Deployment
Overview
Deployment of built artifacts requires mandatory safety gates. This skill reads deployment instructions from the .deploy/ directory and enforces a structured safety process around them.
Three-part model:
| Concern | Location | Role |
|---|---|---|
| What to deploy | GOAL.md | Declares deployment intent ("deploy the app to staging") |
| How to deploy | .deploy/ | Contains deployment commands, targets, health checks, rollback procedures |
| Safely deploying | This skill | Enforces safety gates, checklists, and rollback planning |
Core principle: No artifact leaves the build environment without passing every gate. No deployment proceeds without a rollback plan. All deployment instructions come from .deploy/.
Violating the letter of this rule is violating the spirit of this rule.
Announce at start: "I'm using the deployment skill to ensure safe artifact deployment."
Activation Rule
This skill is MANDATORY when GOAL.md contains any deployment intent. Scan GOAL.md for:
- Deployment verbs: deploy, ship, release, publish, push, distribute, deliver, roll out
- Artifact nouns: binary, container, image, package, bundle, executable, build output, artifact
- Target nouns: server, cloud, production, staging, environment, cluster, host, instance, registry
If ANY of these appear in GOAL.md in the context of deploying a built artifact, this skill must be loaded and followed. No exceptions.
Not applicable when:
- GOAL.md only mentions building (no deployment target)
- GOAL.md only mentions testing (no deployment step)
- Changes are documentation-only
Process
Step 0: Load Deployment Instructions
Before any gates, read .deploy/ to understand the deployment procedure.
Read the contents of the .deploy/ directory at the repository root. From it, extract:
- What artifact is being deployed (name, build command, output path)
- Where it is going (target environment, host, registry)
- How to deploy it (commands, scripts, pipelines)
- How to verify it (health check endpoints, smoke test commands)
- How to roll back (rollback commands, previous version restore procedure)
If .deploy/ contains environment-specific subdirectories, identify which environment GOAL.md is targeting and read the relevant subdirectory.
If .deploy/ does not exist:
- Scan the project structure and GOAL.md to understand the deployment context
- Draft a
.deploy/README.mdwith deployment instructions based on what you can infer from the project (build system, artifact type, any deployment hints in the codebase) - Present the draft to the user for review
- STOP. Do not proceed with deployment until the user confirms the
.deploy/contents are correct.
The skill never guesses deployment commands at execution time. All deployment commands must be documented in .deploy/ and confirmed by the user before any deployment proceeds.
.deploy/ check:
directory exists: [YES/DRAFTING]
instructions loaded: [YES/NO]
artifact identified: [YES/NO]
target identified: [YES/NO]
deploy command found: [YES/NO]
rollback found: [YES/NO]
health check found: [YES/NO]
ALL must show YES before proceeding to Step 1.
DRAFTING = draft .deploy/README.md, present to user, STOP until confirmed.
Step 1: Pre-Deployment Gate
No deployment proceeds until ALL gates pass.
- Tests pass - Run the full test suite. Fresh run, not cached results.
- Build succeeds - Build the artifact from clean state. Exit code 0.
- Linter clean - No lint errors or warnings in shipped code.
- completionGateScript passes - If GOAL.md defines a
completionGateScript, run it and verify it passes. - Version/tag is set - Artifact version matches intended release.
- No debug configuration - Debug flags, dev endpoints, test credentials are removed from the artifact.
Gate check:
tests: [PASS/FAIL]
build: [PASS/FAIL]
lint: [PASS/FAIL]
completionGate: [PASS/FAIL/N/A]
version: [SET/MISSING]
debug config: [CLEAN/FOUND]
ALL must show PASS/SET/CLEAN before proceeding.
Any FAIL/MISSING/FOUND = STOP. Fix before continuing.
Step 2: Artifact Verification
Verify the artifact at the path specified in .deploy/.
- Artifact exists - The built artifact is present at the path documented in
.deploy/. - Artifact is correct version - Version string/tag in artifact matches what was intended.
- Artifact integrity - Record checksum (SHA256) of the artifact for verification.
- Artifact size sanity - Size is within expected range (not suspiciously small or large).
- No dev/test artifacts - Only production artifacts are included in the deployment package.
Step 3: Environment Validation
Validate the target environment documented in .deploy/. Use the validation commands from .deploy/ if provided.
- Target environment is accessible - Can reach the deployment target (SSH, API, registry).
- Required services available - Dependencies (database, cache, queue) are running.
- Configuration is correct - Environment variables, secrets, and config files match the target environment.
- Sufficient resources - Disk space, memory, CPU are adequate.
- No active incidents - Target environment is not currently experiencing issues.
