Review → GA readiness

GA readiness.

GA-readiness scorecard for the 10-gate Epic DoD (ADR-0057). Each gate is a two-stage check: Stage 1 — the automated check passes (mechanical, runs on every push to main); Stage 2 — a human attests the artifacts are real quality (checkbox bound to the commit it was made against). A gate is green only when both stages pass; if files change after the attestation, the checkbox auto-invalidates and the gate falls back to yellow until re-checked.

Two "DoD" frameworks — orthogonal, not redundant.

This page is the 10-gate Epic DoD (ADR-0057) — per-epic engineering-readiness for GA (tests, docs, security, a11y, demo-asset… two-stage mechanical + human attestation). It is distinct from the 5-gate Definition-of-Done verification ladder (ADR-0067) — per-acceptance-criterion functional verification (G1 spec → G2 prototype → G3 presence → G4 behavior → G5 live), which answers "does the feature actually work?" rather than "is the epic quality-ready?". The two axes compose: an epic can be GA-ready (10-gate) while individual ACs are still climbing the verification ladder, and vice-versa. The per-AC G4/G5 view lives in Review → Verification ladder.

Mechanical re-derived 2026-07-01 17:47Z @ b083f095 · last attestation 2026-05-19 · 0 / 28 epics fully gated

Both stages

27

Mech ✓, awaiting attestation

61

↻ Needs re-attestation

15

Mech ✗

177

Green — Stage 1 + Stage 2 both passYellow — Stage 1 passes; Stage 2 unchecked or staleRed — Stage 1 fails (artifacts missing)Gray — N/A needs re-attestation (files changed since checkbox)

Gates:1 Feature complete ·2 Hardened ·3 Security reviewed ·4 Performance baselined ·5 Tested at risk tier ·6 Documented ·7 User-guided ·8 Demo-asset-ready ·9 Knowledge-transferred ·10 Change-managed. Hover any cell for mechanical-vs-operator detail.

Green

27

10% of scored cells

Yellow

76

in flight / partial

Red

177

not started

Epics

28

10 gates each

Epic / Risk12345678910% green
Phase 1aReal merchant can install + run one cycle
8 epics · 13/80 green (16%)
Epic 1

Merchant install & BC app authentication

P0
0%
Epic 2

Processor onboarding

P0
10%
Epic 4

Enable subscription on a BC product

P2
20%
Epic 5

Plan design

P2
20%
Epic 10

Charge scheduling & execution

P0
20%
Epic 14

BC order generation from charges

P0
20%
Epic 17

Subscriber portal access & auth

P1
20%
Epic 19

Payment method & address management

P0
20%
Phase 1bReal merchant can manage subscribers via storefront
7 epics · 14/70 green (20%)
Epic 8

Storefront subscription widget

P1
20%
Epic 9

Cart & checkout subscription intent capture

P0
20%
Epic 11

Dunning, retries & decline recovery

P0
20%
Epic 18

Lifecycle actions (skip/swap/pause/cancel)

P1
20%
Epic 21

Merchant dashboard, KPIs, exception queue

P1
20%
Epic 23

Notifications & external integrations

P1
20%
Epic 28

Compliance, trust & audit

P0
20%
Phase 2Full features behind 1a/1b foundation
9 epics · 0/90 green (0%)
Epic 3

Migration from legacy subscription apps

P3
0%
Epic 7

Scoping (channels, customer groups, Price Lists)

P2
0%
Epic 12

Refunds, credits & manual charges

P0
0%
Epic 13

Reconciliation & observability

P0
0%
Epic 15

Inventory, tax, shipping recalc at renewal

P1
0%
Epic 16

Order bundling across subscriptions

P1
0%
Epic 20

Churn prevention flows

P1
0%
Epic 22

Manual subscription creation & CS tools

P2
0%
Epic 27

Developer platform (REST API, webhooks, SDK)

P1
0%
Phase 3Advanced
4 epics · 0/40 green (0%)
Epic 6

Advanced subscription types

P2
0%
Epic 24

B2B Edition support

P3
0%
Epic 25

Subscription-aware promotions & discounts

P2
0%
Epic 26

Eligibility, inclusion & exclusion rules

P2
0%
Gate definitions
  1. 1Feature complete
  2. 2Hardened
  3. 3Security reviewed
  4. 4Performance baselined
  5. 5Tested at risk-appropriate rates
  6. 6Documented
  7. 7User-guided
  8. 8Demo-asset-ready
  9. 9Knowledge-transferred
  10. 10Change-managed

Framework: epic-definition-of-done.md · ratified per ADR-0057 · phase cohorts per ADR-0021.

Cross-cutting capabilities.

Substrate-level signal derived from tools/state-derive/ that doesn't map to a per-epic gate. These families measure platform conventions, ratified architecture decisions, NFRs, persona scenarios, and infrastructure hygiene. Each card is a roll-up across N capabilities; click to expand the per-capability list.

