Brac POC — consolidated demo plan

Single consolidated demo plan for BRAC Bank — merged requirements from the original 9-section email and the v2 demo-scope PDF, with delivery, sequencing, and the live demo flow.

This page consolidates the two BRAC source documents into one plan: the requirements, the architecture, what we reuse vs build, the per-item delivery, the phase sequencing, and the live demo flow.

Operating principle:

Demo apps run on OpenShift (spoke-dc-v6). Not on the docker-runtime-vm we built earlier for the broader app-dev path.
dc-lab platform VMs are reused as-is. SigNoz, DefectDojo, Kafka KRaft, Redis Sentinel, WSO2 APIM/IS, Jenkins, GitLab, Nexus, Trivy — no Helm/operator rebuild of services that already run on lab VMs.
New work is OCP-side: the demo apps + Service Mesh + OTel collector + integration glue (ESO bindings, Routes, NetworkPolicies, mesh canary, the few new operators).
The live demo is browser-driven. A single-page app (“BRAC POC Demo Dashboard”) served by the MFE Router has one panel per demo requirement. Each panel triggers the actual backend action (canary calls, mTLS verify, Redis primary kill, trace storm, Nexus pull) and renders the result inline. Native admin UIs (Kiali, SigNoz, WSO2 Publisher, DefectDojo, RHACS) are linked or iframed from the SPA; no terminal walls during the demo.

The two source documents (preserved verbatim for the audit trail):

Requirements email — the 9-section tender qualifying scope.
v2 Demo-Scope PDF (received 2026-05-11) — 8-item live-demo subset, adds Service Mesh + mesh canary, includes the MFE/BFF reference architecture image.

Merged requirements

The union of both documents, deduplicated, priority-ordered for the live demo. Live-demo priorities come from the v2 PDF; the rest are tender-qualifying scope from the original email.

#	Component	Source	Priority
1	API Gateway (WSO2 APIM, distributed CP/DP split, HA, external DBs, policies, IS as Identity Key Manager)	both	Demo
2	IAM (WSO2 IS, SAML + OIDC SSO, Identity Federation, hardening)	both	Demo
3	Service Mesh + mTLS (“Comply MTLS” — strict mTLS between services)	v2 PDF only — NEW	Demo
4	Canary deployment via service mesh (replaces the original email’s NGINX header-canary)	v2 PDF (replaces email §8)	Demo
5	Observability + Kafka (HIGH PRIORITY) — OTel SDK + non-SDK, OTel→Kafka→SigNoz, trace sampling + log filtering + metrics routing, ClickHouse hot/cold, 4 dashboards (app perf, .NET runtime, system, tracing)	both	Demo (HIGH)
6	Redis HA (Sentinel topology, hard-kill failover with mock client reconnect — reused from the existing dc-lab VM Sentinel cluster; mock client runs on OCP)	both	Demo
7	SigNoz (the existing observability backend; explicitly named in v2)	both	Demo
8	Nexus OSS (multi-format repos — Maven, PyPI, npm, Docker — three-endpoint split with HA + Backup)	both	Demo
9	MFE Router + BFF Router + layered TLS (per the v2 architecture diagram: User → MFE Router → WSO2 API GW → BFF Router → Mesh → Identity → Product, with two TLS-terminate hops)	v2 PDF only — NEW	Demo (architectural)
10	Open Liberty demo workloads (in-mesh services with MicroProfile health + metrics)	email §8 (NGINX canary removed, mesh canary replaces)	Demo
11	OpenShift Platform foundation (Terraform 3-node cluster, ODF Block + Object)	email §1	Tender
12	Compliance Operator + PCI-DSS scan + remediation report	email §1	Tender
13	RHACS Critical-vuln deployment-block policy	email §1	Tender
14	Prometheus/Grafana custom alerts + Loki log forwarding (System + Infrastructure + Audit to external)	email §1	Tender
15	Trivy SCA + SBOM single dashboard	email §5	Tender
16	GitLab + Jenkins + ArgoCD chain (HA + DC-DR, monorepo conditional builds, hybrid CD)	email §4	Tender
17	Kafka Schema Registry + Connect + DLQ (the Kafka cluster itself is item 5)	email §7	Tender
18	JBoss EAP managed domain	email §9	Tender

Original email also mentions “Support Service for 13 Products” but the PDF is truncated at section 9 — sections 10-13 are not captured. Open question to BRAC.

