Release assurance, without pretending provenance is complete.

Current state

Staging Bundle Backed Manual Rollout Only

Approval mode

Manual Workflow Dispatch With Human Initiation. Scope: Staging Rollout Only.

Release and artifact identity

Release version source: Workflow Dispatch Ref Resolved To Checked Out Commit Sha. Artifact set source: Workflow Run Or Local Commit Scoped Release Artifact Set. Source revision source: Checked Out Commit Sha After Actions Checkout.

Provenance and signing

Digest source: Generated Release Evidence Bundle Sha256 Snapshots. Provenance: Per Run Bundle Generated Not Signed. Signing: Unsigned No External Attestation.

Required tracking policies

release_tracking_policy.render_staging_rollout.bundle_identity

Required authority policies

release_approval_authority.render_staging_rollout.manual_dispatch

Required promotion policies

release_promotion_policy.render_staging_rollout.explicit_stage_ladder

Required rollback policies

release_rollback_policy.render_staging_rollout.documented_ref

Required smoke policies

release_smoke_verification.render_staging_rollout.web_edge

Required attestation policies

attestation_policy.release_bundle_minimum_lineage

Required attestation-artifact policies

release_attestation_artifact.render_staging_rollout.bundle_lineage_snapshot

Execution posture

Test: Repo Devnet And Staging Checks Linked. Canary: No Separate Canary Stage Recorded. Production: Staging Only Not Production.

Required canary rules

none

Required bundle phases

Pre Deploy Candidate; Post Deploy Smoke Verified

Bundle output

artifacts/release-evidence/staging/<github.run_id>/{pre-deploy,post-deploy}

Rollback target

docs/render-deployment-contract.md and docs/deployment-runbook.md

Current blockers

Attestation policy now defines required lineage fields, but current per-run release-evidence bundles are still unsigned and local-snapshot based rather than externally attested provenance.; Formal staging attestation-artifact policy now exists, but no checked-in staging attestation artifact record exists yet.; Formal staging release-evidence-linkage policy now exists, but no checked-in staging linkage record exists yet.; Formal staging release-record-adoption policy now exists, but no checked-in staging adoption record exists yet.; Formal staging approval-authority policy now exists, but no checked-in staging authority record exists yet.; Formal staging promotion policy now exists, but no checked-in staging promotion record exists yet.; Formal staging rollback policy now exists, but no checked-in trusted staging rollback target record exists yet.; Formal staging smoke-verification policy now exists, but no checked-in staging smoke verification record exists yet.; This record only documents the guarded staging rollout path and must not be used as a production launch approval.

Current state

Production Rollout Workflow Defined Launch Blocked

Approval mode

Manual Rollout Workflow With Explicit Human Approval. Scope: Guarded Production Rollout Defined But Not Approved.

Release and artifact identity

Release version source: Workflow Dispatch Ref Resolved To Checked Out Commit Sha. Artifact set source: Workflow Run Or Local Commit Scoped Release Artifact Set. Source revision source: Checked Out Commit Sha After Actions Checkout.

Provenance and signing

Digest source: Generated Release Evidence Bundle Sha256 Snapshots. Provenance: Pre And Post Deploy Bundles Defined Not Signed. Signing: Unsigned No Production Attestation.

Required tracking policies

release_tracking_policy.render_production_launch.bundle_identity

Required authority policies

release_approval_authority.render_production_launch.manual_rollout

Required promotion policies

release_promotion_policy.render_production_launch.explicit_stage_ladder

Required rollback policies

release_rollback_policy.render_production_launch.documented_ref

Required smoke policies

release_smoke_verification.render_production_launch.web_edge

Required attestation policies

attestation_policy.release_bundle_minimum_lineage; attestation_policy.render_production_launch_signed_or_attested_release

Required attestation-artifact policies

release_attestation_artifact.render_production_launch.bundle_lineage_snapshot; release_attestation_artifact.render_production_launch.signed_or_attested_release

Execution posture

Test: Repo Devnet Production Contract Smoke And Private Dashboard Environment Key Path Linked. Canary: Canary Rules Defined No Live Canary Smoke Or Dashboard Environment Key Record. Production: Rollout Workflow Defined Launch Blocked.

