Review → GA readiness
GA readiness.
GA-readiness scorecard for the 10-gate Epic DoD (ADR-0057). Each gate is a two-stage check: Stage 1 — the automated check passes (mechanical, runs on every push to main); Stage 2 — a human attests the artifacts are real quality (checkbox bound to the commit it was made against). A gate is green only when both stages pass; if files change after the attestation, the checkbox auto-invalidates and the gate falls back to yellow until re-checked.
Two "DoD" frameworks — orthogonal, not redundant.
This page is the 10-gate Epic DoD (ADR-0057) — per-epic engineering-readiness for GA (tests, docs, security, a11y, demo-asset… two-stage mechanical + human attestation). It is distinct from the 5-gate Definition-of-Done verification ladder (ADR-0067) — per-acceptance-criterion functional verification (G1 spec → G2 prototype → G3 presence → G4 behavior → G5 live), which answers "does the feature actually work?" rather than "is the epic quality-ready?". The two axes compose: an epic can be GA-ready (10-gate) while individual ACs are still climbing the verification ladder, and vice-versa. The per-AC G4/G5 view lives in Review → Verification ladder.
Mechanical re-derived 2026-07-01 17:47Z @ b083f095 · last attestation 2026-05-19 · 0 / 28 epics fully gated
Both stages
27
Mech ✓, awaiting attestation
61
↻ Needs re-attestation
15
Mech ✗
177
Gates:1 Feature complete ·2 Hardened ·3 Security reviewed ·4 Performance baselined ·5 Tested at risk tier ·6 Documented ·7 User-guided ·8 Demo-asset-ready ·9 Knowledge-transferred ·10 Change-managed. Hover any cell for mechanical-vs-operator detail.
Green
27
10% of scored cells
Yellow
76
in flight / partial
Red
177
not started
Epics
28
10 gates each
| Epic / Risk | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | % green |
|---|---|---|---|---|---|---|---|---|---|---|---|
Phase 1aReal merchant can install + run one cycle 8 epics · 13/80 green (16%) | |||||||||||
Epic 1 Merchant install & BC app authentication P0 | 0% | ||||||||||
Epic 2 Processor onboarding P0 | 10% | ||||||||||
Epic 4 Enable subscription on a BC product P2 | 20% | ||||||||||
Epic 5 Plan design P2 | 20% | ||||||||||
Epic 10 Charge scheduling & execution P0 | 20% | ||||||||||
Epic 14 BC order generation from charges P0 | 20% | ||||||||||
Epic 17 Subscriber portal access & auth P1 | 20% | ||||||||||
Epic 19 Payment method & address management P0 | 20% | ||||||||||
Phase 1bReal merchant can manage subscribers via storefront 7 epics · 14/70 green (20%) | |||||||||||
Epic 8 Storefront subscription widget P1 | 20% | ||||||||||
Epic 9 Cart & checkout subscription intent capture P0 | 20% | ||||||||||
Epic 11 Dunning, retries & decline recovery P0 | 20% | ||||||||||
Epic 18 Lifecycle actions (skip/swap/pause/cancel) P1 | 20% | ||||||||||
Epic 21 Merchant dashboard, KPIs, exception queue P1 | 20% | ||||||||||
Epic 23 Notifications & external integrations P1 | 20% | ||||||||||
Epic 28 Compliance, trust & audit P0 | 20% | ||||||||||
Phase 2Full features behind 1a/1b foundation 9 epics · 0/90 green (0%) | |||||||||||
Epic 3 Migration from legacy subscription apps P3 | 0% | ||||||||||
Epic 7 Scoping (channels, customer groups, Price Lists) P2 | 0% | ||||||||||
Epic 12 Refunds, credits & manual charges P0 | 0% | ||||||||||
Epic 13 Reconciliation & observability P0 | 0% | ||||||||||
Epic 15 Inventory, tax, shipping recalc at renewal P1 | 0% | ||||||||||
Epic 16 Order bundling across subscriptions P1 | 0% | ||||||||||
Epic 20 Churn prevention flows P1 | 0% | ||||||||||
Epic 22 Manual subscription creation & CS tools P2 | 0% | ||||||||||
Epic 27 Developer platform (REST API, webhooks, SDK) P1 | 0% | ||||||||||
Phase 3Advanced 4 epics · 0/40 green (0%) | |||||||||||
Epic 6 Advanced subscription types P2 | 0% | ||||||||||
Epic 24 B2B Edition support P3 | 0% | ||||||||||
Epic 25 Subscription-aware promotions & discounts P2 | 0% | ||||||||||
Epic 26 Eligibility, inclusion & exclusion rules P2 | 0% | ||||||||||
Gate definitions
- 1Feature complete
- 2Hardened
- 3Security reviewed
- 4Performance baselined
- 5Tested at risk-appropriate rates
- 6Documented
- 7User-guided
- 8Demo-asset-ready
- 9Knowledge-transferred
- 10Change-managed
Framework: epic-definition-of-done.md · ratified per ADR-0057 · phase cohorts per ADR-0021.
