You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Follow-up tracker for items deferred by PR #821 (Epic 14+13+12: startup hardening, observability, reverse proxy). Parent: DEM-713.
Open items
T4 — wstcp reachability per environment. Operator-driven probe documented in docs/runbooks/wstcp-reachability-check.md. Run on every long-lived staging + mainnet host and capture results. Flip WSTCP_BIND_HOST=127.0.0.1 for containerized deployments behind a co-located proxy.
T8 full WASM notary session via Playwright. Current driver only verifies SDK load + RPC reach. Full Prover → Notarize → Presentation flow blocked by SDK packaging (tlsn-js ships UMD, no ESM default). Either repackage tlsn-js with ESM entry or import via SDK's webpack helper (mergeTlsnWebpackConfig).
T13 — drop redundant host port mappings. Currently in docker-compose.proxy.yml override only. After a green smoke-proxy.sh run on staging, fold the port removal into the main compose for proxy deployments.
Real-environment ACME verification. Devnet uses Caddy's internal CA (tls internal). Need a live test on a real domain with Let's Encrypt issuance, rate-limit handling, and renewal smoke.
Legacy XFF mode audit.XFF_MODE=legacy is still selectable for back-compat and only logs error at startup. Grep production envs to confirm no node is still on legacy; add a deprecation timeline if any are.
basic_auth sentinel fail-loud. Current sentinel hash silently rejects all callers when operators forget to set METRICS_BASIC_AUTH_HASH / MCP_BASIC_AUTH_HASH. Fail loudly at boot (e.g., refuse to start the proxy profile) when the sentinel is still in place on a proxy-enabled deployment.
Pre-existing TS errors.tsc --noEmit still reports errors in src/features/l2ps-messaging/* and testing/scripts/verify-release-gate.ts. Out of scope for this PR but should not stay open — file separately or close as known-bad.
Follow-up tracker for items deferred by PR #821 (Epic 14+13+12: startup hardening, observability, reverse proxy). Parent: DEM-713.
Open items
docs/runbooks/wstcp-reachability-check.md. Run on every long-lived staging + mainnet host and capture results. FlipWSTCP_BIND_HOST=127.0.0.1for containerized deployments behind a co-located proxy.mergeTlsnWebpackConfig).docker-compose.proxy.ymloverride only. After a greensmoke-proxy.shrun on staging, fold the port removal into the main compose for proxy deployments.tls internal). Need a live test on a real domain with Let's Encrypt issuance, rate-limit handling, and renewal smoke.XFF_MODE=legacyis still selectable for back-compat and only logserrorat startup. Grep production envs to confirm no node is still on legacy; add a deprecation timeline if any are.METRICS_BASIC_AUTH_HASH/MCP_BASIC_AUTH_HASH. Fail loudly at boot (e.g., refuse to start the proxy profile) when the sentinel is still in place on aproxy-enabled deployment.tsc --noEmitstill reports errors insrc/features/l2ps-messaging/*andtesting/scripts/verify-release-gate.ts. Out of scope for this PR but should not stay open — file separately or close as known-bad.References
docs/discoveries/startup-assessment-2026-05-13/(CHANGELOG.md, 06/07/08 epic docs)docs/runbooks/proxy-setup.md,health-endpoint.md,dormant-mode.md,mcp-security.md,wstcp-reachability-check.mdFiled by Nesy-Claude per KYN-192.