BigEng platform conventions

12 wire/schema/operations conventions from the BigCommerce platform audit (ADR-0030).

12/12
12 COMPLIANT
  • Cbigeng-01-snake-case-wiresnake_case wire fields — JSON request/response keys are snake_case on the wire
  • Cbigeng-02-store-id-in-payloadstore_hash present as payload field, not header-only
  • Cbigeng-03-offset-cursor-paginationOffset + cursor pagination, mutually exclusive — bigeng convention #3
  • Cbigeng-04-typed-errorsTyped domain ADTs for errors (vs ad-hoc { error: string } shapes)
  • Cbigeng-05-principal-envelopeAuth principal envelope {id, type} on requests
  • Cbigeng-06-uuid-owned-entitiesUUID for owned entities; integer for legacy BC FKs
  • Cbigeng-07-soft-delete-flagSoft-delete via is_deleted INTEGER (vs hard-delete + cascade)
  • Cbigeng-08-timestamp-defaultsTIMESTAMP DEFAULT CURRENT_TIMESTAMP on created_at / updated_at columns
  • Cbigeng-09-operations-ledgerOperations-table saga ledger (replaces inline cron-driven orchestration)
  • Cbigeng-10-scope-entitlementsScope / resource entitlements (per-subscriber, not just store-wide)
  • Cbigeng-11-audit-decoratorAudit emission via decorator wrapping (vs inline INSERT INTO events)
  • Cbigeng-12-audit-payload-shapeAudit payload shape — target/resource/summary/operation_type + request-scoped MDC

Phase-1 ADR commitments

Ratified architecture decisions whose implementation is mechanically verifiable.

9/9
9 COMPLIANT
  • Cadr-0007-uninstall-sweepADR-0007: GDPR-driven uninstall retention sweep (30-day tombstone before hard delete)
  • Cadr-0009-tenant-scope-guardsADR-0009: tenant data isolation via store_hash scope guards on every owned-entity read
  • Cadr-0011-failed-permanentlyADR-0011: failed_permanently terminal state — scheduler ratchets stuck charges
  • Cadr-0014-typed-error-formatADR-0014: typed-error wire format (couples with BigEng convention #4)
  • Cadr-0024-per-instance-overridesADR-0024: per-delivery-instance override mutation API (skip / swap_product / reschedule_to)
  • Cadr-0028-eligibility-engineADR-0028: eligibility-engine architecture pattern (Epic 26 inclusion + exclusion rules)
  • Cadr-0029-marketplace-firstADR-0029: marketplace-first, native-ready posture
  • Cadr-0030-bigeng-alignmentADR-0030: BigEng pattern alignment — ratify the 12-convention catalog
  • Cadr-0037-stored-instruments-canonical-railADR-0037: stored-instruments vault ratified as the canonical charge rail — ADR file exists and bc-vault-client.ts service ships

BRD non-functional requirements

Latency, uptime, PCI scope, RLS, WCAG, GDPR — measured against committed thresholds.

1/8
1 COMPLIANT7 MANUAL_REVIEW
  • Mbrd-nfr-7-1-charge-latency-p99P99 charge execution latency < 3s from scheduler pickup to processor call initiated
  • Mbrd-nfr-7-1-webhook-ingestion-latencyP99 webhook ingestion < 250ms to 2xx response (processing is async)
  • Mbrd-nfr-7-2-platform-uptime-sla99.95% platform uptime SLA; at-least-once delivery on external webhook deliveries; at-most-once charge execution enforced via idempotency key = charge.id
  • Cbrd-nfr-7-3-pci-scope-zeroNo PAN, CVV, or full card data ever stored or transmitted through our servers; processor adapters hold tokens only; TLS 1.3 in transit; AES-256-GCM for secrets at rest
  • Mbrd-nfr-7-4-rls-tenant-isolationSingle-tenant resource isolation via Postgres row-level security (RLS) partitioned by store_hash
  • Mbrd-nfr-7-5-event-row-per-state-transitionEvery state transition emits an Event row (append-only, per-store partitioned); every external call logged with latency, status, correlation ID
  • Mbrd-nfr-7-6-wcag-aaWCAG 2.2 AA for merchant admin and subscriber portal; keyboard-navigable; screen-reader tested
  • Mbrd-nfr-7-8-gdpr-ccpa-complianceGDPR data subject access + erasure within 30 days; CCPA with "do not sell"; PCI DSS SAQ-A maintained; EU data residency by Phase 2

Persona scenario coverage

BDD scenarios for the five subscription personas (Maya/Alex/Jordan/Sam/Taylor).

