DEFONEOS · OPERATIONAL ONBOARDING · WEEK 1

Pilot Onboarding Checklist

A detailed, actionable checklist for DEFONEOS sovereign AI pilot onboarding, covering Day 0 setup to Day 7 operational readiness. Each step is anchored to clear acceptance criteria and verifiable outcomes.

▣ SOVEREIGN ALIGNED ▣ STEP-BY-STEP GUIDANCE ▣ VERIFIABLE OUTCOMES ▣ BFT-GATED TRUST ▣ HUMAN-IN-THE-LOOP INTEGRATION

Table of Contents

  1. Day 0: Initial Setup and Access
  2. Day 1: Network and Security Hardening
  3. Day 2: Data Ingestion and Validation
  4. Day 3: Model Deployment and Baseline Testing
  5. Day 4: Human-in-the-Loop Integration
  6. Day 5: Performance Monitoring and Alerting
  7. Day 6: Security Audit and Red Team Preparation
  8. Day 7: Operational Readiness Review

Day 0: Initial Setup and Access

Objective: Securely establish baseline access and environment.

Step Description Acceptance Criteria Verification
1.1 Receive and verify DEFONEOS installer package. Package integrity verified via SHA-256 hash against public SIGIL ledger. openssl dgst -sha256 <package> | diff - <(curl sigil.csoai.org/defoneos-installer.sha256)
1.2 Deploy DEFONEOS sovereign substrate on isolated hardware. 5-service stack (Kernel, Fabric, Mesh, Oracle, Sentinel) confirmed running. ssh root@host 'defoneos status' returns all services green.
1.3 Establish initial secure SSH access for pilot team. Ed25519 keys rotated and multi-factor authentication (MFA) enabled. SSH login with private key and MFA token successful; password login disabled.
1.4 Configure BFT Council witness nodes for pilot instance. 3 witness nodes (2+1 quorum) successfully connected to main BFT council. BFT council log shows new nodes joined with `care_score > 0.9`.

Day 1: Network and Security Hardening

Objective: Harden network perimeter and internal communication.

Step Description Acceptance Criteria Verification
2.1 Implement strict firewall rules (egress-only, allowlist). Only whitelisted UK MOD/NCSC/CSOAI IP ranges permitted for egress. sudo iptables -L -v -n confirms rules; outbound probes to US/EU IPs fail.
2.2 Enforce sovereign-only TLS pinning for all external comms. All outgoing TLS connections use DEFONEOS-controlled root CA. openssl s_client -connect :443 -showcerts shows DEFONEOS CA.
2.3 Disable all non-essential network services and ports. Only SSH (22), BFT (8000), MCP (3101), Web (443) open. sudo nmap localhost shows only required ports open.
2.4 Integrate with existing UK MOD SIEM/SOC (if applicable). DEFONEOS audit logs (Ed25519-signed) streamed to SIEM. SIEM dashboard shows live log ingestion with integrity proofs.

Day 2: Data Ingestion and Validation

Objective: Securely ingest and validate initial training/operational data.

Step Description Acceptance Criteria Verification
3.1 Define data ingress pipeline via sovereign data escrow. Data schema (JSON-LD), classification, and retention policies defined. Escrow manifest (Ed25519-signed) matches policy documents.
3.2 Ingest initial UK MOD data corpus (encrypted, air-gapped). Data verified by 2 BFT agents for integrity/classification on ingress. Escrow ledger shows data_ingest_complete event with BFT attestations.
3.3 Run data quality and bias scans on ingested corpus. No P1/P2 data quality issues; bias metrics within acceptable thresholds. Automated scan report (Ed25519-signed) shows green status.
3.4 Establish data provenance chain on SIGIL ledger. Every data transformation/access event recorded with cryptographic proof. SIGIL ledger query for data UUID returns full provenance chain.

Day 3: Model Deployment and Baseline Testing

Objective: Deploy core models and establish performance baselines.