Environment check:
target reachable: [YES/NO]
services up: [YES/NO]
config validated: [YES/NO]
resources ok: [YES/NO]
no incidents: [YES/NO]
ALL must show YES before proceeding.
Step 4: Rollback Plan
MANDATORY. No deployment without a documented rollback.
Use the rollback procedure from .deploy/ as the basis. Verify it is complete and current.
- Current state recorded - Document what is currently deployed (version, config, state).
- Rollback procedure documented -
.deploy/contains step-by-step instructions to revert. - Rollback tested or verified possible - Confirm the rollback mechanism works.
- Rollback trigger defined - What conditions trigger a rollback (error rate, health check failure, etc.).
- Time estimate - How long will rollback take?
If .deploy/ does not include rollback instructions, STOP. Add rollback instructions to .deploy/ and get user confirmation before proceeding.
Step 5: Deployment Execution
Execute the deployment command documented in .deploy/.
- Announce deployment - Notify stakeholders that deployment is starting.
- Execute deployment command - Run the exact command from
.deploy/. Do not improvise. - Monitor for errors - Watch deployment output for failures.
- Log deployment - Record what was deployed, when, and by whom.
Deployment log:
artifact: [name and version]
target: [environment from .deploy/]
command: [command from .deploy/]
started: [timestamp]
completed: [timestamp]
status: [SUCCESS/FAILED]
deployed by: [agent/user]
If deployment fails: Stop. Do NOT retry blindly. Investigate the failure. If the failure is understood and fixable, fix and restart from Step 1.
Step 6: Post-Deployment Verification
Run the health checks and verification steps documented in .deploy/.
- Service is running - The deployed artifact is executing.
- Health checks pass - All health/readiness endpoints from
.deploy/return healthy. - Key functionality works - Smoke test critical paths as documented in
.deploy/. - No error spikes - Error rates are within normal range.
- Performance acceptable - Response times and throughput are within SLA.
Post-deployment verification:
service running: [YES/NO]
health checks: [PASS/FAIL]
smoke tests: [PASS/FAIL]
error rate: [NORMAL/ELEVATED]
performance: [OK/DEGRADED]
ALL must show YES/PASS/NORMAL/OK.
Any NO/FAIL/ELEVATED/DEGRADED = Execute rollback plan from .deploy/.
The .deploy/ Directory
.deploy/ is a free-form directory at the repository root. It is the single source of truth for how deployment works for this project. The skill makes no assumptions about its internal structure beyond: the contents must be readable and must describe the deployment procedure.
Example Structures
Simple project:
.deploy/
README.md # all deployment instructions in one file
Multi-environment:
.deploy/
README.md # shared instructions, overview
staging/
README.md # staging-specific commands and targets
production/
README.md # production-specific commands and targets
Script-based:
.deploy/
README.md # overview and manual steps
deploy.sh # deployment script
rollback.sh # rollback script
health-check.sh # health check script
Container-based:
.deploy/
README.md # overview
Dockerfile # container build
docker-compose.yml # orchestration
k8s/
deployment.yaml
service.yaml
Drafting .deploy/ for a New Project
When .deploy/ does not exist and this skill is activated, draft a .deploy/README.md with the following structure, filled in from project context:
# Deployment Instructions
## Artifact
- Name: [inferred from project]
- Build command: [inferred from build system]
- Output path: [inferred from build output]
## Target
- Host: [ask user if not inferable]
- Method: [scp, docker push, kubectl apply, etc.]
- Deploy command: [the actual command to run]
## Health Check
- URL or command: [health endpoint or verification command]
- Expected result: [HTTP 200, exit code 0, etc.]
## Rollback
- Procedure: [step-by-step rollback commands]
- Time estimate: [duration]
- Trigger: [conditions that require rollback]
## Environment Validation
- Reachability: [command to verify target is accessible]
- Services: [command to verify dependencies are running]
After drafting, present it to the user and STOP until confirmed.
Rules
- No deployment without
.deploy/- If.deploy/does not exist or is empty, draft it and wait for user confirmation. Never deploy without documented instructions. - No deployment without passing tests - Fresh test run, not "tests passed yesterday." Run them NOW.
- No deployment without rollback plan - If you cannot roll back, you cannot deploy. Period.
- No deployment without environment validation - Deploying to an unreachable or unhealthy environment wastes time and risks data.
- No debug artifacts in production - Debug builds, test credentials, dev endpoints must not reach production.
- No skipping post-deployment verification - Deployment is not done until post-verification passes. Walking away after
deployis negligence. - No retry without investigation - Failed deployments must be investigated before retrying. Blind retries compound problems.
