Production Checklist
Alpha
These guidelines apply to alpha deployments. Production SLAs and guarantees will be defined before general availability.
Before deploying auditors to production, ensure your images meet the Lucid security requirements.
Auditor Image Requirements
1. Notarized Images
In production, the Lucid platform refuses to run auditors that are not cryptographically notarized.
- Run
lucid auditor publishfor every custom auditor image - Verify the image digest matches the one registered in the Lucid Verifier
lucid auditor publish my-auditor:v1Pushing image to registry...
Registering digest with Verifier...
[+] Auditor published and notarized.
Registering digest with Verifier...
[+] Auditor published and notarized.
2. Compliance Verification
Before publishing, verify your auditor meets the Lucid Standard:
lucid auditor verify my-auditor:v1[+] Basic labels found.
[+] Compliance probe successful!
[*] Verification complete. Auditor is compliant.
[+] Compliance probe successful!
[*] Verification complete. Auditor is compliant.
3. Non-Root Execution
- Ensure your Auditor
Dockerfileuses a non-root user (UID > 1000)
# Example Dockerfile
FROM python:3.12-slim
# Create non-root user
RUN useradd -m -u 1001 appuser
USER appuser
WORKDIR /app
COPY --chown=appuser:appuser . .
RUN pip install --user lucid-auditor-sdk
CMD ["python", "main.py"]
Hardware Verification
AI Passport Verification
After deploying your agent, verify that attestation is working:
- Deploy a test workload
- Verify that the returned AI Passport shows
hardware_attested: true - Ensure the signature chain reflects the hardware manufacturer's certificate (Intel/AMD)
lucid passport show <passport-id>Passport ID: pass-001
Hardware Attested: true
TEE Type: AMD SEV-SNP
Signature: Valid (AMD Root CA)
Hardware Attested: true
TEE Type: AMD SEV-SNP
Signature: Valid (AMD Root CA)
Monitoring Setup
Log Monitoring
- Connect your agents to the Lucid Observer dashboard
- Verify that audit logs for blocked/redacted requests appear in real-time
Access the Observer dashboard at https://observer.lucid.sh.
Network & Ingress
- Configure TLS certificates for all public endpoints
- Enable TLS passthrough for data-plane ingress (zero-trust requirement)
- Apply default-deny network policies with explicit allow rules per service
- Verify mTLS between all data-plane pods
Secrets Management
- Generate unique JWT secrets (
LUCID_JWT_SECRET,LUCID_RESET_SECRET,LUCID_VERIFY_SECRET) - Store secrets in a Kubernetes Secret (not in config maps or environment YAML)
- Rotate API keys and internal service tokens before go-live
- Never commit secrets to version control
Backup & Recovery
- Configure automated database backups (PostgreSQL
pg_dumpCronJob) - Test restore procedure before go-live
- Review the Disaster Recovery Runbook (
deploy/infrastructure/backup/DISASTER_RECOVERY.md)
Scaling
- Set Horizontal Pod Autoscalers (HPA) for Verifier and Observer
- Configure Pod Disruption Budgets (PDB) for critical services
- Right-size GPU nodes for your model inference workload
CI/CD
- Add
lucid auditor verifyto your CI pipeline for custom auditors - Add
lucid policy validatefor Cedar policy files - Use
lucid diff -f env.yamlto preview changes before applying
Cedar Policies
- Validate all Cedar policies with
lucid policy validate - Test policies with sample claims using
lucid policy test - Push policies to deployment with
lucid policy push
Support
For assistance with production deployments, contact the Lucid Engineering team at [email protected].