Architecture (consolidated)

The v2 PDF’s reference image translated to OCP + dc-lab terms:

User (browser)
  │ HTTPS (TLS terminate #1 — OCP Route + cert-manager)
  ▼
MFE Router  ── serves ── ► BRAC POC Demo Dashboard (SPA)
  │                          │   one panel per demo req
  │ HTTP                     │   (canary control, redis kill,
  ▼                          │   mTLS verify, trace storm, etc.)
WSO2 API GW              ◀──┘
  │ HTTPS (TLS terminate #2 — existing WSO2 VM, lab CA)
  ▼
BFF Router  ── exposes ── ► /demo/* endpoints (canary, mtls-check,
  │                          redis-kill, trigger-traces, nexus-pull)
  │ HTTP
  ▼
Mesh boundary ─────┐
  │ mTLS strict    │
  ▼                │
Identity ◀────── WSO2 IAM (lateral, token introspection / authz callout — existing WSO2 IS VM)
  │ mTLS           │
  ▼                │
Product            │
  │                │
  └─[mesh observability sidecars → OTel Collector → existing Kafka VMs → existing SigNoz VM + ClickHouse]

Pieces and their hosts:

Layer	Component	Host
Edge TLS	OCP Route + cert-manager + lab CA	`spoke-dc-v6`
MFE Router	NGINX `Deployment` (serves the SPA static bundle + reverse-proxies API calls)	`brac-demo-frontend` ns on spoke-dc-v6
Demo Dashboard SPA	Static React app (or Astro static build) with one panel per demo req	`brac-demo-frontend` ns — served by the MFE Router
API Gateway	WSO2 APIM (existing distributed CP/DP setup)	dc-lab WSO2 VMs
BFF Router	Node or Liberty `Deployment` exposing `/demo/*` endpoints for the SPA	`brac-demo-frontend` ns
Mesh data plane	OSSM 3 ambient	`brac-demo-services` ns (label `istio.io/dataplane-mode=ambient`)
Identity service	Open Liberty `OpenLibertyApplication` v1+v2 (canary’d)	`brac-demo-services` ns
Product service	Open Liberty `OpenLibertyApplication`	`brac-demo-services` ns
IAM (authz callouts)	WSO2 IS (existing)	dc-lab WSO2 IS VM
Trace + log pipeline	OTel Collector (Gateway) → Kafka → SigNoz	Collector on `brac-demo-otel` ns; Kafka + SigNoz on existing dc-lab VMs

The BRAC POC Demo Dashboard (SPA)

A single browser app is the demo cockpit. The evaluator opens one URL and clicks through eight tabs. Each tab triggers real backend calls against the actual demo stack and renders the result inline. Native admin UIs (Kiali, SigNoz, WSO2 Publisher, DefectDojo, RHACS, OCP console) are either iframed inside a panel or opened in a new tab via a button — so the SPA stays the orchestrating surface, not the only surface.

Stack: React 18 (or static Astro build for parity with the zahid blog) + Tailwind. Diagrams reuse @xyflow/react (Whiteboard) for the mesh request graph. Live charts via Recharts. WebSocket or Server-Sent Events for live updates (Redis primary changes, request streams).

Served by: MFE Router (NGINX) as a static bundle at /. API calls go through the MFE Router’s reverse-proxy to the BFF Router’s /demo/* endpoints.