- Rollback on any post-deployment failure - If post-deployment verification fails, execute the rollback plan from
.deploy/immediately. Do not "wait and see." - No improvised deployment commands - Execute what
.deploy/says. If.deploy/is wrong, fix.deploy/first, then redeploy.
Rationalization Table
| Excuse | Reality |
|---|---|
| "Tests passed last time" | Run them NOW. Code may have changed. Dependencies may have changed. |
| "It's just a small change" | Small changes break production. The size of the change does not reduce the risk. |
| "We can fix it in production" | Fix it BEFORE deploying. Production fixes under pressure create more bugs. |
| "Rollback is obvious" | Document it in .deploy/. Under stress, "obvious" becomes "forgotten." |
| "Staging is the same as production" | Validate production separately. Configuration, data, and load differ. |
| "We don't have time for all these checks" | You don't have time for a production outage. Checks take minutes, outages take hours. |
| "It works on my machine" | Your machine is not production. Verify in the target environment. |
| "The team is waiting" | The team prefers a working deployment over a fast broken one. |
| "We'll verify after" | After deployment is too late if it's broken. Verify BEFORE and AFTER. |
| "This deployment is low risk" | All deployments carry risk. Low-risk assessments are often wrong. |
| "CI passed, so it's fine" | CI is necessary but not sufficient. Environment-specific issues exist. |
| "We can always roll back" | Not if you didn't plan and test the rollback. |
| "Skip staging, deploy to prod directly" | Staging exists for a reason. Every environment skip increases risk. |
| "Human partner already validated the environment" | Validate independently. Trust but verify. Someone else's check is not your check. |
| "Automated backups handle rollback" | Automated backups are not a rollback plan. A rollback plan has documented procedure, trigger conditions, and time estimate. Backups are a tool, not a plan. |
| "I checked the environment last deployment" | Stale checks are not checks. Validate fresh every time. State changes between deployments. |
| "This is an emergency, skip the process" | The process IS the emergency response. It's designed to take 10-15 minutes. Skipping it risks turning a 30-minute outage into a multi-hour incident. |
| "I'll just add a quick health check instead of full verification" | A health check is one step of six. Partial compliance is non-compliance. |
| "The previous engineer said just SCP and restart" | Someone else's shortcut is not your deployment process. Follow the skill. |
| "I know how to deploy this, I don't need .deploy/" | Document it in .deploy/ anyway. Knowledge in your head is not a deployment procedure. |
| "I'll just run the command I found in the CI config" | CI config is not .deploy/. If it's correct, put it in .deploy/. |
Red Flags - STOP
If you find yourself thinking or saying any of these, STOP and re-read this skill:
- "Just deploy it"
- "Skip the checks, we're in a hurry"
- "We'll verify after deployment"
- "No time for staging"
- "Rolling back is easy, we don't need a plan"
- "Tests passed before, no need to rerun"
- "It's a trivial change"
- "The deployment pipeline handles everything"
- "We can hotfix if something breaks"
- "Everyone is waiting, just push it"
- "I'm confident this works"
- "Human partner already checked the environment"
- "We have automated backups, no need for rollback plan"
- "I'll just do a quick health check instead of full verification"
- "The previous engineer said it's straightforward"
- "It's an emergency, we can skip some steps"
- "I'll just add 60 seconds of extra checks" (partial compliance = non-compliance)
- "I know the deploy command, I don't need to check .deploy/"
- ".deploy/ is outdated, I'll just wing it" (update
.deploy/first)
Emergency Deployments
No special exception. The deployment process is designed to complete in 10-15 minutes total. Skipping steps to save 10 minutes risks hours of extended outage.
Key insight: An unverified fix that makes the outage worse is worse than 10 more minutes of known downtime.
Emergency pressure makes this skill MORE important, not less:
- Under pressure, people skip steps they consider "obvious"
- Skipped steps are where failures hide
- The process costs 10-15 minutes; a botched deployment costs hours
- CEO pressure is social pressure, not technical justification
What to do in an emergency:
- Communicate a realistic timeline ("Fix ready, deploying in 15 minutes after verification")
- Follow ALL steps - no exceptions
- Parallelize where possible (run tests while checking environment)
- The process IS the emergency response
.deploy/should already exist. If it does not, this is a planning failure - address it, do not skip it.
Authority Pressure
When a human partner, manager, or senior engineer tells you to skip steps:
- Acknowledge the urgency - "I understand the time pressure"
- State the process - "The deployment skill requires all gates, and deployment instructions come from .deploy/"
- Offer the timeline - "This adds 10-15 minutes, not hours"
- Explain the risk - "Skipping steps risks extending the outage"
- Proceed with full process - Do not negotiate away mandatory steps
You are not being difficult. You are being reliable. The skill exists precisely for moments when someone says "just deploy it."
