CI/CD & GitOps | Practical | By Samson Tanimawo, PhD | Published Oct 6, 2025

Blast Radius Classifier in CD

Classify changes; gate accordingly.

Classify every deploy

Tag each change as low, medium, or high blast radius. Low: feature-flagged backend, internal admin tool. High: payments path, auth service, public API.

Classification is done by the author, validated by review. Auto-classification (file-path heuristics) catches the obvious cases.

Unclassified deploys are blocked. The classifier is a forcing function for the author to think about impact.

Low blast radius treatment

Auto-deploy on merge. No human approval, no canary, no progressive rollout.

Examples: behind-flag features, isolated batch jobs, internal tools.

Safety: feature flag default off, observability on the new path. Roll forward by flipping the flag, not by another deploy.

High blast radius treatment

Two-person review. Pre-deploy SLO check. Canary to 1% for at least 30 minutes.

Auto-rollback on SLO regression. Manual smoke test before full ramp.

Deploys outside business hours require an explicit incident commander on call.

Automate the classifier

File-path rules: changes to `payments/`, `auth/`, `apis/v1/` auto-tag as high.

Code change size: PRs over 500 lines auto-tag as medium minimum.

Database migrations: any DDL auto-tags as high regardless of size.
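
One way to encode the three rules above, together with the "unclassified deploys are blocked" gate, as an added example rather than code from the article. The `FileChange` shape, the DDL regex, counting added plus removed lines as PR size, and the rule that automation may only raise the author's tier are assumptions; the sample PRs are constructed.

```python
from __future__ import annotations
import posixpath
import re
from dataclasses import dataclass

TIERS = ("low", "medium", "high")
HIGH_PREFIXES = ("payments/", "auth/", "apis/v1/")  # path rules from the article
MEDIUM_MIN_LINES = 500                               # "PRs over 500 lines"
# Assumption: "DDL" means one of these statement openers on an added line.
DDL_RE = re.compile(
    r"^\s*(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|INDEX|VIEW|SCHEMA|DATABASE)\b", re.I)

@dataclass
class FileChange:            # hypothetical shape for one file in a PR diff
    path: str
    added: list[str]         # text of added lines
    removed: int = 0         # count of removed lines

def auto_classify(changes: list[FileChange]) -> tuple[str, list[str]]:
    """Return (tier, reasons) from the path, size and DDL rules."""
    hits: list[tuple[str, str]] = []
    for c in changes:
        # Normalise so "./payments/x" or "docs/../auth/x" cannot dodge a prefix.
        path = posixpath.normpath(c.path.replace("\\", "/")).lstrip("/")
        if path.startswith(HIGH_PREFIXES):
            hits.append(("high", f"sensitive path {path}"))
        if any(DDL_RE.match(line) for line in c.added):
            hits.append(("high", f"DDL in {path}"))
    # Assumption: PR size is added plus removed lines across all files.
    size = sum(len(c.added) + c.removed for c in changes)
    if size > MEDIUM_MIN_LINES:
        hits.append(("medium", f"{size} changed lines"))
    tier = max((t for t, _ in hits), key=TIERS.index, default="low")
    return tier, [f"{t}: {why}" for t, why in hits]

def effective_tier(author_tier: str | None, changes: list[FileChange]) -> str:
    """Author's label is mandatory; automation may raise it, never lower it."""
    if author_tier not in TIERS:
        raise ValueError("unclassified deploy: blocked")
    auto, _ = auto_classify(changes)
    return max(author_tier, auto, key=TIERS.index)

# Constructed sample PRs (not real repository data).
ADMIN = [FileChange("internal/admin/report.py", ["x = 1"] * 20)]
PAYMENTS = [FileChange("./payments/charge.py", ["pass"])]
BIG = [FileChange("services/search/index.py", ["pass"] * 400, removed=150)]
MIGRATION = [FileChange("db/migrations/0042.sql",
                        ["ALTER TABLE users ADD COLUMN mfa boolean;"])]
```

The reasons list returned by `auto_classify` is what a reviewer would want surfaced next to the PR label, so an automatic bump to a higher tier is explained rather than silent.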

How to roll this out

Start with three tiers (low/medium/high). Don't add more tiers until you feel a real gap.

Make the classifier visible in PR labels. The team sees the blast radius before approving.

Audit quarterly: did high-tier deploys actually go through high-tier checks? Drift here means the system isn't load-bearing.