Core repo preparation is in place, but the pre-deploy hardening pass is still in progress. The static/IPFS publish path, monitoring assets, WordPress deployment material, and container scaffolding all exist, but production deployment should wait until the immediate backlog below is closed.
See TOPOLOGY.md for the architecture diagram and completion dashboard.
- Rotate, or confirm removal of, any local secret-like reference values before sharing or exporting the repo. Deleting a value from the working tree does not remove it from git history, so anything that was ever committed should be rotated rather than just deleted.
- Run one complete end-to-end dry run of `just validate`, the monitoring export, the IPFS publish, and the Verpex deployment steps with non-production credentials.
- Apply the Cloudflare Terraform changes for `ipfs.nuj-lcb.org.uk` and confirm the Web3 gateway subscription is active in the target account.
- Reconcile service hostname naming across docs and infra, especially `chat` versus `zulip`, the `plus` conference host, `stfp`, and `office`.
- Validate the new origin-side governance MU-plugin on the Verpex/Varnish stack, provision `SINOPLE_CAPABILITY_SECRET`, and only then decide whether the optional Cloudflare `/api/*` worker is worth enabling.
- Align the public site contact details and role addresses with the current redirect matrix before cutover.
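The first backlog item above (rotate or remove secret-like values) is worth automating before any export. The script below is an added example and not part of the repo: the file names and contents it scans are constructed, the variable names other than `SINOPLE_CAPABILITY_SECRET` are assumptions, and the entropy threshold is a heuristic rather than a rule the repo defines.

```python
"""Pre-export secret scan.

Added example, not the repo's own tooling: it walks a set of files and reports
values that look like live secrets, so they can be rotated or removed before
the repo is shared.  File names and contents below are constructed; the
variable SINOPLE_CAPABILITY_SECRET is the one the backlog names, and the
entropy threshold is this example's assumption.
"""
import math
import re
from collections import Counter

# Assignment-style secrets: env/tfvars lines and WordPress wp-config.php define()s.
ASSIGNMENT_RES = (
    re.compile(
        r"^\s*(?:export\s+)?(?P<name>[A-Za-z_][A-Za-z0-9_]*"
        r"(?:secret|token|password|passwd|api_key|private_key|salt))"
        r"\s*[=:]\s*[\"']?(?P<value>[^\"'\s#]+)",
        re.IGNORECASE,
    ),
    re.compile(
        r"define\(\s*[\"'](?P<name>[A-Z0-9_]*(?:KEY|SALT|SECRET))[\"']"
        r"\s*,\s*[\"'](?P<value>[^\"']+)[\"']"
    ),
)
# Fixed shapes that are secrets wherever they appear on a line.
SHAPE_RES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# Template values that are safe to ship (the last one is WordPress's default salt text).
PLACEHOLDERS = {"changeme", "change-me", "replaceme", "todo", "xxx", "redacted",
                "example", "put your unique phrase here"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex is near 4.0, English words around 2 to 3."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    """CHANGEME, ${VAR}, {{ var }} and <fill-in> style values are not findings."""
    v = value.strip().strip("\"'").lower()
    return v in PLACEHOLDERS or v.startswith(("${", "{{", "<"))


def scan_text(path: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in SHAPE_RES.items():
            if rx.search(line):
                findings.append({"path": path, "line": lineno, "kind": kind, "name": None})
        for rx in ASSIGNMENT_RES:
            m = rx.search(line)
            if m and not is_placeholder(m.group("value")):
                value = m.group("value")
                findings.append({
                    "path": path, "line": lineno, "kind": "secret_assignment",
                    "name": m.group("name"),
                    # Length plus entropy separates a pasted key from a short label.
                    "high_entropy": len(value) >= 16 and shannon_entropy(value) >= 3.0,
                })
    return findings


def scan_files(files: dict) -> list:
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample tree: two placeholders (ignored), one live-looking API
# token, one AWS-shaped access key id, and one private key header.
SAMPLE_FILES = {
    ".env.example": "SINOPLE_CAPABILITY_SECRET=CHANGEME\nWP_DEBUG=false\n",
    "wp-config.php": "define('AUTH_KEY', 'put your unique phrase here');\n",
    "infra/terraform.tfvars": 'cloudflare_api_token = "8f3a91c2d4e6b7a0f1c2d3e4a5b6c7d8"\n',
    "docs/deploy-notes.md": "Old access key AKIAIOSFODNN7EXAMPLE still referenced here.\n",
    "keys/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['name'] or ''}".rstrip())
```

To run it over a real checkout, replace `SAMPLE_FILES` with a walk of the working tree (and, for the history caveat above, of `git log -p` output). Every finding is a candidate for rotation, not just deletion.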
- Deploy WordPress 6.9 on Verpex cPanel with the Sinople theme, php-aegis, and all plugins.
- Configure Cloudflare DNS (A records), SSL/TLS encryption mode Full (strict), WAF, Bot Fight Mode, and HTTP/3. Full (strict) requires the Verpex origin to present a certificate Cloudflare can validate (publicly trusted or Cloudflare Origin CA), so provision that before switching the mode.
- Publish the IPFS fallback with Pinata + DNSLink, then finish the Cloudflare Web3/custom hostname configuration for direct browser access.
- Create all WordPress pages from the `content/pages/` and `content/policies/` markdown.
- Security hardening: Wordfence 2FA, security headers (A+ on securityheaders.com), encrypted backups. Check the headers on the origin as well as through Cloudflare, since the Varnish and LiteSpeed layers can strip or duplicate them.
- Members area: bbPress forum (4 forums), Members plugin with the `nuj_member` role, privacy-first defaults.
- LiteSpeed Cache: TTLs matching the Varnish VCL rules, Redis object cache if available, WebP image optimisation.
- Email: WP Mail SMTP via Verpex SMTP or a transactional service.
- `.well-known` files served correctly with AIBDP consent enforcement.
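The "A+ on securityheaders.com" target above is easier to hit if the check can be run locally against saved `curl -sI` output from both the origin and the Cloudflare edge. The following is an added example, not the project's tooling and not securityheaders.com's actual grader: it approximates that grading with the six headers the site reports on plus stack disclosure, and the thresholds and both header sets are constructed assumptions.

```python
"""Security-header check for the origin and the Cloudflare edge.

Added example, not the project's own tooling.  It approximates what
securityheaders.com grades (the six response headers below plus stack
disclosure) so the hardening pass can be verified offline against saved
`curl -sI` output.  Thresholds and the two header sets are this example's
constructed assumptions.
"""
import re

REQUIRED = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)
# Headers that only advertise the stack; strip them at the origin or the edge.
DISCLOSING = ("server", "x-powered-by")
ONE_YEAR = 31536000


def parse_raw_headers(raw: str) -> dict:
    """Turn `curl -sI` output into a lower-cased header map (status line skipped)."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def csp_directive(csp: str, name: str):
    """Return the value of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return " ".join(tokens[1:])
    return None


def check_headers(headers: dict) -> list:
    h = {k.lower(): v for k, v in headers.items()}
    problems = [f"missing {name}" for name in REQUIRED if name not in h]

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (m is None or int(m.group(1)) < ONE_YEAR):
        problems.append("strict-transport-security max-age is below one year")

    csp = h.get("content-security-policy", "")
    if csp:
        # script-src falls back to default-src; a nonce or hash makes 'unsafe-inline' inert.
        scripts = csp_directive(csp, "script-src") or csp_directive(csp, "default-src") or ""
        if "'unsafe-inline'" in scripts and "'nonce-" not in scripts and "'sha" not in scripts:
            problems.append("content-security-policy script-src allows 'unsafe-inline'")

    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        problems.append(f"x-frame-options has unexpected value {xfo!r}")
    xcto = h.get("x-content-type-options", "")
    if xcto and xcto.lower() != "nosniff":
        problems.append("x-content-type-options is not nosniff")

    problems += [f"{name} discloses {h[name]!r}" for name in DISCLOSING if name in h]
    return problems


# Constructed header sets: a stock WordPress/LiteSpeed response and a hardened one.
WEAK = {
    "Server": "LiteSpeed",
    "X-Powered-By": "PHP/8.2.0",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-d1e2f3'; "
                               "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_headers(hdrs) or "ok")
```

Feed `parse_raw_headers` the output of `curl -sI https://origin-host/` and of the same path through Cloudflare; the two lists should be empty and identical, otherwise one layer is adding or stripping something.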
- Build and verify the Cerro Torre manifest (`infra/wordpress.ctp`) using Chainguard wolfi-base; capture the SBOM and in-toto attestation artifacts.
- Switch to signed containers: `cerro-torre sign` with Ed25519 (Dilithium5, standardised as ML-DSA-87 in FIPS 204, when available).
- Deploy via `selur-compose.yml` with the svalinn gateway + vordr runtime.
- Wire the feedback-o-tron MCP integration into the incident pipeline.
- Expand the automation router + robot automaton triggers.
- Migrate policy hashes from SHA-256 to a FIPS 202 (SHA-3 family) hash. The backlog names "SHAKE3-512", which is not a FIPS 202 algorithm name: settle on SHA3-512 or SHAKE256 with a 512-bit output, and tag stored hashes with the algorithm so both old and new records verify during the transition.
- Implement Ed448 + Dilithium5 (ML-DSA-87, FIPS 204) hybrid signatures for CTP manifests; the hybrid must require both signatures to verify, not either one.
- Add Kyber-1024 (ML-KEM-1024, FIPS 203) post-quantum key exchange.
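The hash migration item above is the one a practitioner can exercise today with nothing but the standard library, and it also settles the naming question. The example below is added here and is not repo code: it stores each policy hash as an algorithm-tagged `alg:hex` record (an assumed format, not the repo's), supports both readings of the backlog item (SHA3-512 and SHAKE256 truncated to 512 bits), and refuses to re-hash a policy whose legacy SHA-256 record no longer matches. The policy text is constructed.

```python
"""Policy-hash migration with algorithm-tagged digests.

Added example, not repo code.  FIPS 202 standardises the fixed-length SHA-3
hashes (SHA3-224 through SHA3-512) and the SHAKE128/SHAKE256 XOFs; "SHAKE3-512"
is not one of its names.  The example therefore supports both readings,
SHA3-512 and SHAKE256 truncated to 512 bits, stores each hash as "alg:hex"
(an assumed record format, not the repo's), and only re-hashes a policy
after its legacy SHA-256 record verifies.
"""
import hashlib
import hmac

LEGACY_ALG = "sha256"
TARGET_ALG = "sha3-512"          # the FIPS 202 fixed-length choice
ACCEPTED_DURING_MIGRATION = frozenset({LEGACY_ALG, TARGET_ALG, "shake256-512"})


def digest_hex(alg: str, data: bytes) -> str:
    if alg == "sha256":
        return hashlib.sha256(data).hexdigest()
    if alg == "sha3-512":
        return hashlib.sha3_512(data).hexdigest()
    if alg == "shake256-512":
        # SHAKE256 is an XOF; asking for 64 bytes gives a 512-bit digest.
        return hashlib.shake_256(data).hexdigest(64)
    raise ValueError(f"unsupported hash algorithm {alg!r}")


def tag(alg: str, data: bytes) -> str:
    """Self-describing record, so a verifier knows which function to recompute."""
    return f"{alg}:{digest_hex(alg, data)}"


def verify(record: str, data: bytes, accepted=ACCEPTED_DURING_MIGRATION) -> bool:
    alg, sep, hexdigest = record.partition(":")
    if not sep or alg not in accepted:
        return False
    # Constant-time comparison by habit, even though these digests are public.
    return hmac.compare_digest(digest_hex(alg, data), hexdigest.lower())


def migrate(record: str, data: bytes) -> str:
    """Re-hash with the target algorithm only if the legacy record still matches."""
    if not record.startswith(LEGACY_ALG + ":"):
        return record  # already migrated or unknown; leave it for verify() to judge
    if not verify(record, data, accepted={LEGACY_ALG}):
        raise ValueError("legacy hash does not match the policy text; refusing to migrate")
    return tag(TARGET_ALG, data)


def shake_is_prefix_consistent(data: bytes) -> bool:
    """XOF property: a shorter SHAKE256 output is a prefix of a longer one,
    which is why a truncated SHAKE digest must always record its length."""
    return hashlib.shake_256(data).hexdigest(16) == digest_hex("shake256-512", data)[:32]


# Constructed policy document standing in for a file under content/policies/.
POLICY = b"# Privacy policy\n\nMember data is processed only for union business.\n"
LEGACY_RECORD = tag(LEGACY_ALG, POLICY)

if __name__ == "__main__":
    new_record = migrate(LEGACY_RECORD, POLICY)
    print(LEGACY_RECORD)
    print(new_record)
    print("legacy still accepted after cutover:",
          verify(LEGACY_RECORD, POLICY, accepted={TARGET_ALG}))
```

After every record has been migrated, shrink `accepted` to `{TARGET_ALG}` so a stale SHA-256 record is rejected rather than silently trusted; the `shake256-512` branch is there to show that the two candidate algorithms produce different digests and are not interchangeable.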
- Harden monitoring: UptimeRobot, the Wordfence alerting pipeline, LiteSpeed Cache dashboards.
- Security audit: panic-attack assail + echidna proofing.
- Keep the `.machine_readable/6a2/` metadata updated after every session.
- Update the `TOPOLOGY.md` completion dashboard when components change.
- Ensure `contractiles/must/Mustfile` passes all checks before releases.
- Run `runhaskell contractiles/trust/Trustfile.hs` for crypto verification.
- Document how to run `just validate` and `ct pack`, and the consent/bot handoff requirements.