Cross-cutting capabilities.
Substrate-level signal derived from tools/state-derive/ that doesn't map to a per-epic gate. These families measure platform conventions, ratified architecture decisions, NFRs, persona scenarios, and infrastructure hygiene. Each card is a roll-up across N capabilities; click to expand the per-capability list.
BigEng platform conventions
12 wire/schema/operations conventions from the BigCommerce platform audit (ADR-0030).
12/1212 COMPLIANT
BigEng platform conventions
12 wire/schema/operations conventions from the BigCommerce platform audit (ADR-0030).
- C
bigeng-01-snake-case-wire— snake_case wire fields — JSON request/response keys are snake_case on the wire - C
bigeng-02-store-id-in-payload— store_hash present as payload field, not header-only - C
bigeng-03-offset-cursor-pagination— Offset + cursor pagination, mutually exclusive — bigeng convention #3 - C
bigeng-04-typed-errors— Typed domain ADTs for errors (vs ad-hoc { error: string } shapes) - C
bigeng-05-principal-envelope— Auth principal envelope {id, type} on requests - C
bigeng-06-uuid-owned-entities— UUID for owned entities; integer for legacy BC FKs - C
bigeng-07-soft-delete-flag— Soft-delete via is_deleted INTEGER (vs hard-delete + cascade) - C
bigeng-08-timestamp-defaults— TIMESTAMP DEFAULT CURRENT_TIMESTAMP on created_at / updated_at columns - C
bigeng-09-operations-ledger— Operations-table saga ledger (replaces inline cron-driven orchestration) - C
bigeng-10-scope-entitlements— Scope / resource entitlements (per-subscriber, not just store-wide) - C
bigeng-11-audit-decorator— Audit emission via decorator wrapping (vs inline INSERT INTO events) - C
bigeng-12-audit-payload-shape— Audit payload shape — target/resource/summary/operation_type + request-scoped MDC
Phase-1 ADR commitments
Ratified architecture decisions whose implementation is mechanically verifiable.
9/99 COMPLIANT
Phase-1 ADR commitments
Ratified architecture decisions whose implementation is mechanically verifiable.
- C
adr-0007-uninstall-sweep— ADR-0007: GDPR-driven uninstall retention sweep (30-day tombstone before hard delete) - C
adr-0009-tenant-scope-guards— ADR-0009: tenant data isolation via store_hash scope guards on every owned-entity read - C
adr-0011-failed-permanently— ADR-0011: failed_permanently terminal state — scheduler ratchets stuck charges - C
adr-0014-typed-error-format— ADR-0014: typed-error wire format (couples with BigEng convention #4) - C
adr-0024-per-instance-overrides— ADR-0024: per-delivery-instance override mutation API (skip / swap_product / reschedule_to) - C
adr-0028-eligibility-engine— ADR-0028: eligibility-engine architecture pattern (Epic 26 inclusion + exclusion rules) - C
adr-0029-marketplace-first— ADR-0029: marketplace-first, native-ready posture - C
adr-0030-bigeng-alignment— ADR-0030: BigEng pattern alignment — ratify the 12-convention catalog - C
adr-0037-stored-instruments-canonical-rail— ADR-0037: stored-instruments vault ratified as the canonical charge rail — ADR file exists and bc-vault-client.ts service ships
BRD non-functional requirements
Latency, uptime, PCI scope, RLS, WCAG, GDPR — measured against committed thresholds.
1/81 COMPLIANT7 MANUAL_REVIEW
BRD non-functional requirements
Latency, uptime, PCI scope, RLS, WCAG, GDPR — measured against committed thresholds.
- M
brd-nfr-7-1-charge-latency-p99— P99 charge execution latency < 3s from scheduler pickup to processor call initiated - M
brd-nfr-7-1-webhook-ingestion-latency— P99 webhook ingestion < 250ms to 2xx response (processing is async) - M
brd-nfr-7-2-platform-uptime-sla— 99.95% platform uptime SLA; at-least-once delivery on external webhook deliveries; at-most-once charge execution enforced via idempotency key = charge.id - C
brd-nfr-7-3-pci-scope-zero— No PAN, CVV, or full card data ever stored or transmitted through our servers; processor adapters hold tokens only; TLS 1.3 in transit; AES-256-GCM for secrets at rest - M
brd-nfr-7-4-rls-tenant-isolation— Single-tenant resource isolation via Postgres row-level security (RLS) partitioned by store_hash - M
brd-nfr-7-5-event-row-per-state-transition— Every state transition emits an Event row (append-only, per-store partitioned); every external call logged with latency, status, correlation ID - M
brd-nfr-7-6-wcag-aa— WCAG 2.2 AA for merchant admin and subscriber portal; keyboard-navigable; screen-reader tested - M
brd-nfr-7-8-gdpr-ccpa-compliance— GDPR data subject access + erasure within 30 days; CCPA with "do not sell"; PCI DSS SAQ-A maintained; EU data residency by Phase 2
Persona scenario coverage
BDD scenarios for the five subscription personas (Maya/Alex/Jordan/Sam/Taylor).
