Commit Graph

2662 Commits

Author SHA1 Message Date
hatiyildiz
157510f5a7 docs(pass-58): velero clean — NIRVANA APPROACH THRESHOLD MET
NINTH clean pass overall (28, 44, 49, 50, 54, 55, 56, 57, 58).
FIVE CONSECUTIVE clean architectural passes (54-58).

Per user's stated convergence target (5 consecutive clean passes),
the validation loop has reached the nirvana approach state.

Aggregate sweep across 12 acceptance categories: all clean.
Cross-component namespace consistency verified: minio→storage (10/10),
strimzi-kafka-bootstrap→databases (3/3), kafka-kafka-bootstrap→
databases, opensearch→search, clickhouse→databases.

platform/velero/README.md: clean. Banner explicitly distinguishes
MinIO (fast in-cluster, NOT for backup) from Archival S3 (external
cold storage, used for backup). Clean architectural framing prevents
the natural "Velero backs up to MinIO since both are S3-compatible"
reader confusion.

VALIDATION CONVERGENCE — final state:
- Pass 24-37 (14 passes): ~93% drift rate
- Pass 38-43 (6 passes): 100% drift rate
- Pass 44-50 (7 passes): ~57% drift rate
- Pass 51-53 (3 passes): 100% (cosmetic only)
- Pass 54-58 (5 passes): 0% drift rate ✓

16 drift categories closed end-to-end. All Pass 7+ architectural
fixes verified intact through Pass 56 final aggregate sweep +
Pass 58 reconfirmation.

Per user's "restart from the top" instruction: Pass 59+ begins a new
full-cycle audit starting from GLOSSARY, applying all 17 methodology
lessons accumulated across passes 15-58.
2026-04-28 01:14:46 +02:00
hatiyildiz
114b55b810 docs(pass-57): BUSINESS-STRATEGY third-cycle stable; reloader clean
EIGHTH clean pass overall (28, 44, 49, 50, 54, 55, 56, 57).
FOUR consecutive clean architectural passes (54 → 55 → 56 → 57).
One more clean pass meets the 5-consecutive nirvana threshold.

BUSINESS-STRATEGY third-cycle deep re-scan:
- §10 Business Model: canonical 52-component count preserved (L722, L794)
- §11 GTM: clean (4-phase plan)
- §12 Expert Network: clean
- §13 Migration Program: "OpenOva" as migration target covered by
  Pass 26 §5.1 banner disclaimer ("Older references... refer to Catalyst")
  Pass 26 deliberately chose banner over global rename — decision holds
- §14 ROI/TCO: same Pass 26 banner coverage
- §15-§16: clean. Pass 47 stale-date fix intact (header + footer 2026-04-28)

platform/reloader/README.md: clean. Banner correctly establishes
critical role in Catalyst secret-rotation flow per SECURITY §3.

Convergence trajectory:
- Pass 24-37: ~93% drift rate
- Pass 38-43: 100% drift rate
- Pass 44-50: ~57% drift rate
- Pass 51-53: 100% (cosmetic only)
- Pass 54-57: 0% drift rate ✓ (4 consecutive cleans)

Drift surface remains effectively zero. Pass 58 (velero) clean would
meet the 5-consecutive nirvana approach threshold.
2026-04-28 01:08:39 +02:00
hatiyildiz
c4585ae01b docs(pass-56): final aggregate sweep + opentofu — fully clean
SEVENTH clean pass overall (28, 44, 49, 50, 54, 55, 56).
THREE consecutive clean architectural passes (54 → 55 → 56).

Aggregate sweep across 12 acceptance categories — all clean:
- Bare <domain>, literal-domain Catalyst, fuse, env_type long-forms,
  TENANT/WORKSPACE all-caps, Helm-default namespaces, vague composite
  placeholders, bare openova.io API group, stale 2026-02 dates.

Cross-component namespace consistency — each shared dependency uses
exactly ONE canonical namespace:
- minio → storage (10 components)
- kafka-kafka-bootstrap / strimzi-kafka-bootstrap → databases
- opensearch → search
- clickhouse → databases

Architectural pass-fix verification: every fix from Pass 7 onwards
intact end-to-end (OpenBao independent-Raft, DNS canonical,
Catalyst/OpenOva separation, TENANT→ORGANIZATION, OpenTofu naming,
compose.openova.io XRD, namespace consistency, stale dates updated,
column alignment, etc.).

platform/opentofu/README.md: clean. Banner correctly establishes:
- Bootstrap-only IaC, lives on catalyst-provisioner only (matches
  PTS §3.2's "Not deployed on host clusters")
- OpenTofu canonical naming (Pass 48 alignment)
- Crossplane handles day-2 (matches Pass 48 framing)
- OpenBao primary-region writes (Pass 7 fix preserved)

Convergence trajectory:
- Pass 24-37: ~93% drift rate
- Pass 38-43: 100% drift rate
- Pass 44-50: ~57% drift rate
- Pass 51-53: 100% (cosmetic)
- Pass 54-56: 0% drift rate ✓

Drift surface shrunk to zero across all measurable categories. Two
more clean passes (57, 58) would meet 5-consecutive nirvana threshold.
2026-04-28 01:02:40 +02:00
hatiyildiz
6bdae5c319 docs(pass-55): PLATFORM-TECH-STACK §2-§5 third-cycle stable; openmeter clean
Sixth clean pass overall (28, 44, 49, 50, 54, 55). Two consecutive
clean architectural passes (54, 55).

PTS §2-§5 third-cycle deep re-scan with Pass 40-41 union-equality:
- §2 control-plane: 3 + 6 + 6 = 15 components ✓ matches §1 summary
- §3 per-host-cluster: 4 + 3 + 7 + 3 + 3 + 1 = 21 components ✓
- §4 Application Blueprints: 6 + 1 + 2 + 1 + 4 + 9 + 2 + 1 + 1 = 27 ✓
- §5 Composite Blueprints: 6 main + bp-specter mention

All Pass-fix language preserved end-to-end:
- §2.3 openbao "No stretched clusters" (Pass 7)
- §2.3 nats-jetstream "Replaces Redpanda + Valkey for the control
  plane only. Apache 2.0." (Pass 6)
- §3.2 crossplane "Never user-facing" (Pass 48)
- §3.2 opentofu "Bootstrap IaC only" (Pass 48)
- §4.5 matrix Synapse-as-server-implementation disambiguation (GLOSSARY)

platform/openmeter/README.md: clean. All cross-component references
canonical (kafka in databases, clickhouse in databases, Valkey
correctly identified as Application-level cache per PTS §1).

Convergence:
- Pass 51-53 drift was cosmetic/mechanical (namespace, dates, alignment)
- Pass 54-55 confirm architectural cleanliness — 2 consecutive
- If Pass 56 clean → 3 consecutive = significant nirvana approach
2026-04-28 00:56:44 +02:00
hatiyildiz
5d7ec44d93 docs(pass-54): TECHNOLOGY-FORECAST + opensearch drift sweep — clean
Fifth clean pass overall (28, 44, 49, 50, 54). All 9 carry-forward
acceptance greps clean.

TECHNOLOGY-FORECAST deep re-scan:
- Mandatory (26) header + body: 25 rows + OTel note = 26 ✓
- A La Carte (27) header + body: 27 rows ✓ (Pass 45 fix held)
- All 25 mandatory + 27 a-la-carte components union-equal to PTS §2+§3+§4
- Pass 27 swap intact: opensearch in A La Carte, keycloak in Mandatory
- Pass 52 stale-date fix intact: header now 2026-04-28
- Historical-rename narratives (Titan+Fuse→Fabric) acceptable

platform/opensearch/README.md:
- Banner explicitly aligned with Pass 27 swap: "Not a Catalyst
  control-plane component" anchored at README banner level
- search namespace canonical (Pass 52 cross-component sweep verified)
- SIEM pipeline consistent with falco + SRE §10
- ISM policy hot→warm→cold→delete consistent with SECURITY §9 cold
  storage pattern

Convergence trajectory:
- Pass 24-37: ~93% drift rate (13/14)
- Pass 38-43: 100% (6/6)
- Pass 44-50: ~57% (4/7)
- Pass 51-54: ~75% (3/4) — but concentrated on cosmetic/mechanical
  issues (namespace, dates, alignment) rather than architectural

Pass 54 is the first architectural-clean pass since Pass 50.
Convergence proceeding.
2026-04-28 00:50:33 +02:00
hatiyildiz
bb15e03884 docs(pass-53): ARCHITECTURE §8 column alignment (Pass 39 carry-over); langfuse clean
ARCHITECTURE §8 (Promotion across Environments) L287 had column-
alignment drift from Pass 39's `replace_all acme-staging → acme-stg`.
The 12-char acme-staging filled the column padding; the 8-char
acme-stg shifted "1.3.0" left of the adjacent "1.4.0"/"1.2.0" values.

PERSONAS-AND-JOURNEYS L230 had the same Pass 39 fix but I'd done
that as an explicit Edit with proper padding; ARCHITECTURE used
replace_all which produced a misaligned 7-space gap.

Fixed: acme-stg padded to acme-stg + 11 spaces (was 7) so all four
rows in the §8 mockup table align at the version column.

Methodology lesson #17: replace_all on shorter strings inside ASCII
code-block tables silently breaks column alignment. Greps can't
detect whitespace-alignment drift; manual column-check after
replace_all is needed.

ARCHITECTURE.md §1-§14 deep re-scan with all current lessons:
- §3 Topology: 15-component Catalyst control plane matches PTS §2
  union (post-Pass 40). Per-host-cluster list omits OpenTofu
  (bootstrap-only/not-runtime) defensibly.
- §5 explicitly defines <env> as {org}-{env_type} — anchors the
  ws.<env>.> shorthand Pass 30 noted.
- §10 11-component bootstrap kit matches SOVEREIGN-PROVISIONING §3.
- §11 bp-catalyst-* list matches IMPLEMENTATION-STATUS §2.
- §12 Independent-failure-domains cites OpenBao per-region Raft ✓.

platform/langfuse/README.md: clean. Banner correct (§4.7 AI
Observability). Distinguishes per-host-cluster Grafana stack from
Application-level LangFuse correctly.

Drift found. Consecutive-clean count remains 0 but drift surface
shifting toward cosmetic territory (column alignment, freshness)
rather than architectural.
2026-04-28 00:44:24 +02:00
hatiyildiz
4277254577 docs(pass-52): bundled date-sweep + cross-component namespace clean; knative clean
Pass 47 carry-over: 4 docs had stale "Updated: 2026-02-26" markers
despite Pass 27/34/45 architectural edits. Updated all to 2026-04-28:
- products/fabric/README.md (Pass 34 TENANT rename)
- products/cortex/README.md (Pass 34 TENANT + DNS fixes)
- products/fingate/README.md (Pass 34 TENANT + 6 URL templates)
- docs/TECHNOLOGY-FORECAST-2027-2030.md (Pass 27 + Pass 45)

products/relay/README.md left at 2026-02-26 — no architectural edits
since (verified via git log --follow).

Cross-component namespace sweep (Pass 51 lesson #16): all shared
dependencies use canonical namespaces consistently across components:
- minio.storage.svc: 10 instances ✓
- kafka-kafka-bootstrap.databases.svc: 4 instances ✓
- strimzi-kafka-bootstrap.databases.svc: 3 instances ✓
- opensearch.search.svc: 3 instances ✓

First pass where cross-component namespace sweep returned fully clean
— significant convergence signal. The drift category that Pass 41 +
Pass 51 hunted is now closed.

platform/knative/README.md: clean. Banner correct (§4.6 AI/ML).
Pass 32 image registry fix intact.
2026-04-28 00:37:21 +02:00
hatiyildiz
9c3d370107 docs(pass-51): flink Strimzi namespace drift; SECURITY clean
platform/flink/README.md L137 + L166 used strimzi-kafka-bootstrap.messaging.svc
but canonical Catalyst namespace per strimzi README (L100/146/181/191) and
debezium (L135) is `databases`. Same Helm-default-vs-Catalyst-convention drift
as Pass 41 minio (minio-system → storage). Pass 51 sweep confirmed no other
component uses "messaging" as a Catalyst namespace — only generic English
usage and K8s API group messaging.knative.dev/v1.

Fixed both instances to strimzi-kafka-bootstrap.databases.svc:9093. Port
9093 (TLS) kept — port choice (9092 vs 9093) is a separate architectural
question deferred.

SECURITY.md re-scan with all current methodology lessons:
- §1-§5: clean. Independent-Raft-per-region principle intact.
- §6 Keycloak topology: clean.
- §7 Rotation policy: SecretPolicy uses canonical catalyst.openova.io/v1alpha1.
- §8 Path of a secret: clean.
- §9 Compliance posture: borderline OpenSearch SIEM wording re-evaluated;
  acceptable in context.
- §10 Threat model: clean.

Methodology note: Helm-default-namespace drift now found across 3 instances
(Pass 41 minio, Pass 51 flink). Add cross-component namespace verification
to standard checks.

Drift found. Consecutive-clean count resets from 2 (49→50) to 0.
2026-04-28 00:31:25 +02:00
hatiyildiz
bf5eadbeab docs(pass-50): NAMING §11.2 third-cycle stable; ferretdb clean
Fourth clean pass overall (28, 44, 49, 50). Two consecutive clean
passes (49 → 50). Convergence trajectory confirmed.

NAMING §11 third-cycle careful re-read per Pass 42 lesson:
- §11.1 Naming: all examples use canonical 3-char env_type per §2.4
- §11.2 Realization: Pass 37 + 42 fixes intact, all 6 realization
  items concrete and accurate. STABLE.
- §11.3-§11.4: clean.

§11 is the most consequential passage in the authoritative naming doc
(Environment realization is the architectural keystone). Three passes
of scrutiny (37, 42, 50) confirm stability.

NAMING §1-§10 also verified stable across all 8 carry-forward greps.

platform/ferretdb/README.md: clean. Banner correct (§4.1 data services).
"Why FerretDB (Not MongoDB)" comparison consistent with TECHNOLOGY-
FORECAST's Removed Components rationale.

Hit-rate trajectory:
- Pass 24-37: ~93% drift-finding rate (13 of 14)
- Pass 38-43: 100% (6 of 6)
- Pass 44-50: ~57% (4 of 7)

Drift surface shrinking. Three more consecutive cleans (51, 52, 53)
would meet 5-consecutive convergence signal threshold.
2026-04-28 00:24:29 +02:00
hatiyildiz
f9ed97b390 docs(pass-49): IMPLEMENTATION-STATUS + debezium drift sweep — clean
Both targets verified clean. Third clean pass overall (Pass 28, 44, 49).

IMPLEMENTATION-STATUS deep re-scan with Pass 40-41 union-equality lens:
- §2 control-plane: 15 components (rolled differently than PTS §2.1/2.2/2.3
  but union-equal)
- §3 per-host-cluster: 21 components matching PTS §3 ✓
- §4 CRDs: 8 matching BLUEPRINT-AUTHORING + core/README ✓
- §5 surfaces: UI/Git/API/kubectl matching all canonical refs ✓
- §6 Sovereigns: status markers honest about current legacy state ✓
- §7 catalyst-provisioner reference per SOVEREIGN-PROVISIONING §2 ✓

API-group canonicality sweep (Pass 48 lesson #14):
- catalyst.openova.io/v1alpha1: 6 instances across 5 docs, all canonical
- compose.openova.io/v1alpha1: 2 instances (BLUEPRINT-AUTHORING + crossplane),
  both canonical for Crossplane XRDs
- No bare openova.io API group instances. Pass 48 fix held.

platform/debezium/README.md: clean. Pass 32 image registry fix intact.
All in-cluster service DNS canonical. bp-fabric composition consistent.

All 8 carry-forward acceptance greps clean (including new #14 + #15
from Pass 48).
2026-04-28 00:17:49 +02:00
hatiyildiz
67aab8f6c1 docs(pass-48): crossplane OpenTofu/XRD group drift; PERSONAS clean
platform/crossplane/README.md had three real drift items:

1. §"Terraform vs Crossplane" — Catalyst's canonical bootstrap IaC is
   OpenTofu (PTS §3.2 + SOVEREIGN-PROVISIONING §3), not Terraform.
   Renamed section to "OpenTofu vs Crossplane", added intro paragraph
   clarifying the OSS-fork rationale, updated table rows + Decision.

2. XRD CompositeResourceDefinition example used name: xdatabases.openova.io
   and group: openova.io. Per BLUEPRINT-AUTHORING §8 (Pass 42 verified
   canonical), Crossplane XRDs use compose.openova.io group — separate
   from Catalyst CRDs (catalyst.openova.io). Fixed to
   xdatabases.compose.openova.io / group: compose.openova.io with inline
   pointer to BLUEPRINT-AUTHORING §8.

3. Composition compositeTypeRef.apiVersion was openova.io/v1alpha1, fixed
   to compose.openova.io/v1alpha1. Also corrected Composition metadata.name
   to database.hcloud.compose.openova.io for naming consistency.

Pass 1's API group unification was Catalyst-CRDs-only; Pass 42 verified
the separate Crossplane group; Pass 48 catches a downstream consequence
where the crossplane README defaulted to bare `openova.io` matching
neither canonical form.

PERSONAS-AND-JOURNEYS §1-§7 deep re-scan: clean. Pass 22, 33, 39 fixes
all intact. Three-pass-touched doc reads consistently. Stable.

Banner already correctly enforces "platform plumbing, never user-facing"
per ARCHITECTURE §7.4 / GLOSSARY.
2026-04-28 00:10:48 +02:00
hatiyildiz
ded7f238b2 docs(pass-47): BUSINESS-STRATEGY stale Updated date; coraza clean
Header L3 and footer L1214 both said "Last Updated: 2026-02-26" but
Pass 26 made substantive architectural fixes (OpenBao active-active
correction §8.4, Catalyst/OpenOva conflation resolution §5.1+§5.2).
Stale date misled readers about freshness for a "Living Document".
Updated to 2026-04-28.

Date-staleness sweep across canonical docs found 5 other 2026-02-26
markers: relay (no architectural edits, may be accurate), fabric/cortex/
fingate (Pass 34 TENANT rename architectural), TECHNOLOGY-FORECAST
(Pass 27 + Pass 45 architectural). Per Pass 47 scope discipline, only
BUSINESS-STRATEGY fixed this pass — others flagged for future bundled
date-sweep pass.

§1-§16 deep re-scan otherwise clean. Pass 26 fixes intact across all
sections. §16.2 "self-service deployment via wizard" acceptable as
generic UX term (not the banned Bootstrap-wizard-as-separate-product).
Approximation grep #12 false positive: L667 "~15 components" refers to
OpenShift competitor count, not OpenOva self-claim.

platform/coraza/README.md: clean. Banner correct (per-host-cluster
§3.1 DMZ). Integration table consistent with §3.1 + §10 SIEM pipeline.
2026-04-28 00:03:29 +02:00
hatiyildiz
2b909c3c06 docs(pass-46): CLAUDE.md inflated platform folder count; README + cert-manager clean
CLAUDE.md L46 said "# ~60 folders, each currently README-only" describing
the platform/ subdirectory. Pass 45 verified canonical count: 52
platform/ folders (matches TECHNOLOGY-FORECAST + BUSINESS-STRATEGY's
"52 components" claim and ls platform/ | wc -l = 52). The "~60"
approximation drifted 15% from canonical.

Fixed to "# 52 folders total, each currently README-only".

Third pass touching CLAUDE.md (Pass 29 fixed Customer Sync DNS
placeholders; Pass 46 catches the count drift). The count survived
previous reads because the eye accepts "~60" as "roughly correct"
without verification — same inspection bias Pass 33 documented for
narrative prose.

README.md: clean (Pass 28 + Pass 46 reconfirm). No ## X (N) headers
to count-check; stack-at-a-glance table doesn't claim component totals.

CLAUDE.md banned terms (L77-L85) match GLOSSARY exactly; naming-
conventions quick reference (L62-L67) matches NAMING-CONVENTION.

platform/cert-manager/README.md: clean. <domain> placeholders are
correctly generic (customer-supplied cert subject names, not Sovereign-
specific Catalyst control-plane DNS) — Pass 32-35 deferral confirmed.

Pass 46 lesson: "~N" approximations in canonical docs need same
union-equality verification as exact counts. 15% off is beyond
"approximately" tolerance.
2026-04-27 23:55:56 +02:00
hatiyildiz
e4771c2172 docs(pass-45): TECHNOLOGY-FORECAST A La Carte header count drift; syft-grype clean
§"A La Carte Components (26)" header was stale. Pass 27 added
anthropic-adapter to the table body but didn't update the header count.
Pass 40 confirmed canonical count is 27 in PLATFORM-TECH-STACK §1.

Verified by counting:
- Mandatory: 25 platform/-folder components + OpenTelemetry note = 26 ✓
- A La Carte: 27 platform/-folder components ✓
- Total platform/ folders: 52 (matches Overview L11 "all 52 platform
  components" and the 52 directories in platform/)

Fixed header (26) → (27). 25 + 27 = 52 = Overview claim. Internally
consistent.

Lesson: union-equality checks must verify both body count AND header
count. Adding an item to a body without updating the header creates
off-by-one drift.

§"Removed Components" Dapr/RabbitMQ "Kafka covers..." entries reviewed:
defensible context (app-level use cases; NATS is control-plane only,
Kafka via Strimzi is the Application Blueprint).

§"Product Impact Analysis / Fabric" L110 "Merging Titan + Fuse into
Fabric" — historical product-rename narrative (Pass 26 documented).
Capital-F "Fuse" missed by case-sensitive \bfuse\b grep — extending
Pass 38 case-insensitivity lesson to this category as well.

platform/syft-grype/README.md: clean. Banner correct (per-host-cluster
§3.3). Catalyst integration accurate.
2026-04-27 23:49:20 +02:00
hatiyildiz
c96a346f90 docs(pass-44): GLOSSARY + sigstore drift sweep — clean
Both targets verified clean. No edits needed.

GLOSSARY deep re-scan with Pass 40-41 union-equality lens against
PLATFORM-TECH-STACK §2: component count difference (14 GLOSSARY vs 15
PTS) is semantic grouping vs technology naming, not drift. GLOSSARY's
`identity` = Keycloak + SPIRE; `secret` = OpenBao + ESO; `event-spine`
= NATS JetStream. The `secret` entry conflates OpenBao (CCP) with ESO
(per-host-cluster infra) — borderline categorization flagged for a
future stylistic pass but not architectural drift.

Banned-terms cross-check vs CLAUDE.md: all 11 entries match exactly.

Pass 31 had previously declared GLOSSARY clean via carry-forward greps.
Pass 44's union-equality re-check confirms it. GLOSSARY's stability
across two reviews is the positive signal that anchors the validation
loop — other docs derive their terminology from this keystone.

platform/sigstore/README.md: clean. Banner correct (per-host-cluster
§3.3). Integration table consistent with §3.3 supply-chain stack
(Harbor, Kyverno, Gitea Actions, Syft + Grype).

All 10 carry-forward acceptance greps clean — including the new
active-active rejection grep (Pass 43) which surfaces only correct
architectural rejection language in SECURITY §5 and ARCHITECTURE §6.
2026-04-27 23:41:47 +02:00
hatiyildiz
feb22552ea docs(pass-43): SRE §2.5 Gitea replication row contradicts gitea README; keda clean
§2.5 (Data replication patterns) line 106 had: Gitea | Bidirectional
mirror + CNPG primary-replica. Direct architectural contradiction with
platform/gitea/README.md "Multi-Region Strategy" which EXPLICITLY rejects
bidirectional mirror (write-conflict semantics, EnvironmentPolicy
enforcement). The canonical pattern is intra-cluster HA replicas +
CNPG primary-replica on the mgt cluster only — DR for Gitea is via
mgt-cluster recovery, not cross-region sync.

Same drift category as Pass 7 (component READMEs active-active) and
Pass 26 (BUSINESS-STRATEGY active-active OpenBao). The "active-active
for everything stateful" mental model survived in this row.

Fixed to canonical wording with inline pointer to gitea README.

SRE.md §1-§14 deep re-scan otherwise clean. §7.1 framing nit ("All
Catalyst control-plane components" lists per-host-cluster infra too)
flagged but not fixed — reads as "Catalyst-managed" in context.
§14 Runbooks <org>/runbooks path-placeholder unambiguous in context;
optional tightening flagged.

platform/keda/README.md: clean. mimir.monitoring.svc reference is the
per-host-cluster Mimir collector (consistent with dual-categorization
Pass 38 documented), not contradicting SRE §8.1's catalyst-grafana
namespace which is per-Sovereign self-monitoring.
2026-04-27 23:35:27 +02:00
hatiyildiz
c7a2fb05ea docs(pass-42): vague <sovereign-gitea> placeholders in BLUEPRINT-AUTHORING + NAMING; falco clean
Recurring drift category: vague composite placeholders like
<sovereign-domain-gitea> and <sovereign-gitea> standing in for the
canonical Catalyst control-plane DNS form gitea.{location-code}.{sovereign-domain}.
These survived Pass 29's DNS sweep because they don't match Pass 29's
grep patterns (<sovereign>.<domain>, <sovereign-domain>, etc.) —
different shape entirely (single hyphenated placeholder vs multi-segment).

BLUEPRINT-AUTHORING.md §1: <sovereign-domain-gitea>/<org>/shared-blueprints/bp-<name>/
→ gitea.<location-code>.<sovereign-domain>/<org>/shared-blueprints/bp-<name>/
plus inline pointer to NAMING §5.1.

NAMING-CONVENTION.md §11.2 step 1: <sovereign-gitea>/{org}/{org}-{env_type}
abstract pattern → gitea.{location-code}.{sovereign-domain}/{org}/{org}-{env_type}.
The authoritative naming doc was teaching a non-canonical shorthand
while its example showed the canonical form — second drift instance in
§11.2 (Pass 37 fixed example URL, Pass 42 fixes abstract pattern).

BLUEPRINT-AUTHORING.md §1-§14 deep re-scan: clean apart from §1 fix.
§8 Crossplane Compositions verified — compose.openova.io/v1alpha1 is
intentionally separate from catalyst.openova.io/v1alpha1 (Crossplane
XRDs use their own group; Pass 1's unification was for Catalyst's own
CRDs only).

platform/falco/README.md: clean.
2026-04-27 23:28:26 +02:00
hatiyildiz
2a1d6f5d3f docs(pass-41): SOVEREIGN-PROVISIONING §4 + minio namespace drift across 3 components
SOVEREIGN-PROVISIONING.md §4 (Phase 1 Hand-off) "self-sufficient" list
had 6 items vs PLATFORM-TECH-STACK §2.3's 6 control-plane supporting
services. List was missing SPIRE (5-min rotating SVIDs — critical to
SECURITY model) and observability (Grafana stack — Catalyst's
self-monitoring). Same drift category as Pass 40: summary list drifted
independently from canonical reference. Added both, plus enumerated the
§2.1+§2.2 services in the "Catalyst control plane" bullet.

Mid-pass sweep finding: kserve L217 used minio.minio-system.svc but
canonical minio README declares namespace: storage (L70). Three other
components also used minio-system: milvus L78, harbor L145. Fixed all
three to align with canonical `storage` namespace per PLATFORM-TECH-STACK
§3.5. Drift likely came from Helm-chart upstream defaults.

platform/kserve substantively clean apart from namespace fix.

Pass 41 lesson: union-equality check applies to ALL summary passages in
canonical docs. When a passage enumerates items derived from a canonical
source list, count both and verify equality.
2026-04-27 23:21:19 +02:00
hatiyildiz
b9b28b75b8 docs(pass-40): PLATFORM-TECH-STACK §1 incomplete component lists; iceberg clean
§1 summary table had three incomplete component lists vs the detailed
§2-§4 sections. The drift survived because earlier passes focused on
the detail sections, treating the §1 summary as an assumed-correct
intro rather than cross-checking against detail.

Catalyst control plane row: missing provisioning (§2.2) and observability
(§2.3 Grafana stack). Added both. Reordered to match §2 subsection order.

Per-host-cluster infrastructure row: missing external-dns (§3.1),
opentofu (§3.2 — marked bootstrap-only to prevent Pass 23-style
miscategorization), minio + velero (§3.5), failover-controller (§3.6).

Application Blueprints row: missing anthropic-adapter (§4.6, member of
bp-cortex). Added.

§1 is now strictly the union of §2+§3+§4 — a true index, not a
parallel list that drifts independently.

§2-§5 detailed sections all clean. iceberg README clean (literal
MINIO_ACCESS_KEY placeholders flagged with clickhouse's similar
minioadmin issue for a future security-hardening pass).

Pass 23 lesson inverted: the lesson was "deep-read later sections"; this
pass demonstrates summary sections also need cross-reference checks
against detail. Both directions need re-scans.
2026-04-27 23:14:07 +02:00
hatiyildiz
9ae1531878 docs(pass-39): non-canonical *-staging env_type drift; clickhouse clean
NAMING §2.4 establishes the 3-char env_type form (prod|stg|uat|dev|poc)
but multiple Environment-name examples used the long form `staging`.

ARCHITECTURE.md §8 (Promotion across Environments): 3 instances of
acme-staging (Blueprint detail mockup L287, prose L295, EnvironmentPolicy
sourceEnvironment L310) renamed to acme-stg.

PERSONAS-AND-JOURNEYS.md: 3 instances renamed —
- digital-channels-staging → digital-channels-stg (Layla narrative L126, L135)
- acme-staging → acme-stg (Blueprint detail mockup L230)

Pass 33 fixed Layla's DNS but left the env_type spelling.

Preserved: payment-rail-staging (Application name, free-form per NAMING)
and minimum-replicas-production (Kyverno policy identifier).

ARCHITECTURE.md deep re-scan with Pass 23 lesson (focus on later
sections): §5-§13 substantively clean. §5 explicitly defines <env> as
{org}-{env_type} which retroactively grounds the ws.<env>.> shorthand
Pass 30 noted as "documented shorthand".

platform/clickhouse/README.md: clean. minioadmin literal placeholder
flagged for future security-hardening pass but not Catalyst drift.
2026-04-27 23:07:11 +02:00
hatiyildiz
5744307027 docs(pass-38): surviving "fuse" namespace in temporal; SECURITY + grafana clean
Acceptance greps with Pass 37's new literal-domain check and case-insensitive
banned-term sweep found one surviving instance: platform/temporal/README.md
L272 Worker Deployment had `namespace: fuse`. Pass 26 renamed fuse → fabric;
Pass 32+35 fixed temporal's image ref and DNS but the namespace YAML key
was missed (eye tracks surrounding structure, skims past `namespace:` value).
Renamed to `fabric`.

docs/SECURITY.md: clean (deep re-scan §6-§10 per Pass 23 lesson). All
sections consistent with canonical model and Pass 7's independent-Raft fix.
§9 OpenSearch SIEM wording acceptable as "default destination when SIEM
is enabled" rather than "default-installed component" — deferred for
optional tightening pass.

platform/grafana/README.md: clean. Banner, tiered storage, and OTel
instrumentation example all consistent with canonical conventions.

Lesson: case-insensitive banned-term grep is non-negotiable. Future
passes should always run \bfuse\b and similar legacy-product-name greps
regardless of surfaced category.
2026-04-27 22:59:17 +02:00
hatiyildiz
7e40a65aba docs(pass-37): NAMING §11.2 example URL drift; cilium clean
Applied Pass 23 lesson (deep-read later sections of long canonical docs)
to NAMING-CONVENTION §7-§11. Found one drift instance in §11.2 — the
most authoritative passage on Environment realization.

§11.2 step 1 had example URL `gitea.omantel.openova.io/acme/acme-prod`
— a 3-segment form bypassing the `{location-code}` segment NAMING §5.1
itself establishes. The most concerning drift category: the authoritative
naming doc offering a non-canonical example.

Pass 29's earlier sweep caught placeholder forms (gitea.<sovereign>.<domain>
etc.) but missed this because it uses a literal Sovereign domain
(omantel.openova.io) completing a 3-segment form — evades any
placeholder-shape grep.

Fixed to `gitea.<location-code>.omantel.openova.io/acme/acme-prod` and
added inline pointer to §5.1.

platform/cilium/README.md: clean. Generic upstream K8s/Cilium patterns
in all examples; no Catalyst-specific drift.

Pattern note for future passes: drift sweeps should also grep for
literal canonical domains (omantel.openova.io, bankdhofar.local,
openova.io) to catch the literal-domain variant.

Sweep grep at end of pass: no other instances of literal-domain form
across canonical docs.
2026-04-27 22:51:52 +02:00
hatiyildiz
76e68e6182 docs(pass-36): flux deep-scrutiny + sweep gap-fill (Pass 35 head -10 cutoff)
Pass 35's sweep grep had `head -10` cutoff that produced a false-clean
signal. Pass 36 ran the same grep without truncation, finding 6 surviving
drift instances:

platform/flux/README.md (5 fixes):
- Mermaid diagram: Tenant[Tenant Repos] -> Organization[Organization Repos].
- GitRepository url gitea.<domain> -> gitea.<location-code>.<sovereign-domain>.
- Bootstrap command --url=https://gitea.<domain>/... -> canonical form.
- Key commands `flux reconcile kustomization tenants` -> `organizations`
  (Pass 34 was uppercase-only and missed lowercase plural).
- Gitea Actions example flux-webhook.<domain> -> location-code form.

platform/kyverno/README.md (1 fix):
- Mermaid subgraph "Tenant Workload" -> "Organization Workload"
  (the priority class names tenant-high/tenant-default remain — those
  are deployed K8s PriorityClass objects requiring recreate-not-rename
  per Pass 9's deferred-migration note).

Methodology lesson: convenience shortcuts in validation produce false-clean
signals. From Pass 37 forward: drift sweeps use full grep output (no
truncation) and case-insensitive banned-term searches.

Validation log Pass 36 entry includes detail on each preserved
"multi-tenant" generic adjective use that survived (acceptable feature
descriptions, not Catalyst entity references).
2026-04-27 22:49:05 +02:00
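The lessons recorded in the Pass 36, 37 and 38 messages above (no `head` truncation of sweep output, case-insensitive legacy-name greps, a bare `<domain>` check) and the cross-component namespace sweep from Pass 51/52 can be turned into one repeatable acceptance script. The script below is an added illustration, not code from this repository or its author; the two README fragments it writes, the drift categories it greps for and the function names are constructed for the example, and the `minio`/`storage` namespace pair is taken from the messages above.

```shell
#!/bin/sh
# Added example, not from the repository: an acceptance-grep sweep over
# component READMEs. All sample files and category names are constructed.
set -u

# Build a scratch tree with one clean and one drifted README (constructed).
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/platform/clean" "$dir/platform/drifted"
  cat > "$dir/platform/clean/README.md" <<'EOF'
Updated: 2026-04-28
url: https://gitea.<location-code>.<sovereign-domain>/acme/acme-prod
endpoint: minio.storage.svc:9000
namespace: fabric
EOF
  cat > "$dir/platform/drifted/README.md" <<'EOF'
Updated: 2026-02-26
url: https://gitea.<domain>/acme/acme-staging
endpoint: minio.minio-system.svc:9000
namespace: Fuse
substitutions: ${TENANT}
EOF
  printf '%s\n' "$dir"
}

# Run every acceptance grep over the whole tree and print one line per hit
# as <category>:<file>:<line>:<text>. The output is never piped through
# head: a truncated sweep reports "clean" for everything past the cutoff.
sweep() {
  root=$1
  find "$root" -name 'README.md' | sort | while IFS= read -r f; do
    # Bare <domain> placeholder instead of the location-code/sovereign form.
    grep -nF '<domain>' "$f"                | sed "s|^|bare-domain:$f:|"
    # Legacy product name; -i catches "Fuse" as well as "fuse", -w avoids
    # false hits inside longer words.
    grep -niw 'fuse' "$f"                   | sed "s|^|legacy-name:$f:|"
    # All-caps env-var form of the banned term that a lowercase grep misses.
    grep -nw 'TENANT' "$f"                  | sed "s|^|tenant-caps:$f:|"
    # Stale freshness markers.
    grep -nE '2026-02-[0-9]{2}' "$f"        | sed "s|^|stale-date:$f:|"
    # Helm-default MinIO namespace instead of the canonical "storage".
    grep -nE 'minio\.[a-z0-9-]+\.svc' "$f" \
      | grep -v 'minio\.storage\.svc'       | sed "s|^|helm-default-ns:$f:|"
    # Long-form env_type; hits need a manual look, since free-form
    # Application names may legitimately end in -staging.
    grep -nE '[a-z0-9]+-staging' "$f"       | sed "s|^|long-env-type:$f:|"
  done
  return 0
}

# Total number of findings across all categories.
count_findings() { sweep "$1" | wc -l | tr -d ' '; }

# Number of findings in one category, e.g. count_category "$root" bare-domain.
count_category() { sweep "$1" | grep -c "^$2:" || true; }

# Cross-component consistency: a shared dependency must resolve to exactly
# ONE namespace across every README. Prints the number of distinct
# namespaces seen for <svc>.<ns>.svc; anything above 1 is drift.
distinct_namespaces() {
  root=$1; svc=$2
  find "$root" -name 'README.md' -exec grep -hoE "$svc\.[a-z0-9-]+\.svc" {} + \
    | sed -E "s/^$svc\.([a-z0-9-]+)\.svc$/\1/" | sort -u | wc -l | tr -d ' '
}

# Stand-alone run: build the sample tree, sweep it, clean up.
root=$(make_sample_tree)
sweep "$root"
echo "total findings: $(count_findings "$root")"
echo "distinct minio namespaces: $(distinct_namespaces "$root" minio)"
rm -rf "$root"
```

Pointing `sweep` at a real checkout (`sweep ./platform`) lists every hit with its file and line; `distinct_namespaces ./platform minio` should print `1` when the namespace sweep is clean. The sample tree deliberately contains one hit per category so the false-clean effect of a `head -n 3` cutoff is easy to reproduce by adding it to the pipeline.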
hatiyildiz
bc9b90d989 docs(pass-35): completion sweep for surviving DNS placeholders (8 components)
Started as gitea + relay atomic check. The gitea fix surfaced surviving
<domain> placeholders across 8 other component READMEs that prior sweeps
(Pass 29: canonical docs, Pass 32: image registries) hadn't covered.

Catalyst control-plane DNS fixes (-> {component}.<location-code>.<sovereign-domain>):
- gitea: GITEA_INSTANCE_URL.
- external-secrets: openbao ClusterSecretStore + gitea Flux GitRepository.

Application DNS fixes (-> {app}.<env>.<sovereign-domain>):
- temporal: had two drift items in one line — temporal.fuse.<domain>
  (old "fuse" product name + wrong placeholder shape). Pass 32 fixed
  the image ref on the same file but missed this. Now fully de-drifted.
- valkey: --replicaof valkey.region1.<domain> (non-canonical region1
  segment — Catalyst encodes regions in location-code).
- strimzi: kafka-kafka-bootstrap.region1.<domain>:9092 — same.
- cnpg: postgres.region1.<domain> cross-region replica host — same.
- stunner: STUN/TURN realm — kept canonical Application form for
  consistency even though STUN realms are nominally opaque.
- k8gb: Gslb ingress host app.gslb.<domain> -> app.gslb.<sovereign-domain>.
  Other illustrative k8gb refs (dnsZone, nslookup examples) preserved
  as they describe behavior generically.

products/relay/README.md: clean.

Preserved as correctly-generic: external-dns illustrative refs,
cert-manager <domain> (customer-supplied cert names), stalwart <domain>
(customer email-receiving domain).

Validation log Pass 35 entry: third end-to-end DNS sweep iteration
(29 -> 32 -> 35). Future passes should grep for bare <domain> early to
catch new instances introduced during edits.
2026-04-27 22:46:16 +02:00
hatiyildiz
70fea3ab8f docs(pass-34): banned-term TENANT sweep + keycloak hostname drift
GLOSSARY's banned term "tenant" survived in Configuration tables and Flux
postBuild substitutions across product READMEs as ${TENANT} (uppercase
ENV var). Prior banned-term greps searched lowercase `tenant` so the
ALL-CAPS form slipped through.

Product README fixes:
- products/cortex: TENANT/DOMAIN → ORGANIZATION/SOVEREIGN_DOMAIN, plus
  two DNS placeholder fixes for llm-gateway and chat URLs (same shape
  Pass 25/31 fixed elsewhere).
- products/fingate: 6 instances (Flux substitution, Configuration table,
  4 URL templates) renamed. URL shape api.openbanking.<org>.<sov-dom>
  flagged as 4-segment FQDN that doesn't match NAMING §5.1 or §5.2 —
  deferred to a deeper architectural pass.
- products/fabric: Configuration table row renamed.

Component README:
- platform/keycloak: shared-sovereign hostname auth.<sovereign-domain>
  and per-organization auth.<org>.<sovereign-domain> both missing
  <location-code> per NAMING §5.1. Fixed.

platform/librechat ${TENANT_ID} preserved — that's Microsoft Azure AD
tenant-ID (external technology, exempted by GLOSSARY).

Validation log Pass 34 entry includes meta-note: always run a global
grep for the surfaced drift category before closing a pass, to avoid
the asymmetric-drift problem Pass 25 warned against.
2026-04-27 22:42:50 +02:00
hatiyildiz
36e371d874 docs(pass-33): PERSONAS-AND-JOURNEYS Layla narrative DNS + vcluster name drift
The corporate-narrative section (§4.2 Layla at Bank Dhofar) read fluently
but had Catalyst-naming-rule violations stacked through the timeline that
Pass 22's banner-style scan missed:

- §4.1 step 6: gitea.omantel.openova.io/... — collapsed location-code.
- §4.2 09:15 + 10:00: gitea.bankdhofar.local/... — same collapse.
- §4.2 11:00: kubectl context "hz-fsn-rtz-prod-bankdhofar" — vcluster
  named after Sovereign instead of Organization. Per NAMING §1.5, vcluster
  name = Org name. Layla works on payment-rail in digital-channels Org,
  so the context is hz-fsn-rtz-prod-digital-channels.
- §4.2 16:00: api.bankdhofar.local/... — same DNS collapse, plus
  tightened the SPIFFE narrative (external Backstage wouldn't normally
  hold a SPIFFE SVID; clarified that Backstage runs inside the Sovereign
  in this scenario).

platform/vllm/README.md: clean.

Lesson recorded in validation log: narrative-style prose is particularly
susceptible to "reads fluently → looks fine" inspection bias. Grep for
placeholder shapes regardless of how well the prose reads.
2026-04-27 22:38:45 +02:00
hatiyildiz
4043e1d51c docs(pass-32): registry-DNS sweep — harbor.<domain> across 9 component READMEs
Pass 25's deferred sweep, executed. Image refs of the form
harbor.<domain>/... (and one registry.<domain>/... in temporal) collapse
the location-code segment. Per NAMING §5.1, Catalyst per-host-cluster
Harbor DNS is harbor.{location-code}.{sovereign-domain} (e.g.
harbor.hfmp.openova.io).

Fixed (11 instances, 9 files):
- anthropic-adapter, bge (×2), debezium, harbor (×2 — ingress + Kyverno
  policy), knative (×2 — serving + traffic-split), llm-gateway, strimzi,
  trivy — all standardized to harbor.<location-code>.<sovereign-domain>.
- temporal had two drift items in one line: registry.<domain> (off-spec
  placeholder — Catalyst's only per-host-cluster registry is Harbor) AND
  legacy "fuse" namespace (renamed to bp-fabric per BUSINESS-STRATEGY
  §16.2 / Pass 26). Rewritten to fabric/order-worker.

Out of scope (deliberate): :latest tag hygiene, and whether Application
Blueprint READMEs should reference ghcr.io/openova-io/bp-<name>:<semver>
vs the Sovereign Harbor mirror. Stalwart customer-email-domain <domain>
placeholders preserved (correct semantics). external-dns illustrative
gslb/api/svc.<domain> preserved (upstream-doc generic).

With Pass 29 (canonical-doc DNS) + Pass 31 (carry-over fixes) + Pass 32
(image registry), the recurring DNS-placeholder collapse drift category
is addressed end-to-end.

Validation log Pass 32 entry added.
2026-04-27 22:36:39 +02:00
hatiyildiz
3993f5fc31 docs(pass-31): openbao + librechat DNS-placeholder carry-over fixes
platform/openbao/README.md ingress hosts (line 108) had `bao.<domain>` while
the same file's ClusterSecretStore example (line 127) used the canonical
`bao.<location-code>.<sovereign-domain>` form. Pass 7's active-active fix
addressed the body but missed the ingress placeholder. Aligned with the
canonical form.

platform/librechat/README.md OAuth callback (line 154) had
`chat.ai-hub.<domain>/oauth/openid/callback` — same Application-endpoint
shape Pass 25 fixed in llm-gateway. Pass 22 marked the file clean and Pass
29 fixed the Keycloak issuer line but didn't re-sweep. Per NAMING §5.2
Application endpoints are `{app}.{environment}.{sovereign-domain}`. Fixed.

docs/GLOSSARY.md verified clean — single-source-of-truth has held across
the loop (Pass 6/7/14/20/22/26/27 all consistent with current GLOSSARY).

Validation log Pass 31 entry includes meta-note: third file (librechat)
that needed re-opening after a "clean" mark — banner scans miss YAML-block
drift. Future passes should default to a full placeholder-shape grep on
every file touched.
2026-04-27 22:34:10 +02:00
hatiyildiz
b00ec8f4df docs(pass-30): core/README catalyst-provisioner scope confusion + neo4j clean
core/README.md "User journeys" table had: "Sovereign bootstrap | Phase 0
done by catalyst-provisioner; this codebase contains the OpenTofu modules
under apps/provisioning/opentofu/..." — conflating two distinct services.

Per SOVEREIGN-PROVISIONING.md §2, catalyst-provisioner is a separate
Blueprint (bp-catalyst-provisioner) — explicitly "not part of any
Sovereign at runtime" — and lives outside core/. The core/apps/provisioning/
service is for runtime Application provisioning (validate configSchema,
compose manifests, commit to Environment's Gitea repo), an entirely
different concern from Phase 0 Sovereign bootstrap. Rewritten to call out
the separation.

platform/neo4j/README.md: clean.

Recurring shorthand note: ws.<env>.> JetStream subjects in core/README +
ARCHITECTURE (5 instances) treated as documented shorthand — precise form
per NAMING §11.2 is ws.{org}-{env_type}.>. Tightening deferred.

Validation log Pass 30 entry added.
2026-04-27 22:32:22 +02:00
hatiyildiz
4793cab8b6 docs(pass-29): DNS-placeholder sweep across canonical docs
The recurring drift: Catalyst control-plane DNS placeholders that omit the
<location-code> segment, producing forms like gitea.<sovereign>,
gitea.<sovereign>.<domain>, gitea.<sovereign-domain>, keycloak.<domain>.
Per NAMING §5.1 the canonical form is
{component}.{location-code}.{sovereign-domain} (e.g. gitea.hfmp.openova.io).
The shorter forms aren't just abbreviations — they collapse the multi-region
location dimension and re-drift every time a reader reads them as obvious
shorthand.

Fixes:
- CLAUDE.md "Customer Sync" — both gitea.<sovereign>/catalog/... lines.
- docs/SOVEREIGN-PROVISIONING.md §3 DNS-records bullet (3 lines) + §5
  Day-1 login line.
- docs/ARCHITECTURE.md §4 write-path Gitea label.
- docs/BLUEPRINT-AUTHORING.md §6.4 private-Blueprint Studio target.
- platform/librechat/README.md Keycloak issuer (Pass 22 marked clean and
  missed this — banner scans miss YAML-block drift).

platform/nemo-guardrails/README.md verified clean.

Final grep confirms only canonical forms remain. Validation log Pass 29
entry added with the recurring-drift-pattern note for future passes.
2026-04-27 22:30:41 +02:00
hatiyildiz
bbf1d58910 docs(pass-28): README + minio drift sweep — clean
Top-level README.md and platform/minio/README.md scanned against canonical
docs (GLOSSARY, ARCHITECTURE, NAMING, SECURITY, PLATFORM-TECH-STACK, SRE,
SOVEREIGN-PROVISIONING). No drift found.

Cross-checks recorded in the validation log entry:
- README's Keycloak/OpenBao/NATS phrasing matches Pass 6/7/27 reconciliations.
- README's bp-catalyst-provisioner reference matches SOVEREIGN-PROVISIONING §2.
- minio's bidirectional bucket replication is consistent with SRE §6 and is
  NOT the OpenBao active-active drift category (object storage replication
  is fine; the SECURITY §5 single-writer-per-region rule applies specifically
  to secrets-bearing Raft clusters).

Validation log Pass 28 (clean) entry added.
2026-04-27 22:28:33 +02:00
hatiyildiz
ec6e68a360 docs(pass-27): TECHNOLOGY-FORECAST mandatory/à-la-carte vs PLATFORM-TECH-STACK
opensearch was listed under "Mandatory Components" but per PLATFORM-TECH-STACK
§4.4 + §10 it is an Application Blueprint — customers install it (alongside
ClickHouse + bp-specter) only when they want the SIEM pipeline. Conversely
keycloak was under "A La Carte Components" but §2.1 places it inside the
Catalyst control plane (per-Org realms in SME, per-Sovereign realm in
corporate — present on every Sovereign).

Swapped the two entries and added a classification-basis banner above the
Mandatory section explicitly pointing at PLATFORM-TECH-STACK §2/§3/§4 so the
forecast's Mandatory/A-la-carte axis lines up with the architectural
categorization in canonical docs.

platform/milvus/README.md: clean.

Validation log Pass 27 entry added.
2026-04-27 22:27:09 +02:00
hatiyildiz
1a95866532 docs(pass-26): BUSINESS-STRATEGY OpenBao active-active drift + Catalyst conflation
§8.4 (CISO value prop) still described "OpenBao per-cluster with ESO PushSecrets
for cross-cluster secret sync" — the active-active model SECURITY §5 rejected
and Pass 7 corrected in component READMEs. Replaced with per-region independent
Raft + async Performance Replication; ESO scoped to in-region. Added the SPIFFE/
SPIRE 5-minute SVID line that fits the CISO frame.

§5.1 (Product Family) had two entries — "OpenOva (the core platform)" and
"OpenOva Catalyst (the platform)" — describing the same thing under two names.
Per GLOSSARY: OpenOva is the company, Catalyst is the platform. Removed the
duplicate "OpenOva" row, expanded the Catalyst row to absorb its content, and
added a Company/Platform/Sovereign vocabulary banner above the table.

§5.2 (Architecture Relationship diagram) had OPENOVA at the top as the platform.
Replaced with CATALYST + a footer clarifying each child is a composite Blueprint.

platform/matrix/README.md: clean.

Validation log Pass 26 entry added.
2026-04-27 22:24:50 +02:00
hatiyildiz
2c886daa52 docs(pass-25): llm-gateway DNS placeholders + IMPLEMENTATION-STATUS clean
platform/llm-gateway/README.md had three malformed DNS placeholders:
- KEYCLOAK_URL collapsed location-code + sovereign-domain into <domain> and
  used Application namespace `ai-hub` as a Keycloak realm name. Per NAMING §7
  and SECURITY §7, Keycloak realms are per-Org in SME-style or per-Sovereign
  in corporate-style — never per-Application-namespace. Fixed to
  `keycloak.<location-code>.<sovereign-domain>/realms/<org>`.
- ANTHROPIC_BASE_URL and `claude config set api_base` examples used
  `llm-gateway.ai-hub.<domain>/v1` — but NAMING §5.2 establishes
  Application endpoints as `{app}.{environment}.{sovereign-domain}`.
  Fixed to `llm-gateway.<env>.<sovereign-domain>/v1`.

docs/IMPLEMENTATION-STATUS.md confirmed clean: CRD list, surfaces, and
control-plane component list all match canonical docs.

Sweep concern logged for `harbor.<domain>` / `:latest` image patterns
appearing across many platform READMEs — to be addressed in a dedicated
sweep pass rather than asymmetrically here.

Validation log Pass 25 entry added.
2026-04-27 22:22:32 +02:00
hatiyildiz
329a36b54d docs(pass-24): SRE Alertmanager webhook URL form + livekit clean
SRE.md §12 (Alertmanager configuration) webhook URLs at lines 442/451 used
`gitea.<sovereign>.<domain>/...` — the two-segment placeholder is malformed
against NAMING §5.1 which establishes Catalyst control-plane DNS as
`{component}.{location-code}.{sovereign-domain}` (e.g. `gitea.hfmp.openova.io`).
Fixed both webhook URLs to `gitea.<location-code>.<sovereign-domain>/...`.

platform/livekit/README.md: clean — banner correct, integration tables
consistent with bp-cortex voice path.

Validation log Pass 24 entry added.
2026-04-27 22:20:17 +02:00
hatiyildiz
c98b7f32be docs(pass-23): PLATFORM-TECH-STACK §7 categorization split + §10 fictional bp-siem fix
Pass 23 — drift-detection on PLATFORM-TECH-STACK §6-§11 (less-
scrutinized in earlier passes) + platform/litmus.

§7.1 Resource estimates:
- Crossplane was listed under "Catalyst control plane" — but
  Crossplane is per-host-cluster infrastructure per §3.2. Same
  categorization slip pattern as the §3 topology fix in Pass 6.
- Split into:
  * §7.1 (Catalyst-specific only): +SPIRE server row that was
    missing; subtotal corrected to ~11.3 GB. Removed Crossplane.
  * New §7.4 (Per-host-cluster overhead): explicit breakdown for
    Cilium / Flux / Crossplane / cert-manager / ESO / Kyverno /
    Trivy / Falco / Harbor / MinIO / Velero / small operators.
    Subtotal ~8.8 GB per host cluster.
- §7.2 heading renamed "Per-Organization vcluster (workload
  regions)" for clarity.

§10 SIEM/SOAR:
- "This pipeline is itself a composite Blueprint (bp-siem)" — but
  bp-siem doesn't exist in §5's composite Blueprint inventory.
  The SIEM pipeline is a COMPOSITION of existing Application
  Blueprints (Strimzi + OpenSearch + ClickHouse + bp-specter on
  top of per-host-cluster Falco/Trivy/Kyverno), not a single
  packaged composite.
- Reworded to make the actual composition explicit. Audit-log
  fallback now correctly points at the Grafana stack
  (per-Sovereign observability) rather than implying SIEM is
  required for any audit retention.

platform/litmus/README.md: clean. Banner correct, integration
table consistent (Grafana, Kyverno, Gitea Actions, failover-
controller integrations all match the agreed model).

VALIDATION-LOG: Pass 23 entry added.

Refs #37
2026-04-27 22:15:40 +02:00
hatiyildiz
4e46559e25 docs(pass-22): PERSONAS Environment name fix — drop Sovereign prefix
Pass 22 — drift-detection on PERSONAS-AND-JOURNEYS + platform/librechat.
One real fix.

PERSONAS-AND-JOURNEYS.md §6.3 Environment view example:
- "Environment: bankdhofar-corp-banking-prod" — three-segment form
  implying Sovereign-Org-EnvType. But NAMING-CONVENTION §11.1
  establishes `{org}-{env_type}` — the Sovereign name is NOT in
  the Environment name. The Sovereign is determined by which
  Catalyst console you're logged into.
- This same doc's §4.2 (Layla narrative) explicitly says
  "Their internal Organizations are `core-banking`,
  `digital-channels`, `analytics`, `corporate-it`" — so the Org is
  `core-banking`, and the Environment in that Org for production
  is `core-banking-prod`.
- Fixed example to `core-banking-prod`.

platform/librechat/README.md: clean. The example
`namespace: ai-hub` is a customer-chosen Application namespace
(illustrative; the actual namespace would be the Cortex Application
name, customer-chosen).

VALIDATION-LOG: Pass 22 entry added.

Refs #37
2026-04-27 22:12:01 +02:00
hatiyildiz
a1f3076888 docs(pass-21): BLUEPRINT-AUTHORING §11 CI pipeline aligned with §2 monorepo fan-out
Pass 21 — drift-detection on BLUEPRINT-AUTHORING + platform/langfuse.
One real fix.

BLUEPRINT-AUTHORING.md §11 (CI pipeline):
- Old version showed `on: push # branch: main # tags: vX.Y.Z` — the
  per-Blueprint-repo CI shape that was explicitly rejected when we
  locked Option A (monorepo canonical) in Pass 1.
- §2 already establishes monorepo + path-matrix tag form
  `platform/<name>/v1.2.3` / `products/<name>/v1.2.3`. §11 should
  have matched §2 from the start; this slipped through previous
  passes.
- Rewrote §11: single root-level CI, on.pull_request.paths triggers
  validate, on.push.tags: platform/*/v* | products/*/v* triggers
  build-and-sign with tag-parse → folder-detect → fan-out publish.
  Includes worked example: tagging `platform/wordpress/v1.3.0`
  builds `platform/wordpress/` and publishes
  ghcr.io/openova-io/bp-wordpress:1.3.0.

platform/langfuse/README.md: clean. Banner correct. "Used by:
OpenOva Cortex" is acceptable commercial phrasing alongside the
technical bp-cortex reference.

VALIDATION-LOG: Pass 21 entry added.

Refs #37
2026-04-27 22:09:13 +02:00
hatiyildiz
5f028d1b6a docs(pass-20): SOVEREIGN-PROVISIONING placement YAML + Kyverno label drift
Pass 20 — drift-detection on SOVEREIGN-PROVISIONING + platform/kyverno.
Two real findings.

SOVEREIGN-PROVISIONING.md §8:
- "Existing Applications with `placement: active-active: false,
  single-region` do not migrate automatically" — invalid YAML
  mixing a boolean with an enum. The canonical placement model
  (per GLOSSARY) has `placement.mode: single-region | active-active |
  active-hotstandby`, no boolean toggle.
- Rewrote: "Existing Applications with `placement.mode: single-region`
  ... user explicitly switches Placement to active-active (or
  active-hotstandby) and adds the new region to placement.regions".

platform/kyverno/README.md:
- Policy V5 (minimum-replicas-production) targeted namespaces
  labeled `openova.io/env: production` — out-of-spec label name
  AND value. NAMING-CONVENTION §6 establishes `openova.io/env-type:
  prod` (hyphen-form, short value).
- Fixed to `openova.io/env-type: prod`.

Both findings show the same pattern: schema-level details that
survive grep-based banned-term checks but contradict the canonical
spec when read in body.

VALIDATION-LOG: Pass 20 entry added.

Refs #37
2026-04-27 22:06:24 +02:00
hatiyildiz
c83968877e docs(pass-19): SECURITY + kserve drift sweep — clean
2026-04-27 22:03:48 +02:00
hatiyildiz
b467dc3f3b docs(pass-18): NAMING DR-as-env_type misexample + Keycloak deployment topology
Pass 18 — drift-detection on NAMING-CONVENTION + platform/keycloak.
Two real findings.

NAMING-CONVENTION §11.1:
- The example list of Catalyst Environments included `bankdhofar-dr`
  — but `dr` is NOT a valid env_type. Canonical values per §2.4 are
  prod / stg / uat / dev / poc. DR is a Placement mode
  (active-active / active-hotstandby across regions inside the
  *-prod Environment), not a separate Environment.
- Replaced `bankdhofar-dr` with `bankdhofar-uat` and added an
  explicit "DR is a Placement, not an Env Type" note.

platform/keycloak/README.md:
- Keycloak Deployment YAML example used `namespace: open-banking`
  with 2 replicas — Fingate-specific narrative that contradicted
  the per-Org / per-Sovereign topology stated in the banner.
  Rewrote with two side-by-side examples:
  * shared-sovereign (3 HA replicas, catalyst-keycloak namespace,
    CNPG-backed)
  * per-organization (1 replica in <org> namespace, optional
    embedded DB for smallest SME tier)
- HA section was a single set of claims (2+ replicas, CNPG, Infinispan)
  that only matched corporate. Now branches on topology — corporate
  gets HA + Infinispan, SME gets single replica with restart-on-
  deploy as acceptable for tier SLAs.

Same kind of drift Pass 17 caught in Harbor: banner says one thing,
body still describes the older model. Both fixed.

VALIDATION-LOG: Pass 18 entry added.

Refs #37
2026-04-27 22:00:42 +02:00
hatiyildiz
eff264b077 docs(pass-17): ARCHITECTURE OAM table pipe-fix + Harbor README de-drift
Pass 17 — drift-detection sweep on ARCHITECTURE + harbor. Two real
findings.

ARCHITECTURE §13 (OAM table):
- `| Trait | Blueprint overlay (`overlays/small|medium|large`) |`
  has pipe chars inside backticks inside a Markdown table cell —
  a known GFM rendering hazard. Replaced with comma-separated
  examples.

platform/harbor/README.md:
- The banner added in Pass 9 said "every host cluster runs a
  Harbor instance" but the body still described an older
  "Harbor Primary / Harbor Replica" cross-region replication
  topology. Same shape of architectural drift Pass 7 caught in
  OpenBao/ESO/Gitea/Flux — banner-add doesn't rewrite the body.
- Three sections rewritten:
  * Overview mermaid: now shows upstream-OCI → multiple
    independent per-cluster Harbors with local Trivy scan + local
    Pod pulls.
  * "Multi-Region Replication" → "Per-host-cluster mirroring (NOT
    primary-replica)". Single source of truth = upstream OCI
    (ghcr.io/openova-io/* for Catalyst+Blueprints, customer CI for
    application images), not a "primary Harbor".
  * Example replication policy: was a `dest_registry` cross-region
    push policy → now a pull-mirror policy from ghcr.io with
    scheduled-cron trigger.
- "Why Mandatory" table reframed in per-host-cluster terms.

VALIDATION-LOG: Pass 17 entry added with the specific drift-detection
lesson — banner-addition passes don't catch body-level drift; need
explicit body re-reads.

Refs #37
2026-04-27 21:58:53 +02:00
hatiyildiz
71537d6a9d docs(pass-16): drift-detection sweep — clean (post-convergence routine)
2026-04-27 21:55:19 +02:00
hatiyildiz
b6a374df26 docs(pass-15): final banner sweep — 52/52 platform components covered, convergence achieved
Pass 15 swept all 52 platform/*/README.md files for the role-in-
Catalyst banner. 3 still lacked one (cnpg, flux, strimzi) and got
banners added:

- cnpg (§4.1): production Postgres; underlying engine for FerretDB +
  Gitea metadata.
- flux (§3.2): per-vcluster Flux + host-level Flux for Catalyst
  itself; pulls from single per-Sovereign Gitea.
- strimzi (§4.1): Application-tier event streaming; NOT the Catalyst
  control-plane spine (which uses NATS JetStream). Same upstream-
  tech-different-tier disambiguation pattern as Valkey.

CONVERGENCE: 52 / 52 platform components have role-in-Catalyst
banners. All cross-refs resolve. No banned terms. No architectural
drift detected on this pass.

VALIDATION-LOG: Pass 15 entry + "Convergence achieved (initial
banner sweep)" marker added. The validation loop continues per
the standing instruction — but subsequent passes will be brief
drift-detection sweeps rather than systematic rewrites.

Refs #37
2026-04-27 21:53:27 +02:00
hatiyildiz
9b3211fdee docs(pass-14): banners on workflow / analytics / metering / chaos / valkey (7 components)
Seven more Application Blueprint banners landed:

- temporal (§4.3): durable workflow orchestration; bp-fabric.
- flink (§4.3): stream + batch processing; bp-fabric.
- debezium (§4.2): CDC into Strimzi/Kafka; bp-fabric pipeline source.
- iceberg (§4.4): open table format on MinIO + archival S3.
- openmeter (§4.8): API metering for bp-fingate.
- litmus (§4.9): chaos engineering required by DORA / NIS2.
- valkey (§4.1): banner explicitly states NOT a Catalyst control-
  plane component — control plane uses NATS JetStream KV per
  ARCHITECTURE §5 / GLOSSARY event-spine. Valkey is Application-tier
  caching only. This is the disambiguation that PLATFORM-TECH-STACK
  §1 establishes ("same upstream technology can serve in multiple
  categories") — pinned in the per-component README so it can't be
  misread.

VALIDATION-LOG: Pass 14 entry added.

Refs #37
2026-04-27 21:52:03 +02:00
hatiyildiz
b021aaa57e docs(pass-13): role-in-Catalyst banners on 4 Communication Application Blueprints
All 4 communication components (composing under bp-relay) got role-
in-Catalyst banners pointing at PLATFORM-TECH-STACK §4.5:

- stalwart: JMAP/IMAP/SMTP self-hosted email.
- livekit: WebRTC SFU for video/audio/data; pairs with STUNner.
- stunner: K8s-native TURN/STUN for WebRTC NAT traversal.
- matrix: Matrix protocol via Synapse server. Banner explicitly
  disambiguates "Synapse" as the chat-server implementation, NOT
  the deprecated OpenOva product noun (retired in favor of bp-axon).

All 4 are explicitly Application Blueprints, NOT Catalyst control
plane.

VALIDATION-LOG: Pass 13 entry added.

Refs #37
2026-04-27 21:50:05 +02:00
hatiyildiz
9d95043ccc docs(pass-12): role-in-Catalyst banners on 11 AI/ML Application Blueprints
All AI/ML component READMEs got banners pointing at PLATFORM-TECH-
STACK §4.6 (AI/ML) or §4.7 (AI safety + observability), and noting
composition under bp-cortex (composite AI Hub Blueprint):

- knative: serverless for KServe-managed inference.
- kserve: K8s-native model serving for vLLM, BGE, custom.
- vllm: default LLM inference runtime.
- milvus: vector database for RAG retrieval.
- neo4j: knowledge-graph-augmented retrieval alongside Milvus.
- librechat: default chat surface, fronts LLM Gateway via Guardrails.
- bge: embedding generation + reranking.
- llm-gateway: outbound LLM routing (Claude, GPT-4, vLLM, Axon).
- anthropic-adapter: OpenAI-SDK → Anthropic translation.
- nemo-guardrails: AI safety firewall.
- langfuse: LLM observability (latency, tokens, cost, eval).

All 11 are explicitly Application Blueprints — NOT Catalyst control
plane. Catalyst's own observability stack (Grafana/OTel) covers
infrastructure; LangFuse covers AI-specific dimensions
(prompt/response/eval).

VALIDATION-LOG: Pass 12 entry added.

Refs #37
2026-04-27 21:47:45 +02:00
hatiyildiz
e9514b410d docs(pass-11b): retry banners on failover-controller/trivy/clickhouse/ferretdb (Edit needed Read first)
2026-04-27 21:45:56 +02:00
hatiyildiz
ae540269c4 docs(pass-11): banners on 7 more components + MinIO ILM label disambiguation
7 more component READMEs got role-in-Catalyst banners:

Per-host-cluster infrastructure:
- minio (§3.5): S3 fast-tier; tiers cold to cloud archival.
- velero (§3.5): K8s backup to archival S3 (NOT MinIO — that's
  fast-tier; backups land in cloud archival).
- failover-controller (§3.6): lease-based split-brain protection
  layered on k8gb; pointers to SRE §2.4 (witness pattern) +
  SECURITY §5.2 (OpenBao DR promotion).
- trivy (§3.3): CI + registry + runtime scan chain.

Application Blueprints (NOT control plane):
- opensearch (§4.1): explicitly framed as Application Blueprint —
  installed when an Org wants SIEM / full-text search / log analytics.
- clickhouse (§4.1): used by bp-fabric and SIEM cold-storage tier.
- ferretdb (§4.1): replication piggybacks on underlying CNPG.

MinIO ILM disambiguation:
- The Mermaid diagram had `ILM[Lifecycle Manager]` — confusable with
  the rejected Catalyst sub-product (per banned-terms list).
  Relabeled to `ILM[Information Lifecycle Manager - MinIO ILM]` to
  make clear it's MinIO's own feature, not the deprecated Catalyst
  Lifecycle Manager noun.

VALIDATION-LOG: Pass 11 entry added.

Refs #37
2026-04-27 21:45:28 +02:00
hatiyildiz
5834daec14 docs(pass-10): banners on 7 more components + opentofu active-active drift fix
7 more component READMEs got role-in-Catalyst banners:

- vpa, keda, reloader → per-host-cluster scaling/ops layer (§3.4).
  Reloader specifically calls out its role in Catalyst's secret-
  rotation flow (rolling deploy on K8s Secret hash change).
- external-dns → per-host-cluster DNS-sync (§3.1); pairs with k8gb
  for the GSLB zone separation.
- coraza → DMZ-block WAF on every host cluster (§3.1).
- crossplane → per-Sovereign on the management cluster (§3.2);
  banner explicitly emphasizes the agreed "never a user-facing
  surface" rule (Users don't write Compositions in Application
  configs; Blueprint authors and advanced contributors do). Cross-
  references the no-fourth-surface clause in ARCHITECTURE §4/§7
  and the Crossplane Composition section in BLUEPRINT-AUTHORING §8.
- opentofu → repositioned as Phase-0-only, runs on
  `catalyst-provisioner` only, NOT installed on host clusters at runtime.

opentofu drift fixes (uncovered by line-by-line read):
- Section 5 line 182: "Bootstrap Wizard prompts for cloud credentials"
  → "Catalyst Bootstrap (Phase 0) prompts for cloud credentials"
  (banned term).
- Same section line 186: "ESO PushSecrets sync to both regional
  OpenBao instances" — the active-active drift Pass 7 corrected
  elsewhere, still here. Replaced with "writes go to the primary
  OpenBao region only; replicas pick up via async perf replication".

VALIDATION-LOG: Pass 10 entry added.

Refs #37
2026-04-27 21:43:45 +02:00