cfec11bb46
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
stop-slop, taste-skill, terrashark had embedded .git dirs causing Woodpecker clone to fail on submodule update.
1.8 KiB
1.8 KiB
Blast Radius
Use this guide to limit impact scope for changes, failures, and rollbacks.
Symptoms
- tiny change triggers very large plan
- unrelated services share one state and fail together
- production and non-production are entangled
- review/approval ownership is unclear
Boundary model
Split along:
- ownership boundaries
- change cadence boundaries
- recovery boundaries
If these differ, split stack/state.
Architecture patterns
- platform foundation stack (network, identity, shared controls)
- service stack(s) per business workload
- bootstrap stack for backend/state prerequisites
Do not combine all of them in one root.
State isolation rules
- one backend key per isolated stack/environment
- dedicated lock scope per stack
- backup/versioning required for production states
- no shared prod/non-prod state files
Environment separation options
- separate directories + separate backend keys
- workspace per environment (only with strict governance)
- separate repositories for hard regulatory segregation
Apply governance
- serialize applies to shared foundations
- require explicit approval for production and destructive plans
- block auto-apply for high-impact stacks
Example structure
infra/
bootstrap/
platform/
dev/
prod/
services/
billing/
dev/
prod/
catalog/
dev/
prod/
LLM mistake checklist
Common model mistakes to correct:
- proposes one monolithic root for convenience
- recommends workspace-only isolation without access controls
- mixes blast radius discussion with purely stylistic concerns
- omits rollback path for shared foundation changes
Verification checks
- does plan only touch intended stack?
- does state key scope match ownership boundary?
- is rollback path documented for this apply?