25/2525 COMPLIANT
Persona scenario coverage
BDD scenarios for the five subscription personas (Maya/Alex/Jordan/Sam/Taylor).
- C
scenario-subscription-lifecycle— Lifecycle scenario covers create → pause → resume → cancel with event timeline assertions - C
scenario-p1-maya-subscription-box— P1 Maya scenarios: annual wine subscription happy-path with U-20 calendar anchor + OOS exception queue surfacing (U-18 partial) + mid-year signup calendar anchor edge case - C
scenario-p2-alex-digital-content— P2 Alex persona BDD scenarios: AllotmentGrant lifecycle (debit + refresh), cancel, mid-cycle upgrade with proration - C
scenario-p3-jordan-gifting— P3 Jordan persona BDD scenarios: gift purchase (status=paused + extension + event), gift claim (recipient active), expired claim window (412) - C
scenario-p4-sam-b2b-enterprise— P4 Sam B2B persona BDD scenarios: CS-rep enrollment with PO, commitment_cycles data model (U-17 foundation), buyer-org AllotmentGrant quarterly refresh - C
scenario-p5-taylor-consumables— P5 Taylor persona BDD scenarios: subscribe-and-save renewal, dunning retry self-heal, dunning exhaustion → cancel - C
scenario-p1-maya-happy-path— P1 Maya: annual subscription signup → active → calendar-anchored next_charge_at (BRD §US-1.1 / US-9.2 / US-10.3) - C
scenario-p1-maya-oos-exception-queue— P1 Maya: OOS block at renewal → Exception Queue entry surfaced (BRD §US-15.1) - C
scenario-p1-maya-calendar-anchor— P1 Maya: mid-year signup → next_charge_at snaps to Jan 1, not signup+1yr (BRD §US-10.3) - C
scenario-p2-alex-allotment-grant— P2 Alex: AllotmentGrant create → 4 debits → balance=0 → month-boundary refresh → balance=4 (BRD §US-6.9) - C
scenario-p2-alex-cancel— P2 Alex: subscriber cancel → status=cancelled + subscription.cancelled event (BRD §US-18.5 / US-6.5) - C
scenario-p2-alex-upgrade— P2 Alex: mid-cycle Standard→Premium upgrade → proration charge + plan_id updated + plan_upgraded event (BRD §US-14.6) - C
scenario-p3-jordan-gift-purchase— P3 Jordan: Gift purchase → status=paused + gift extension + subscription.gift_purchased event (BRD §US-6.1) - C
scenario-p3-jordan-gift-claim— P3 Jordan: Gift claim → recipient subscription status=active, gift marked claimed (BRD §US-6.1) - C
scenario-p3-jordan-expired-gift-claim— P3 Jordan: Expired gift claim window → 412 precondition_failed (BRD §US-6.1) - C
scenario-p4-sam-b2b-enrollment— P4 Sam: CS-rep B2B enrollment with PO reference → status=active + subscription.b2b_enrolled event (BRD §US-22.9 / ADR-0023) - C
scenario-p4-sam-commitment-cycles— P4 Sam: commitment_cycles=12 persisted on plan — data-model foundation for U-17 cancel lock (BRD §US-5.7) - C
scenario-p4-sam-allotment-quarterly-refresh— P4 Sam: Buyer-org AllotmentGrant 50 wellness_credits/quarter → balance drained → quarterly refresh → balance=50 (BRD §US-6.9) - C
scenario-p5-taylor-renewal-charge— P5 Taylor: Subscribe-and-save 3-cycle commitment + successful renewal charge (BRD §US-5.7 / US-11.1) - C
scenario-p5-taylor-dunning-retry— P5 Taylor: Dunning retry scheduled on failure → charge succeeds on retry → subscription stays active (BRD §US-11.2) - C
scenario-p5-taylor-dunning-exhaustion— P5 Taylor: Dunning all 3 stages exhaust → subscription.status=cancelled + charge.failed_permanently (BRD §US-11.2) - C
scenario-u17-cancel-lock-p4-sam— U-17 P4 Sam: cancel lock 409 enforcement + CS-rep override with audit trail (BRD §US-5.7 + synthesis fa3dc5f3) - C
scenario-u17-cancel-lock-p5-taylor— U-17 P5 Taylor: cancel lock 409 for 3-cycle commitment (BRD §US-5.7 + synthesis fa3dc5f3) - C
scenario-u19-future-start-date— U-19 P3 Jordan: future start date → pending_start → scheduler activation (BRD §US-N.M + synthesis fa3dc5f3) - C
scenario-u20-calendar-billing-anchor— U-20 P4 Sam: calendar billing anchor billing_anchor_month/day → April 1 fiscal-year anchor (BRD §US-N.M + synthesis fa3dc5f3)
Infrastructure & tooling
CI hygiene (Dependabot, gitleaks), testing baseline, observability, internal tooling.
