Skip to content

Release readiness

Decided

Source: doc/Release_Go_NoGo_Checklist.md · doc/operations/Production_Platform_Baseline.md · doc/operations/Environment_Promotion_Policy.md · doc/operations/Release_Smoke_Checklist.md · doc/governance/Platform_Control_Release_Promotion_Policy.md

The gates between development → staging → production. A release is GO only when every mandatory check is green and no unresolved SEV-1/SEV-2 risk exists.

Decision rule

flowchart TB
    R[Release candidate] --> A{Architecture & contracts<br/>all green?}
    A -- no --> NG[NO-GO]
    A -- yes --> B{Security<br/>all green?}
    B -- no --> NG
    B -- yes --> C{Data & billing integrity<br/>all green?}
    C -- no --> NG
    C -- yes --> D{Reliability & ops<br/>all green?}
    D -- no --> NG
    D -- yes --> E{Delivery<br/>all green?}
    E -- no --> NG
    E -- yes --> F{Unresolved SEV-1<br/>or SEV-2 risk?}
    F -- yes --> NG
    F -- no --> GO[GO]

    classDef ng fill:#f8d7da,stroke:#42101e
    classDef go fill:#d1e7dd,stroke:#0a3622
    class NG ng
    class GO go

The five mandatory groups

mindmap
  root((Release Go/No-Go))
    Architecture & Contracts
      ADR set finalized
      OpenAPI validated + lint clean
      AsyncAPI validated
      Breaking changes reviewed with migration notes
    Security
      Threat model reviewed
      Security control verification complete
      No unresolved critical/high vulns
      Secret scanning clean
    Data & Billing Integrity
      Ledger invariants pass
      Migration validation pass forward + rollback
      Stripe webhook replay/idempotency tests pass
    Reliability & Operations
      SLO dashboards and alerts live
      Runbooks published for critical incidents
      Incident severity and escalation policy active
      Backup/restore drill completed
    Delivery
      CI pipeline all required gates green
      Release notes + compatibility notes complete
      Approval recorded by platform + security owners

Group 1 — Architecture & Contracts

Gate Evidence
ADR set finalized architecture/adrs/* — every active ADR signed off
OpenAPI validated + lint clean scripts/ci/contracts_validate.sh green; spectral clean
AsyncAPI validated Same script; envelope + subjects match emitter code
Breaking changes reviewed with migration notes scripts/ci/contracts_breaking_change.sh clean OR documented breaking changes with BREAKING: label + migration guide

Group 2 — Security

flowchart LR
    classDef gate fill:#fff3cd,stroke:#332701
    classDef done fill:#d1e7dd,stroke:#0a3622

    G1[Threat model reviewed]:::gate
    G2[Security control verification]:::gate
    G3[No critical/high vulns]:::gate
    G4[Secret scanning clean]:::gate
    G5[Pen test scope addressed]:::gate
    G6[Encryption envelope baseline]:::gate
    G7[mTLS internal active]:::gate
    G8[Admin token deny-list active]:::gate

    G1 & G2 & G3 & G4 & G5 & G6 & G7 & G8 --> ALL[All security gates GO]:::done
Gate Mandatory? Evidence source
Threat model reviewed Yes Threat model
Security control verification complete Yes Security_Control_Verification.md
No unresolved critical/high vulnerabilities Yes SAST/DAST/dependency scan reports
Secret scanning clean Yes git-secrets / gitleaks pass
Pen test scope addressed Conditional Pen_Test_Scope.md
Encryption envelope baseline live Conditional Encryption_Envelope_Spec.md
mTLS internal active in staging Conditional Per assumption A-014
Admin-token deny-list path live Yes Per assumption A-016

Group 3 — Data & Billing Integrity

flowchart TB
    classDef gate fill:#fff3cd,stroke:#332701
    classDef done fill:#d1e7dd,stroke:#0a3622

    L1[Ledger invariants tested<br/>never UPDATE/DELETE<br/>balance recomputable]:::gate
    L2[Audit immutability tested]:::gate
    L3[Migration forward + rollback pass]:::gate
    L4[Stripe webhook replay test passes<br/>AT-052]:::gate
    L5[Stripe signature bypass test passes<br/>AT-053]:::gate
    L6[Outbox-relay at-least-once verified]:::gate
    L7[Idempotency tests on all mutations]:::gate