25/25
25 COMPLIANT
  • Cscenario-subscription-lifecycleLifecycle scenario covers create → pause → resume → cancel with event timeline assertions
  • Cscenario-p1-maya-subscription-boxP1 Maya scenarios: annual wine subscription happy-path with U-20 calendar anchor + OOS exception queue surfacing (U-18 partial) + mid-year signup calendar anchor edge case
  • Cscenario-p2-alex-digital-contentP2 Alex persona BDD scenarios: AllotmentGrant lifecycle (debit + refresh), cancel, mid-cycle upgrade with proration
  • Cscenario-p3-jordan-giftingP3 Jordan persona BDD scenarios: gift purchase (status=paused + extension + event), gift claim (recipient active), expired claim window (412)
  • Cscenario-p4-sam-b2b-enterpriseP4 Sam B2B persona BDD scenarios: CS-rep enrollment with PO, commitment_cycles data model (U-17 foundation), buyer-org AllotmentGrant quarterly refresh
  • Cscenario-p5-taylor-consumablesP5 Taylor persona BDD scenarios: subscribe-and-save renewal, dunning retry self-heal, dunning exhaustion → cancel
  • Cscenario-p1-maya-happy-pathP1 Maya: annual subscription signup → active → calendar-anchored next_charge_at (BRD §US-1.1 / US-9.2 / US-10.3)
  • Cscenario-p1-maya-oos-exception-queueP1 Maya: OOS block at renewal → Exception Queue entry surfaced (BRD §US-15.1)
  • Cscenario-p1-maya-calendar-anchorP1 Maya: mid-year signup → next_charge_at snaps to Jan 1, not signup+1yr (BRD §US-10.3)
  • Cscenario-p2-alex-allotment-grantP2 Alex: AllotmentGrant create → 4 debits → balance=0 → month-boundary refresh → balance=4 (BRD §US-6.9)
  • Cscenario-p2-alex-cancelP2 Alex: subscriber cancel → status=cancelled + subscription.cancelled event (BRD §US-18.5 / US-6.5)
  • Cscenario-p2-alex-upgradeP2 Alex: mid-cycle Standard→Premium upgrade → proration charge + plan_id updated + plan_upgraded event (BRD §US-14.6)
  • Cscenario-p3-jordan-gift-purchaseP3 Jordan: Gift purchase → status=paused + gift extension + subscription.gift_purchased event (BRD §US-6.1)
  • Cscenario-p3-jordan-gift-claimP3 Jordan: Gift claim → recipient subscription status=active, gift marked claimed (BRD §US-6.1)
  • Cscenario-p3-jordan-expired-gift-claimP3 Jordan: Expired gift claim window → 412 precondition_failed (BRD §US-6.1)
  • Cscenario-p4-sam-b2b-enrollmentP4 Sam: CS-rep B2B enrollment with PO reference → status=active + subscription.b2b_enrolled event (BRD §US-22.9 / ADR-0023)
  • Cscenario-p4-sam-commitment-cyclesP4 Sam: commitment_cycles=12 persisted on plan — data-model foundation for U-17 cancel lock (BRD §US-5.7)
  • Cscenario-p4-sam-allotment-quarterly-refreshP4 Sam: Buyer-org AllotmentGrant 50 wellness_credits/quarter → balance drained → quarterly refresh → balance=50 (BRD §US-6.9)
  • Cscenario-p5-taylor-renewal-chargeP5 Taylor: Subscribe-and-save 3-cycle commitment + successful renewal charge (BRD §US-5.7 / US-11.1)
  • Cscenario-p5-taylor-dunning-retryP5 Taylor: Dunning retry scheduled on failure → charge succeeds on retry → subscription stays active (BRD §US-11.2)
  • Cscenario-p5-taylor-dunning-exhaustionP5 Taylor: Dunning all 3 stages exhaust → subscription.status=cancelled + charge.failed_permanently (BRD §US-11.2)
  • Cscenario-u17-cancel-lock-p4-samU-17 P4 Sam: cancel lock 409 enforcement + CS-rep override with audit trail (BRD §US-5.7 + synthesis fa3dc5f3)
  • Cscenario-u17-cancel-lock-p5-taylorU-17 P5 Taylor: cancel lock 409 for 3-cycle commitment (BRD §US-5.7 + synthesis fa3dc5f3)
  • Cscenario-u19-future-start-dateU-19 P3 Jordan: future start date → pending_start → scheduler activation (BRD §US-N.M + synthesis fa3dc5f3)
  • Cscenario-u20-calendar-billing-anchorU-20 P4 Sam: calendar billing anchor billing_anchor_month/day → April 1 fiscal-year anchor (BRD §US-N.M + synthesis fa3dc5f3)

Infrastructure & tooling

CI hygiene (Dependabot, gitleaks), testing baseline, observability, internal tooling.