275/287275 COMPLIANT7 MANUAL_REVIEW1 PARTIAL1 NON-COMPLIANT
Infrastructure & tooling
CI hygiene (Dependabot, gitleaks), testing baseline, observability, internal tooling.
- C
shipped-b2b-edition-detection— B2B Edition support — variant detection + admin enrollment (Epic 22, called "Phase 2 planned" by stale audit) - C
shipped-dsar-endpoint— DSAR endpoint — per-customer export + erasure (Epic 28, called "Phase 2 planned" by stale audit) - C
shipped-bigeng-slices-bcd— BigEng Slices B/C/D shipped — typed errors + schema retrofit + audit decorator (called "in flight" by stale audit) - C
ops-ledger-max-attempts— ADR-0031: operations.max_attempts column for per-row retry budget - C
ops-ledger-locked-until-reaper— ADR-0031: operations.locked_until column + reaper cron - C
job-configuration-table— ADR-0031: job_configuration sidecar table for per-cron per-store config - C
shipped-phase-2-gcp-scaffold— Phase 2 GCP Terraform scaffold (called "Phase-2 candidate / future" by stale audit; in flight now) - C
idempotency-keys-table— idempotency_keys ledger table for request-level idempotency (Hive #581) - C
idempotency-middleware— Middleware reads Idempotency-Key header, caches mutation responses, returns 409 on fingerprint mismatch - C
deprecation-handler-registered— DeprecationRegistry + middleware wired at app boot (ADR-0032) - C
api-version-namespace-v1— All API routes mounted under /api/v1/ prefix (ADR-0032) - C
deprecation-headers-emit-on-request— Deprecation, Sunset, Link headers emit on deprecated route calls (ADR-0032) - C
subscription-extensions-table— ADR-0033: polymorphic subscription_extensions substrate for Epic 6 extension types - C
extensions-scheduler-hooks— ADR-0033: scheduler invokes extension lifecycle hooks before each renewal - C
openapi-spec-exists— OpenAPI 3.0 spec at apps/api/openapi.yaml (Hive #580) - C
openapi-docs-route-exists— GET /docs Swagger UI handler exists (Hive #580) — route mount in worker.ts required - C
idempotency-cleanup-cron— 24h TTL cleanup cron for idempotency_keys table - C
openapi-drift-ci-gate— CI gate validates OpenAPI spec on PRs touching API or spec (Hive #580) - C
schema-charges-table— charges table — first-class entity for each subscription billing attempt - C
schema-customers-table— customers table — mirror of BC customers with subscription-specific fields (payment_customer_ref, consent_metadata) - C
schema-payment-methods-table— payment_methods table — gateway-tokenized PMs with NTI (Network Transaction ID) for MIT credential continuity - C
schema-reconciliation-runs-table— reconciliation_runs table — observability for the periodic reconcile sweep - C
dependabot-config— Dependabot configured for weekly dependency updates across all workspaces - C
gitleaks-workflow— Gitleaks CI workflow scans every PR for secrets; allowlist documented - C
changelog-md-exists— CHANGELOG.md exists at repo root - C
changelog-on-release-workflow— Workflow auto-generates changelog drafts on tag push - C
hive-1149-cdn-webcomponent-distribution— Webcomponent IIFE bundle is published to a reachable CDN (bc-subscriptions-cdn.pages.dev/v1/) and the API + admin reference that URL consistently - C
charges-retry-with-backoff— Failed charges retry up to 3 times with 1h/4h/24h exponential backoff (ADR-0011 gap 1) - C
pre-charge-hook-registry— Pre-charge hook chain for renewal-time pre-charge logic; hooks register via preChargeRegistry - C
sdk-substrate-scaffold— @bc-subscriptions/subscriber-sdk + @bc-subscriptions/react 2-package workspace scaffold + type-generation pipeline + npm release workflow (ADR-0034) - C
bdd-scenario-framework— Vitest scenario layer with defineScenario story helper + separate CI run (Hive #583) - C
processor-adapter-bc-payments-production— ADR-0035: BC Payments standard-rail adapter — production branch implemented (PAT mint + method lookup + payments.bigcommerce.com charge; throw at bc-payments.ts:70 replaced) - B
processor-adapter-bc-payments-webhook-extraction— ADR-0035: BC Payments stored-instrument extraction at order.created webhook — real BigPay token persisted via GET /v3/customers/{id}/stored-instruments - C
processor-adapter-stripe-production— ADR-0025: Stripe secondary-rail adapter — production branch implemented (PaymentIntent.create with off_session MIT; no pre-existing BC order required) - C
processor-adapter-stripe-decline-classification— Stripe adapter classifies hard vs soft declines via HARD_DECLINE_CODES set; StripeChargeError exposes isHardDecline for scheduler dunning logic - C
bc-payments-standard-rail-active— BC Payments adapter: HACKATHON_FIXTURE fixture guard fully removed from charge() — standard-rail (PAT/charge calls) is the only path per Payments P-2 - C