Panels (one per v2 demo requirement):

Tab	What you see in the browser	What it actually does	Backend it touches
1. API Gateway	”Try the sample API” button → response viewer with status, latency, full request/response. Inline link “Open WSO2 Publisher” button.	Calls a published API on the WSO2 API GW with a demo key.	dc-lab WSO2 APIM.
2. IAM	Current-user panel: name, claims, token expiry, federated source. Buttons: Logout, Re-login (SAML), Re-login (OIDC), Switch IdP.	OIDC + SAML SP flows against WSO2 IS. Token introspection on every render.	dc-lab WSO2 IS.
3. Service Mesh + mTLS	Live request graph (React Flow) of the mesh — identity → product nodes with green edges when mTLS verified, red when not. “Verify mTLS now” button.	BFF calls a backend helper that runs the equivalent of `istioctl authn tls-check` via Istiod’s API and returns MUTUAL / PERMISSIVE / NONE per edge.	OSSM control plane on spoke-dc-v6.
4. Canary via mesh	Slider 0-100% to set v1/v2 split. “Send 100 requests” button. Live bar chart counting v1 hits vs v2 hits as they arrive. Header toggle “x-canary: beta” for sticky-to-v2.	SPA fires 100 parallel `fetch()` calls to identity-svc. The Istio VirtualService routes per the slider’s setting (BFF dynamically updates the VS via Kubernetes API, or the slider just maps to the canary header).	identity-svc v1 + v2 + Istio VirtualService.
5. Observability + Kafka (HIGH PRIORITY)	“Trigger 50 traces” button → fires varied requests (some error, some slow, some OK). Inline iframe of the SigNoz “service map” view scoped to the BRAC services. Buttons: open .NET runtime dashboard, app perf, system, tracing — each in a new tab.	SPA fires requests through BFF → mesh → identity → product. Traces propagate through Istio→OTel Collector→Kafka topics→SigNoz. ClickHouse queries surface in the SigNoz iframe.	OTel Collector + existing Kafka + existing SigNoz.
6. Redis HA	Status panel: current primary host (live, polling), replica health. Live read/write rate counter (driven by a background trickle of dummy ops). Big red button “Hard-kill primary”. Watch primary swap, counter dip, recovery.	BFF exposes `POST /demo/redis/kill-primary` that runs `redis-cli -h <primary> DEBUG SEGFAULT` over the lab `/24`. Background polling via Sentinel `+switch-master` topic detects the swap.	existing Redis Sentinel VMs.
7. SigNoz	Iframe of the SigNoz dashboards (4 tabs) or four large “Open dashboard” cards.	SigNoz itself, browser-native.	existing SigNoz VM.
8. Nexus OSS	List of demo artifacts across Maven/PyPI/npm/Docker. “Pull this” buttons → backend performs the pull from Nexus, returns digest + size + format-specific metadata. Inline iframe of the Nexus browse UI.	BFF calls Nexus REST API (and shells out to `mvn`/`npm`/`docker pull` in a sandbox pod for the real-format demo).	existing Nexus three-endpoint split.

Tender-item tour (bottom of the SPA): smaller cards linking out to the native UIs — Compliance scan results (OCP console), RHACS policy violations (RHACS UI), DefectDojo SBOM view, the BRAC monorepo + Jenkins build page (GitLab + Jenkins UIs), JBoss admin console (port 9990).

Why one SPA, not one app per panel: the evaluator gets a single mental model — open the URL, walk top-to-bottom. The story is the SPA itself, not the cobbled tooling underneath. Every panel renders live data, so the demo is always real-time, not pre-recorded.