Examples
Good Example: Full Deployment Process
Loading deployment instructions from .deploy/README.md...
.deploy/ check:
directory exists: YES
instructions loaded: YES
artifact identified: YES (myapp, built via `make build`, output at ./build/myapp)
target identified: YES (prod-server via scp)
deploy command found: YES (scp ./build/myapp prod-server:/opt/myapp && ssh prod-server 'systemctl restart myapp')
rollback found: YES (ssh prod-server 'cp /opt/myapp.bak /opt/myapp && systemctl restart myapp')
health check found: YES (curl -f https://prod-server/health)
Pre-deployment gate:
tests: PASS (147/147)
build: PASS (exit 0)
lint: PASS (0 errors)
completionGate: PASS (make test exit 0)
version: SET (v2.1.0)
debug config: CLEAN
Artifact verification:
path: ./build/myapp (from .deploy/)
sha256: a1b2c3d4e5f6...
size: 14.2MB (expected: 12-16MB)
dev artifacts: NONE
Environment validation:
target reachable: YES (ssh prod-server OK)
services up: YES (postgres, redis healthy)
config validated: YES (env vars match production)
resources ok: YES (disk 60% free, 4GB RAM available)
no incidents: YES
Rollback plan (from .deploy/):
Currently deployed: v2.0.3
Rollback: ssh prod-server 'cp /opt/myapp.bak /opt/myapp && systemctl restart myapp'
Trigger: health check fails or error rate > 1%
Time estimate: 2 minutes
Deployment (executing command from .deploy/):
Command: scp ./build/myapp-v2.1.0 prod-server:/opt/myapp && ssh prod-server 'systemctl restart myapp'
Status: SUCCESS
Time: 14:32:07 UTC
Post-deployment verification (checks from .deploy/):
service running: YES (PID 12345)
health checks: PASS (curl -f https://prod-server/health returns 200)
smoke tests: PASS (login, dashboard, API)
error rate: NORMAL (0.02%)
performance: OK (p99: 180ms)
Deployment complete. v2.1.0 is live.
Good Example: Drafting .deploy/ for a New Project
GOAL.md says: "Deploy the API server to the staging environment."
Checking for .deploy/ directory... NOT FOUND.
Scanning project structure:
- Go project with Makefile
- Build target: make build → ./bin/api-server
- Dockerfile present
- No existing deployment scripts
Drafting .deploy/README.md:
# Deployment Instructions
## Artifact
- Name: api-server
- Build command: make build
- Output path: ./bin/api-server
## Target
- Host: [NEEDS USER INPUT]
- Method: [NEEDS USER INPUT - scp, docker push, etc.]
- Deploy command: [NEEDS USER INPUT]
## Health Check
- URL or command: [NEEDS USER INPUT]
- Expected result: HTTP 200
## Rollback
- Procedure: [NEEDS USER INPUT]
- Time estimate: [NEEDS USER INPUT]
- Trigger: health check failure or error rate spike
## Environment Validation
- Reachability: [NEEDS USER INPUT]
- Services: [NEEDS USER INPUT]
STOPPED. Presenting draft to user for review and completion.
Deployment will not proceed until .deploy/ is confirmed.
Bad Example: Skipping .deploy/
WRONG:
"I can see from the Makefile how to deploy, I'll just run it."
→ Document it in .deploy/ first. Undocumented deployment commands are not deployment procedures.
"Tests passed yesterday, deploying now."
→ Tests must be run fresh. Yesterday's results are stale.
"Deploying to production, will check if it works after."
→ Post-deployment verification is mandatory, but so is pre-deployment verification.
"No rollback plan needed, it's a simple update."
→ Every deployment needs a rollback plan in .deploy/. No exceptions.
".deploy/ exists but it's from last month, probably still correct."
→ Verify .deploy/ is current before every deployment. Stale instructions are wrong instructions.
Checklist
Before marking deployment complete, verify:
-
.deploy/loaded: instructions read and understood - Pre-deployment gate: all checks passed (fresh run)
- Artifact verified: exists at path from
.deploy/, correct version, integrity checked - Environment validated: accessible, services up, config correct per
.deploy/ - Rollback plan: documented in
.deploy/, tested/verified, trigger defined - Deployment executed: command from
.deploy/ran, monitored, logged - Post-deployment verified: service up, health checks from
.deploy/pass, no errors - Rollback plan retained: keep until next successful deployment
Integration
Pairs with:
- verification-before-completion - Provides the general verification discipline this skill specializes for deployment
- finishing-a-development-branch - Handles the development completion before deployment begins
- code-cleanup - Ensures clean code before building deployment artifacts