stripe-adapter-active— Stripe adapter: HACKATHON_FIXTURE fixture guard fully removed from charge() — PaymentIntent.create is the only path per ADR-0025 / Payments P-2 - C
fixture-payment-method-retired-from-production— ensureFixturePaymentMethod removed from all production route handlers — subscriptions.ts + webhooks.ts use real instrument resolution; db.ts export retained for tests - C
fixture-mode-gated-to-test— HACKATHON_FIXTURE is absent from all production route handlers and adapter charge() bodies — fixture mode is test-only (db.ts export and types.ts optional field remain) - C
auto-detect-stored-payments-enabled-check— processor-auto-detect returns storedPaymentsEnabled field — probes GET /v3/payments/stored-instruments and surfaces warning when disabled - C
portal-stored-instruments-picker-shipped— Portal stored-instruments picker: GET /api/v1/portal/stored-instruments route + StoredInstrumentsPicker.svelte — shoppers pick from vaulted instruments (ADR-0037) - C
portal-add-stored-instrument-iat-flow-shipped— Portal add-PM IAT flow: POST /api/v1/portal/stored-instruments/iat route + AddStoredInstrumentButton.svelte — shopper adds new card via BC hosted flow (ADR-0037) - C
processor-adapter-registry— Adapter discovery registry (adapter-registry.ts) exists and scheduler routes charges through getAdapter() rather than hardcoded createBcPaymentsAdapter() - C
stripe-rail-sandbox-validated— Stripe adapter end-to-end sandbox scenario exists — validates charge + off-session renewal + idempotency against Stripe test-mode API (Payments P-1) - C
processor-config-encrypted-at-rest— Tier α T1S: processor_connections.config stripe_secret_key is encrypted at write (encryptForStore in processor-connections.ts create handler) and decrypted at read (adapter-registry.ts getAdapter Stripe case). - C
per-store-key-derivation— Tier α T1S: per-store AES-256 keys derived via HKDF from deploy-time master (CREDENTIAL_ENCRYPTION_KEY) using store_hash as HKDF info. deriveStoreKey + encryptForStore + decryptForStore in crypto.ts. - C
cross-sub-instrument-selection-fixed— Portal stored-instrument select: backend rejects empty subscription_id with invalidBody; UpdatePaymentForm no longer passes subscriptionId="" to picker in cross-sub mode (proposal #774) - C
authorize-stripe— ADR-0038 P2-A: Stripe adapter implements authorize() via PaymentIntent.create with capture_method=manual, returns AuthorizeResult with processorTransactionId. authWindowDays=7 per Stripe documented card auth window. - C
capture-stripe— ADR-0038 P2-A: Stripe adapter implements capture() via PaymentIntent capture endpoint with amount_to_capture and Idempotency-Key (ADR-0011). voidAuth() implemented via PaymentIntent cancel. - B
authorize-bc-payments— ADR-0038 P2-A: BC Payments authorize() stub — documents that payments.bigcommerce.com is atomic and does not support per-request auth-only mode. Throws not_implemented_phase_2_requires_bc_partner_track. Verified 2026-05-15 against BC payments overview + transactions-api docs.
Cross-cutting work662 of 730 proposals (91%) — no BRD epic affiliation
Traceability gap. 662 of 730 tracked proposals (91%) carry no [Epic-N] prefix. This is substrate, tooling, methodology, CI, and refactor work — load-bearing for the project but invisible against the BRD spec. To improve: add epic: N to hive-meta on future proposals, or file [Epic-Foundation] umbrella trackers for substrate work itself.
About this dashboard
Quick orientation (read this first)
This page tracks how ready bc-subscriptions is to ship. The product is split into ~28 epics (think: features). Each epic must pass 10 quality gates before it counts as "ready." The grid above shows which gates each epic has passed.
For a stakeholder skimming this in 30 seconds:
- The top-of-matrix counters (Green / Yellow / Red) summarize where the whole project stands.
- Each row is one epic. Each dot is one of its 10 gates.● Green = passed.● Yellow = partial / in progress.● Red = not started.
- The % green column at the right is the epic's overall score.
- Click an epic title to open its full audit document with the evidence behind every gate.
That's the whole dashboard. The rest of this page explains how it works and what each gate means.
What an "epic" is here
An epic is one product capability. Examples from the grid above: "Merchant install & BC app authentication" (Epic 1), "Charge scheduling & execution" (Epic 10), "Subscriber portal access & auth" (Epic 17). The full list lives in the Business Requirements Document (BRD).
Each epic also carries a risk tier (the small P0/P1/P2/P3 chip next to the epic name): P0 = critical (charge engine, payment, install); P1 = important (subscriber portal, dashboards); P2 = useful (advanced flows); P3 = nice-to-have. Higher-risk epics need stricter evidence to pass certain gates.