Target environment

Plane	Host	Status
OpenShift demo plane (new namespaces)	`spoke-dc-v6`	Existing cluster; new namespaces only
dc-lab platform plane	dc-lab VMs (HAProxy / PDNS / MinIO / Vault / Nexus / GitLab / Jenkins / SigNoz + ClickHouse / Kafka KRaft / Redis Sentinel / WSO2 APIM + IS / Trivy / DefectDojo)	Existing; reused as-is, no rebuild
Hub control plane	`hub-dc-v6` (ACM + GitOps pull control plane)	Existing
Bootstrap automation	`scripts/rebuild/` (profile-aware after #244)	Existing; demo’d as the “Terraform 3-node automation” requirement

New tenant namespaces created for the POC, on spoke-dc-v6:

brac-demo-frontend — MFE Router, BFF Router, optional demo SPA.
brac-demo-services — in-mesh Open Liberty demo services (Identity, Product), OSSM ambient.
brac-demo-otel — OTel Collector (Gateway).
brac-demo-jboss — planned JBoss EAP managed-domain demo (separate from mesh services). For the delivered bank-employees chat implementation, see JBoss Chat app.
brac-demo-evidence — scratch / artifacts during the live demo.

Reuse vs build matrix

Component	Reuse from dc-lab (as-is)	Build new for POC
API Gateway (WSO2 APIM)	WSO2 APIM CP/DP VMs + their DB backends (per ADR 0008)	OCP-side: ESO secret pulling APIM admin/key Manager credentials from Vault; demo SP and OIDC client registrations
IAM (WSO2 IS)	WSO2 IS VM with existing SAML + OIDC + Federation setup	Demo SP webapp, demo OIDC client, demo Federation IdP source registration
Service Mesh + mTLS	OSSM 3 ambient mode already installed on spoke-dc-v6 (DEV-OCP-1.4 #178)	Scope to `brac-demo-services`; `PeerAuthentication.mtls.mode=STRICT`; Kiali dashboard scoped view
Mesh canary	None — new pattern (replaces NGINX header-canary from email §8)	`VirtualService` + `DestinationRule` with header-based override (`x-canary: beta` → v2) + 90/10 default split
Observability + Kafka	Kafka KRaft VMs (kafka-0/1/2, ADR 0007), SigNoz VM (signoz-0) + ClickHouse, NooBaa OBC pattern for cold archive	OTel Collector (Gateway) on `brac-demo-otel` with `tail_sampling` + `filter` + `routing` processors; sample microservice (.NET preferred) with + without SDK; 4 dashboards (app perf, .NET runtime, system, tracing) authored in SigNoz
Redis HA	Redis Sentinel VMs (ADR 0006) — used as-is for the demo	OCP-side mock client only — a small `Deployment` in `brac-demo-evidence` that uses `redis-py` `Sentinel` to connect to the lab Sentinel pool; demonstrates client reconnect after a VM-side hard-kill. No new Redis on OCP.
SigNoz	SigNoz VM with ClickHouse + retention	None — the four BRAC dashboards are authored against the existing SigNoz
Nexus OSS	Existing Nexus three-endpoint split (`mirror-registry` / `docker-group` / `app-registry`, ADR 0019)	None — demo the existing setup
MFE Router + BFF Router	None	NGINX `Deployment` for MFE (serves the SPA + reverse-proxies API); Node `Deployment` for BFF exposing `/demo/*` endpoints; cert-manager Route at the edge
Demo Dashboard SPA	None	New React + Tailwind SPA in `brac-demo-frontend` with 8 panels (API GW, IAM, Mesh+mTLS, Canary, Observability, Redis, SigNoz, Nexus). Static bundle served by NGINX. React Flow for the mesh graph, Recharts for live counters, SSE for live primary/swap updates.
Open Liberty demo apps	Open Liberty Operator + Liberty hello-world (DEV-OCP-5.1 #200)	`identity-svc` v1 + v2 (canary’d) + `product-svc`, all `OpenLibertyApplication` CRs with MicroProfile features enabled
OpenShift platform foundation	spoke-dc-v6 cluster, ODF (Block + Object), all baseline operators	Walkthrough of `scripts/rebuild/` Terraform/Ansible as the “automation” demo (no fresh cluster needed)
Compliance / PCI-DSS	ScanSettingBinding `ocp4-pci-dss-4-0` already running on spoke-dc-v6 (ADR 0020)	Filtered view of latest ComplianceCheckResult + ComplianceRemediation, exported as a report artifact
RHACS critical-block	RHACS Central + Sensor + Scanner V4 already running	Policy scoped to `brac-demo-*` namespaces; intentionally-vulnerable image triggers scale-to-zero
Prom alerts + Loki forwarding	Cluster Observability Operator + LokiStack + ClusterLogForwarder already running	Three BRAC-scoped `PrometheusRule` CRs; ClusterLogForwarder output to an external mock destination
Trivy SCA + SBOM dashboard	Trivy server VM, DefectDojo VM, today’s Jenkins pipeline `templates/jenkinsfiles/trivy-defectdojo-import.groovy` (commit b84037c)	Extend pipeline to add `--format cyclonedx` SBOM stage; DefectDojo product with SCA + SBOM engagements side-by-side
GitLab + Jenkins + ArgoCD chain	GitLab VM, Jenkins single VM (ADR 0009), ArgoCD instances (hub + spoke-local)	BRAC monorepo (`apps/brac-payment-api/`, `apps/brac-risk-engine/`) + conditional Jenkinsfile + hybrid CD pipeline; DC-DR as documented procedure + rehearsed restore
Kafka Schema Registry + Connect + DLQ	Kafka KRaft VMs	Schema Registry (Apicurio) deployed alongside Kafka or on OCP as a client; Kafka Connect with mock Source/Sink + DLQ topic
JBoss EAP managed domain	None (not in dc-lab)	EAP Operator on OCP, Domain Controller + Host Controller StatefulSets + 2 Server Groups in `brac-demo-jboss`

