Stop conditions
Pause if out-of-band recovery is missing, the rollback path is unclear, the preview changes behavior unexpectedly, or validation shows a leak or broken admin path.
Operator runbook
Bring up a local gateway, then validate routing, DNS, fallback, and privacy posture before trusting the deployment.
Confirm recovery access, map interfaces, export current network state, and define failure behavior.
Create device group, DNS ownership, route profile, and fallback behavior in dry-run mode.
Apply only after the operator confirms rollback for firewall, DNS, route, and admin access changes.
Check admin UI, DHCP/DNS behavior, route trace, fallback state, leak posture, and known-good backup.
Review support boundaries before asking anyone else to touch live routing, DNS, firewall, credentials, or remote access. Ownership stays with the operator unless a bounded change window is explicitly approved.
Keep console, SSH, or local admin recovery available before applying any live policy change so rollback stays practical if the first pass fails.
Use read-only discovery first: ip addr, ip route, resolver status, failed services, and current firewall state.
Disable policy apply, restore known-good route/DNS/firewall state, restart affected services, and confirm local admin access.
Report deployment mode, interface map, policy summary, DNS trace, route trace, fallback behavior, remaining risks, and rollback location.
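An added example, not part of the original runbook or of any product's tooling: a POSIX shell sketch of the read-only discovery step and the stop-condition check before apply. The evidence file names, the `yes` confirmation argument, and the use of resolvectl, systemctl and nft are assumptions about the host.

```shell
#!/bin/sh
# Added example: read-only pre-apply snapshot plus a stop-condition gate.
# File names and the "yes" confirmation argument are assumptions.

# capture NAME OUTDIR CMD...: run one read-only command and save its output.
# A missing or failing command is recorded instead of aborting the snapshot.
capture() {
    name=$1; out=$2; shift 2
    echo "# $*" >"$out/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >>"$out/$name.txt" 2>&1 || echo "FAILED: $*" >>"$out/$name.txt"
    else
        echo "UNAVAILABLE: $1" >>"$out/$name.txt"
    fi
}

# snapshot OUTDIR: export current network state without changing anything.
snapshot() {
    out=$1
    mkdir -p "$out" || return 1
    capture addr     "$out" ip -o addr show
    capture route    "$out" ip route show
    capture resolver "$out" resolvectl --no-pager status  # assumes systemd-resolved
    capture failed   "$out" systemctl --failed --no-pager # assumes systemd
    capture firewall "$out" nft list ruleset              # assumes nftables, root
    cp /etc/resolv.conf "$out/resolv.conf" 2>/dev/null || true
}

# gate OUTDIR RECOVERY: return 0 only when no stop condition is visible.
# RECOVERY is "yes" once the operator has verified console, SSH, or local
# admin recovery by hand; the script cannot verify that itself.
gate() {
    out=$1; rc=0
    [ "${2:-no}" = yes ] || { echo "STOP: out-of-band recovery not confirmed" >&2; rc=1; }
    for f in addr route resolver failed firewall; do
        if [ ! -f "$out/$f.txt" ] || grep -Eq '^(UNAVAILABLE|FAILED):' "$out/$f.txt"; then
            echo "STOP: no usable $f evidence; rollback path unclear" >&2; rc=1
        fi
    done
    return "$rc"
}

# Runs only when a directory is given, e.g.: sh preapply.sh ./evidence yes
if [ -n "${1:-}" ]; then snapshot "$1" && gate "$1" "${2:-no}"; fi
```

A non-zero exit from the gate means pause: fix the missing evidence or recovery path first, and keep the snapshot directory as the known-good reference for rollback.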
Runbook evidence
Shows device and group scope before the runbook changes policy.
Shows resolver ownership, filtering posture, and bypass handling before apply.
Shows backup and recovery evidence that should be captured before live apply.