    L1 & L2 & L3 & L4 & L5 & L6 & L7 --> OK[Data + billing GO]:::done

Group 4 — Reliability & Operations

flowchart TB
    SLO[SLO dashboards live] --> ALERTS[Alerts wired to on-call]
    ALERTS --> RB[Runbooks published for critical incidents]
    RB --> IR[Incident severity policy + escalation active]
    IR --> DR[Backup/restore drill completed]
    DR --> RDY[Reliability GO]

    classDef gate fill:#fff3cd,stroke:#332701
    classDef done fill:#d1e7dd,stroke:#0a3622
    class SLO,ALERTS,RB,IR,DR gate
    class RDY done

The runbook inventory and severity model already exist:

Group 5 — Delivery

Gate Evidence
CI pipeline all required gates green scripts/ci/*.sh per CI gates
Release notes complete Generated from queue completed_at + commit log
Compatibility notes complete Breaking changes list reconciled with Contract_Versioning_Policy.md
Approval recorded by platform + security owners Signoff captured in PR + Phase Readiness Tracker

Environment promotion

flowchart LR
    classDef dev fill:#e3f2fd,stroke:#1565c0
    classDef stg fill:#fff3e0,stroke:#e65100
    classDef prod fill:#d1e7dd,stroke:#0a3622

    DEV[Dev<br/>local-dev compose]:::dev --> CI[CI host<br/>full integration + e2e]:::dev
    CI --> STG[Staging<br/>kind-parity or<br/>platform-control sandbox]:::stg
    STG --> PROD[Production<br/>platform-control release]:::prod

    DEV -.assumption A-012 GitLab-first.-> CI
    STG -.PKI staging readiness<br/>C-OPS-002.-> PROD
    STG -.assumption A-014<br/>east/west security validated.-> PROD
    STG -.Phase Readiness<br/>signoff.-> PROD

The promotion sequence is governed by:

Smoke checklist (post-promotion)

sequenceDiagram
    autonumber
    participant REL as Release owner
    participant SM as Smoke checklist
    participant API as cmd/api
    participant CLI as gpuaas-cli
    participant W as workers
    participant OBS as observability

    REL->>SM: kick off release smoke
    SM->>API: GET /healthz from edge
    SM->>API: GET /api/v1/buildinfo to confirm version
    SM->>CLI: gpuaas auth login (dev account)
    SM->>API: create canary allocation
    SM->>W: provisioning workflow runs
    W-->>API: status=active
    SM->>API: mint terminal-token + WS
    SM->>API: release canary allocation
    SM->>OBS: confirm SLO dashboards green
    SM->>OBS: confirm no critical alerts firing
    SM-->>REL: smoke GREEN or specific failures

Hard rule on platform-control branch

From AGENTS.md / Coding_Standards.md:

Before any release/platform-control promotion or deploy work, read Platform_Control_Release_Promotion_Policy.md and Multi_Agent_Lane_Worktrees_v1.md.

Required Forbidden
Merge fixes to master first Hand-editing release/platform-control as normal workflow
Use scripts/ci/platform_control_promote_release_branch.sh to promote Direct branch push
Audit signoff before deploy Skip-hook commits (--no-verify)

Sample release Go/No-Go output

GO/NO-GO decision: GO

Architecture & Contracts ........................... PASS
  ✓ ADRs frozen
  ✓ openapi.draft.yaml validated (spectral clean)
  ✓ asyncapi.draft.yaml validated
  ✓ No breaking changes since last release

Security ........................................... PASS
  ✓ Threat model reviewed (2026-04-24)
  ✓ Security control verification — full
  ✓ Vuln scan: 0 critical, 0 high
  ✓ Secret scan clean

Data & Billing Integrity ........................... PASS
  ✓ Ledger invariants test green
  ✓ Migration forward + rollback green
  ✓ AT-051, AT-052, AT-053 green

Reliability & Operations ........................... PASS
  ✓ SLO dashboards live (Grafana)
  ✓ 38 runbooks indexed
  ✓ Sev model + escalation active
  ✓ Backup/restore drill: 2026-05-01

Delivery ........................................... PASS
  ✓ CI: all gates green
  ✓ Release notes drafted
  ✓ Compatibility notes complete
  ✓ Approved: platform owner, security owner

Unresolved SEV-1/SEV-2: none

DECISION: GO

Where to look next