Skip to main content

Deployment Runbook

Scope

The repository Docker Compose files are development/demo topologies. They are not production hardening guides. Production deployments require managed secrets, TLS termination, backup/restore procedures, network segmentation, and organization-specific regulatory controls.

Required production controls

  • Set MERLON_ENV=production and enable authentication.
  • Terminate external TLS at a trusted ingress or reverse proxy. The API refuses an Engine connection without TLS configuration in production.
  • Store database passwords, bootstrap tokens, JWT material, and encryption keys in a secret manager; do not commit them or place production values in .env files.
  • Keep MERLON_SEED=false outside local development.
  • Restrict PostgreSQL, the Engine gRPC endpoint, API /metrics, and the Engine metrics port (9090) to private networks or authenticated monitoring infrastructure.
  • Back up MERLON_ENCRYPTION_KEY_RING and verify that recovery procedures can restore both database data and required key material.

Configuration verification

Before rollout, record the Engine configuration digests from startup logs or ConfigService and retain the approved rule files with the release evidence. See ADR-0012.

Audit-log database roles

The application database role should not have UPDATE or DELETE privileges on audit_logs. Grant read-only audit access through a separate role and test the grants in the target environment. See audit-hardening.sql.example (in this directory) for a role-template example.