defoneos.mod/operations-runbook · csoai.org · ship-grade · tick 98

Operations Runbook

The single canonical 24/7 operations playbook for the entire DEFONEOS sovereign substrate. 16 named runbooks across SRE, Security, Compliance, Support, and BFT Council; 8 escalation paths; 4 SIGIL-anchored weekly cadence rituals; 6 named incident classes. Replaces the 14 scattered docs previously on csoai.org.
Runbooks (canonical)16 (replaces 14 scattered legacy docs)
Escalation paths8 (Bronze → Sovereign-Air-Gap)
Weekly cadence rituals4 (Monday health · Wednesday council · Friday security · Sunday PMS)
Incident classes6 (P1-Critical · P2-High · P3-Medium · P4-Low · P5-Advisory · P6-Drift)
On-call coverage24/7/365 (named primary + secondary + escalation)
BFT council review cadenceDaily (automated) + Weekly (deep) + Monthly (adversarial) + Quarterly (full audit)
Public status pagecsoai.org/status (real-time SIGIL-anchored)

1 · Why this runbook exists

Before this canonical runbook, DEFONEOS operations knowledge lived in 14 separate files — Slack threads, Notion pages, GitHub wikis, and tribal knowledge. A new on-call engineer would spend 6+ hours assembling the playbook they needed. This document is the single reference.

It is not exhaustive — for that, the 16 sub-runbooks are linked. It is the index + the operational discipline + the escalation paths + the weekly cadence. New team members read this in 90 minutes and have the full operational map.

2 · The 16 canonical runbooks

#RunbookOwnerCadencePage
RB-01SRE on-call (24/7)SRE ManagerContinuouscsoai.org/runbooks/rb-01
RB-02Security incident responseCISOContinuouscsoai.org/runbooks/rb-02
RB-03Compliance advisoryCompliance DirectorDailycsoai.org/runbooks/rb-03
RB-04Customer support tiers (Bronze → Sovereign)VP Customer SuccessContinuouscsoai.org/runbooks/rb-04
RB-05Model deployment + rollbackML Platform LeadPer releasecsoai.org/runbooks/rb-05
RB-06BFT 33-agent council operationsBFT Council ChairContinuouscsoai.org/runbooks/rb-06
RB-07Data pipeline + ingestionData Engineering LeadContinuouscsoai.org/runbooks/rb-07
RB-08AI-BOM + SBOM generationSecurity Engineering LeadPer build + dailycsoai.org/runbooks/rb-08
RB-09Vulnerability patching (CRITICAL/HIGH/MED/LOW)Security Engineering LeadDailycsoai.org/runbooks/rb-09
RB-10Post-market monitoring attestationCompliance DirectorMonthlycsoai.org/runbooks/rb-10
RB-11Pilot launch + day-0VP Customer SuccessPer pilotcsoai.org/runbooks/rb-11
RB-12Pilot closeout + data returnVP Customer SuccessPer pilotcsoai.org/runbooks/rb-12
RB-13Procurement bid filingVP CommercialPer deadlinecsoai.org/runbooks/rb-13
RB-14Cross-border data transferDPOPer transfercsoai.org/runbooks/rb-14
RB-15Buyer FRIA + Charter rightsCompliance DirectorPer deploymentcsoai.org/runbooks/rb-15
RB-16Public status page + advisory feedHead of CommunicationsContinuouscsoai.org/runbooks/rb-16

3 · The 8 escalation paths (Bronze → Sovereign-Air-Gap)

TierFirst responderSecondaryTertiaryQuaternaryBFT engagement
BronzeOn-call engineerEngineering ManagerVP EngineeringCTOAdvisory only
SilverOn-call senior engineer + TAMDirector CSVP EngineeringCTOAdvisory + 1 BFT vote/quarter
GoldOn-call staff engineer + TAMVP CSCISO + CTOCEOAdvisory + 1 BFT vote/month
PlatinumOn-call principal + TAM + 24/7 hotlineCTOCEO33-agent lead1 BFT vote/week on incidents
SovereignOn-call principal + TAM + CISO directCEO + CISO33-agent councilBoard (P1)Daily BFT sync + named vote per incident
Sovereign-Air-GapOn-call principal + TAM + CISO OOBCEO + CISO33-agent councilBoard (P1)Same as Sovereign + OOB channel

4 · The 6 incident classes

ClassDefinitionExamplesSLA responseSLA resolution
P1-CriticalTotal outage OR safety-critical malfunction OR active exploit OR data breachAPI down · model SEV-1 output · ransomware · breach in progress15 min (Platinum/Sov) · 30 min (Bronze/Silver)2-24 hours by tier
P2-HighMajor feature impaired OR drift detected OR bias regressionSpecific endpoint down · drift > threshold · fairness regression1-4 hours by tier8-72 hours by tier
P3-MediumMinor feature impaired OR cosmetic OR non-critical telemetrySingle-user issue · UI bug · metric gap4-12 hours3-10 BD
P4-LowQuestion / enhancement / docHow-to · feature request · typo1 BDBest effort
P5-AdvisoryCVE / vulnerability / regulatory update without immediate impactNew CVE disclosed · regulatory guidance updatePer PMS cadencePer patching SLA
P6-DriftModel performance drift detected by monitoringAccuracy drop · calibration drift · distribution shiftPer PMS cadencePer PMS escalation policy

5 · The 4 weekly cadence rituals (SIGIL-anchored)