Phase sequencing

Block A items are reuse-walkthroughs (no new code; just narration + screencasts). Block B is the actual build work, sequenced so highest-priority demo items land first. The Demo Dashboard SPA runs as a parallel track from P1 onward — each backend capability ships with its SPA panel ready.

Phase	Wall-clock	What lands	Demo’able by end
P0: Block A foundation walkthroughs	Day 1-2	Cluster provisioning narrative + ODF + Compliance + RHACS + Prom alerts + Loki forwarder, all with BRAC-scoped views applied	Cluster + compliance + RHACS + log forwarding demos (linked from the SPA later)
P1: Observability + Kafka pipeline + SPA scaffold (HIGH PRIORITY)	Day 3-5	OTel Collector deployed; sample microservice w/+w/o SDK; pipeline OTel→Kafka→SigNoz wired; 4 dashboards authored. SPA scaffold + panel 5 (Observability) shipped.	Hit “Trigger 50 traces” in the SPA → traces appear in the embedded SigNoz iframe
P2: Service Mesh + mTLS + canary + SPA panels 3-4 (v2 priority)	Day 5-7	OSSM scoped; STRICT mTLS; VirtualService canary on identity-svc v1/v2; Istio→OTel trace export. SPA panels: Mesh+mTLS (live React Flow graph), Canary (slider + bar chart).	Live canary slider in the SPA drives traffic shift; Kiali iframe shows mesh; “Verify mTLS now” button returns MUTUAL
P3: MFE + BFF + WSO2 wiring + SPA panels 1-2	Day 7-10	MFE Router (NGINX edge serving the SPA), BFF Router (`/demo/` endpoints), egress NetworkPolicy to WSO2 VMs, SAML + OIDC + Federation flows. SPA panels: API Gateway (Try-it), IAM (user/claims).*	Full user → MFE → SPA → BFF → API GW → mesh → Identity → Product flow visible in the browser
P4: Redis client + Nexus + SPA panels 6-8	Day 10-12	OCP-side Redis mock client + background polling for `+switch-master`; SBOM pipeline extension; BRAC monorepo + conditional Jenkinsfile; hybrid CD. SPA panels: Redis (kill button + live status), SigNoz (iframe), Nexus (artifact list + pull).	”Hard-kill primary” in the SPA triggers VM-side kill; live status panel shows swap
P5: JBoss managed domain + tender-tour cards + evidence pack	Day 12-14	EAP Operator + Domain/Host Controllers + Server Groups; deploy + reload demo. SPA bottom: tender-item card grid linking to Compliance, RHACS, DefectDojo, GitLab, Jenkins, JBoss admin. Full evidence pack written.	One-click access from the SPA to every native UI; all 18 demo steps recorded

Live demo flow — browser-only

The evaluator opens one URL (the SPA) and walks down the page. Every panel is interactive; nothing requires terminal access. The full session is ~90 minutes — about 5-10 min per panel, with the HIGH-PRIORITY Observability + Kafka section getting the longest slot.

