Blast Radius Classifier in CD
Classify changes; gate accordingly.
Classify every deploy
Every deploy gets a blast radius tag: low, medium, high. The author classifies, review validates, and unclassified deploys block merge. The classifier is a forcing function for the author to think about impact before shipping.
- Tag low, medium, high. Named tier per deploy; low covers feature-flagged backend changes and internal admin, high covers payments, auth, public API.
- Author classifies, review validates. Author tag and reviewer check per PR; auto-classification catches obvious cases via file-path heuristics.
- Unclassified deploys blocked. Require-tag rule per PR; classifier becomes a forcing function rather than a suggestion.
- Visible tier label per deploy. Tier badge per PR supports reviewer attention proportional to blast radius.
Low blast radius treatment
Low-tier deploys auto-deploy on merge. No human approval, no canary; safety comes from feature flags and observability rather than process gates.
- Auto-deploy on merge. No-human-gate path per deploy; no approval, no canary, no progressive rollout for genuinely low-risk changes.
- Examples. Behind-flag features, isolated batch jobs, internal tools per deploy; safe-to-revert changes that do not warrant ceremony.
- Safety: feature flag plus observability. Flag-default-off and metrics-on-new-path safety net per deploy; roll forward by flipping the flag.
- Documented criteria per tier. Named "what counts as low" definition per tier catches scope creep into the low tier.
High blast radius treatment
High-tier deploys go through full ceremony: two-person review, a pre-deploy SLO check, a 1% canary with a 30+ minute soak, and a named incident commander for off-hours deploys.
- Two-person review. Named reviewer pair per PR drives careful review on the changes that matter most.
- Pre-deploy SLO check plus 1% canary. Metric-driven gate per deploy, 30+ minute soak, auto-rollback on regression.
- Manual smoke test before full ramp. Human verification step per deploy drives last-mile confidence on high-blast-radius changes.
- Off-hours requires IC. Explicit incident commander on-call per deploy catches "we deployed and went home" on high-risk changes.
Automate the classifier
Automation reduces author friction. File-path rules catch obvious cases, change-size heuristics flag large PRs, and database migrations auto-tag high regardless of code-line size.
- File-path rules. Auto-tag-as-high pattern per rule; changes to payments/, auth/, apis/v1/ tag automatically.
- Code change size. Line-count tier per PR; PRs over 500 lines auto-tag as medium minimum regardless of file paths.
- Database migrations tag high. Auto-tag-high rule per DDL change regardless of code-line size; migrations carry irreversible blast radius.
- Documented pattern per rule. Explicit auto-classification logic per rule supports later tuning when patterns shift.
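One way to implement the auto-classification rules above together with the require-tag gate, as an added example that is not part of the original page. The function names, the migration-detection heuristic, root-anchored prefix matching and the rule that the automatic tier acts as a floor under the author's tag are assumptions.

```python
import posixpath

TIERS = ("low", "medium", "high")                    # ordered by blast radius
HIGH_PREFIXES = ("payments/", "auth/", "apis/v1/")   # file-path rule from the page
LARGE_PR_LINES = 500                                 # more than this: medium minimum

def is_migration(path):
    # Assumption: migrations live under a "migrations" directory or are .sql files.
    return "migrations" in path.split("/")[:-1] or path.endswith(".sql")

def auto_tier(changes):
    """changes: list of (repo-relative path, lines changed) -> (tier, reasons)."""
    tier, reasons = "low", []
    def raise_to(new, why):
        nonlocal tier
        reasons.append(why)          # documented reason per rule, for later tuning
        tier = max(tier, new, key=TIERS.index)
    for raw, _ in changes:
        # Normalise so "./auth/x" or "docs/../auth/x" cannot slip past the prefix rule.
        path = posixpath.normpath(raw.replace("\\", "/")).lstrip("/")
        if path.startswith(HIGH_PREFIXES):
            raise_to("high", f"sensitive path: {path}")
        elif is_migration(path):
            raise_to("high", f"database migration: {path}")
    total = sum(lines for _, lines in changes)
    if total > LARGE_PR_LINES:
        raise_to("medium", f"{total} lines changed")
    return tier, reasons

def gate(author_tag, changes):
    """Return (allowed, effective_tier, reasons) for one PR."""
    floor, reasons = auto_tier(changes)
    if author_tag not in TIERS:      # unclassified deploys block merge
        return False, None, ["missing or unknown blast radius tag"] + reasons
    # Assumption: the automatic tier is a floor; the author may only tag higher.
    return True, max(author_tag, floor, key=TIERS.index), reasons

if __name__ == "__main__":
    # Constructed sample PR: small diff that touches auth/ and is tagged low.
    pr = [("./auth/session.py", 12), ("docs/changelog.md", 4)]
    print(gate("low", pr))           # effective tier is raised to high
    print(gate(None, pr))            # no tag: merge blocked
```

The returned reasons list is what a CI job would post next to the tier label, so the reviewer can see which rule raised the tier.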
How to roll this out
Roll out with three tiers, visible labels in PRs, quarterly audit. Do not add more tiers until a real gap shows up; three tiers cover most patterns and adding more produces decision fatigue.
- Three tiers. Low/medium/high split per org; do not add more tiers until you feel a real gap.
- Classifier visible in PR labels. Labelled tier per PR; team sees the blast radius before approving rather than after merging.
- Quarterly audit. Tier-vs-actual-treatment audit per quarter; drift between tag and treatment means the system is not load-bearing.
- Named auditor per quarter. Responsible auditor per quarter catches drift before it normalises.