Required canary rules

canary_rule.render_production_allowlisted_web_edge_rollout

Required bundle phases

Pre Deploy Candidate; Post Deploy Smoke Verified

Bundle output

artifacts/release-evidence/production/<github.run_id>/{pre-deploy,post-deploy}

Rollback target

docs/render-deployment-contract.md and docs/deployment-runbook.md

Current blockers

Guarded production-candidate and production rollout workflows now exist, but no live production canary or smoke record exists yet.; The private dashboard environment-key proof is now a production launch-window requirement: production web must route devnet and mainnet-beta requests through the one production API, one signed-in account and one project must create separate cluster-bound keys, and no devnet key may be mutated into a mainnet-beta key before live approval.; Formal production attestation, release-attestation-artifact, release-tracking, release-evidence-linkage, release-record-adoption, release-approval-authority, release-smoke-verification, release-rollback, and release-promotion policies now exist, and first checked-in local or synthetic proof records now exist across the production attestation, tracking, linkage, adoption, authority, promotion, smoke-verification, and rollback families, but no signed provenance, live workflow-backed production release evidence, or nonzero production approval record exists yet.; No production compatibility certification evidence exists yet.

Ring

Bounded Operator Initiated Canary

Traffic boundary

Allowlisted Review And Operator Checks Only

Rollout strategy

Manual Ref Pinned Render Hook Rollout With Post Deploy Web Smoke

Surfaces

Web Review Page; Web Operator Page; Web Dashboard Projects Page

Required evidence

evidence.production.cloud_preflight; evidence.production.render_candidate_workflow; evidence.production.dashboard_environment_key_flow_private; evidence.production.web_edge_smoke_path; evidence.production.render_rollout_workflow

Verification notes

Use the public web edge for a narrow review and operator verification ring after deploy rather than widening traffic by default.; Privately prove the dashboard environment-key path through the production web service after the one production API multi-cluster routing is configured and verified.; Treat this as a manual operator-initiated canary rule for the current production rollout path, not as proof of general production approval.

Prohibited claims

No signed provenance, formal production approval, or universal production support claim is allowed from this rule alone.; No broader compatibility or partner-support claim may be inferred from a bounded canary rule.

Stages

Staging; Production

Fulfillment

Policy Defined Release Bundles Still Unsigned

Required identity claims

Source Revision; Build Workflow; Builder Identity; Artifact Digest; Dependency Snapshot

Required promotion stages

Build Complete; Artifact Verified

Verification requirement

Release Bundle Digests And Selected Ref Context Must Be Recorded And Checkable Before Rollout

Rollback requirement

Rollback Targets Must Stay Versioned And Documented Until Signed Or Attested Artifacts Exist

Required before production approval

no

Attestation evidence recorded

no

Current blockers

Required lineage fields are now explicit, but no release bundle is currently signed or externally attested.

Stages

Production

Fulfillment

Policy Defined Zero Signed Or Attested Production Records

Required identity claims

Source Revision; Build Workflow; Builder Identity; Artifact Digest; Dependency Snapshot

Required promotion stages

Build Complete; Artifact Verified; Artifact Signed Or Attested; Candidate Tested; Canary Approved; Production Approved; Production Deployed; Post Deploy Verified

Verification requirement

Production Artifacts Must Be Signed Or Cryptographically Verifiable And Match The Intended Release Artifact

Rollback requirement

Rollback Targets Must Be Known Good Versioned Signed Or Attested Artifacts

Required before production approval

yes

Attestation evidence recorded

no

Current blockers

No signed provenance or external attestation artifact is currently recorded for production.; Production approval must remain zero until operators can verify the deployed artifact against the intended signed or attested release.

