
API: Operations posture

Capability state: every operation in this file is staging-durable. They record production-like ops posture (edge policy, restore/rollback rehearsals, incident receipts) and a durable status summary, but production admission stays globally disabled and raw incident payloads never cross the membrane. See the 022 gap report for the broader gap surface.

This cluster covers Gestalt’s operations posture — the surface that records what would have to be true at the runtime edge, backup/restore lane, and incident-response lane to admit a pilot or production tenant. None of these operations open production admission on their own; pilot.admissionGate (in admission-and-key-custody.md) is the gate that cites them.

Three lanes:

  • Edge policy lane: ops.edgePolicyCheck records a production-like route surface (enumerated public routes), an edge access/WAF/rate-limit/auth profile, and immutable audit retention. Refuses weak edge posture, raw DB routes, and root signing fallback.
  • Backup/restore lane: ops.restoreRehearse records a no-wipe backup restore and rollback rehearsal tied to a verified proof bundle commitment, non-zero SLOs, and runbook hash material.
  • Incident-response lane: ops.incidentReceipt records a monitoring-alert receipt, a secret-rotation receipt, and an incident receipt with hash-only alert/mitigation/communications material.

ops.status aggregates durable record counts and a posture summary (edge ready, restore ready, incident ready) through a membrane-safe summary surface.

See reference: capability state.

Record production-like route surface, edge access, WAF, rate limit, and immutable audit retention posture while production remains disabled; refuse weak edge posture.

POST /v1/ops/edge-policy/check
state: staging-durable
sdk_role: record production-like route surface, access edge, WAF, rate limit, and immutable audit retention posture while production remains disabled; refuse weak edge posture
request_record: CloudOpsEdgePolicyCheckRequest
responses: ops_route_surface | ops_edge_policy | ops_audit_retention | refusal | receipt

Request shape:

interface OpsEdgePolicyCheckRequest {
  tenant?: GestaltRef;
  company?: GestaltRef;
  edge_policy_ref?: GestaltRef;
  route_surface_ref?: GestaltRef;
  audit_retention_ref?: GestaltRef;
  public_base_url?: string;
  access_provider?: string;          // required (non-empty)
  tls_termination?: string;          // required (non-empty)
  waf_profile?: string;              // required (non-empty)
  rate_limit_profile?: string;       // required (non-empty)
  auth_policy_ref?: GestaltRef;      // required (non-empty)
  route_manifest_hash?: string;      // required (non-empty)
  audit_retention_days?: number;     // must be >= 30
  immutable_audit_log?: boolean;     // must be true
  production_requested?: boolean;
  raw_db_route_requested?: boolean;  // refused if true
  public_db_port_open?: boolean;     // refused if true
  contains_customer_data?: boolean;  // refused if true
}

Sample response:

{
  "operation": "ops.edgePolicyCheck",
  "outcome": "pending",
  "body": {
    "route_surface": "ops_route_surface:...",
    "edge_policy": "ops_edge_policy:...",
    "audit_retention": "ops_audit_retention:...",
    "public_route_surface_enumerated": true,
    "waf_rate_limit_auth_edge": true,
    "edge_posture_verified": true,
    "audit_retention_verified": true,
    "raw_db_exposed": false,
    "root_fallback_enabled": false,
    "production_admission": false,
    "durable_state": {...}
  },
  "receipt": {...}
}

Refusal codes: customer_data_forbidden, ops_raw_db_route_forbidden, ops_root_fallback_forbidden, ops_edge_posture_missing, ops_audit_retention_insufficient.

const edge = await client.opsEdgePolicyCheck({
  tenant: "tenant_node:rheinwerk_calibration",
  company: "company_geist:rheinwerk_calibration",
  edge_policy_ref: "ops_edge_policy:m29_fixture",
  route_surface_ref: "ops_route_surface:m29_fixture",
  audit_retention_ref: "ops_audit_retention:m29_fixture",
  public_base_url: "https://staging.gestalt.example",
  access_provider: "cloudflare_access_fixture",
  tls_termination: "managed_tls_fixture",
  waf_profile: "waf_fixture_strict",
  rate_limit_profile: "rate_limit_fixture_tenant_scoped",
  auth_policy_ref: "auth_policy:m29_edge_fixture",
  route_manifest_hash: "sha256:m29_route_manifest_fixture",
  audit_retention_days: 90,
  immutable_audit_log: true,
});

Record no-wipe backup restore and rollback rehearsal tied to a verified proof bundle commitment, non-zero SLOs, and runbook hash material.

POST /v1/ops/restore/rehearse
state: staging-durable
sdk_role: record no-wipe backup restore and rollback rehearsal tied to a verified proof bundle commitment, non-zero SLOs, and runbook hash material
request_record: CloudOpsRestoreRehearsalRequest
responses: ops_backup_restore_rehearsal | ops_rollback_rehearsal | refusal | receipt

Request shape:

interface OpsRestoreRehearsalRequest {
  tenant?: GestaltRef;
  company?: GestaltRef;
  restore_ref?: GestaltRef;
  rollback_ref?: GestaltRef;
  backup_snapshot_ref?: GestaltRef;
  proof_bundle?: GestaltRef;
  manifest_commitment?: string;         // must match a known proof bundle
  restore_slo_minutes?: number;         // must be > 0
  rollback_slo_minutes?: number;        // must be > 0
  restore_runbook_hash?: string;        // required (non-empty)
  rollback_runbook_hash?: string;       // required (non-empty)
  destructive_wipe_requested?: boolean; // refused if true
  contains_customer_data?: boolean;     // refused if true
}

Sample response:

{
  "operation": "ops.restoreRehearse",
  "outcome": "verified",
  "body": {
    "restore_rehearsal": "ops_backup_restore:...",
    "rollback_rehearsal": "ops_rollback:...",
    "proof_bundle": "proof_bundle:...",
    "manifest_commitment": "sha256:...",
    "proof_verification_passed": true,
    "restore_runbook_verified": true,
    "rollback_runbook_verified": true,
    "slo_targets_recorded": true,
    "restore_slo_minutes": 30,
    "rollback_slo_minutes": 15,
    "destructive_wipe_requested": false,
    "raw_db_exposed": false,
    "production_admission": false,
    "durable_state": {...}
  },
  "receipt": {...}
}

Refusal codes: customer_data_forbidden, ops_destructive_wipe_forbidden, ops_restore_runbook_missing, ops_restore_proof_verification_missing.

The manifest_commitment is checked against known proof bundles (see proofs-and-receipts.md). Restores must be no-wipe and disposable.

const restore = await client.opsRestoreRehearse({
  tenant: "tenant_node:rheinwerk_calibration",
  company: "company_geist:rheinwerk_calibration",
  restore_ref: "ops_backup_restore:m29_fixture",
  rollback_ref: "ops_rollback:m29_fixture",
  backup_snapshot_ref: "backup_snapshot:m29_fixture",
  proof_bundle: "proof_bundle:m6_cross_domain_cloud_authority_worldline",
  manifest_commitment: "sha256:m29_manifest_required",
  restore_slo_minutes: 30,
  rollback_slo_minutes: 15,
  restore_runbook_hash: "sha256:m29_restore_runbook_fixture",
  rollback_runbook_hash: "sha256:m29_rollback_runbook_fixture",
});
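The refusal rules for the edge-policy lane and the restore lane above can be mirrored locally so a caller catches a weak request before it reaches the membrane. The TypeScript below is an added example, not Gestalt SDK code: checkEdgePolicyRequest and checkRestoreRehearsalRequest are hypothetical helpers, the mapping from input condition to refusal code is an assumption drawn from the field comments and refusal-code lists on this page, and KNOWN_COMMITMENTS is a constructed stand-in for the proof-bundle registry that proofs-and-receipts.md describes. The membrane stays authoritative; this only saves a round trip.

```typescript
// Added example, not Gestalt SDK code: client-side pre-checks mirroring the refusal
// rules documented for ops.edgePolicyCheck and ops.restoreRehearse. The membrane stays
// authoritative; the condition-to-code mapping below is an assumption drawn from the
// field comments and refusal-code lists on the page.

type GestaltRef = string;

interface OpsEdgePolicyCheckRequest {
  tenant?: GestaltRef; company?: GestaltRef; public_base_url?: string;
  access_provider?: string; tls_termination?: string; waf_profile?: string;
  rate_limit_profile?: string; auth_policy_ref?: GestaltRef; route_manifest_hash?: string;
  audit_retention_days?: number; immutable_audit_log?: boolean; production_requested?: boolean;
  raw_db_route_requested?: boolean; public_db_port_open?: boolean; contains_customer_data?: boolean;
  [ref: string]: unknown; // edge_policy_ref, route_surface_ref, audit_retention_ref pass through unchecked
}

interface OpsRestoreRehearsalRequest {
  tenant?: GestaltRef; company?: GestaltRef; backup_snapshot_ref?: GestaltRef;
  proof_bundle?: GestaltRef; manifest_commitment?: string;
  restore_slo_minutes?: number; rollback_slo_minutes?: number;
  restore_runbook_hash?: string; rollback_runbook_hash?: string;
  destructive_wipe_requested?: boolean; contains_customer_data?: boolean;
  [ref: string]: unknown; // restore_ref, rollback_ref pass through unchecked
}

const MIN_AUDIT_RETENTION_DAYS = 30; // from the audit_retention_days field comment

const nonEmpty = (v: unknown): boolean => typeof v === "string" && v.trim().length > 0;
const positive = (v: unknown): boolean => typeof v === "number" && v > 0;

// Refusal code the edge-policy request would earn, or null when it is admissible.
function checkEdgePolicyRequest(req: OpsEdgePolicyCheckRequest): string | null {
  if (req.contains_customer_data) return "customer_data_forbidden";
  // Assumption: an open public DB port is treated like a raw DB route.
  if (req.raw_db_route_requested || req.public_db_port_open) return "ops_raw_db_route_forbidden";
  const required = ["access_provider", "tls_termination", "waf_profile",
                    "rate_limit_profile", "auth_policy_ref", "route_manifest_hash"];
  if (!required.every((k) => nonEmpty(req[k]))) return "ops_edge_posture_missing";
  if (req.immutable_audit_log !== true || typeof req.audit_retention_days !== "number" ||
      req.audit_retention_days < MIN_AUDIT_RETENTION_DAYS) {
    return "ops_audit_retention_insufficient";
  }
  return null;
}

// Refusal code the restore rehearsal would earn, or null. knownCommitments stands in
// for the membrane's proof-bundle registry (proofs-and-receipts.md).
function checkRestoreRehearsalRequest(
  req: OpsRestoreRehearsalRequest,
  knownCommitments: ReadonlyMap<GestaltRef, string>,
): string | null {
  if (req.contains_customer_data) return "customer_data_forbidden";
  if (req.destructive_wipe_requested) return "ops_destructive_wipe_forbidden";
  // Assumption: a missing or zero SLO is grouped with missing runbook material.
  if (!nonEmpty(req.restore_runbook_hash) || !nonEmpty(req.rollback_runbook_hash) ||
      !positive(req.restore_slo_minutes) || !positive(req.rollback_slo_minutes)) {
    return "ops_restore_runbook_missing";
  }
  if (!req.proof_bundle || !req.manifest_commitment ||
      knownCommitments.get(req.proof_bundle) !== req.manifest_commitment) {
    return "ops_restore_proof_verification_missing";
  }
  return null;
}

// Constructed registry holding the bundle/commitment pair from the sample call above.
const KNOWN_COMMITMENTS: ReadonlyMap<GestaltRef, string> = new Map([
  ["proof_bundle:m6_cross_domain_cloud_authority_worldline", "sha256:m29_manifest_required"],
]);

// Fixtures copied from the page's sample calls.
const EDGE_FIXTURE: OpsEdgePolicyCheckRequest = {
  tenant: "tenant_node:rheinwerk_calibration", company: "company_geist:rheinwerk_calibration",
  public_base_url: "https://staging.gestalt.example", access_provider: "cloudflare_access_fixture",
  tls_termination: "managed_tls_fixture", waf_profile: "waf_fixture_strict",
  rate_limit_profile: "rate_limit_fixture_tenant_scoped", auth_policy_ref: "auth_policy:m29_edge_fixture",
  route_manifest_hash: "sha256:m29_route_manifest_fixture", audit_retention_days: 90, immutable_audit_log: true,
};
const RESTORE_FIXTURE: OpsRestoreRehearsalRequest = {
  proof_bundle: "proof_bundle:m6_cross_domain_cloud_authority_worldline",
  manifest_commitment: "sha256:m29_manifest_required", restore_slo_minutes: 30, rollback_slo_minutes: 15,
  restore_runbook_hash: "sha256:m29_restore_runbook_fixture", rollback_runbook_hash: "sha256:m29_rollback_runbook_fixture",
};

console.log(checkEdgePolicyRequest(EDGE_FIXTURE), checkRestoreRehearsalRequest(RESTORE_FIXTURE, KNOWN_COMMITMENTS)); // null null
```

Both checks return the first refusal they hit, in the order the page lists the codes, so a request with several defects surfaces one code per round, which matches how a single refusal response would read.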

Record incident alert and secret rotation receipt with hash-only alert/mitigation/communications material and without raw incident payloads.

POST /v1/ops/incident/receipt
state: staging-durable
sdk_role: record incident alert and secret rotation receipt with hash-only alert/mitigation/communications material and without raw incident payloads
request_record: CloudOpsIncidentReceiptRequest
responses: ops_monitoring_alert | ops_secret_rotation | ops_incident_receipt | refusal | receipt

Request shape:

interface OpsIncidentReceiptRequest {
  tenant?: GestaltRef;
  company?: GestaltRef;
  incident_ref?: GestaltRef;
  alert_ref?: GestaltRef;
  secret_rotation_ref?: GestaltRef;
  severity?: string;               // required (non-empty)
  detected_by?: string;            // required (non-empty)
  alert_rule_hash?: string;        // required (non-empty)
  mitigation_hash?: string;        // required (non-empty)
  communications_hash?: string;    // required (non-empty)
  customer_data_exposed?: boolean; // refused if true
  raw_payload?: unknown;           // refused if present
}

Sample response:

{
  "operation": "ops.incidentReceipt",
  "outcome": "verified",
  "body": {
    "incident": "ops_incident:...",
    "alert": "ops_monitoring_alert:...",
    "secret_rotation": "ops_secret_rotation:...",
    "critical_alert_path_rehearsed": true,
    "alert_baseline_verified": true,
    "incident_hash_material_verified": true,
    "private_secret_material_exposed": false,
    "raw_payload_stored": false,
    "production_admission": false,
    "durable_state": {...}
  },
  "receipt": {...}
}

Refusal codes: ops_incident_raw_payload_forbidden, ops_incident_severity_missing, ops_incident_hash_material_missing.

The membrane stores only refs and hashes — raw alert payloads, mitigation diffs, and communications text never cross.

const incident = await client.opsIncidentReceipt({
  tenant: "tenant_node:rheinwerk_calibration",
  company: "company_geist:rheinwerk_calibration",
  incident_ref: "ops_incident:m29_fixture",
  alert_ref: "ops_monitoring_alert:m29_fixture",
  secret_rotation_ref: "ops_secret_rotation:m29_fixture",
  severity: "low_fixture",
  detected_by: "synthetic_monitor",
  alert_rule_hash: "sha256:m29_alert_rule_fixture",
  mitigation_hash: "sha256:m29_mitigation_fixture",
  communications_hash: "sha256:m29_comms_fixture",
});
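The hash-only rule for the incident lane means the caller, not the membrane, holds the alert rule, mitigation diff and communications text, and ships only digests of them. The TypeScript below is an added example, not Gestalt SDK code, showing how that material is derived and checked before sending: hashMaterial, buildIncidentReceiptRequest, membraneViolations and matchesRecordedHash are hypothetical helpers, the sample artefacts are constructed, and the choice to hash the retained UTF-8 text byte-for-byte with no normalisation is an assumption; only the "sha256:<hex>" form follows the sample values on this page.

```typescript
import { createHash } from "node:crypto";

// Added example, not Gestalt SDK code: derive hash-only material for ops.incidentReceipt
// from raw artefacts that stay on the caller's side, and check the request before it is
// sent so nothing raw crosses the membrane. Hashing the retained UTF-8 text exactly as
// stored (no normalisation) is an assumption; the "sha256:<hex>" form follows the page.

interface RawIncidentArtefacts {
  alertRule: string;      // full alert rule definition, retained locally
  mitigationDiff: string; // diff applied as mitigation, retained locally
  communications: string; // internal/customer communications text, retained locally
}

interface OpsIncidentReceiptRequest {
  tenant?: string; company?: string; incident_ref?: string;
  alert_ref?: string; secret_rotation_ref?: string;
  severity?: string; detected_by?: string;
  alert_rule_hash?: string; mitigation_hash?: string; communications_hash?: string;
  customer_data_exposed?: boolean;
  raw_payload?: unknown; // refused by the membrane if present
}

type IncidentMeta = Pick<OpsIncidentReceiptRequest,
  "tenant" | "company" | "incident_ref" | "alert_ref" | "secret_rotation_ref" | "severity" | "detected_by">;

const HASH_FORM = /^sha256:[0-9a-f]{64}$/;

// Digest of a retained artefact in the page's "sha256:<hex>" form.
function hashMaterial(raw: string): string {
  return "sha256:" + createHash("sha256").update(raw, "utf8").digest("hex");
}

// Build the request from the retained artefacts; only digests and refs are placed in it,
// and meta is copied field by field so a stray raw_payload cannot ride along.
function buildIncidentReceiptRequest(meta: IncidentMeta, raw: RawIncidentArtefacts): OpsIncidentReceiptRequest {
  const { tenant, company, incident_ref, alert_ref, secret_rotation_ref, severity, detected_by } = meta;
  return {
    tenant, company, incident_ref, alert_ref, secret_rotation_ref, severity, detected_by,
    alert_rule_hash: hashMaterial(raw.alertRule),
    mitigation_hash: hashMaterial(raw.mitigationDiff),
    communications_hash: hashMaterial(raw.communications),
  };
}

// Pre-send membrane check: everything listed here would be refused or would leak raw material.
function membraneViolations(req: OpsIncidentReceiptRequest): string[] {
  const problems: string[] = [];
  if ("raw_payload" in req) problems.push("raw_payload present");
  if (req.customer_data_exposed) problems.push("customer_data_exposed is true");
  for (const k of ["alert_rule_hash", "mitigation_hash", "communications_hash"] as const) {
    if (!HASH_FORM.test(req[k] ?? "")) problems.push(`${k} is not sha256 material`);
  }
  return problems;
}

// Later review: re-hash the locally retained artefact and compare with the recorded digest.
function matchesRecordedHash(raw: string, recorded: string): boolean {
  return hashMaterial(raw) === recorded;
}

// Constructed sample artefacts (not real incident data).
const SAMPLE_ARTEFACTS: RawIncidentArtefacts = {
  alertRule: "alert: edge_5xx_ratio > 0.02 for 5m on /v1/ops/*",
  mitigationDiff: "-rate_limit: 1000/min\n+rate_limit: 200/min",
  communications: "Internal note: staging edge rate limit tightened; no customer impact.",
};

// Metadata taken from the page's sample call.
const SAMPLE_META: IncidentMeta = {
  tenant: "tenant_node:rheinwerk_calibration", company: "company_geist:rheinwerk_calibration",
  incident_ref: "ops_incident:m29_fixture", alert_ref: "ops_monitoring_alert:m29_fixture",
  secret_rotation_ref: "ops_secret_rotation:m29_fixture", severity: "low_fixture", detected_by: "synthetic_monitor",
};

const sampleRequest = buildIncidentReceiptRequest(SAMPLE_META, SAMPLE_ARTEFACTS);
console.log(membraneViolations(sampleRequest)); // []
```

Keeping the raw artefacts and the recorded digests side by side is what makes the receipt auditable later: anyone holding the retained text can re-run matchesRecordedHash against the durable record without the membrane ever having seen the text.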

Inspect durable operations posture records through membrane-safe summaries.

GET /v1/ops/status
state: staging-durable
sdk_role: inspect durable operations posture records through membrane-safe summaries
request_record: CloudOpsStatusRequest
responses: ops_status | receipt

GET endpoint — no request body. The authenticated tenant is inferred from the session.

Sample response:

{
  "operation": "ops.status",
  "outcome": "verified",
  "body": {
    "tenant": "tenant_node:rheinwerk_calibration",
    "durable_records": {...},
    "local_overlay_counts": {
      "ops_route_surfaces": 0,
      "ops_edge_policies": 0,
      "ops_audit_retentions": 0,
      "ops_backup_restore_rehearsals": 0,
      "ops_rollback_rehearsals": 0,
      "ops_monitoring_alerts": 0,
      "ops_secret_rotations": 0,
      "ops_incident_receipts": 0,
      "pilot_admission_gates": 0
    },
    "posture": {
      "edge_policy_ready": false,
      "restore_rehearsal_ready": false,
      "rollback_rehearsal_ready": false,
      "alert_baseline_ready": false,
      "secret_rotation_ready": false,
      "incident_response_ready": false,
      "operations_posture_complete": false,
      "raw_db_exposed": false,
      "production_admission": false
    },
    "raw_db_exposed": false,
    "production_admission": false
  },
  "receipt": {...}
}

operations_posture_complete is true only when the edge, restore, and incident lanes are all populated; pilot admission still requires a separately signed gate.

const status = await client.opsStatus();