Enterprise Adoption Checklist

Use this checklist to track progress through an enterprise evaluation or initial production deployment. Each item links to the reference page where the capability is documented.

This checklist does not replace a security review. It is a structured path through what the repository currently provides and what it explicitly does not.


Phase 0 — Fit assessment

Answer these questions before investing evaluation time. A "no" answer does not mean the project is wrong for you — it means you need a plan to supply what is missing.

Question: Is local-first (loopback-only) acceptable as the baseline?
If no: You will need to enable runtime auth and plan network controls before any production use.

Question: Can you tolerate revocation as a tracked gap rather than a solved capability?
If no: Token revocation is not implemented. Short expiry plus network controls are the current mitigation path.

Question: Can you supply audit log rotation and retention tooling?
If no: There is no built-in log rotation, retention policy, or push exporter.

Question: Do you have infrastructure available for live identity proof (Authentik, Entra, or equivalent)?
If no: Browser-login and federation proof cannot be validated in CI; you need real identity infrastructure.

Question: Are you comfortable with no built-in OTEL trace export?
If no: obs.Observer is the extension point; there is no production trace sink today.

If your answers to these questions are acceptable, continue with the phases below.


Phase 1 — Understand the deployment model

  • Read Deployment Models and choose one of: embedded, local daemon, or remote runtime.
  • Confirm whether multiple isolated instances (--instance-id) are needed for your environment.
  • Review the stale-registry fallback behavior to understand how ocli handles a dead daemon.

Reference: Deployment Models, Runtime Overview


Phase 2 — Enable and validate runtime auth

  • Enable runtime.server.auth on oclird with a suitable validationProfile.
  • Verify that catalog filtering and execution denial work under authenticated access.
  • Confirm token validation covers issuer, audience, expiry, and signature checks.
  • Document which auth flows are needed: providedToken, oauthClient, or browserLogin.

Reference: Authentik Reference Proof, Auth Resolution, Security Overview

Known gap: Token revocation and introspection-backed runtime auth have no solved, reproducible proof path. See Enterprise Readiness for the full statement of what is and is not proven.
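To make the third bullet concrete, here is an added example of what "covers issuer, audience, expiry, and signature" means as code. It is an illustration written for this checklist, not oclird's validation code: it uses an HS256 shared secret so it runs offline, whereas a real validationProfile would normally verify an IdP's asymmetric signature against its published keys. The function names mint_token and validate_token, the issuer URL and the audience value are hypothetical. The check order matters: signature first, with the algorithm pinned by the verifier rather than read from the header, and exp treated as mandatory, because with revocation unimplemented the expiry window is the only bound on a leaked token's lifetime.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT for fixtures (constructed input, not an IdP-issued token)."""
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url_encode(json.dumps(claims, **compact).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, key: bytes, issuer: str, audience: str, now=None, leeway: int = 30) -> list:
    """Return the list of failed checks; an empty list means signature, expiry, issuer and audience all passed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return ["malformed: undecodable segment"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["malformed: header and payload must be JSON objects"]

    # 1. Signature, before any claim is looked at. The algorithm is pinned here (hypothetically
    #    HS256), so a header advertising "none" or another alg is rejected rather than honoured.
    if header.get("alg") != "HS256":
        return ["signature: unexpected alg %r" % header.get("alg")]
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return ["signature: mismatch"]

    failures = []
    # 2. Expiry. exp is mandatory: without revocation, a token with no exp is valid forever.
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        failures.append("expiry: missing or non-numeric exp")
    elif now > exp + leeway:
        failures.append("expiry: token expired")
    # 3. Issuer: exact match against the configured issuer string.
    if claims.get("iss") != issuer:
        failures.append("issuer: %r is not the configured issuer" % claims.get("iss"))
    # 4. Audience: aud may be a string or a list; this runtime's audience must be present.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        failures.append("audience: %r does not include %r" % (aud, audience))
    return failures


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # hypothetical key for the offline demo
    issuer = "https://idp.example/application/o/ocli/"  # hypothetical issuer URL
    tok = mint_token({"iss": issuer, "aud": "oclird", "sub": "agent-1", "exp": 1700000600}, key)
    print(validate_token(tok, key, issuer, "oclird", now=1700000000))
```

Returning the full list of failed claim checks (rather than stopping at the first) is useful when reconciling a rejected token against the IdP's configuration; the signature check still short-circuits, since claims from an unverified token are not worth reporting.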


Phase 3 — Configure policy and secret handling

  • Review scope-based catalog filtering and execution policy under your intended agent profiles.
  • Confirm secret sources (env:, vault references) meet your credential-handling requirements.
  • Review Policy and Approval and determine whether an approval gate is needed.

Reference: Security Overview, Secret Sources, Policy and Approval


Phase 4 — Set up audit logging

  • Confirm the default audit log path is accessible and writable in your deployment environment.
  • Decide whether to override --audit-path to direct logs to a central path or log aggregator.
  • Verify that tool_execution, authz_denial, authenticated_connect, and authn_failure events appear after test runs.
  • Review the audit log caveats: no built-in rotation, no server-side filtering, best-effort fsync durability.

Reference: Audit Logging, Tracing and Instances
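A small checker for the third bullet, added here as an example and not part of the project. It assumes the audit log is newline-delimited JSON with an "event" field naming the event type; that format, the field name and the sample lines are constructed for this illustration. The sample's final record is deliberately cut short, which is the shape a best-effort fsync leaves behind after an unclean stop, so the checker counts such lines as skipped instead of failing on them.

```python
import json
from collections import Counter
from typing import Iterable, Tuple

# The four event types Phase 4 asks you to confirm after test runs.
REQUIRED_EVENTS = ("tool_execution", "authz_denial", "authenticated_connect", "authn_failure")

# Constructed sample, not real oclird output. The JSON-lines layout and the "event" field
# are assumptions of this example; the last line is intentionally truncated.
SAMPLE_AUDIT = """\
{"ts":"2024-05-01T10:00:00Z","event":"authenticated_connect","subject":"agent-1","instance":"dev"}
{"ts":"2024-05-01T10:00:01Z","event":"tool_execution","subject":"agent-1","tool":"git.status","outcome":"ok"}
{"ts":"2024-05-01T10:00:02Z","event":"authz_denial","subject":"agent-1","tool":"shell.exec","reason":"scope"}

{"ts":"2024-05-01T10:00:03Z","event":"tool_execution","subject":"agent-1","tool":"git.diff","outco
"""


def parse_audit(text: str) -> Tuple[Counter, int]:
    """Count records by event type; return (counts, number of lines skipped as unparseable)."""
    counts: Counter = Counter()
    skipped = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except ValueError:
            skipped += 1  # truncated or corrupt record, e.g. the tail after an unclean stop
            continue
        event = record.get("event") if isinstance(record, dict) else None
        if not isinstance(event, str):
            skipped += 1  # well-formed JSON that is not an audit record we recognise
            continue
        counts[event] += 1
    return counts, skipped


def missing_events(text: str, required: Iterable[str] = REQUIRED_EVENTS) -> list:
    """Names from `required` that never appear in the log; empty means the test runs covered all four."""
    counts, _ = parse_audit(text)
    return [name for name in required if counts[name] == 0]


def check_audit_file(path: str) -> dict:
    """Run the same checks over a real file, e.g. the default path or your --audit-path override."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    counts, skipped = parse_audit(text)
    return {"counts": dict(counts), "skipped": skipped, "missing": missing_events(text)}


if __name__ == "__main__":
    counts, skipped = parse_audit(SAMPLE_AUDIT)
    print(dict(counts), "skipped:", skipped, "missing:", missing_events(SAMPLE_AUDIT))
```

A non-zero skipped count after a clean shutdown is worth investigating; a single skipped trailing line after a crash is the documented durability caveat showing up, not a parsing bug. Point check_audit_file at the path you chose in the second bullet and treat a non-empty "missing" list as a failed verification.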


Phase 5 — Run fleet validation

  • Run make product-test-fleet from the repo root and inspect artifacts under /tmp/ocli-fleet/.
  • Confirm the rubric.json and transcript.log artifacts for each lane that covers your deployment scenario.
  • For remote runtime auth scenarios, verify the remote-runtime-oauth-client lane passes.
  • For browser-login or Entra federation, review product-tests/testdata/fleet/live-proof-matrix.yaml and plan live proof execution against your identity infrastructure.

Reference: Fleet Validation, Enterprise Readiness


Phase 6 — Review known gaps and open questions

  • Read the Known gaps section of Enterprise Readiness.
  • Confirm that revocation is a tracked gap (not a hidden assumption) and decide whether that is acceptable for your risk model.
  • Review the Audit Logging caveats and decide whether supplemental retention or rotation tooling is needed.
  • Capture any live proof runs against your identity provider using the live-proof-matrix.yaml format.

Phase 7 — Plan external operational controls

These items are not provided by open-cli. Each requires operator-owned infrastructure or process before a production deployment is credible.

  • Token revocation — confirm your risk model accepts expiry-based validity windows, or plan an external revocation check in your network path.
  • Audit log rotation and retention — confirm logrotate, a log sidecar, or a log forwarder is in place against the audit path.
  • Network access control — for remote runtime deployments, confirm firewall rules, reverse proxy auth, or container/network isolation are in place.
  • Audit SIEM integration — plan how audit data will reach your SIEM. A pull-based log shipper reading the audit file is the only path available today; there is no push exporter.
  • Live identity proof — for browser-login or Entra federation, confirm you have the necessary tenant, application registration, and test identity to run the live proof matrix.

Reference: Enterprise Overview — External operational requirements