qbflow · Deployment Runbook
Design draft v2 (research-grounded) — frontend not built yet. English for review; app ships Russian.
🎛 Stays safe: every gate defaults to report · shadow — observes & logs, never blocks real work. Graduate a step to enforce per workflow only after the shadow data is clean.
Patterns from real tools — task-sequence progress (MDT/SCCM) · stage trees + auto-expand-on-failure (GitHub Actions/GitLab) · 3-state audit→warn→deny chip (OPA Gatekeeper) · Count-vs-Block evidence (AWS WAF) · plan-then-apply diff (Terraform) · affected-set (Bazel) · No-Data neutral state (Datadog) · gated promotion + audit (Azure DevOps).
1 · Runbook (operator)
2 · Admin: gates & source
3 · Part change (preview)
ЯМ-7782 · Gaming PC RTX 4060
workflow mkt · brand ROO24 · per-order view (= per-machine, ConfigMgr)
Deploy: 4 of 6 done · 1 would-block · 0 blocking
SHADOW · would-block ×1
step-count only — guidance, not an ETA (SCCM TSProgressInfoLevel); gate truth comes from each step's state
Activity / audit (auto-status flips + gate evaluations)
14:02 image · system → done
14:09 software · a.leonov → NVIDIA exit 1 (would-block, mode=report)
14:21 license · system → would-block: slmgr 0xC004F074 (mode=enforce)
14:21 status · system → «in progress» (deploy started)
✓ done · ⚠ would-block (shadow) · ⛔ blocks (enforce) · 🔁 stale · ○ not run (No Data)
🩺 AI deployment diagnosis = sysadmin/dev only (hidden internal process to debug the module's own custom code). NOT an operator button — reached from the admin console, never the card.
One smart button (Ship). Gate reason + re-run live behind the status chip — never a second card button (one-button law).

🔐 Gate modes (admin only)

3-state per (workflow × step): off · report (shadow) · enforce, mirroring OPA Gatekeeper's audit → warn → deny. New cells default to report. Workflows are dynamic: office and any future workflow get their cells automatically, and those cells also start in report.
Step \ Workflow matrix · rows = steps, columns = workflows (mkt, office, future workflows) · one mode cell per pair
Evidence beside each report cell = “would-have-blocked N× · last reason” (AWS WAF Count metric) so graduation is data-backed, not a guess. Payment gate = off everywhere.
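Worked example of the gate semantics above (the mode cell, the chip states of the runbook legend, the card summary line and the evidence shown beside a report cell). This is an added illustration, not qbflow code and not something the page ships; GatePolicy, StepResult, Evidence, summarize, banner, MIN_CLEAN_SAMPLES, the "skipped", "BLOCKED" and "CLEAR" wordings and the config/qa step names are assumptions.

```python
"""Added example (not qbflow code): off / report (shadow) / enforce gate cells."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MODES = ("off", "report", "enforce")
DEFAULT_MODE = "report"   # a new (workflow, step) cell starts in shadow, never enforce
MIN_CLEAN_SAMPLES = 20    # assumption: shadow evaluations required before graduation


@dataclass
class StepResult:
    step: str
    ok: Optional[bool]    # None = step has not run yet (No Data)
    reason: str = ""      # failure detail as logged, e.g. "NVIDIA exit 1"
    stale: bool = False   # result predates a re-arm (part change)


@dataclass
class Evidence:
    evaluations: int = 0  # completed shadow evaluations (pass or fail)
    would_block: int = 0  # failures that enforce would have blocked
    last_reason: str = ""


class GatePolicy:
    """Per (workflow x step) mode cell plus AWS-WAF-style Count evidence."""

    def __init__(self) -> None:
        self.cells: Dict[Tuple[str, str], str] = {}
        self.evidence: Dict[Tuple[str, str], Evidence] = {}

    def set_mode(self, workflow: str, step: str, mode: str) -> None:
        if mode not in MODES:
            raise ValueError(f"unknown gate mode {mode!r}")
        self.cells[(workflow, step)] = mode

    def mode(self, workflow: str, step: str) -> str:
        # Unknown workflows fall back to report, so a freshly added workflow
        # can never be enforced by accident.
        return self.cells.get((workflow, step), DEFAULT_MODE)

    def evaluate(self, workflow: str, result: StepResult) -> str:
        """Map one step result to a chip state of the runbook legend."""
        if result.ok is None:
            return "not-run"          # neutral No Data, not a failure
        if result.stale:
            return "stale"
        mode = self.mode(workflow, result.step)
        if mode == "off":
            # assumption: an off cell never judges, it only records the outcome
            return "done" if result.ok else "skipped"
        ev = self.evidence.setdefault((workflow, result.step), Evidence())
        if mode == "report":
            ev.evaluations += 1
        if result.ok:
            return "done"
        if mode == "report":
            ev.would_block += 1       # Count metric: observed, never enforced
            ev.last_reason = result.reason
            return "would-block"
        return "blocks"

    def evidence_label(self, workflow: str, step: str) -> str:
        ev = self.evidence.get((workflow, step), Evidence())
        return f"would-have-blocked {ev.would_block}× · {ev.last_reason or '-'}"

    def ready_to_enforce(self, workflow: str, step: str) -> bool:
        """Graduation check: enough shadow samples and none would have blocked."""
        ev = self.evidence.get((workflow, step), Evidence())
        return (self.mode(workflow, step) == "report"
                and ev.evaluations >= MIN_CLEAN_SAMPLES
                and ev.would_block == 0)


def summarize(states: List[str]) -> str:
    """The card's step-count line: guidance, not an ETA."""
    done, would, blocking = (states.count(s) for s in ("done", "would-block", "blocks"))
    return f"Deploy: {done} of {len(states)} done · {would} would-block · {blocking} blocking"


def banner(states: List[str]) -> str:
    blocking, would = states.count("blocks"), states.count("would-block")
    if blocking:
        return f"BLOCKED ×{blocking}"       # assumption: enforce-mode wording
    if would:
        return f"SHADOW · would-block ×{would}"
    return "CLEAR"                          # assumption


def demo() -> Tuple[str, str]:
    """Constructed order: six steps, one shadow failure, payment gate off."""
    policy = GatePolicy()
    policy.set_mode("mkt", "payment", "off")
    results = [
        StepResult("image", True),
        StepResult("software", False, "NVIDIA exit 1"),
        StepResult("license", True),
        StepResult("config", True),   # constructed step name
        StepResult("qa", True),       # constructed step name
        StepResult("payment", None),  # not run yet
    ]
    states = [policy.evaluate("mkt", r) for r in results]
    return summarize(states), banner(states)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The evidence counter is only incremented in report mode: once a cell is in enforce the failures are real blocks, and the "would-have-blocked" number must stop moving or the graduation data becomes meaningless.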

💽 Deployment source (per workflow)

A workflow installs from a per-board core image, a custom NTLite ISO, or both (image when a board matches, else ISO fallback).
Workflow · Source · Core-image baseline · Custom ISO path (columns of the per-workflow source table)
Core image is built on the smallest 256 GB SSD variant; larger disks expand C: up (partition profiles). Paths are tokenized — never hardcoded.
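Added example of the source selection described above (image when the board matches, else ISO fallback, tokenized paths, partition profile chosen from disk size). It is illustration only, not qbflow code; the SOURCES rows, IMAGED_BOARDS, the {depot} and {board} tokens, the profile names and the 256/512/1024/2048 GB ladder are constructed assumptions.

```python
"""Added example (not qbflow code): per-workflow deployment source resolution."""
from dataclasses import dataclass
from string import Formatter
from typing import Dict, List, Optional, Set

# Constructed per-workflow rows with the columns of the admin table.
SOURCES: Dict[str, Dict[str, Optional[str]]] = {
    "mkt":    {"source": "both",  "image": "{depot}/images/{board}/core.wim",
               "iso": "{depot}/iso/mkt-ntlite.iso"},
    "office": {"source": "iso",   "image": None, "iso": "{depot}/iso/office-ntlite.iso"},
    "lab":    {"source": "image", "image": "{depot}/images/{board}/core.wim", "iso": None},
}
IMAGED_BOARDS: Set[str] = {"B650M-PLUS", "H610M-K"}   # constructed: boards with a core image
BASELINE_GB = 256                                      # core image is built on the 256 GB SSD
PARTITION_PROFILES = [(256, "c256"), (512, "c512"), (1024, "c1024"), (2048, "c2048")]
TOKENS = {"depot": "//deploy01/share"}                 # constructed token value, set once


class StrictTokens(dict):
    """format_map helper that rejects a token nobody defined."""
    def __missing__(self, key: str) -> str:
        raise KeyError(f"unknown path token {{{key}}}")


def expand(template: str, **extra: str) -> str:
    return template.format_map(StrictTokens(TOKENS, **extra))


def hardcoded(template: str) -> bool:
    """True when a row carries an absolute location instead of the {depot} token."""
    names = {field for _, field, _, _ in Formatter().parse(template) if field}
    return "depot" not in names


def lint_sources() -> List[str]:
    """Rows whose image or ISO path is hardcoded (should be empty in production)."""
    bad = []
    for workflow, row in SOURCES.items():
        for col in ("image", "iso"):
            if row[col] is not None and hardcoded(row[col]):
                bad.append(f"{workflow}.{col}")
    return bad


def partition_profile(disk_gb: int) -> str:
    if disk_gb < BASELINE_GB:
        raise ValueError(f"{disk_gb} GB is below the {BASELINE_GB} GB image baseline")
    for size, profile in PARTITION_PROFILES:
        if disk_gb <= size:
            return profile
    return PARTITION_PROFILES[-1][1]   # assumption: largest profile covers bigger disks


@dataclass
class Source:
    kind: str      # "image" or "iso"
    path: str
    profile: str


def resolve_source(workflow: str, board: str, disk_gb: int) -> Source:
    row = SOURCES[workflow]
    use_image = row["source"] in ("image", "both") and board in IMAGED_BOARDS
    template = row["image"] if use_image else row["iso"]
    if template is None:
        raise ValueError(f"{workflow}: no deployment source for board {board!r}")
    if hardcoded(template):
        raise ValueError(f"{workflow}: hardcoded source path {template!r}")
    return Source("image" if use_image else "iso",
                  expand(template, board=board), partition_profile(disk_gb))


if __name__ == "__main__":
    print(resolve_source("mkt", "B650M-PLUS", 1000))
    print(resolve_source("mkt", "UNKNOWN", 256))
```

A disk smaller than the baseline is rejected rather than silently given the 256 GB profile, because the image would not fit; an image-only workflow with an unimaged board fails loudly for the same reason.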

🛠 Part change — preview re-deploy

A plan-then-apply diff (Terraform), not an “Are you sure?”. Covers a defect, a stock substitution, or an upgrade — same cascade, honest reason. Nothing changes until you commit.
Preview re-deploy — nothing changes yet
Verbs map to the runbook glyphs — ~ re-run, -/+ forced replace (Terraform), unaffected dimmed (Bazel affected-set — never “redo everything”). In report/off this is labeled would-invalidate (shadow); only enforce re-arms. The deploy-start auto-advance fires only on commit, never on a preview.
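Added example of the preview cascade described in this section: a pure plan (Terraform-style verbs over a Bazel-style affected set) that the preview renders without touching the order, and a commit that re-arms only enforce-mode steps and fires the deploy-start auto-advance. Not qbflow code; the step list, STEP_INPUTS, DEPENDS_ON, the Order fields and the function names are constructed assumptions.

```python
"""Added example (not qbflow code): plan-then-apply preview for a part change."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

STEP_ORDER = ["image", "software", "license", "qa", "payment"]   # constructed
STEP_INPUTS: Dict[str, Set[str]] = {    # which part classes each step consumes
    "image": {"board", "disk"}, "software": {"gpu"}, "license": {"board"},
    "qa": {"cpu", "ram"}, "payment": set(),
}
DEPENDS_ON: Dict[str, Set[str]] = {     # upstream steps whose output a step reuses
    "image": set(), "software": {"image"}, "license": {"image"},
    "qa": {"software", "license"}, "payment": set(),
}


def dependents(step: str) -> Set[str]:
    """Transitive reverse dependencies: the affected set of one invalidated step."""
    out: Set[str] = set()
    frontier = {step}
    while frontier:
        nxt = {s for s, deps in DEPENDS_ON.items() if deps & frontier} - out
        out |= nxt
        frontier = nxt
    return out


@dataclass
class PlanLine:
    step: str
    verb: str   # "-/+" forced replace, "~" re-run, "" unaffected (dimmed)
    note: str


def plan(changed_parts: Set[str], modes: Dict[str, str]) -> List[PlanLine]:
    """Pure: same inputs, same plan, no side effects on any order."""
    replaced = {s for s, inputs in STEP_INPUTS.items() if inputs & changed_parts}
    rerun = set().union(*(dependents(s) for s in replaced)) - replaced
    lines = []
    for step in STEP_ORDER:
        verb = "-/+" if step in replaced else "~" if step in rerun else ""
        if not verb:
            note = "unaffected"
        elif modes.get(step, "report") == "enforce":
            note = "re-arms (enforce)"
        else:
            note = "would-invalidate (shadow)"
        lines.append(PlanLine(step, verb, note))
    return lines


def render(lines: List[PlanLine], reason: str) -> str:
    head = [f"Preview re-deploy · nothing changes yet · reason: {reason}"]
    return "\n".join(head + [f"{l.verb:>3} {l.step:<9} {l.note}" for l in lines])


@dataclass
class Order:
    status: str = "done"
    results: Dict[str, str] = field(default_factory=lambda: {s: "done" for s in STEP_ORDER})
    audit: List[str] = field(default_factory=list)


def preview(order: Order, changed: Set[str], modes: Dict[str, str], reason: str) -> str:
    return render(plan(changed, modes), reason)   # order is deliberately not used


def commit(order: Order, changed: Set[str], modes: Dict[str, str], reason: str) -> List[PlanLine]:
    lines = plan(changed, modes)
    rearmed = False
    for line in lines:
        if not line.verb:
            continue
        if modes.get(line.step, "report") == "enforce":
            order.results[line.step] = "stale"    # only enforce re-arms
            rearmed = True
        order.audit.append(f"{line.step} · {line.verb} · {line.note} · {reason}")
    if rearmed and order.status == "done":
        order.status = "in progress"              # auto-advance fires here only
    return lines


if __name__ == "__main__":
    print(preview(Order(), {"board"}, {"license": "enforce"}, "defect"))
```

Keeping `plan` pure is what makes the "nothing changes until you commit" promise checkable: the preview can be called any number of times and the order object is provably untouched.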