Current artifact status

Artifact Policy Defined No Checked In Staging Attestation Records

Required bundle phases

Pre Deploy Candidate; Post Deploy Smoke Verified

Required identity claims

Source Revision; Build Workflow; Builder Identity; Artifact Digest; Dependency Snapshot

Verification required

no

Required before production approval

no

Current artifact status

Artifact Policy Defined Checked In Local Or Synthetic Production Lineage Attestation Records Present

Required bundle phases

Pre Deploy Candidate; Post Deploy Smoke Verified

Required identity claims

Source Revision; Build Workflow; Builder Identity; Artifact Digest; Dependency Snapshot

Verification required

no

Required before production approval

no

Current artifact status

Artifact Policy Defined Zero Checked In Signed Or Attested Production Records

Required bundle phases

Pre Deploy Candidate; Post Deploy Smoke Verified

Required identity claims

Source Revision; Build Workflow; Builder Identity; Artifact Digest; Dependency Snapshot

Verification required

yes

Required before production approval

yes

Artifact name

render_staging_rollout_release_evidence_bundle

Artifact type

Release Evidence Bundle

Current tracking status

Tracking Policy Defined No Checked In Release Records

Required identity fields

Artifact Name; Artifact Type; Artifact Version; Source Revision; Release Evidence Origin Class; Build Pipeline Identifier; Build Timestamp; Artifact Digest; Release Channel; Signing Status; Provenance Status; Dependency Snapshot Reference

Required bundle phases

Pre Deploy Candidate; Post Deploy Smoke Verified

Artifact set strategy

Stage Gate Release Ref Workflow Run Identity Without Phase

Release identity rule

One Release Version Maps To One Artifact Set Within Gate And Release Channel

Hotfix rule

Distinct Release Version Required With Documented Bypass Notes If Any

Notes

Current checked-in automation can generate phase-specific staging release-evidence bundles keyed to a stable artifact-set identity, but no checked-in staging release record ledger exists yet.

Artifact name

render_production_launch_release_evidence_bundle

Artifact type

Release Evidence Bundle

Current tracking status

Tracking Policy Defined Checked In Local Or Synthetic Production Release Records Present

Required identity fields

Artifact Name; Artifact Type; Artifact Version; Source Revision; Release Evidence Origin Class; Build Pipeline Identifier; Build Timestamp; Artifact Digest; Release Channel; Signing Status; Provenance Status; Dependency Snapshot Reference

Required bundle phases

Pre Deploy Candidate; Post Deploy Smoke Verified

Artifact set strategy

Stage Gate Release Ref Workflow Run Identity Without Phase

Release identity rule

One Release Version Maps To One Artifact Set Within Gate And Release Channel

Hotfix rule

Distinct Release Version Required With Documented Bypass Notes If Any

Notes

Current checked-in automation can generate phase-specific production candidate or rollout bundles keyed to a stable artifact-set identity, and one checked-in local or synthetic proof production release record now exists, but no live workflow-backed production release record or signed artifact record exists yet.

Current linkage status

Linkage Policy Defined No Checked In Staging Linkage Records

Required bundle phases

Pre Deploy Candidate; Post Deploy Smoke Verified

Required shared identity fields

Approval Record Id; Gate Id; Artifact Version; Artifact Set Id; Source Revision; Release Evidence Origin Class; Deployment Stage; Release Channel

Shared identity strategy

Approval Record Gate Artifact Version Artifact Set Source Revision Origin Class Stage And Channel Must Match Across Linked Record Families

Approval-ready bundle phase

not applicable

Linked record families

Pre Deploy Candidate: Release Tracking Record; Release Attestation Record; Release Approval Authority Record; Release Promotion Record; Release Rollback Target Record | Post Deploy Smoke Verified: Release Tracking Record; Release Attestation Record; Release Approval Authority Record; Release Promotion Record; Release Smoke Verification Record; Release Rollback Target Record

Notes

Current staging bundle generation can emit phase-specific linkage records tying tracking, attestation, approval-authority, promotion, rollback, and smoke record families to one artifact set, but no checked-in staging linkage record ledger exists yet.