275/287
275 COMPLIANT7 MANUAL_REVIEW1 PARTIAL1 NON-COMPLIANT
  • Cshipped-b2b-edition-detectionB2B Edition support — variant detection + admin enrollment (Epic 22, called "Phase 2 planned" by stale audit)
  • Cshipped-dsar-endpointDSAR endpoint — per-customer export + erasure (Epic 28, called "Phase 2 planned" by stale audit)
  • Cshipped-bigeng-slices-bcdBigEng Slices B/C/D shipped — typed errors + schema retrofit + audit decorator (called "in flight" by stale audit)
  • Cops-ledger-max-attemptsADR-0031: operations.max_attempts column for per-row retry budget
  • Cops-ledger-locked-until-reaperADR-0031: operations.locked_until column + reaper cron
  • Cjob-configuration-tableADR-0031: job_configuration sidecar table for per-cron per-store config
  • Cshipped-phase-2-gcp-scaffoldPhase 2 GCP Terraform scaffold (called "Phase-2 candidate / future" by stale audit; in flight now)
  • Cidempotency-keys-tableidempotency_keys ledger table for request-level idempotency (Hive #581)
  • Cidempotency-middlewareMiddleware reads Idempotency-Key header, caches mutation responses, returns 409 on fingerprint mismatch
  • Cdeprecation-handler-registeredDeprecationRegistry + middleware wired at app boot (ADR-0032)
  • Capi-version-namespace-v1All API routes mounted under /api/v1/ prefix (ADR-0032)
  • Cdeprecation-headers-emit-on-requestDeprecation, Sunset, Link headers emit on deprecated route calls (ADR-0032)
  • Csubscription-extensions-tableADR-0033: polymorphic subscription_extensions substrate for Epic 6 extension types
  • Cextensions-scheduler-hooksADR-0033: scheduler invokes extension lifecycle hooks before each renewal
  • Copenapi-spec-existsOpenAPI 3.0 spec at apps/api/openapi.yaml (Hive #580)
  • Copenapi-docs-route-existsGET /docs Swagger UI handler exists (Hive #580) — route mount in worker.ts required
  • Cidempotency-cleanup-cron24h TTL cleanup cron for idempotency_keys table
  • Copenapi-drift-ci-gateCI gate validates OpenAPI spec on PRs touching API or spec (Hive #580)
  • Cschema-charges-tablecharges table — first-class entity for each subscription billing attempt
  • Cschema-customers-tablecustomers table — mirror of BC customers with subscription-specific fields (payment_customer_ref, consent_metadata)
  • Cschema-payment-methods-tablepayment_methods table — gateway-tokenized PMs with NTI (Network Transaction ID) for MIT credential continuity
  • Cschema-reconciliation-runs-tablereconciliation_runs table — observability for the periodic reconcile sweep
  • Cdependabot-configDependabot configured for weekly dependency updates across all workspaces
  • Cgitleaks-workflowGitleaks CI workflow scans every PR for secrets; allowlist documented
  • Cchangelog-md-existsCHANGELOG.md exists at repo root
  • Cchangelog-on-release-workflowWorkflow auto-generates changelog drafts on tag push
  • Chive-1149-cdn-webcomponent-distributionWebcomponent IIFE bundle is published to a reachable CDN (bc-subscriptions-cdn.pages.dev/v1/) and the API + admin reference that URL consistently
  • Ccharges-retry-with-backoffFailed charges retry up to 3 times with 1h/4h/24h exponential backoff (ADR-0011 gap 1)
  • Cpre-charge-hook-registryPre-charge hook chain for renewal-time pre-charge logic; hooks register via preChargeRegistry
  • Csdk-substrate-scaffold@bc-subscriptions/subscriber-sdk + @bc-subscriptions/react 2-package workspace scaffold + type-generation pipeline + npm release workflow (ADR-0034)
  • Cbdd-scenario-frameworkVitest scenario layer with defineScenario story helper + separate CI run (Hive #583)
  • Cprocessor-adapter-bc-payments-productionADR-0035: BC Payments standard-rail adapter — production branch implemented (PAT mint + method lookup + payments.bigcommerce.com charge; throw at bc-payments.ts:70 replaced)
  • Bprocessor-adapter-bc-payments-webhook-extractionADR-0035: BC Payments stored-instrument extraction at order.created webhook — real BigPay token persisted via GET /v3/customers/{id}/stored-instruments
  • Cprocessor-adapter-stripe-productionADR-0025: Stripe secondary-rail adapter — production branch implemented (PaymentIntent.create with off_session MIT; no pre-existing BC order required)
  • Cprocessor-adapter-stripe-decline-classificationStripe adapter classifies hard vs soft declines via HARD_DECLINE_CODES set; StripeChargeError exposes isHardDecline for scheduler dunning logic
  • Cbc-payments-standard-rail-activeBC Payments adapter: HACKATHON_FIXTURE fixture guard fully removed from charge() — standard-rail (PAT/charge calls) is the only path per Payments P-2
  • Cstripe-adapter-activeStripe adapter: HACKATHON_FIXTURE fixture guard fully removed from charge() — PaymentIntent.create is the only path per ADR-0025 / Payments P-2
  • Cfixture-payment-method-retired-from-productionensureFixturePaymentMethod removed from all production route handlers — subscriptions.ts + webhooks.ts use real instrument resolution; db.ts export retained for tests
  • Cfixture-mode-gated-to-testHACKATHON_FIXTURE is absent from all production route handlers and adapter charge() bodies — fixture mode is test-only (db.ts export and types.ts optional field remain)
  • Cauto-detect-stored-payments-enabled-checkprocessor-auto-detect returns storedPaymentsEnabled field — probes GET /v3/payments/stored-instruments and surfaces warning when disabled
  • Cportal-stored-instruments-picker-shippedPortal stored-instruments picker: GET /api/v1/portal/stored-instruments route + StoredInstrumentsPicker.svelte — shoppers pick from vaulted instruments (ADR-0037)
  • Cportal-add-stored-instrument-iat-flow-shippedPortal add-PM IAT flow: POST /api/v1/portal/stored-instruments/iat route + AddStoredInstrumentButton.svelte — shopper adds new card via BC hosted flow (ADR-0037)
  • Cprocessor-adapter-registryAdapter discovery registry (adapter-registry.ts) exists and scheduler routes charges through getAdapter() rather than hardcoded createBcPaymentsAdapter()
  • Cstripe-rail-sandbox-validatedStripe adapter end-to-end sandbox scenario exists — validates charge + off-session renewal + idempotency against Stripe test-mode API (Payments P-1)
  • Cprocessor-config-encrypted-at-restTier α T1S: processor_connections.config stripe_secret_key is encrypted at write (encryptForStore in processor-connections.ts create handler) and decrypted at read (adapter-registry.ts getAdapter Stripe case).
  • Cper-store-key-derivationTier α T1S: per-store AES-256 keys derived via HKDF from deploy-time master (CREDENTIAL_ENCRYPTION_KEY) using store_hash as HKDF info. deriveStoreKey + encryptForStore + decryptForStore in crypto.ts.
  • Ccross-sub-instrument-selection-fixedPortal stored-instrument select: backend rejects empty subscription_id with invalidBody; UpdatePaymentForm no longer passes subscriptionId="" to picker in cross-sub mode (proposal #774)
  • Cauthorize-stripeADR-0038 P2-A: Stripe adapter implements authorize() via PaymentIntent.create with capture_method=manual, returns AuthorizeResult with processorTransactionId. authWindowDays=7 per Stripe documented card auth window.
  • Ccapture-stripeADR-0038 P2-A: Stripe adapter implements capture() via PaymentIntent capture endpoint with amount_to_capture and Idempotency-Key (ADR-0011). voidAuth() implemented via PaymentIntent cancel.
  • Bauthorize-bc-paymentsADR-0038 P2-A: BC Payments authorize() stub — documents that payments.bigcommerce.com is atomic and does not support per-request auth-only mode. Throws not_implemented_phase_2_requires_bc_partner_track. Verified 2026-05-15 against BC payments overview + transactions-api docs.

