Status: Experimental · Phase: Deploy · Priority: P0.2
Prevent unsafe deployment when operational gates fail.
DeploymentGatePolicy — named thresholds (default, production)DeploymentGate — single pass/fail check with messageDeploymentGateReport — composite gate result| Gate | Condition |
|---|---|
| Readiness | Score ≥ threshold and mission_ready |
| Safety | Safety audit has no critical/high findings |
| Capability | Capability traceability matrix PASS |
| Package trust | Configured packages meet trust threshold (with --config) |
| Official provenance | Production: no official package name path/git overrides (official_provenance) |
| Registry signatures | Production: SPANDA_REGISTRY_REQUIRE_SIGNATURE=1 and valid lockfile registry signatures |
| Composite trust | Program composite trust score ≥ 60 (spanda-trust) |
| Secure boot | Secure-boot contract trust passes when trust.jetson / trust.pi imported |
| Operational policy | Named policy { } passes verify-time rules (--operational-policy <name>) |
| Health | No high-severity health readiness issues |
spanda deploy gate rover.sd
spanda deploy gate rover.sd --policy production
spanda deploy gate rover.sd --operational-policy WarehousePolicy
spanda deploy gate rover.sd --json --config spanda.toml
Production policy (--policy production) additionally requires:
spanda-mqtt = { path =
"../evil" })SPANDA_REGISTRY_REQUIRE_SIGNATURE=1 in the environmentspanda.lock verifies against signed checksums in
registry/index.jsonExample CI:
export SPANDA_REGISTRY_REQUIRE_SIGNATURE=1
spanda deploy gate src/main.sd --policy production --config spanda.toml
Deployment is blocked (exit code 1) when any gate fails.
Extends spanda-readiness (evaluate_deployment_gates), safety auditor, and capability
traceability. Complements deploy rollout --require-certify.
Composes spanda-readiness, capability verification, health framework, and assurance evidence.
See readiness.md · ci-verify.md · platform-maturity-roadmap.md.