Deploy readiness
When agents may ship live changes
A deployment is ready only when every required item is green or has an explicit user-approved waiver. If any required item is red and not waived, the correct delivery is a readiness report — not a live deploy.
Classification gate
- Delivery target is named: none, repo-only, prep-only, or live-deploy.
- User explicitly requested live deploy for this task.
- External changes are listed: domain, hosting target, data, API, or service impact.
- Out-of-scope risks are named: deletion, auth/rules changes, secret exposure, destructive operations, or public release.
Environment maturity
- Target: Project, site, domain, cloud service, or environment name is known.
- Owner: Human owner, maintainer, or approving role is known.
- Config: Required env vars/config are present without printing secret values.
- Rollback: Previous commit, hosting version, tag, restore command, or revert path exists.
Validation requirements
- Local validation/build/test command passed.
- git diff --check passed.
- Changed JSON/YAML/config parsed successfully.
- Applicable CI exists and is green, unless explicitly waived.
- Smoke path is defined and can confirm the deployed target works.
Security review
- No secrets, API keys, private keys, or credential values are committed or printed.
- No auth, authorization, CORS, database rules, or permission broadening unless explicitly approved.
- No untrusted input flows into commands, templates, queries, or generated config without validation.
- Every external write is named and approved by scope.
Firebase Hosting checklist
- Confirm source of truth for site files before editing copy or layout.
- Validate static assets/build output locally.
- Confirm Firebase project ID, hosting site/target, and active account without printing credentials.
- Check the custom domain after deploy, not only Firebase default URLs.
- Do not change Firebase rules, auth providers, billing, or data stores in the same run unless separately approved.
Readiness report format
Deployment classification: live-deploy requested | prep-only | repo-only
Live deploy result: blocked | deferred | not in scope
Blocking gaps:
- [ ] <gap, required owner/action>
Ready checks:
- [x] <check and evidence>
Rollback/recovery plan:
- <what to revert/restore if a future deploy fails>
Next action:
- <single highest-leverage step>
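The gate rule and the report format above, as an added Python example that is not part of the original page. The Check fields, function names, and sample values are assumptions made for illustration; the "deferred" result is not modelled because the page does not say when it applies.

```python
from dataclasses import dataclass

@dataclass
class Check:
    name: str
    green: bool
    evidence: str = ""    # proof if green; required owner/action if red
    waived: bool = False  # set only on an explicit user-approved waiver

def config_check(required_vars, env):
    """Report missing required variables by name only, never by value."""
    missing = sorted(v for v in required_vars if not env.get(v))
    if missing:
        return Check("Required config present", False, "owner to set " + ", ".join(missing))
    return Check("Required config present", True, f"{len(required_vars)} variables set")

def gate(target, live_requested, checks):
    """Return (result, blocking); 'ready' only if every check is green or waived."""
    blocking = [c for c in checks if not c.green and not c.waived]
    if target != "live-deploy" or not live_requested:
        return "not in scope", blocking
    return ("blocked" if blocking else "ready"), blocking

def readiness_report(target, live_requested, checks, rollback, next_action):
    """Render the page's report format for a run that must not deploy."""
    result, blocking = gate(target, live_requested, checks)
    if result == "ready":
        raise ValueError("gate is green; no readiness report needed")
    label = "live-deploy requested" if target == "live-deploy" and live_requested else target
    lines = [f"Deployment classification: {label}", f"Live deploy result: {result}", "Blocking gaps:"]
    lines += [f"- [ ] {c.name}: {c.evidence}" for c in blocking]
    lines.append("Ready checks:")
    lines += [f"- [x] {c.name}: {c.evidence}" + (" (waived by user)" if c.waived else "")
              for c in checks if c.green or c.waived]
    lines += ["Rollback/recovery plan:", f"- {rollback}", "Next action:", f"- {next_action}"]
    return "\n".join(lines)

# Constructed sample run: API_KEY is unset, so the gate must block.
SAMPLE_ENV = {"FIREBASE_PROJECT": "example-project", "API_KEY": ""}
SAMPLE_CHECKS = [
    Check("Local build/test passed", True, "npm test exit 0"),
    Check("CI green", False, "no CI configured", waived=True),
    config_check(["FIREBASE_PROJECT", "API_KEY"], SAMPLE_ENV),
]

if __name__ == "__main__":
    print(readiness_report("live-deploy", True, SAMPLE_CHECKS,
                           "redeploy previous hosting version", "owner to set API_KEY"))
```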