# Change management policy

**Version:** 1.0
**Effective date:** 2026-04-17

## 1. Scope

Every change to production code, production configuration, Airtable schema, or sub-processor configuration.

## 2. Standard change workflow

1. **Propose** - issue in GitHub or internal doc with: what, why, rollback plan
2. **Build** - feature branch, commit with clear message, push
3. **Review** - at least one reviewer where a second engineer is available; at single-founder stage, this requirement is held in abeyance (see the compensating controls in section 3)
4. **Test** - syntax check (`node -c`) on Netlify Functions, smoke test the affected UI path in preview deploy
5. **Deploy** - merge to main; Netlify auto-deploys to production
6. **Verify** - manual smoke test on production within 15 minutes of deploy
7. **Document** - user-visible changes logged in `/changelog`

## 3. Compensating controls at single-founder stage

Until there is a second engineer:

- Every production deploy is announced in the customer changelog if user-visible
- The Admin Audit Log (`Admin Audit Log` Airtable table) captures every privileged action taken via the admin panel
- Daily review of error-reporter logs surfaces any regressions
- Automated backups ensure recovery within RPO

## 4. Emergency changes

An emergency change bypasses the standard review when a SEV-1 or SEV-2 is active. Requirements:

- Authorised by the incident commander
- Post-hoc review within 24 hours of the incident resolution
- Logged in the postmortem and the change log

## 5. Airtable schema changes

Schema changes are high-blast-radius. Rules:

- No destructive changes (column delete, field type change to a non-compatible type) without a backup snapshot taken immediately prior
- Field additions only after the consuming Netlify Functions have been updated and deployed
- New tables get added to the `lib/airtable.js` helpers before first use

## 6. Rollback

- Code: Netlify "instant rollback" to any prior successful deploy
- Data: restore from last nightly Airtable backup (4-hour RTO)
- Secrets: re-apply from password manager backup; force token rotation for all users

## 7. Dependencies

- `npm audit` reviewed monthly
- Critical-severity advisories patched within 7 days of disclosure
- Major dependency upgrades get their own staged deploy and changelog entry