What each gate means (in plain language)
| # | Name | The question it answers | How we check |
|---|---|---|---|
| 1 | Feature complete | Did we actually build the feature the spec describes? Every required user story has working code shipped to production? | Automated cross-check: scans the codebase for routes, screens, and tables each user story requires; flags anything missing or only half-built. |
| 2 | Hardened | When things go wrong (network blip, payment processor down, bad input), does the code fail gracefully? Are there tests proving it? | Checks that the epic has a "failure-injection" test file — automated tests that deliberately simulate failures and confirm the code handles them. |
| 3 | Security reviewed | Have we considered how a bad actor could abuse this feature, and put protections in place? Are PCI / GDPR / SOC2 obligations met? | Requires a written security review document walking through threat scenarios per the industry-standard STRIDE framework (see glossary). |
| 4 | Performance baselined | Will this feature be fast enough when many subscribers use it at once? Have we measured? | Checks for a performance budget doc (target response times) plus an automated load-test script using the open-source k6 tool. |
| 5 | Tested at risk tier | Do we have automated tests proving this feature works end-to-end? Higher-risk epics need more tests. | Counts the unit, integration, and E2E test files. P0 features additionally need a workflow that runs tests nightly against a real BC test store. |
| 6 | Documented | If something breaks at 2am, can the on-call engineer figure out what to do without paging the original developer? | Requires an on-call runbook listing the top failure modes, severity classification, and what to do for each. |
| 7 | User-guided | Can a merchant set this feature up by themselves, without filing a support ticket? | Requires a merchant-facing guide doc: what the feature does, step-by-step setup, common troubleshooting. |
| 8 | Demo-asset-ready | Can we show this feature to a prospect in 90 seconds? Is there a polished demo video? | Requires a written demo storyboard plus an operator-recorded MP4. The video can only be produced by a human, so this gate often lingers yellow even when the feature itself works. |
| 9 | Knowledge-transferred | If a new engineer joined the team, could they understand what this epic does, what its known limitations are, and where the follow-up work is? | Requires a per-epic handoff document covering shipped state, known limitations, and follow-up roadmap. |
| 10 | Change-managed | Will we know if this feature breaks in production? Are alerts set up? | Requires alert thresholds plus runtime telemetry hooks wired into the code, so when a real merchant uses the feature we emit metrics we can graph and alert on. |
How are these 10 gates chosen? (vs industry standards)
Short answer: the 10-gate framework is project-specific (custom to bc-subscriptions), but every gate maps to a well-known industry concept. It's an opinionated synthesis, not a published standard.
The canonical gate-to-framework mapping + per-framework reference extracts live at docs/rag/sdlc-frameworks/ (filed via Hive #1244). The summary below is a snapshot; the corpus is the source of truth.
Where each gate comes from:
| Our gate | Industry equivalent |
|---|---|
| 1 Feature complete | Agile "Definition of Done" — feature-completeness criterion. Universal. |
| 2 Hardened | ISO/IEC 25010 "Reliability" quality attribute. Google SRE Handbook "resilience testing." Netflix Chaos Engineering tradition. |
| 3 Security reviewed | OWASP ASVS (Application Security Verification Standard) + Microsoft STRIDE threat modeling + SOC2 Trust Services Criteria. Industry-mandatory for fintech. |
| 4 Performance baselined | Google SRE SLI/SLO methodology — defining service-level indicators + objectives before declaring a service ready. |
| 5 Tested at risk tier | Standard test pyramid (Cohn) — unit / integration / E2E coverage proportional to risk. Risk-tiered gating is common in regulated industries. |
| 6 Documented | Google SRE "Production Readiness Review" runbook requirement. Standard for any operationally-supported service. |
| 7 User-guided | Diátaxis documentation framework (tutorials / how-tos / reference / explanation). Standard product practice. |
| 8 Demo-asset-ready | Project-specific. Most engineering DoD frameworks don't include marketing assets. We do because bc-subscriptions ships as a marketplace app where demos drive merchant adoption. |
| 9 Knowledge-transferred | "Bus factor" / "Truck factor" hygiene — informal industry concept, rarely a formal gate. Atlassian + GitLab have similar handoff norms. |
| 10 Change-managed | SRE observability requirement (instrument before launch) + ITIL change-management discipline. Standard for production services. |
What's distinctive about this framework (vs typical 3-5 gate DoD checklists):
- 10 gates instead of 5 — Most teams collapse Gates 2/3/4 into one "Quality" gate, or combine Gates 6/7/9 into one "Documentation" gate. We split them so each can be measured independently.
- Evidence-based, not checkbox-based — Most DoD frameworks are "the team agrees this is done." Ours requires a specific committed artifact (test file, runbook, security doc) before a gate flips green.
- Two-phase signal, not self-reported — Most checklists collapse "evidence exists" and "evidence is good" into one signal. We split them: mechanical CI confirms artifacts are present (and caps at yellow); the operator audit confirms quality. Drift between the two layers is surfaced, not hidden.