Pre-demo morning-of: all panels render with green health pips. The Demo Dashboard footer shows a Last-Validated timestamp ≤ 1 hour old.

Walk order (the SPA tabs from left to right):

API Gateway (5 min) — click “Try the sample API” → response viewer fills in. Open “WSO2 Publisher” tab from the panel; show the policy + key + IS-as-Key-Manager link. Back to SPA.
IAM (10 min) — Click Logout → Re-login via OIDC (browser redirect to IS, return with token visible in the user panel). Repeat via SAML. Click “Switch IdP” → Federation to a second IdP source. The user panel updates each time, with claims + federated-source live.
Service Mesh + mTLS (10 min) — Live React Flow graph already showing identity → product green edges. Click “Verify mTLS now” → button flashes, returns MUTUAL inline. Open Kiali tab from the panel for the full mesh-wide view.
Canary via mesh (5 min) — Slider at 90/10 by default. Click “Send 100 requests” → bar chart fills in real time (~90 to v1, ~10 to v2). Toggle the “x-canary: beta” sticky header → next 100 all land on v2. Slide to 50/50 → next 100 split evenly.
Observability + Kafka — HIGH PRIORITY (15 min) — Click “Trigger 50 traces” → varied requests fire. Embedded SigNoz iframe shows the service map filling in. Click “Open .NET Runtime dashboard” → opens dedicated tab showing GC heap moving with the load. Same for App Perf, System, Tracing. Mention sampling/filtering/routing (visible in the trace counts).
Redis HA (5 min) — Status panel shows current primary (e.g., redis-0) + replicas. Live read/write rate ticking (~50/s). Click the big red “Hard-kill primary” button. Status panel switches to redis-1 in ~15 seconds. Rate counter dips to zero briefly, then resumes. Sentinel +switch-master event surfaced inline.
SigNoz (5 min) — Already mostly seen in step 5. Click the four dashboard cards for a coherent tour. Use the natural flow to show Kafka topic lag (also in SigNoz).
Nexus OSS (5 min) — Artifact list shows 4 entries (one each Maven / PyPI / npm / Docker). Click “Pull this” on each — backend returns digest + size + format-specific metadata. “Open Nexus browse” link to the existing Nexus UI for the three-endpoint split.

Tender-item tour (15 min, bottom of the SPA):

Card grid links out to native UIs — one click each:

OCP cluster + ODF — opens the OCP console (Storage page).
Compliance + PCI-DSS — opens the OCP console ComplianceCheckResult view.
RHACS critical-block — opens RHACS Violations page; tab back to SPA, click “Try to deploy CVE-rich image” → policy hit toast appears.
Trivy + DefectDojo (SCA + SBOM) — opens DefectDojo product view with both engagements side-by-side.
BRAC monorepo + conditional Jenkinsfile — opens GitLab + Jenkins build page; demonstrate by pushing a change to apps/brac-payment-api/ and watching only that build trigger.
Hybrid CD — Jenkins page shows the same build artifact deployed to both an OCP Liberty CR and one existing VM target.
Kafka Schema Registry + DLQ — small inline panel in the SPA: “Produce valid Avro” / “Produce invalid Avro” buttons; reject message shown inline. “Inject poison record” → DLQ topic count increments.
JBoss EAP managed domain — opens the JBoss admin console (port 9990). Show server-group list; trigger a Server Group A rolling reload from the SPA; B keeps serving (visible in the console).

