Change Management Policy (A.8.32)
Document ID: change-management-policy
Version: 1.0
Effective from: 2025-01-01
Owner: Founder / CEO
Review cycle: Annual
Purpose
Ensure that changes to production systems are assessed, authorised, and documented to prevent unintended disruption or security degradation.
Change categories
| Category | Examples | Authorization required |
|---|---|---|
| Standard (pre-approved) | Dependency updates, documentation, non-logic configuration | PR review + CI pass |
| Normal | New features, schema migrations, new collectors | PR review + CI pass + self-review checklist |
| Emergency | Critical security patch (CVE), production break | Deploy immediately, document within 24h |
| Major | New service, new trust boundary, new data category | PR review + threat model update + rollout plan |
Change process
- Plan — Create PR with description of the change and its motivation
- Review — Self-review using the code review checklist (Secure Development Policy)
- Test — CI: `bun run typecheck:all && bun run test:all`
- Approve — Merge requires at least one approving review (founder is sole approver during solo phase)
- Deploy — `bun run deploy` via guarded deploy script (requires clean tree vs origin/main)
- Verify — `bun run compliance:dev` and post-deploy evidence check
Deploy guard
All Cloudflare Worker deployments go through shared/agent-config/scripts/deploy-guarded.sh which refuses wrangler deploy if any tracked file differs from origin/main. This prevents deploying local divergent state.
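The kind of check such a guard performs can be sketched as follows. This is an added example, not the contents of deploy-guarded.sh; the function names (`check_clean_vs_origin`, `guarded_run`, `make_demo_repo`) and the choice of git commands are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration only; this is not the contents of deploy-guarded.sh.
# check_clean_vs_origin REPO [REMOTE] [BRANCH]
# Returns 0 = tracked files match REMOTE/BRANCH, 1 = they differ, 2 = cannot verify.
check_clean_vs_origin() {
    repo=$1 remote=${2:-origin} branch=${3:-main}
    ref="refs/remotes/$remote/$branch"
    # Refresh the remote-tracking ref; fail closed if the remote is unreachable.
    git -C "$repo" fetch --quiet "$remote" 2>/dev/null || return 2
    git -C "$repo" rev-parse --verify --quiet "$ref^{commit}" >/dev/null || return 2
    # Working tree vs. the remote commit: catches uncommitted edits, staged files,
    # unpushed commits and a checkout that is behind the remote.
    git -C "$repo" diff --quiet "$ref" -- || return 1
    # Index vs. the remote commit: catches staged changes that were reverted on disk.
    git -C "$repo" diff --cached --quiet "$ref" -- || return 1
    return 0
}

# guarded_run REPO CMD [ARGS...]: run CMD inside REPO only when the check passes.
guarded_run() {
    repo=$1; shift
    if ! check_clean_vs_origin "$repo"; then
        echo "refusing '$*': $repo differs from origin/main or cannot be verified" >&2
        return 1
    fi
    ( cd "$repo" && "$@" )
}

# make_demo_repo: build a throwaway bare "origin" plus a work tree (constructed
# sample data) and print the temp directory that holds both.
make_demo_repo() {
    d=$(mktemp -d) || return 1
    {
        git init -q --bare "$d/origin.git" &&
        git init -q "$d/work" &&
        git -C "$d/work" symbolic-ref HEAD refs/heads/main &&
        echo 'export default {}' > "$d/work/worker.js" &&
        git -C "$d/work" add worker.js &&
        git -C "$d/work" -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false commit -q -m init &&
        git -C "$d/work" remote add origin "$d/origin.git" &&
        git -C "$d/work" push -q origin main
    } >/dev/null 2>&1 || return 1
    echo "$d"
}
# Usage (hypothetical wiring): guarded_run . wrangler deploy
```

Untracked files are not compared, which matches the policy's "tracked file" wording; a guard that should also reject stray untracked files would need an additional check.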
Schema migrations
D1 migrations are numbered sequentially (migrations/NNNN_*.sql) and applied via wrangler d1 migrations apply. Migrations are append-only; no destructive column drops.
Rollback
- Worker code: Deploy previous version via `wrangler rollback`
- Schema: Rollback migrations are not supported in D1; design migrations to be additive
- Evidence: Evidence objects are immutable (R2 Object Lock); no rollback needed
Evidence
| Collector | Cadence | Control |
|---|---|---|
| `merge-activity` | Daily | A.8.25, A.8.32 |
| `deployments` | Weekly | A.5.8, A.8.32 |
| `branch-protection` | Daily | A.8.19, A.8.25, A.8.31 |