Current linkage status

Linkage Policy Defined Checked In Local Or Synthetic Production Linkage Records Present

Required bundle phases

Pre Deploy Candidate; Post Deploy Smoke Verified

Required shared identity fields

Approval Record Id; Gate Id; Artifact Version; Artifact Set Id; Source Revision; Release Evidence Origin Class; Deployment Stage; Release Channel

Shared identity strategy

Approval Record Gate Artifact Version Artifact Set Source Revision Origin Class Stage And Channel Must Match Across Linked Record Families

Approval-ready bundle phase

Post Deploy Smoke Verified

Linked record families

Pre Deploy Candidate: Release Tracking Record; Release Attestation Record; Release Approval Authority Record; Release Promotion Record; Release Rollback Target Record | Post Deploy Smoke Verified: Release Tracking Record; Release Attestation Record; Release Approval Authority Record; Release Promotion Record; Release Smoke Verification Record; Release Rollback Target Record

Notes

Current production candidate and rollout bundle generation can emit phase-specific linkage records tying tracking, attestation, approval-authority, promotion, rollback, and smoke record families to one artifact set, and one checked-in local or synthetic proof production linkage record now exists, but no live workflow-backed production linkage record exists yet.

Current adoption status

Adoption Policy Defined No Checked In Staging Adoption Records

Required bundle phases

Pre Deploy Candidate; Post Deploy Smoke Verified

Required adoption evidence

Source Bundle Artifact Reference; Review Contract Artifact Reference; Generated Record Artifact References; Release Evidence Origin Class; Adoption Review Reference; Adopter Identity; Adopted Record Ids; Source Bundle Policy Version Dependencies; Current Policy Version Dependencies; Policy Version Dependency Status

Adopted record families

Pre Deploy Candidate: Release Tracking Record; Release Evidence Linkage Record; Release Attestation Record; Release Approval Authority Record; Release Promotion Record; Release Rollback Target Record | Post Deploy Smoke Verified: Release Tracking Record; Release Evidence Linkage Record; Release Attestation Record; Release Approval Authority Record; Release Promotion Record; Release Smoke Verification Record; Release Rollback Target Record

Source artifact SHA strategy

Source Bundle And Generated Record Artifact Sha256 Must Match Before Checked In Adoption

Policy snapshot match strategy

Source Bundle Release Assurance Policy Version Dependencies Must Match Current Registry Snapshot Sha256 Before Checked In Adoption

Adoption review strategy

Human Review Reference Named Adopter And Review Contract Artifact Reference Required Before Generated Records Are Treated As Checked In Release Truth

Importer script

scripts/import-release-record-adoption.mjs

Reviewed apply script

scripts/apply-release-record-adoption.mjs

Approval-ready bundle phase

not applicable

Notes

Current staging bundle generation can emit machine-readable adoption candidates with exact bundle, record-artifact sha256, and live-versus-proof origin references, and canonical importer plus reviewed-apply paths now enforce current policy snapshot matching plus reviewed-contract artifact traceability before checked-in adoption, but no checked-in staging adoption ledger exists yet.

Current adoption status

Adoption Policy Defined Checked In Local Or Synthetic Production Adoption Records Present

Required bundle phases

Pre Deploy Candidate; Post Deploy Smoke Verified

Required adoption evidence

Source Bundle Artifact Reference; Review Contract Artifact Reference; Generated Record Artifact References; Release Evidence Origin Class; Adoption Review Reference; Adopter Identity; Adopted Record Ids; Source Bundle Policy Version Dependencies; Current Policy Version Dependencies; Policy Version Dependency Status

Adopted record families

Pre Deploy Candidate: Release Tracking Record; Release Evidence Linkage Record; Release Attestation Record; Release Approval Authority Record; Release Promotion Record; Release Rollback Target Record | Post Deploy Smoke Verified: Release Tracking Record; Release Evidence Linkage Record; Release Attestation Record; Release Approval Authority Record; Release Promotion Record; Release Smoke Verification Record; Release Rollback Target Record

Source artifact SHA strategy

Source Bundle And Generated Record Artifact Sha256 Must Match Before Checked In Adoption

Policy snapshot match strategy

Source Bundle Release Assurance Policy Version Dependencies Must Match Current Registry Snapshot Sha256 Before Checked In Adoption

