Solana OVault Canary Rollout

Run this guide when rolling out the Solana preflight path on mainnet.

It uses the canonical Solana preflight route:

Runtime Controls

Set on all deploy-session runtimes:

DEPLOY_SOLANA_OVAULT_KILL_SWITCH
- 0: normal behavior
- 1: disable Solana preflight writes during incident response
DEPLOY_SOLANA_LEGACY_WRITE_DISABLED
- 0: canonical endpoint accepts writes
- 1: direct writes to /api/deploy/registerSolanaBridgeToken are disabled (410)

Optional aliases are also supported:

Prepare
- Ensure DEPLOY_SOLANA_OVAULT_KILL_SWITCH=0
- Ensure deploy-session TTL is long enough for mainnet latency (DEPLOY_SESSION_TTL_MINUTES>=45)
- Deploy API/runtime config
Canary creators (1-3)
- Run /deploy for canary creators only
- Confirm phase progression reaches phase3_sent/completed
Verify preflight path
- Confirm status handler calls /api/deploy/registerSolanaBridgeToken
- Confirm expected depositEligible, redeemEligible, and compatibility gating behavior
Expand
- Keep the canonical route enabled while cohort size increases
Legacy cutover
- Set DEPLOY_SOLANA_LEGACY_WRITE_DISABLED=1
- Keep DEPLOY_SOLANA_OVAULT_KILL_SWITCH=0
- Verify direct calls to /api/deploy/registerSolanaBridgeToken return 410

Watch deploy-session failures for:

Solana preflight failed
OVault eligibility failures (existingMintCompatible, depositEligible, redeemEligible)

No-Go if canary sessions regress or preflight failures spike.

If canary health degrades:

When ready to re-enable:

Set DEPLOY_SOLANA_OVAULT_KILL_SWITCH=0
After stability, set DEPLOY_SOLANA_LEGACY_WRITE_DISABLED=1 again if you want to freeze writes
Re-run canary validation

Kill switch affects deploy-session Solana preflight routing only.
Legacy write-disable gate applies only to the canonical endpoint path.
Existing compatibility/eligibility hard gates remain active regardless of route mode.