Wrap (5 min): SPA footer has a “View evidence pack” link → reports/brac-poc/. Final slide: thank-you + open Q&A.

Evidence pack

Per workstream, a folder in reports/brac-poc/<NN>-<slug>/:

1-page summary of what was demonstrated + which dc-lab assets it consumed.
CRs + ConfigMaps applied to spoke-dc-v6 (committed to platform-gitops under clusters/spoke-dc-v6/brac-demo/).
Screenshots of the relevant UIs (RHACS, SigNoz dashboards, WSO2 Publisher, DefectDojo, Kiali mesh graph, JBoss CLI).
Recorded terminal sessions (asciinema or script) for the live demos.
Logs from the critical moments (Sentinel +switch-master, RHACS policy hit, canary traffic shift, mTLS handshake, Schema Registry reject).

No secret values, no kubeconfigs, no credential bytes in the evidence pack. Vault paths referenced by name only.

Open questions

OCP cluster choice: use existing spoke-dc-v6 (default — fastest) or stand up a separate POC cluster (more demonstrable for the Terraform-automation requirement but adds 2-3 days)?
OCP version pin: confirm BRAC’s evaluation tools work against the current spoke-dc-v6 minor; if they want a specific version, plan a controlled upgrade or a side cluster.
JBoss EAP image entitlement: valid pull secret for the EAP Operator’s images? Otherwise fall back to community WildFly.
WSO2 license / image entitlement: existing WSO2 VMs run fine. Confirm no new license needed for the POC.
DC-DR scope: default is “documented procedure + one rehearsed restore in a side namespace” rather than a second live cluster. Confirm.
Truncated requirements PDF: original email mentions “13 Products” but PDF ends at section 9. Request sections 10-13 before P5 finalizes.
MFE / BFF stack choice: NGINX-only for MFE, or a real micro-frontend aggregator (Module Federation / single-spa)? BFF as Liberty (Java ecosystem fit) or Node (lighter)?
“Comply MTLS” interpretation: v2 PDF says “MTLS (Commply MTLS / Service mesh)”. Likely typo for “Compliance-grade mTLS” — strict mTLS + FIPS-ish posture + audit. Confirm.
Demo Dashboard SPA stack choice: React 18 (familiar, lots of components) vs. static Astro build (matches the zahid blog stack, simpler hosting). Default: React for the interactive panels (live charts, SSE, React Flow), but consider Astro + React islands if zero-deps is a goal.
Redis kill-primary auth model: the SPA’s “Hard-kill primary” button calls a BFF endpoint that runs redis-cli DEBUG SEGFAULT against the lab Sentinel pool. Should the BFF authenticate as a specific Vault-stored user, or is the BFF’s own service identity sufficient? Tradeoff: audit trail vs simplicity.

Resolved:

(2026-05-11) Redis HA stays on existing VM Sentinel — no OCP-side Redis deployment. OCP carries only a small mock client to demonstrate Sentinel reconnect.
(2026-05-11) Demo is browser-driven via a single SPA. Live demo cockpit served by the MFE Router. One panel per requirement, real backend calls, no terminal walls.

What’s intentionally not in this plan

No rebuild of dc-lab services on OCP. SigNoz, DefectDojo, Kafka KRaft, Redis Sentinel, WSO2 APIM/IS, Jenkins, GitLab, Nexus, Trivy — all reused on their existing VMs.
No deployment of demo apps to docker-runtime-vm. That path exists for the broader app-dev direction (project_app_dev_direction.md), but for this POC the demo apps run on OCP.
No second OCP cluster unless Q2 = yes.
No NGINX-based header canary at the application tier — replaced by mesh canary per v2 PDF (the MFE Router still has NGINX hardening: HSTS + custom 404 + rate-limit on login).
No new ADRs unless a load-bearing direction changes (e.g., adopting OCP-native Redis or migrating Kafka off VMs as strategic direction beyond the demo).
Sections 10-13 of the original requirements PDF — not in scope until we see them.