Adoption review strategy

Human Review Reference Named Adopter And Review Contract Artifact Reference Required Before Generated Records Are Treated As Checked In Release Truth

Importer script

scripts/import-release-record-adoption.mjs

Reviewed apply script

scripts/apply-release-record-adoption.mjs

Approval-ready bundle phase

Post Deploy Smoke Verified

Notes

Current production candidate and rollout bundle generation can emit machine-readable adoption candidates with exact bundle, record-artifact sha256, and live-versus-proof origin references, and canonical importer plus reviewed-apply paths now enforce current policy snapshot matching plus reviewed-contract artifact traceability before checked-in adoption. One checked-in local or synthetic proof production adoption record now exists, but no live workflow-backed production adoption record exists yet.

Current authority status

Authority Policy Defined No Checked In Staging Authority Records

Human approval required

yes

Approver identity required before production approval

no

Approved automation reference allowed

yes

Allowed authority kinds

Workflow Dispatch Actor And Workflow Reference; Approved Workflow Reference Only; Local Manual Reference Only

Required authority evidence

Approval Mode; Approval Scope; Approval Reference; Authority Kind; Approver Identity Or Automation Reference

Authority reference strategy

Github Actor If Present Else Workflow Name And Run Id Else Local Trigger Source

Promotion policy linkage

release_promotion_policy.render_staging_rollout.explicit_stage_ladder

Notes

Current automation can snapshot staging workflow reference and optional actor identity into release bundles, but no checked-in staging approval-authority record ledger exists yet.

Current authority status

Authority Policy Defined Checked In Local Or Synthetic Production Authority Records Present

Human approval required

yes

Approver identity required before production approval

yes

Approved automation reference allowed

yes

Allowed authority kinds

Workflow Dispatch Actor And Workflow Reference; Approved Workflow Reference Only; Local Manual Reference Only

Required authority evidence

Approval Mode; Approval Scope; Approval Reference; Authority Kind; Approver Identity Or Automation Reference

Authority reference strategy

Github Actor If Present Else Workflow Name And Run Id Else Local Trigger Source

Promotion policy linkage

release_promotion_policy.render_production_launch.explicit_stage_ladder

Notes

Current automation can snapshot production workflow reference and optional actor identity into release bundles, and one checked-in local or synthetic proof production approval-authority record now exists, but no live workflow-backed production authority record or production approval exists yet.

Current promotion status

Promotion Policy Defined No Checked In Staging Promotion Records

Required promotion stages

Build Complete; Artifact Verified; Candidate Tested; Post Deploy Verified

Manual promotion stages

Artifact Signed Or Attested; Canary Approved; Production Approved; Production Deployed

Approval reference strategy

Workflow Name And Run Id Or Local Manual Trigger Source

Compatibility matrix strategy

Generated Compatibility Matrix Snapshot Reference

Policy dependency strategy

Registry Snapshot Sha256 References For Attestation Tracking Smoke Rollback And Promotion Policies

Attestation policies

attestation_policy.release_bundle_minimum_lineage

Notes

Current checked-in automation can snapshot explicit staging promotion-stage state into release bundles, but no checked-in staging promotion record ledger exists yet.

Current promotion status

Promotion Policy Defined Checked In Local Or Synthetic Production Promotion Records Present

Required promotion stages

Build Complete; Artifact Verified; Artifact Signed Or Attested; Candidate Tested; Canary Approved; Production Approved; Production Deployed; Post Deploy Verified

Manual promotion stages

Artifact Signed Or Attested; Canary Approved; Production Approved

Approval reference strategy

Workflow Name And Run Id Or Local Manual Trigger Source

Compatibility matrix strategy

Generated Compatibility Matrix Snapshot Reference

Policy dependency strategy

Registry Snapshot Sha256 References For Attestation Tracking Smoke Rollback And Promotion Policies

Attestation policies

attestation_policy.release_bundle_minimum_lineage; attestation_policy.render_production_launch_signed_or_attested_release

Notes

Current checked-in automation can snapshot explicit production promotion-stage state into candidate or rollout bundles, and one checked-in local or synthetic proof production promotion record now exists, but no live workflow-backed production promotion record exists yet.

