Phase 12 Release Execution Runbook¶
Status: Prepared; execution prohibited until Phase 11 and global release gates authorize formal Phase 12
Audience: Release owner, Android engineer, platform/on-call, support, verification operations and incident owner
1. Entry gate¶
Do not begin release-candidate signing or Play activity until all of these are evidenced:
- Phase 11 11C–11H primary pilot is complete.
- Phase 11J decision is
PROCEED. - Qualified Zambia legal/privacy/consumer review is signed and applicable DPC registration/overseas storage-transfer evidence is recorded.
- Final privacy notice, terms, policy versions, retention/deletion and rights handling are live.
- Account deletion works end-to-end from both in-app and public web request paths.
- Android production client no longer exposes synthetic/preview marketplace paths.
- Production support and verification staffing is operational and access-tested.
- Production monitoring/alert routes and incident escalation are active and exercised.
- Production backup restore evidence exists.
- Current Google Play requirements are rechecked on the release date.
- Exact release candidate passes accessibility/device/performance/security/regression gates.
Only after evidence is reviewed may the five source-controlled latches in android/direkt-app/release/eligibility.properties be changed from false in the same controlled release change:
DIREKT_FORMAL_PHASE12_AUTHORIZEDDIREKT_PRODUCTION_CLIENT_READYDIREKT_ACCOUNT_DELETION_READYDIREKT_PRODUCTION_OPERATIONS_READYDIREKT_PLAY_RELEASE_READY
The latches are evidence assertions, not substitutes for the evidence. The protected signing latch and Play publication authorization remain separate controls.
2. Freeze exact source¶
- select one approved commit SHA;
- confirm
mainand the implementation lane are synchronized; - advance
versionCodeabove every version code already used in Play Console; - change
versionNameto the reviewed release-candidate label; - change release channel to
release-candidate; - record the exact OpenAPI/backend compatibility target;
- prohibit unrelated source changes after release-candidate freeze.
3. Recheck Play and declarations¶
On the exact release date:
- confirm target API deadline and current Play policy changes from official Google sources;
- rebuild the manifest/permissions inventory from the exact candidate;
- revalidate every SDK against current Data Safety disclosure guidance;
- finalize Data Safety answers, app access instructions, content rating, target audience, ads declaration and country/device availability;
- verify privacy-policy and account-deletion URLs are public and functional;
- verify listing copy/screenshots/feature graphic match actual release behavior.
4. Protected signing¶
Use the protected environment only:
- materialize the Play upload keystore outside the repository checkout;
- disable Gradle configuration cache;
- set
DIREKT_RELEASE_SIGNING_ENABLED=true; - provide all required
DIREKT_UPLOAD_*inputs from the protected secret store; - run the release contract validator;
- run full exact-source regression/security/documentation gates;
- build the signed AAB twice under the approved reproducibility procedure;
- verify signed artifact SHA-256, signature/certificate evidence and source provenance;
- delete ephemeral signing material from the runner.
No service-account or upload-key secret may be committed or copied into public artifacts.
5. Play internal testing¶
- upload only the signed reviewed AAB;
- verify package/version/signature;
- configure approved non-production tester identities;
- verify clean install and update path;
- test authentication, consent, account deletion request, discovery, provider workspace, evidence controls, enquiries/reviews/complaints and support routes that are present in the final app;
- validate deep links/notifications only if actually shipped;
- inspect Play pre-launch report and Android vitals;
- record defects and block promotion for unresolved P0/P1 or unaccepted high/critical issues.
6. Closed testing¶
- satisfy the actual developer-account testing eligibility rules;
- use the approved bounded tester cohort;
- keep support and incident coverage active;
- collect structured install/update/device/accessibility/connectivity and task-completion evidence;
- confirm Data Safety/listing/app-access instructions still match the tested artifact;
- do not substitute internal/synthetic evidence for real closed-test results.
7. Production environment pre-traffic activation¶
Before public Android rollout:
- deploy immutable approved backend/portal images with public traffic still disabled;
- bind numeric Secret Manager versions and least-privilege runtime identities;
- apply/verify migrations;
- verify private storage and authorization canaries;
- restore an actual production backup into isolation and record integrity/application/access checks;
- enable production monitoring/notification routes;
- run rollback, kill-switch and incident-escalation exercise;
- verify support/verification staffing coverage and queue capacity.
Production traffic must remain disabled until the final go/no-go record is approved.
8. Staged rollout¶
Sequence:
- internal;
- closed;
- production 5%;
- 10%;
- 25%;
- 50%;
- 100% only within the approved geography/categories.
Use docs/phase12/release/monitoring_rollback_rollout.json for observation windows and stop criteria. Promotion between stages requires an explicit recorded decision; elapsed time alone never promotes a release.
9. Stop and rollback¶
Immediately stop affected rollout/processing for:
- unauthorized private data/evidence/location disclosure;
- authentication/authorization bypass or cross-provider access;
- source/signature/artifact provenance mismatch;
- invalid trust claims without current required evidence;
- production secret/signing-material exposure.
For release-correlated failure:
- halt Play rollout;
- disable new admissions/intake as appropriate;
- rollback backend to last known-good immutable revision using the proven floating-
LATEST-safe procedure; - do not reduce Android
versionCode; deliver a corrected higher-version release; - rotate/revoke affected credentials when required;
- open incident record and preserve bounded evidence.
10. Release record¶
A release is not complete until the record contains:
- exact source SHA and release tag;
- version code/name/channel;
- signed AAB SHA-256 and signing evidence;
- exact CI results;
- current Play-policy check date;
- Data Safety/privacy/content-rating/listing versions;
- Play track/test cohort and results;
- production backend/migration/backup evidence;
- monitoring/staffing/incident readiness evidence;
- rollout decisions and observation windows;
- known risks/accepted defects;
- final status and rollback target.
Current boundary¶
As of 2026-07-19, this runbook is prepared but cannot be executed through signed release or Play publication. Phase 11 primary evidence/11J, legal/regulatory approvals, deletion/client cutover, staffing, production environment evidence, signing credentials and Play activity remain real gates.