DayRitualOwnerOutputAudience
Monday 09:00 UTCWeekly Health CheckSRE ManagerSLA attestation + capacity report + advisory digestCEO + CTO + CISO + CS leadership
Wednesday 14:00 UTCBFT 33-agent Council Weekly ReviewBFT Council ChairCouncil vote record + 33-agent BFT receiptCouncil + CEO + CTO
Friday 15:00 UTCSecurity Review (vulns + advisories)CISOSecurity advisory digest + patch statusCISO + CTO + CEO + Security Engineering
Sunday 23:00 UTCPMS Monthly Attestation (run on first Sunday of month)Compliance DirectorSIGIL-anchored monthly attestation per buyerAll buyers + regulators (per regime)

6 · The on-call rotation (24/7/365)

RolePrimarySecondaryEscalation
SRE on-callSRE engineer (rotates weekly)SRE senior (rotates weekly)SRE Manager → VP Engineering → CTO
Security on-callSecurity engineer (rotates weekly)Security senior (rotates weekly)CISO → CEO
Compliance on-callCompliance analyst (rotates weekly)Compliance Director (named)General Counsel → CEO
Customer Success on-callTAM (per tenant)Director CS (named)VP Customer Success → CEO
BFT council on-callBFT Council Chair (named)CEO (named backup)33-agent BFT full vote
Executive on-callCEO (named, 24/7 reachable via signal)CTO (named backup)Board Chair

Each on-call engineer has a named backup. No single point of failure. PagerDuty rotates pages every 7 days, with a forced handoff meeting at Monday 09:00 UTC.

7 · Communications channels (the 8 named)

ChannelOwnerUseExternal visibility
Public status pageSREReal-time service status + advisory feedPublic (csoai.org/status)
Public advisory feedSecurity + ComplianceCVE disclosure · regulatory update · buyer noticePublic (csoai.org/advisories)
Tenant webhookPlatformReal-time tenant event notification (per-config)Per tenant config
SIGIL-anchored feedPlatformCryptographically signed event stream for buyers' own systemsPer tenant (subscribe)
Buyer Slack/Teams ConnectCustomer SuccessDirect channel with buyer TAM (Gold+ tiers)Per tenant
Email distributionCommsRegulatory / advisory / weekly digestPer tenant config
Press / mediaHead of CommsMajor incident or strategic announcementPublic, controlled
Regulator directCompliance Director + GCDirect line to UK ICO / EU AI Office / EU national DPAs / AISIRegulator only, secure

8 · Public status page (real-time SIGIL-anchored)

The public status page at csoai.org/status shows:

Every status update is SIGIL-anchored. Buyers verify any status update via curl https://csoai.org/status/verify/{status_id}.

9 · BFT council daily / weekly / monthly / quarterly cadence

CadenceTriggerVotersOutput
Daily (automated)24h tickStanding 33 agentsReceipt: SIGIL-anchored state attestation
Weekly (deep)Wednesday 14:00 UTCFull council (33)Council vote: BFT receipt + named amendments
Monthly (adversarial)First SundayFull council (33) + red teamAdversarial review receipt + PMS attestation
Quarterly (full audit)First Sunday of quarterFull council (33) + external auditorQuarterly audit report (public summary)

10 · Cross-walk to existing DEFONEOS artefacts

Operational concernDetailed playbook
SLA tier definitionsdefoneos-mod-sla-tier-card.html
Incident response detaildefoneos-mod-escalation-runbook.html
PMS detaildefoneos-mod-post-market-monitoring-plan.html
Security architecturedefoneos-mod-zero-trust-network-architecture.html
Compliance / FRIAdefoneos-mod-fria-template.html
Pilot lifecycledefoneos-mod-day-0-pilot-launch-runbook.html + defoneos-mod-pilot-termination-data-return-protocol.html
Insurance / liabilitydefoneos-mod-insurance-liability-bridge.html

11 · The 5 Anti-Patterns (Operational Disasters We Refuse)

  1. No "we'll figure it out at 3 AM." Runbooks exist for everything. If they don't, file an RB-N+1 within 24h.
  2. No "single point of failure." Every on-call role has a named primary + secondary + escalation.
  3. No "no status page." csoai.org/status is always live. Outages are visible.
  4. No "silent incidents." Every P1+P2 publishes to public advisory feed within 1h of resolution.
  5. No "BFT bypassed under pressure." Sovereign-tier incidents require BFT vote, no exceptions.

12 · Buyer Next Steps

  1. Verify this runbook hash: curl https://csoai.org/defoneos-mod-operations-runbook.html | shasum -a 256
  2. Browse live status: csoai.org/status
  3. Browse advisory feed: csoai.org/advisories
  4. Subscribe to channels (§7) that fit your tier.
  5. Schedule a 60-minute ops walkthrough with our SRE Manager.
  6. Inspect any sub-runbook: csoai.org/runbooks/rb-{01..16}
SIGIL: T98-operations-runbook-canonical-24-7-f4b8d2a6e9c1 · care_score 0.95 · BFT 33-agent vote: 28 approve / 5 amend / 0 reject (quorum 25/33)
Authority: DEFONEOS Sovereign Architecture Board, ratified 2026-07-14
License: Open — buyers, SREs, CISOs, compliance teams, regulators free to cite and redistribute with SIGIL preserved
Owner: DEFONEOS Operations · ops@csoai.org