TanstackTemplate
Reference Contracts

Ops Release Evidence Extraction Protocol

Candidate: ops-release-evidence

Target owner: cloudflare-saas-core

Target package: cloudflare-saas-core/packages/release-evidence

Purpose

This protocol freezes the shared contract for Cloudflare release evidence before any code is moved out of this template. The goal is to make release readiness, production cutover, provider canary, image-safety, and operator approval evidence reusable without making a vertical product's Worker names, smoke fixtures, copy, or launch decisions part of core.

Shared Contract

The shared package should own the schema and validators for these public-safe artifacts:

  • release-readiness
  • release-status
  • release-packet
  • secret-rotation-receipt
  • production-resource-ready
  • operator-assisted-production
  • provider-canary-evidence
  • image-safety-canary-evidence

The shared package may expose pure validators, report builders, Markdown formatters, and privacy scanners. It should not deploy Workers, call provider SDKs, read secret values, or know a product's route names, copy, presets, storage namespaces, or model choice.

Core Inputs

Core can receive structured inputs such as:

  • repository and workflow run selectors
  • expected commit SHA and branch
  • canonical staging and production origin descriptors
  • Cloudflare resource descriptors without raw ids
  • secret-free rotation receipts that include secret names, before/after metadata timestamps, preflight status, and next safe command labels
  • public-safe smoke and canary evidence JSON
  • operator-reviewed production resource and traffic approval references
  • accepted deferral ids and launch milestone ids

Every input must be safe to commit to an artifact or release packet. Private ops notes may be referenced by name, but the shared package must not read those private notes.

Product Adapters

The product template keeps the adapters that create evidence:

  • staging smoke execution and source media fixtures
  • secret synchronization and GitHub secret writes
  • deploy dispatch and metadata-lag override decisions
  • provider-specific canary runner and model input mapping
  • image-safety reviewer mode and launch decision source
  • Worker, D1, R2, route, and domain naming
  • product launch copy, support promises, and pricing/commercial boundaries

Adapters emit public-safe artifacts into the shared contract. Core validates and summarizes those artifacts; it does not create the product-specific evidence.

Privacy Rules

The shared validators must reject artifacts containing:

  • API tokens, bearer tokens, webhook secrets, or provider credentials
  • raw actor, user, account, workspace, or owner ids
  • R2 object keys, storage namespaces, provider input keys, or generated output keys
  • raw provider execution ids, Gateway metadata, image bytes, or private URLs
  • secret values or derived token fingerprints in rotation receipts

Artifacts may include stable public labels, redacted references, aggregate counts, current commit SHAs, workflow ids, secret names, metadata timestamps, preflight pass/fail status, and reviewer-owned reference labels.

Acceptance Fixture

The product-free acceptance fixture lives at ops-release-evidence.core-fixture.json. It proves the contract can describe a generic AI/media template without product identity. Before extraction, the fixture must still satisfy these constraints:

  • it references ops-release-evidence
  • it names cloudflare-saas-core/packages/release-evidence as the target
  • it lists at least one source-known artifact, one staging runtime artifact, one secret-rotation artifact, one production cutover artifact, one provider canary artifact, and one image-safety artifact
  • it keeps product adapters separate from core validators
  • it contains no vertical product name, raw storage key, token marker, or actor identifier

Extraction Sequence

  1. Keep the current product-local scripts as the source of truth.
  2. Add a second template fixture or platform fixture that uses the same artifact contracts without product identity.
  3. Move only schema validation, privacy scanning, readiness aggregation, and Markdown/JSON formatting into the shared package.
  4. Keep smoke execution, Cloudflare deploy dispatch, provider calls, and product launch decisions in the template.
  5. Run the product template against the extracted package and keep pnpm verify:local green before claiming the extraction complete.

Non-Goals

  • No automatic production approval.
  • No secret synchronization.
  • No secret synchronization, secret writes, or token creation; core may only validate and summarize secret-free rotation receipts.
  • No Cloudflare resource creation.
  • No generic AI provider plugin registry.
  • No shared product copy, pricing, or safety promises.

On this page