape

public issue

Operator-candidate issue with non-sensitive context.

Version under test

SHA / tag

Commit SHA or release tag.

Topology

shape

Single node, same-org federation, or limited cross-org test.

Reporting path

public + advisory

Public issues for non-sensitive findings; private advisory path for vulnerabilities.

Weekly cadence

LOG.md

Digest entry or GitHub Discussion link.

Stop conditions

P0 / risk

P0 finding, secret exposure, unsafe deployment pattern, or operator request.

Do not put secrets, private topology diagrams, private customer data, exploit details, or unpublished vulnerability details in public issues.

Weekly digest

Each week, maintainers should add a short digest to LOG.md or link a public Discussion:

## YYYY-MM-DD — Operator Soak Digest, Week N

- Operator context: <public non-sensitive summary>
- Version under test: <commit or release tag>
- Deployment shape: <single node / same-org federation / limited federation>
- Findings opened: #NN, #NN
- Findings closed: #NN
- P0 status: none / #NN
- ADR-004 observability notes: <signals that helped or were missing>
- Next week: <planned validation focus>

Finding triage

Open public findings with the Operator finding issue template whenever the report can be shared safely. Maintainers apply:

type/operator-finding

For all soak findings.

operator-soak-finding

For findings produced during the 30-day soak.

severity/P0

When the finding blocks safe continuation.

P0 findings stop the soak until the operator and maintainers agree it is safe to continue. Fix PRs should reference the finding issue and include the validation that proves the fix.

ADR-004 feedback

Operator feedback should explicitly name which observability signals helped and which were missing. When the feedback changes incident-response expectations, open an ADR-004 amendment issue or PR and link the operator finding.

Exit evidence

Hardened-core exit requires:

1. One external operator completed 30 days of validation.
2. All P0 soak findings are closed or explicitly carried forward with a release blocker label.
3. Weekly digests are linked from LOG.md.
4. Relevant ADR-004 amendments are opened or merged.
5. Roadmap and checklist state are updated in the same PR that records exit evidence.