Go-Live
Launch a venture to production with mandatory secret rotation and readiness checks.
```
go-live dc   # launch Draft Crane
go-live ke   # launch Kid Expenses
```
Do NOT follow docs/process/secrets-rotation-runbook.md - it references decommissioned tooling.
Step 1: Parse & Validate
Parse the arguments provided by the user for a venture code. Then:
- If no argument was provided, stop with usage: "go-live {venture-code}"
- Read `config/ventures.json`
- Find the venture by `code`
- If not found, stop: "Unknown venture code. Available: {list codes with status}"
- If `portfolio.status` is `"launched"`, stop: "Already launched."
Step 2: Pre-flight Checks (automated)
Run these checks without user input. Report pass/fail for each.
- Golden Path compliance: read the compliance dashboard row for this venture in `docs/standards/golden-path.md`. Note Sentry, CI/CD, Monitoring and Docs status. If the venture is missing from the dashboard, flag it as a gap.
- Infisical prod secrets: run the following to extract key names only.

  ```bash
  infisical secrets --path /{venture} --env prod --silent 2>/dev/null \
    | sed 's/│/|/g' | grep '|' | grep -v 'SECRET NAME' | grep -v -- '---' \
    | cut -d'|' -f2 | sed 's/^ *//;s/ *$//'
  ```

  NEVER run bare `infisical secrets`; it prints the values into the transcript. The leading `sed` normalises box-drawing table borders to ASCII `|` so the rest of the pipeline works on either rendering, and `--` before `'---'` stops grep from parsing the separator pattern as a command-line option.
- Infisical dev secrets: the same key-names-only extraction with `--env dev`.
- Production worker health: if the venture has a known health endpoint, `curl` it and confirm it returns HTTP 200.
- DNS/custom domain: if `portfolio.url` is set in ventures.json, verify that its hostname resolves.
Present results as a checklist. If any critical check fails (no prod secrets, no worker health), stop: "Fix these before proceeding."
Step 3: Secret Inventory
Pull and display key names only (NEVER values):
- Extract key names from Infisical (reuse the key-names-only command from Step 2; NEVER display values).
- Read the Shared Credentials table from `docs/infra/secrets-management.md`.
- Read the Revocation Behavior by Type table from `docs/infra/secrets-management.md`.
- Cross-reference: flag any shared credentials and note the rotation impact on every venture that consumes them.
- Categorize each secret by revocation behavior (immediate vs dual-key vs self-generated).
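The following script is an added example for Steps 2 and 3; it is not part of the go-live command or of any venture repo. It replays the key-names-only extraction and the shared/revocation cross-reference on constructed data so it runs offline: `SAMPLE_TABLE` and `BOX_TABLE` imitate `infisical secrets` output (with deliberately fake values), and `REVOCATION_TABLE` and `SHARED_TABLE` are assumed two-column stand-ins for the Shared Credentials and Revocation Behavior by Type tables in `docs/infra/secrets-management.md`. The `leaks_values` guard is the check a reviewer wants before an inventory is pasted into a question to the user.

```bash
#!/usr/bin/env bash
# Added example for Steps 2 and 3 of this runbook. Not part of the go-live
# command or the venture repos: it replays the key-names-only extraction and
# the shared/revocation cross-reference on constructed data so it runs offline.
# The two lookup tables are assumed shapes, not the real documents.
set -eu

# Constructed stand-in for `infisical secrets --silent` output. It carries
# fake values on purpose so we can prove the extraction never emits them.
SAMPLE_TABLE='| SECRET NAME          | SECRET VALUE        | SECRET TYPE |
| -------------------- | ------------------- | ----------- |
| GOOGLE_CLIENT_SECRET | GOCSPX-fakefakefake | shared      |
| STRIPE_SECRET_KEY    | sk_test_fakefakefak | shared      |
| ENCRYPTION_KEY       | 9f0cfakefakefakefak | shared      |'

# Same data drawn with box-drawing borders, which some table renderers use.
BOX_TABLE='│ SECRET NAME    │ SECRET VALUE │ SECRET TYPE │
│ ENCRYPTION_KEY │ 9f0cfake     │ shared      │'

# Constructed revocation table: key, then behavior
# (immediate | dual-key | self-generated).
REVOCATION_TABLE='GOOGLE_CLIENT_SECRET immediate
STRIPE_SECRET_KEY dual-key
ENCRYPTION_KEY self-generated'

# Constructed shared-credentials table: key, then the venture codes using it.
SHARED_TABLE='GOOGLE_CLIENT_SECRET dc,ke'

# The runbook's key-names-only pipeline, reading the table from stdin.
# Box-drawing bars are normalised to ASCII first, and `--` keeps grep from
# reading the separator pattern '---' as a command-line option.
key_names_only() {
  sed 's/│/|/g' | grep '|' | grep -v 'SECRET NAME' | grep -v -- '---' \
    | cut -d'|' -f2 | sed 's/^ *//;s/ *$//'
}

# $1 = key name. Prints its revocation behavior, or "unknown" if the key is
# missing from the table (an unknown key must be triaged, never assumed safe).
revocation_of() {
  printf '%s\n' "$REVOCATION_TABLE" \
    | awk -v k="$1" '$1 == k { print $2; f = 1 } END { if (!f) print "unknown" }'
}

# $1 = key name. Prints the consuming venture codes, or "-" if not shared.
shared_with() {
  printf '%s\n' "$SHARED_TABLE" \
    | awk -v k="$1" '$1 == k { print $2; f = 1 } END { if (!f) print "-" }'
}

# One inventory line per key: name, revocation behavior, sharing. No values.
inventory() {
  printf '%s\n' "$SAMPLE_TABLE" | key_names_only | while IFS= read -r key; do
    printf '%s %s %s\n' "$key" "$(revocation_of "$key")" "$(shared_with "$key")"
  done
}

# Succeeds (exit 0) if any fake value leaked into the inventory text.
leaks_values() {
  out=$(inventory)
  printf '%s\n' "$out" | grep -q -e 'GOCSPX-' -e 'sk_test_' -e '9f0c'
}

# $1 = behavior. Counts inventory entries with that revocation behavior.
count_behavior() {
  inventory | awk -v b="$1" '$2 == b' | wc -l | tr -d ' '
}

main() {
  echo "Secret inventory (key, revocation behavior, shared with):"
  inventory
  if leaks_values; then
    echo "FATAL: inventory contains secret values; do not paste it anywhere" >&2
    return 1
  fi
  echo "immediate-revocation secrets (test each right after rotating): $(count_behavior immediate)"
  echo "batchable (dual-key + self-generated): $(( $(count_behavior dual-key) + $(count_behavior self-generated) ))"
}

main
```

The inventory lines are what gets shown to the user in the rotation question; the counts split the work into the "test one by one" and "can batch" groups that the question context calls for. In real use, replace `SAMPLE_TABLE` with the live `infisical secrets --silent` output piped straight into `key_names_only`, so values never land in a variable or the transcript.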
Present the full inventory, then ask the user:
"Rotate all {N} secrets at their sources, update Infisical (prod AND dev), then confirm."
Include in the question context:
- Shared credentials and which ventures they affect
- Immediate-revocation secrets (test each one right after rotating, since the old value dies as soon as the new one is issued)
- Dual-key/self-generated secrets (can be batched)
Options:
- "All rotated and updated in Infisical": proceed to push
- "Skip rotation": launch without rotating (only for ventures whose secrets were never exposed in transcripts)
- "Cancel": abort go-live
If cancelled, stop.
Step 4: Push to Workers (agent-safe)
Push secrets to Cloudflare Workers without exposing values:
```bash
cd {venture-worker-dir}
infisical export --format=json --path /{venture} --env prod | npx wrangler secret bulk
```
No secret values appear in the transcript. If the venture has multiple workers, push to each.
Step 5: Smoke Test
Run these checks and report pass/fail:
- Health endpoint: `curl` the production health endpoint
- Auth flow: venture-specific auth check (describe what to test based on the venture's tech stack)
- Sentry: verify the Sentry project exists and is receiving events (if integrated)
- Uptime monitor: confirm external monitoring is configured
If any fail: "Smoke test failures above. Fix before continuing. Old credentials have NOT been revoked yet."
If all pass, ask the user:
"Smoke tests passed. Revoke old credentials at their source consoles now. Self-generated tokens (like ENCRYPTION_KEY) don't need revocation - rotation was the control."
Options:
- "Old credentials revoked": proceed to ship
- "Cancel": abort (new credentials remain active, no rollback needed)
Step 6: Ship
- Update `config/ventures.json`:
  - Set `portfolio.status` to `"launched"`
  - Set `portfolio.url` if provided by the user (ask if not already set)
  - Update `bvmStage` if appropriate
- •Set
- Commit with message: `feat: launch {venture name}`
- Create a handoff via the `crane_handoff` MCP tool with a summary of what was launched
Report: "{Venture Name} is live. ventures.json updated, handoff saved."
Important Notes
- Transcript cleanup is optional hygiene: rotation already invalidated any exposed values. This only holds for secrets that were actually rotated; if "Skip rotation" was chosen, nothing was invalidated.
- If smoke tests fail after rotating an immediate-revocation secret (like OAuth client secrets), the old value is already dead. Fix the issue with the new credential; don't try to roll back.
- Shared credentials require coordination. If GOOGLE_CLIENT_SECRET is rotated for one venture, the old value dies immediately for all consumers. Push the new value to all consuming ventures before revoking the old one, and where rotation itself kills the old value, have every consumer ready to receive the push before rotating.