Deployment Runbook
Scope
The repository Docker Compose files are development/demo topologies. They are not production hardening guides. Production deployments require managed secrets, TLS termination, backup/restore procedures, network segmentation, and organization-specific regulatory controls.
Required production controls
- Set
MERLON_ENV=productionand enable authentication. - Terminate external TLS at a trusted ingress or reverse proxy. The API refuses an Engine connection without TLS configuration in production.
- Store database passwords, bootstrap tokens, JWT material, and encryption keys in a secret manager; do not commit them or place production values in
.envfiles. - Keep
MERLON_SEED=falseoutside local development. - Restrict PostgreSQL, the Engine gRPC endpoint, API
/metrics, and the Engine metrics port (9090) to private networks or authenticated monitoring infrastructure. - Back up
MERLON_ENCRYPTION_KEY_RINGand verify that recovery procedures can restore both database data and required key material.
Configuration verification
Before rollout, record the Engine configuration digests from startup logs or ConfigService and retain the approved rule files with the release evidence. See ADR-0012.
Audit-log database roles
The application database role should not have UPDATE or DELETE privileges on audit_logs. Grant read-only audit access through a separate role and test the grants in the target environment. See audit-hardening.sql.example (in this directory) for a role-template example.