- Gate 8 (Demo) is unusual — Marketing-readiness isn't a typical engineering gate. We include it because we ship as a marketplace app, so a feature isn't actually "shippable" until it can be demonstrated to merchants.
What this framework deliberately doesn't gate (some industry checklists do):
- Accessibility (WCAG) — Not currently gated. Covered partially via Gate 7 (merchant guide) but no explicit WCAG audit per epic.
- Internationalization (i18n) — Implicit (all admin strings flow through an i18n layer per ADR-0006) but not gated per-epic.
- Backwards compatibility — Tracked at the API-versioning level, not as an epic-level gate.
- Disaster recovery — Backup/restore testing is currently project-level, not gated per epic.
- Cost/economics — Per-epic cost dimensions are tracked (Gate 10 sub-criterion) but not a primary gate.
Alignment with BigCommerce Engineering DoD
Because bc-subscriptions ships as a BigCommerce marketplace app, BigCommerce's own Engineering DoD is the most-relevant framework — not just an industry reference. Every gate either aligns with a BigEng mandate, diverges deliberately, or carries an honest gap.
Full alignment matrix + per-gate analysis lives at docs/rag/sdlc-frameworks/bigcommerce-bigeng.md. Summary:
| Alignment | Gates |
|---|---|
| ✅ Aligned | Gate 1 (Feature complete), Gate 2 (Hardened), Gate 5 (Tested) |
| ⚠️ Partial alignment | Gate 3 (merchant-facing audit-log bridge missing), Gate 4 (our budgets looser than BC's <2s page load / <100ms p95 public-API bar), Gate 6 (we use project-local docs vs BC's KB), Gate 10 (we lack phased rollouts + 2-business-day postmortem cadence) |
| ❌ BC-mandated gaps | Gate 7 — BC requires WCAG 2.2 AA, localization, BigDesign components, Design team review. We don't gate any of these per-epic. |
| N/A | Gate 8 (BC doesn't gate demo readiness), Gate 9 (BC has incident RCA process but not per-feature handoff) |
Distribution-model context for gaps:
- If we stay a marketplace app: WCAG 2.2 AA + localization gaps are LOW severity (marketplace apps aren't audited the way native features are).
- If we ever graduate to a native BC feature: WCAG, localization, merchant-facing audit log, phased rollouts, and postmortem cadence all become HIGH severity — they're hard requirements.
- If we ever expose a public API: BC's API DoD applies (p95 < 100ms, snake_case keys, cursor pagination, 1-year sunset rule for internal-with-path-to-public).
The full gate definitions + sub-criteria + rationale live in the Definition-of-Done methodology doc (v0.4).
How states are computed
Every gate is a two-stage check. A gate is green only when both stages pass:
- Stage 1 — Mechanical check. Runs on every push to
main. Boolean: passed or failed. For Gate 1 it reads_state.jsonand confirms every matching capability is COMPLIANT or MANUAL_REVIEW (no PARTIAL, no NON_COMPLIANT, no ABSENT). For Gates 2-10 it confirms the required artifacts exist on disk (runbook present, E2E spec present, etc.). Self-updates with every commit. - Stage 2 — Human attestation. A checkbox written to the audit doc frontmatter (
attested:block). The operator reads the artifacts Stage 1 found, confirms they're real quality (not just present), and records the date + git commit they audited against. The attestation is bound to that commit: if any of the gate's dependent files change after the attestation, the checkbox auto-invalidates and the gate falls back to yellow with a ↻ re-attestation indicator until checked again.
Color computation:
- Green — Stage 1 ✓ + Stage 2 ✓ (attestation fresh: dependent files unchanged since checkbox).
- Yellow — Stage 1 ✓ + Stage 2 ☐ (no attestation) or Stage 1 ✓ + Stage 2 ↻ (attestation stale because files changed).
- Red — Stage 1 ✗ (required artifacts missing). Stage 2 doesn't matter — gate is red until the mechanical check passes.
- ↻ badge — gate is yellow specifically because the attestation went stale (mechanical passes, files moved); the operator needs to re-check the box.
The header counters break the 280 cells down by the four combinations of the two booleans. The actionable signals are Mech ✓, awaiting attestation (Stage 1 done; needs a human checkbox) and ↻ Needs re-attestation (the file the attestation depended on has been edited since).
Glossary
Technical terms used above and in the audit docs, for non-developer readers:
- BigEng / BigCommerce Engineering DoD
- BigCommerce's internal Definition-of-Done for engineering teams. Mandates include WCAG 2.2 AA accessibility conformance, localization for storefront + control panel strings, <2s page load (or <200ms TTFB), audit-log events for all merchant-facing actions, fault tolerance / graceful degradation, deployments controlled by experiment flags with phased rollouts, postmortem within ~2 business days, and use of BigDesign UI components.