Cross-cutting work662 of 730 proposals (91%) — no BRD epic affiliation

Traceability gap. 662 of 730 tracked proposals (91%) carry no [Epic-N] prefix. This is substrate, tooling, methodology, CI, and refactor work — load-bearing for the project but invisible against the BRD spec. To improve: add epic: N to hive-meta on future proposals, or file [Epic-Foundation] umbrella trackers for substrate work itself.

About this dashboard

Quick orientation (read this first)

This page tracks how ready bc-subscriptions is to ship. The product is split into ~28 epics (think: features). Each epic must pass 10 quality gates before it counts as "ready." The grid above shows which gates each epic has passed.

For a stakeholder skimming this in 30 seconds:

  • The top-of-matrix counters (Green / Yellow / Red) summarize where the whole project stands.
  • Each row is one epic. Each dot is one of its 10 gates.● Green = passed.● Yellow = partial / in progress.● Red = not started.
  • The % green column at the right is the epic's overall score.
  • Click an epic title to open its full audit document with the evidence behind every gate.

That's the whole dashboard. The rest of this page explains how it works and what each gate means.

What an "epic" is here

An epic is one product capability. Examples from the grid above: "Merchant install & BC app authentication" (Epic 1), "Charge scheduling & execution" (Epic 10), "Subscriber portal access & auth" (Epic 17). The full list lives in the Business Requirements Document (BRD).

Each epic also carries a risk tier (the small P0/P1/P2/P3 chip next to the epic name): P0 = critical (charge engine, payment, install); P1 = important (subscriber portal, dashboards); P2 = useful (advanced flows); P3 = nice-to-have. Higher-risk epics need stricter evidence to pass certain gates.

