Promotion gates
A bot does not advance to the next readiness state until every gate below is green. Gates are observable from production data — no subjective sign-off, no "looks good to me".
State diagram
Idea only → Spec started → Parameters defined → Thresholds defined → Tests defined → Ready to build → Built → Shadow → Limited live → General live → Deprecated.
Gates by transition
Built → Shadow
| Gate | How measured | Threshold |
|---|---|---|
| Checklist 27/27 green | Generator output | 100% |
| All unit + integration + property tests pass | CI | 100% on main for 7 consecutive days |
| Wire examples replay cleanly | make replay against last 7d of staging fixtures | 0 unexpected reason codes |
| Reason-code stability check | CI lint vs registry | No reword of existing codes |
Shadow → Limited live
| Gate | How measured | Threshold |
|---|---|---|
| Shadow agreement with current live decision | Side-by-side replay of last 30 days | ≥ 99% identical decision; divergences manually reviewed |
| P99 latency | Prometheus | ≤ documented SLO |
| Error rate | Prometheus | < 0.1% over 7 days |
| No P0 alerts in shadow | Alertmanager | 0 over 7 days |
| Failure-injection recipes pass | Chaos suite | All 5 standard scenarios pass |
Limited live → General live
| Gate | How measured | Threshold |
|---|---|---|
| Time in limited live | Calendar | ≥ 30 days |
| User-facing incidents attributed to this bot | Incident log | 0 P1, ≤ 2 P2 |
| False-positive rate (Risk bots) | Manual review of 100 random REJECT/RESHAPE | ≤ 5% incorrect |
| Reconciliation drift | BuilderAttribution + on-chain | Within tolerance for 30 days |
| Plain-English coverage | Every emitted reason code has a user_message | 100% |
Demotion
A bot in General live is demoted to Limited live (and stops affecting users) when any of the following holds for 24 consecutive hours: P0 alert active, error rate > 1%, reconciliation drift outside tolerance, or a security finding above CVSS 7.0. Demotion is automatic and on-call cannot disable it.