Rollback target kind

Documented Release Ref And Runbook Reference

Current rollback status

Rollback Policy Defined No Checked In Trusted Staging Rollback Targets

Required bundle phases

Pre Deploy Candidate; Post Deploy Smoke Verified

Required rollback fields

Artifact Version; Artifact Set Id; Rollback Target Reference; Source Revision; Rollback Preparation Reference; Rollback Verification Status; Trusted Artifact Status; Rollback Operator Confirmation; Dependency Snapshot Reference

Reference strategy

Selected Release Ref Plus Checked In Staging Runbook Paths

Verification strategy

Manual Workflow Dispatch And Operator Confirmation Before Use

Trusted artifact requirement

Known Good Versioned Documented Ref Until Signed Or Attested Artifacts Exist

Rollback references

docs/render-deployment-contract.md; docs/deployment-runbook.md

Notes

Current checked-in automation can snapshot rollback references into staging release-evidence bundles, but no checked-in trusted staging rollback target records exist yet.

Rollback target kind

Documented Release Ref And Runbook Reference

Current rollback status

Rollback Policy Defined Checked In Local Or Synthetic Production Rollback Targets Present

Required bundle phases

Pre Deploy Candidate; Post Deploy Smoke Verified

Required rollback fields

Artifact Version; Artifact Set Id; Rollback Target Reference; Source Revision; Rollback Preparation Reference; Rollback Verification Status; Trusted Artifact Status; Rollback Operator Confirmation; Dependency Snapshot Reference

Reference strategy

Selected Release Ref Plus Checked In Production Runbook Paths

Verification strategy

Manual Workflow Dispatch And Operator Confirmation Before Use

Trusted artifact requirement

Known Good Versioned Signed Or Attested Artifact Before Production Approval

Rollback references

docs/render-deployment-contract.md; docs/deployment-runbook.md

Notes

Current checked-in automation can snapshot rollback references into production candidate or rollout release-evidence bundles, and one checked-in local or synthetic proof production rollback-target record now exists, but no live workflow-backed trusted production rollback target record or signed rollback artifact exists yet.

Smoke evidence

evidence.staging.web_edge_smoke

Verification kind

Web Edge Post Deploy Smoke

Current verification status

Policy Defined No Checked In Staging Smoke Records

Required bundle phases

Post Deploy Smoke Verified

Required smoke checks

Web Public Openapi Asset Available; Web Public Llms Asset Available; Web Public Llms Full Asset Available; Web Public Robots Asset Available; Web Public Sitemap Asset Available; Web Review Page Available; Web Proxy Health Ok; Web Public Config Available; Web Operator Session Unlocks; Web Operator Metrics Proxy Available

Operator session required

yes

Notes

Current checked-in automation can run staging web-edge smoke and emit a per-run smoke summary artifact, but no checked-in staging smoke verification records exist yet.

Smoke evidence

evidence.production.web_edge_smoke_path

Verification kind

Web Edge Post Deploy Smoke

Current verification status

Policy Defined Checked In Local Or Synthetic Production Smoke Records Present

Required bundle phases

Post Deploy Smoke Verified

Required smoke checks

Web Public Openapi Asset Available; Web Public Llms Asset Available; Web Public Llms Full Asset Available; Web Public Robots Asset Available; Web Public Sitemap Asset Available; Web Review Page Available; Web Proxy Health Ok; Web Public Config Available; Web Operator Session Unlocks; Web Operator Metrics Proxy Available

Operator session required

yes

Notes

Current checked-in automation can run production web-edge smoke and emit a per-run smoke summary artifact, and one checked-in local or synthetic proof production smoke verification record now exists, but no live workflow-backed production smoke verification record exists yet.

Kind

Github Actions Workflow

Status

Implemented Initial

Stages

repo; staging; production

Provenance status

Preproduction Workflow Only

Production grade

no

Notes

This proves repo integrity and generated-doc freshness for a checked-out commit. It is not a production release bundle.