What each gate means (in plain language)

#NameThe question it answersHow we check
1Feature completeDid we actually build the feature the spec describes? Every required user story has working code shipped to production?Automated cross-check: scans the codebase for routes, screens, and tables each user story requires; flags anything missing or only half-built.
2HardenedWhen things go wrong (network blip, payment processor down, bad input), does the code fail gracefully? Are there tests proving it?Checks that the epic has a "failure-injection" test file — automated tests that deliberately simulate failures and confirm the code handles them.
3Security reviewedHave we considered how a bad actor could abuse this feature, and put protections in place? Are PCI / GDPR / SOC2 obligations met?Requires a written security review document walking through threat scenarios per the industry-standard STRIDE framework (see glossary).
4Performance baselinedWill this feature be fast enough when many subscribers use it at once? Have we measured?Checks for a performance budget doc (target response times) plus an automated load-test script using the open-source k6 tool.
5Tested at risk tierDo we have automated tests proving this feature works end-to-end? Higher-risk epics need more tests.Counts the unit, integration, and E2E test files. P0 features additionally need a workflow that runs tests nightly against a real BC test store.
6DocumentedIf something breaks at 2am, can the on-call engineer figure out what to do without paging the original developer?Requires an on-call runbook listing the top failure modes, severity classification, and what to do for each.
7User-guidedCan a merchant set this feature up by themselves, without filing a support ticket?Requires a merchant-facing guide doc: what the feature does, step-by-step setup, common troubleshooting.
8Demo-asset-readyCan we show this feature to a prospect in 90 seconds? Is there a polished demo video?Requires a written demo storyboard plus an operator-recorded MP4. The video can only be produced by a human, so this gate often lingers yellow even when the feature itself works.
9Knowledge-transferredIf a new engineer joined the team, could they understand what this epic does, what its known limitations are, and where the follow-up work is?Requires a per-epic handoff document covering shipped state, known limitations, and follow-up roadmap.
10Change-managedWill we know if this feature breaks in production? Are alerts set up?Requires alert thresholds plus runtime telemetry hooks wired into the code, so when a real merchant uses the feature we emit metrics we can graph and alert on.

How are these 10 gates chosen? (vs industry standards)

Short answer: the 10-gate framework is project-specific (custom to bc-subscriptions), but every gate maps to a well-known industry concept. It's an opinionated synthesis, not a published standard.

The canonical gate-to-framework mapping + per-framework reference extracts live at docs/rag/sdlc-frameworks/ (filed via Hive #1244). The summary below is a snapshot; the corpus is the source of truth.

Where each gate comes from:

Our gateIndustry equivalent
1 Feature completeAgile "Definition of Done" — feature-completeness criterion. Universal.
2 HardenedISO/IEC 25010 "Reliability" quality attribute. Google SRE Handbook "resilience testing." Netflix Chaos Engineering tradition.
3 Security reviewedOWASP ASVS (Application Security Verification Standard) + Microsoft STRIDE threat modeling + SOC2 Trust Services Criteria. Industry-mandatory for fintech.
4 Performance baselinedGoogle SRE SLI/SLO methodology — defining service-level indicators + objectives before declaring a service ready.
5 Tested at risk tierStandard test pyramid (Cohn) — unit / integration / E2E coverage proportional to risk. Risk-tiered gating is common in regulated industries.
6 DocumentedGoogle SRE "Production Readiness Review" runbook requirement. Standard for any operationally-supported service.
7 User-guidedDiátaxis documentation framework (tutorials / how-tos / reference / explanation). Standard product practice.
8 Demo-asset-readyProject-specific. Most engineering DoD frameworks don't include marketing assets. We do because bc-subscriptions ships as a marketplace app where demos drive merchant adoption.
9 Knowledge-transferred"Bus factor" / "Truck factor" hygiene — informal industry concept, rarely a formal gate. Atlassian + GitLab have similar handoff norms.
10 Change-managedSRE observability requirement (instrument before launch) + ITIL change-management discipline. Standard for production services.

What's distinctive about this framework (vs typical 3-5 gate DoD checklists):

  • 10 gates instead of 5 — Most teams collapse Gates 2/3/4 into one "Quality" gate, or combine Gates 6/7/9 into one "Documentation" gate. We split them so each can be measured independently.
  • Evidence-based, not checkbox-based — Most DoD frameworks are "the team agrees this is done." Ours requires a specific committed artifact (test file, runbook, security doc) before a gate flips green.
  • Two-phase signal, not self-reported — Most checklists collapse "evidence exists" and "evidence is good" into one signal. We split them: mechanical CI confirms artifacts are present (and caps at yellow); the operator audit confirms quality. Drift between the two layers is surfaced, not hidden.
  • Gate 8 (Demo) is unusual — Marketing-readiness isn't a typical engineering gate. We include it because we ship as a marketplace app, so a feature isn't actually "shippable" until it can be demonstrated to merchants.