Step Description Acceptance Criteria Verification
4.1 Deploy DEFONEOS base models (e.g., SOV3 Small, inference mesh). Models confirmed running on GPU cluster; health checks pass. defoneos models status shows all models 'LIVE'.
4.2 Run baseline functional and performance tests. All core functionality passes; latency/throughput within SLA. Automated test suite (Ed25519-signed report) shows 100% pass rate.
4.3 Generate initial model transparency report (LIME/SHAP). Top 10 features for key decisions identified; model explainability > 0.8. Transparency report (Ed25519-signed) available for review.
4.4 Establish model versioning and rollback procedures. Current model version recorded; ability to roll back to N-1 verified. defoneos models version and defoneos models rollback --check commands verified.

Day 4: Human-in-the-Loop Integration

Objective: Integrate human oversight and decision-making workflows.

Step Description Acceptance Criteria Verification
5.1 Integrate human review queues for high-risk decisions. All P0/P1 model outputs routed to human operator for approval. Simulator shows a P0 model output blocked for human review.
5.2 Configure human feedback loop for model retraining. Human corrections/annotations captured and queued for DPO. Feedback dashboard shows 10+ human annotations flowing to DPO queue.
5.3 Train pilot operators on DEFONEOS decision support interface. 3+ operators trained; pass simulation exercise with >90% accuracy. Training certification (Ed25519-signed) issued for all operators.
5.4 Establish emergency override and circuit breaker protocols. Owner-gated "kill switch" and model isolation procedures tested. Emergency protocol simulation confirms system shutdown/isolation.

Day 5: Performance Monitoring and Alerting

Objective: Establish comprehensive monitoring and incident response.

Step Description Acceptance Criteria Verification
6.1 Deploy DEFONEOS monitoring stack (Prometheus/Grafana). CPU, GPU, memory, network, model inference metrics collected. Grafana dashboards display real-time system metrics.
6.2 Configure critical alerts for operational thresholds. P0 alerts (e.g., 'model drift', 'red line violation') trigger correctly. Test alert (e.g., high latency injection) triggers P0 incident in SIEM.
6.3 Integrate with existing UK MOD incident response system. DEFONEOS incidents (Ed25519-signed) flow to MOD IR platform. Test incident successfully logged and triaged in MOD IR system.
6.4 Establish weekly performance review cadence. Pilot team reviews metrics, identifies optimizations/anomalies. Weekly review meeting minutes (Ed25519-signed) document findings.

Day 6: Security Audit and Red Team Preparation

Objective: Validate security posture and prepare for adversarial testing.

Step Description Acceptance Criteria Verification
7.1 Conduct internal security audit against DEFONEOS hardening guide. All 17 hardening steps verified; no critical vulnerabilities found. Internal audit report (Ed25519-signed) shows zero critical findings.
7.2 Prepare for BFT-gated external red team exercise. Red team scope, rules of engagement, and success metrics defined. BFT Council votes 27/33 (supermajority) to approve red team charter.
7.3 Simulate adversarial attacks against pilot system. Known prompt injection, data poisoning, model exfiltration vectors blocked. Simulation report confirms 7+ attack vectors successfully mitigated.
7.4 Review incident response runbooks and playbooks. Pilot team familiar with IR procedures for P0/P1 security incidents. IR drill with simulated P0 incident shows team follows runbook.

Day 7: Operational Readiness Review

Objective: Final review and sign-off for pilot operations.

Step Description Acceptance Criteria Verification
8.1 Conduct full operational readiness review (ORR) with UK MOD. All pre-flight checks passed; sign-off from UK MOD stakeholders. ORR document (Ed25519-signed) includes UK MOD approval.
8.2 Generate final sovereign compliance passport for pilot. Compliance against JSP 936, EU AI Act, NCSC guidelines attested. Compliance passport (Ed25519-signed) issued via CSOAI.org.
8.3 Publish DEFONEOS pilot case study (anonymized). Public case study details problem, solution, benefits, next steps. Case study published on csoai.org/defoneos/case-studies.
8.4 Transition to continuous improvement and expansion phase. Cadence for quarterly reviews and feature prioritization established. Continuous improvement plan (Ed25519-signed) in effect.
DEFONEOS — Sovereign AI for Public Services. Built in the UK. Designed for trust.