- STRIDE
- A standard security threat-modeling framework developed at Microsoft. Acronym for six attack categories: Spoofing (pretending to be someone else), Tampering (modifying data illegitimately), Repudiation (denying an action you took), Information disclosure (leaking data), Denial of service (crashing the system), Elevation of privilege (gaining permissions you shouldn't have).
- k6
- An open-source load-testing tool from Grafana Labs. You write a script that simulates many concurrent users; k6 runs it and reports response-time statistics. Used for Gate 4 to prove the feature handles realistic traffic.
- p95 latency
- "95th percentile response time." If we say "p95 ≤ 800ms," it means 95% of requests complete in 800 milliseconds or less. Industry-standard way to talk about performance because the slowest 5% often matter most for user experience.
- PCI / GDPR / SOC2
- Three compliance frameworks bc-subscriptions must respect. PCI DSS (Payment Card Industry Data Security Standard) regulates how systems handle credit card data. GDPR (EU General Data Protection Regulation) governs personal data handling and subscriber rights (deletion, export). SOC2 (Service Organization Control 2) is an audit framework for security controls — used by enterprise customers to vet vendors.
- SRE / SLI / SLO
- SRE = Site Reliability Engineering, the discipline Google formalized for operating production services. SLI = Service Level Indicator (a metric you measure, e.g., "% of requests under 500ms"). SLO = Service Level Objective (the target for an SLI, e.g., "99.5% under 500ms"). Defining SLIs/SLOs before launch is the SRE prerequisite for production readiness.
- Definition of Done (DoD)
- An agile concept: the shared checklist a team uses to decide if work is actually finished. Most teams have 3-7 items; ours has 10 gates and a heavier evidence requirement.
- ISO/IEC 25010
- The international standard for software quality attributes. Lists 8 top-level dimensions including reliability, performance, security, maintainability, and usability. Our 10 gates map to several of these dimensions.
- OWASP ASVS
- Application Security Verification Standard, published by the Open Web Application Security Project. A checklist of security controls organized by risk level. Our Gate 3 (Security reviewed) implicitly references ASVS-level controls.
- ITIL
- Information Technology Infrastructure Library, the most widely-adopted IT service management framework. Includes change-management discipline relevant to our Gate 10.
- ADR (Architecture Decision Record)
- A short document capturing one significant architectural decision (e.g., "we chose Cloudflare Workers over AWS Lambda because…"). ADRs live in
docs/decisions/and are numbered sequentially (ADR-0001, ADR-0002, …). - BRD (Business Requirements Document)
- The product spec. Defines every epic and its acceptance criteria.
BRD.mdin the repository root. - Runbook
- The on-call playbook for when something goes wrong in production. Lists known failure modes, how to diagnose them, and what to do about each.
- Webhook
- A way for two systems to notify each other automatically. Example: when a subscriber checks out on BigCommerce, BC sends a webhook to bc-subscriptions saying "this order just happened," and bc-subscriptions creates the subscription record.
- OpenAPI
- An industry-standard format for documenting an API. Defines every endpoint, what it accepts, and what it returns.
- End-to-end (E2E) test
- An automated test that drives the actual user interface (clicks buttons, fills forms) and verifies the whole flow works. Heavier than a unit test but catches things unit tests miss.
- Sandbox-scenario CI
- An automated test that runs nightly against a real BigCommerce test store (called a "sandbox"). Catches integration issues that mocked tests miss. CI = "Continuous Integration" = the automated build/test pipeline.
- Cloudflare Workers / D1 / KV
- Cloud infrastructure components bc-subscriptions runs on. Workers = the code execution platform. D1 = a SQL database. KV = a key-value cache.
- Phase 1a / 1b / 2 / 3
- The cohorts (groups) of epics, ordered by delivery sequence. Phase 1a = foundation features. Phase 1b = lifecycle features. Phase 2 = full feature set. Phase 3 = advanced. Phasing per ADR-0021.
- Wave 1 / Wave 3 / cold-read
- Project-specific terminology for the close-out methodology. Each epic goes through multiple "waves" of work: Wave 1 lands the artifacts; Wave 3 is when an independent reviewer cold-reads the work to catch drift before sign-off.
- Stage 1 / Stage 2 / re-attestation
- Every gate is two booleans. Stage 1 is the automated check — did the required artifacts exist as of the last push? Boolean, computed deterministically. Stage 2 is the human checkbox — does a person attest the artifacts are good (not just present)? Bound to a git commit. When the dependent files change after the attestation, the checkbox auto-invalidates → "needs re-attestation" — not because anyone made a mistake, but because the evidence beneath the audit shifted.
For developers / engineering reviewers
Methodology references for the gate definitions, derivation logic, and walk-back procedures:
epic-definition-of-done.md— full 10-gate spec, v0.4 (sub-criteria, evidence requirements, edge cases)- ADR-0021 — why epics are sequenced into these specific phase cohorts
METHODOLOGY.md— dual-track agile, trust axioms, derive-first principle- Trust-restoration lessons (2026-05-13) — why we derive evidence mechanically rather than trusting prose audits