What this framework deliberately doesn't gate (some industry checklists do):

  • Accessibility (WCAG) — Not currently gated. Covered partially via Gate 7 (merchant guide) but no explicit WCAG audit per epic.
  • Internationalization (i18n) — Implicit (all admin strings flow through an i18n layer per ADR-0006) but not gated per-epic.
  • Backwards compatibility — Tracked at the API-versioning level, not as an epic-level gate.
  • Disaster recovery — Backup/restore testing is currently project-level, not gated per epic.
  • Cost/economics — Per-epic cost dimensions are tracked (Gate 10 sub-criterion) but not a primary gate.

Alignment with BigCommerce Engineering DoD

Because bc-subscriptions ships as a BigCommerce marketplace app, BigCommerce's own Engineering DoD is the most-relevant framework — not just an industry reference. Every gate either aligns with a BigEng mandate, diverges deliberately, or carries an honest gap.

Full alignment matrix + per-gate analysis lives at docs/rag/sdlc-frameworks/bigcommerce-bigeng.md. Summary:

AlignmentGates
✅ AlignedGate 1 (Feature complete), Gate 2 (Hardened), Gate 5 (Tested)
⚠️ Partial alignmentGate 3 (merchant-facing audit-log bridge missing), Gate 4 (our budgets looser than BC's <2s page load / <100ms p95 public-API bar), Gate 6 (we use project-local docs vs BC's KB), Gate 10 (we lack phased rollouts + 2-business-day postmortem cadence)
❌ BC-mandated gapsGate 7 — BC requires WCAG 2.2 AA, localization, BigDesign components, Design team review. We don't gate any of these per-epic.
N/AGate 8 (BC doesn't gate demo readiness), Gate 9 (BC has incident RCA process but not per-feature handoff)

Distribution-model context for gaps:

  • If we stay a marketplace app: WCAG 2.2 AA + localization gaps are LOW severity (marketplace apps aren't audited the way native features are).
  • If we ever graduate to a native BC feature: WCAG, localization, merchant-facing audit log, phased rollouts, and postmortem cadence all become HIGH severity — they're hard requirements.
  • If we ever expose a public API: BC's API DoD applies (p95 < 100ms, snake_case keys, cursor pagination, 1-year sunset rule for internal-with-path-to-public).

The full gate definitions + sub-criteria + rationale live in the Definition-of-Done methodology doc (v0.4).

How states are computed

Every gate is a two-stage check. A gate is green only when both stages pass:

  1. Stage 1 — Mechanical check. Runs on every push to main. Boolean: passed or failed. For Gate 1 it reads _state.json and confirms every matching capability is COMPLIANT or MANUAL_REVIEW (no PARTIAL, no NON_COMPLIANT, no ABSENT). For Gates 2-10 it confirms the required artifacts exist on disk (runbook present, E2E spec present, etc.). Self-updates with every commit.
  2. Stage 2 — Human attestation. A checkbox written to the audit doc frontmatter (attested: block). The operator reads the artifacts Stage 1 found, confirms they're real quality (not just present), and records the date + git commit they audited against. The attestation is bound to that commit: if any of the gate's dependent files change after the attestation, the checkbox auto-invalidates and the gate falls back to yellow with a re-attestation indicator until checked again.

Color computation:

  • Green — Stage 1 ✓ + Stage 2 ✓ (attestation fresh: dependent files unchanged since checkbox).
  • Yellow — Stage 1 ✓ + Stage 2 ☐ (no attestation) or Stage 1 ✓ + Stage 2 ↻ (attestation stale because files changed).
  • Red — Stage 1 ✗ (required artifacts missing). Stage 2 doesn't matter — gate is red until the mechanical check passes.
  • badge — gate is yellow specifically because the attestation went stale (mechanical passes, files moved); the operator needs to re-check the box.

The header counters break the 280 cells down by the four combinations of the two booleans. The actionable signals are Mech ✓, awaiting attestation (Stage 1 done; needs a human checkbox) and ↻ Needs re-attestation (the file the attestation depended on has been edited since).

