G
Gait

Prime-Time Hardening Runbook (OSS)

Prime-Time Hardening Runbook (OSS)

Use this runbook to deploy Gait as a hardened execution boundary for production OSS usage.

1) Configure Hardened Defaults

Create project config from template:

mkdir -p .gait
cp examples/config/oss_prod_template.yaml .gait/config.yaml

Set secrets in environment:

  • GAIT_PRIVATE_KEY
  • GAIT_MCP_TOKEN
  • broker token variables (GAIT_BROKER_TOKEN_*) when broker mode is enabled

2) Validate Production Readiness

gait doctor --production-readiness --json

Must return:

  • ok=true
  • status=pass

3) Start Hardened MCP Service

gait mcp serve \
  --policy examples/policy/base_high_risk.yaml \
  --profile oss-prod \
  --listen 127.0.0.1:8787 \
  --auth-mode token \
  --auth-token-env GAIT_MCP_TOKEN \
  --max-request-bytes 1048576 \
  --http-verdict-status strict \
  --trace-dir ./gait-out/mcp-serve/traces \
  --runpack-dir ./gait-out/mcp-serve/runpacks \
  --session-dir ./gait-out/mcp-serve/sessions \
  --trace-max-age 168h \
  --trace-max-count 50000 \
  --runpack-max-age 336h \
  --runpack-max-count 20000 \
  --session-max-age 336h \
  --session-max-count 20000

4) Must-Pass Hardening Gates

make test-hardening-acceptance
make test-chaos
bash scripts/test_session_soak.sh
make bench-budgets

5) Operational Guardrails

  • Keep --http-verdict-status strict for service callers that can handle non-2xx on non-allow.
  • Keep allow_client_artifact_paths=false in production.
  • Set GAIT_TELEMETRY_HEALTH_PATH to monitor telemetry write degradation.
  • Keep session lock profile on standard unless operating swarms; use swarm only with contention evidence.

6) Incident Escalation Flow

  1. Capture and verify artifacts:
    • gait verify --json
    • gait trace verify --json
  2. Package evidence:
    • gait guard pack --run --json
    • gait incident pack --from --window 24h --json
  3. Convert to regression:
    • gait regress bootstrap --from --json