Ops Release Evidence Extraction Protocol
Candidate: ops-release-evidence
Target owner: cloudflare-saas-core
Target package: cloudflare-saas-core/packages/release-evidence
Purpose
This protocol freezes the shared contract for Cloudflare release evidence before any code is moved out of this template. The goal is to make release readiness, production cutover, provider canary, image-safety, and operator approval evidence reusable without making a vertical product's Worker names, smoke fixtures, copy, or launch decisions part of core.
Shared Contract
The shared package should own the schema and validators for these public-safe artifacts:
release-readinessrelease-statusrelease-packetsecret-rotation-receiptproduction-resource-readyoperator-assisted-productionprovider-canary-evidenceimage-safety-canary-evidence
The shared package may expose pure validators, report builders, Markdown formatters, and privacy scanners. It should not deploy Workers, call provider SDKs, read secret values, or know a product's route names, copy, presets, storage namespaces, or model choice.
Core Inputs
Core can receive structured inputs such as:
- repository and workflow run selectors
- expected commit SHA and branch
- canonical staging and production origin descriptors
- Cloudflare resource descriptors without raw ids
- secret-free rotation receipts that include secret names, before/after metadata timestamps, preflight status, and next safe command labels
- public-safe smoke and canary evidence JSON
- operator-reviewed production resource and traffic approval references
- accepted deferral ids and launch milestone ids
Every input must be safe to commit to an artifact or release packet. Private ops notes may be referenced by name, but the shared package must not read those private notes.
Product Adapters
The product template keeps the adapters that create evidence:
- staging smoke execution and source media fixtures
- secret synchronization and GitHub secret writes
- deploy dispatch and metadata-lag override decisions
- provider-specific canary runner and model input mapping
- image-safety reviewer mode and launch decision source
- Worker, D1, R2, route, and domain naming
- product launch copy, support promises, and pricing/commercial boundaries
Adapters emit public-safe artifacts into the shared contract. Core validates and summarizes those artifacts; it does not create the product-specific evidence.
Privacy Rules
The shared validators must reject artifacts containing:
- API tokens, bearer tokens, webhook secrets, or provider credentials
- raw actor, user, account, workspace, or owner ids
- R2 object keys, storage namespaces, provider input keys, or generated output keys
- raw provider execution ids, Gateway metadata, image bytes, or private URLs
- secret values or derived token fingerprints in rotation receipts
Artifacts may include stable public labels, redacted references, aggregate counts, current commit SHAs, workflow ids, secret names, metadata timestamps, preflight pass/fail status, and reviewer-owned reference labels.
Acceptance Fixture
The product-free acceptance fixture lives at
ops-release-evidence.core-fixture.json.
It proves the contract can describe a generic AI/media template without product
identity. Before extraction, the fixture must still satisfy these constraints:
- it references
ops-release-evidence - it names
cloudflare-saas-core/packages/release-evidenceas the target - it lists at least one source-known artifact, one staging runtime artifact, one secret-rotation artifact, one production cutover artifact, one provider canary artifact, and one image-safety artifact
- it keeps product adapters separate from core validators
- it contains no vertical product name, raw storage key, token marker, or actor identifier
Extraction Sequence
- Keep the current product-local scripts as the source of truth.
- Add a second template fixture or platform fixture that uses the same artifact contracts without product identity.
- Move only schema validation, privacy scanning, readiness aggregation, and Markdown/JSON formatting into the shared package.
- Keep smoke execution, Cloudflare deploy dispatch, provider calls, and product launch decisions in the template.
- Run the product template against the extracted package and keep
pnpm verify:localgreen before claiming the extraction complete.
Non-Goals
- No automatic production approval.
- No secret synchronization.
- No secret synchronization, secret writes, or token creation; core may only validate and summarize secret-free rotation receipts.
- No Cloudflare resource creation.
- No generic AI provider plugin registry.
- No shared product copy, pricing, or safety promises.