Kind

Generated Provenance Baseline

Status

Implemented Initial

Stages

repo; staging; production

Provenance status

Local Hash Baseline Only

Production grade

no

Notes

This captures exact hashes of the checked-in build and rollout inputs. It improves traceability, but it is not a signed or externally attested provenance bundle.

Kind

Local Rehearsal

Status

Implemented Initial

Stages

local

Provenance status

Not A Release Bundle

Production grade

no

Notes

This is the strongest localhost rehearsal path and should stay local-first, but it does not certify staging or production support.

Kind

Github Actions Workflow

Status

Implemented Initial

Stages

devnet; staging; production

Provenance status

Preproduction Workflow Only

Production grade

no

Notes

This captures live rehearsal of the supported transfer ladder and current swap-review boundaries on Solana devnet.

Kind

Preflight Script

Status

Implemented Initial

Stages

staging

Provenance status

Pre Deploy Contract Check Only

Production grade

no

Notes

This validates the checked-in staging env contract before any Render deploy hooks are triggered.

Kind

Post Deploy Smoke

Status

Implemented Initial

Stages

staging

Provenance status

Post Deploy Smoke Only

Production grade

no

Notes

This verifies the intended private-API web-edge topology after a staging deploy and now unlocks the deliberate staging site-access gate before checking the bounded public-looking surfaces.

Kind

Browser Runtime Acceptance Export

Status

Implemented Initial

Stages

local; staging

Provenance status

Manual Browser Runtime Export Only

Production grade

no

Notes

This captures trusted browser-side runtime evidence for the preview extension popup-review surface from the install runtime lab. It improves local and staging acceptance truth, but it is not a production-grade workflow or broad browser-device certification.

Kind

Github Actions Workflow

Status

Implemented Initial

Stages

staging

Provenance status

Staging Rollout Only

Production grade

no

Notes

This is a guarded staging rollout path. It is not a production launch workflow and must not be described as production release evidence.

Kind

Preflight Script

Status

Implemented Initial

Stages

production

Provenance status

Pre Deploy Contract Check Only

Production grade

no

Notes

This validates the checked-in production env contract before any future production deploy path is considered. It does not prove a live production rollout.

Kind

Github Actions Workflow

Status

Implemented Initial

Stages

production

Provenance status

Production Candidate Bundle Only

Production grade

no

Notes

This is a guarded production-candidate verification path. It validates the checked-in production contract and generates a release-evidence bundle, but it does not trigger production deploy hooks, prove live smoke, or grant production launch approval.

Kind

Private Dashboard Acceptance Proof

Status

Defined Launch Window Manual Proof Pending

Stages

production

Provenance status

Production Manual Private Acceptance Defined Not Executed

Production grade

no

Notes

This proof is intentionally launch-window only because it exercises the one production API multi-cluster dashboard architecture. It must verify one-login project-level key management, separate devnet and mainnet-beta API-key scope, and no cross-cluster key mutation. It must not be treated as satisfied by docs alone or by a direct staging-web test.

Kind

Github Actions Workflow

Status

Implemented Initial

Stages

staging; production

Provenance status

Live Runtime Boundary Proof Only

Production grade

no

Notes

This workflow captures workflow-backed signer-boundary evidence for the selected environment by proving live signer `/health` and authenticated `/v1/solana/keys` consistency against the expected key reference and signer address. It does not deploy the signer, prove web-edge rollout health, or grant production launch approval.

Kind

Post Deploy Smoke Path

Status

Implemented Initial

Stages

production

Provenance status

Production Smoke Path Defined Not Executed

Production grade

no

Notes

This defines the intended production web-edge smoke contract for a guarded rollout workflow, but it is not itself a recorded live production smoke result or launch approval.

Kind

Github Actions Workflow

Status

Implemented Initial

Stages

production

Provenance status

Production Rollout Workflow Defined Not Approved

Production grade

no

Notes

This is a guarded production rollout path with pre-deploy bundle generation, deploy-hook triggering, and post-deploy web-edge smoke steps. It does not by itself grant production approval, live canary approval, or signed provenance.