Glossary

Technical terms used above and in the audit docs, for non-developer readers:

BigEng / BigCommerce Engineering DoD
BigCommerce's internal Definition-of-Done for engineering teams. Mandates include WCAG 2.2 AA accessibility conformance, localization for storefront + control panel strings, <2s page load (or <200ms TTFB), audit-log events for all merchant-facing actions, fault tolerance / graceful degradation, deployments controlled by experiment flags with phased rollouts, postmortem within ~2 business days, and use of BigDesign UI components.
STRIDE
A standard security threat-modeling framework developed at Microsoft. Acronym for six attack categories: Spoofing (pretending to be someone else), Tampering (modifying data illegitimately), Repudiation (denying an action you took), Information disclosure (leaking data), Denial of service (crashing the system), Elevation of privilege (gaining permissions you shouldn't have).
k6
An open-source load-testing tool from Grafana Labs. You write a script that simulates many concurrent users; k6 runs it and reports response-time statistics. Used for Gate 4 to prove the feature handles realistic traffic.
p95 latency
"95th percentile response time." If we say "p95 ≤ 800ms," it means 95% of requests complete in 800 milliseconds or less. Industry-standard way to talk about performance because the slowest 5% often matter most for user experience.
PCI / GDPR / SOC2
Three compliance frameworks bc-subscriptions must respect. PCI DSS (Payment Card Industry Data Security Standard) regulates how systems handle credit card data. GDPR (EU General Data Protection Regulation) governs personal data handling and subscriber rights (deletion, export). SOC2 (Service Organization Control 2) is an audit framework for security controls — used by enterprise customers to vet vendors.
SRE / SLI / SLO
SRE = Site Reliability Engineering, the discipline Google formalized for operating production services. SLI = Service Level Indicator (a metric you measure, e.g., "% of requests under 500ms"). SLO = Service Level Objective (the target for an SLI, e.g., "99.5% under 500ms"). Defining SLIs/SLOs before launch is the SRE prerequisite for production readiness.
Definition of Done (DoD)
An agile concept: the shared checklist a team uses to decide if work is actually finished. Most teams have 3-7 items; ours has 10 gates and a heavier evidence requirement.
ISO/IEC 25010
The international standard for software quality attributes. Lists 8 top-level dimensions including reliability, performance, security, maintainability, and usability. Our 10 gates map to several of these dimensions.
OWASP ASVS
Application Security Verification Standard, published by the Open Web Application Security Project. A checklist of security controls organized by risk level. Our Gate 3 (Security reviewed) implicitly references ASVS-level controls.
ITIL
Information Technology Infrastructure Library, the most widely-adopted IT service management framework. Includes change-management discipline relevant to our Gate 10.
ADR (Architecture Decision Record)
A short document capturing one significant architectural decision (e.g., "we chose Cloudflare Workers over AWS Lambda because…"). ADRs live in docs/decisions/ and are numbered sequentially (ADR-0001, ADR-0002, …).
BRD (Business Requirements Document)
The product spec. Defines every epic and its acceptance criteria. BRD.md in the repository root.
Runbook
The on-call playbook for when something goes wrong in production. Lists known failure modes, how to diagnose them, and what to do about each.
Webhook
A way for two systems to notify each other automatically. Example: when a subscriber checks out on BigCommerce, BC sends a webhook to bc-subscriptions saying "this order just happened," and bc-subscriptions creates the subscription record.
OpenAPI
An industry-standard format for documenting an API. Defines every endpoint, what it accepts, and what it returns.
End-to-end (E2E) test
An automated test that drives the actual user interface (clicks buttons, fills forms) and verifies the whole flow works. Heavier than a unit test but catches things unit tests miss.
Sandbox-scenario CI
An automated test that runs nightly against a real BigCommerce test store (called a "sandbox"). Catches integration issues that mocked tests miss. CI = "Continuous Integration" = the automated build/test pipeline.
Cloudflare Workers / D1 / KV
Cloud infrastructure components bc-subscriptions runs on. Workers = the code execution platform. D1 = a SQL database. KV = a key-value cache.
Phase 1a / 1b / 2 / 3
The cohorts (groups) of epics, ordered by delivery sequence. Phase 1a = foundation features. Phase 1b = lifecycle features. Phase 2 = full feature set. Phase 3 = advanced. Phasing per ADR-0021.
Wave 1 / Wave 3 / cold-read
Project-specific terminology for the close-out methodology. Each epic goes through multiple "waves" of work: Wave 1 lands the artifacts; Wave 3 is when an independent reviewer cold-reads the work to catch drift before sign-off.
Stage 1 / Stage 2 / re-attestation
Every gate is two booleans. Stage 1 is the automated check — did the required artifacts exist as of the last push? Boolean, computed deterministically. Stage 2 is the human checkbox — does a person attest the artifacts are good (not just present)? Bound to a git commit. When the dependent files change after the attestation, the checkbox auto-invalidates → "needs re-attestation" — not because anyone made a mistake, but because the evidence beneath the audit shifted.

For developers / engineering reviewers

Methodology references for the gate definitions, derivation logic, and walk-back procedures:

  • epic-definition-of-done.md — full 10-gate spec, v0.4 (sub-criteria, evidence requirements, edge cases)
  • ADR-0021 — why epics are sequenced into these specific phase cohorts
  • METHODOLOGY.md — dual-track agile, trust axioms, derive-first principle
  • Trust-restoration lessons (2026-05-13) — why we derive evidence mechanically rather than trusting prose audits