The Artifact

DORA dashboard + canary timeline.

Pick a release. Watch the canary tick up. See every flag toggle. Every DORA delta is a receipt.

Open the explorer Watch the scenario

Cnr

Dimension

Canary controller

1.62 J · Argo 1.7

per call

Argo Rollouts steps: 5 → 25 → 50 → 100% over 12 minutes.

The Rollout CRD declares the canary recipe; the controller drives weight via the service-mesh Splitter. Each step pauses, runs an Analysis template against Prometheus, and only advances on `Successful`. A failed analysis fires the abort path, draining canary pods in under 90 seconds.

Sample receipt

JWP ReceiptPayload

kind "delivery.canary.stepped"

strategy canary

analysis prometheus-slo-burn

joules 1.62

cite "Argo Rollouts 1.7"

sig "ed25519:0x4f...c1a"

Anatomy — operational specs

mesh

Linkerd 2.16 (SMI TrafficSplit)

abort_threshold

p99>+10% OR 5xx>0.01

Flg

Dimension

Feature flag

0.55 J · OpenFeature 1.7

per call

jouledb-fast-path · bucket-hashed targeting.

Per OpenFeature spec, the SDK queries the flag store with evaluation context (user_id, region, tenant). Targeting rule hashes user_id into 100 buckets and admits buckets 0–4 for the 5% canary. Every eval emits a CloudEvents 1.0 event that DORA, Insights, and ComplianceOS can replay.

Sample receipt

JWP ReceiptPayload

kind "delivery.flag.evaluated"

flag jouledb-fast-path

eval_p99_ms 0.6

joules 0.55

cite "OpenFeature 1.7 · CloudEvents 1.0"

sig "ed25519:0x4f...c1a"

Anatomy — operational specs

provider

flagd 0.11

evals_per_canary

482116

Dor

Dimension

DORA dashboard

0.29 J · 30-day window

per call

Lead time · Change failure rate · MTTR · Deploy frequency.

DORA's four metrics computed from the CD event stream — not from a spreadsheet. Lead time = time from commit-merge to prod-ready; CFR = (rolled-back releases / total releases); MTTR = mean time from incident-open to incident-resolved; deploy frequency = releases per day. Every value is a receipt query.

Sample receipt

JWP ReceiptPayload

kind "delivery.dora.snapshot"

lead_time_min_p50 38

deploy_freq_per_day 11

joules 0.29

cite "DORA 2024 State of DevOps"

sig "ed25519:0x4f...c1a"

Anatomy — operational specs

window

rolling 30d

source

release event stream

Rbk

Dimension

Rollback envelope

0.18 J · RTO 90s

per call

Pre-armed reverse step. Image + migration + flag-off.

Before any canary hits 100%, the controller signs a rollback envelope: previous image digest, the down-migration script (or `none`) for any schema change, and the flag-disable command. On SLO breach the envelope is replayed in one shot — round-trip under 14 minutes, RTO under 90 seconds for the pod swap.

Sample receipt

JWP ReceiptPayload

kind "delivery.rollback.armed"

previous_image sha256:8aef…0c33

down_migration none

joules 0.18

cite "GitOps · Argo Rollouts abort"

sig "ed25519:0x4f...c1a"

Anatomy — operational specs

rto_s

rpo_s

0 (stateless)

Att

Dimension

Release attestation

0.21 J · SLSA v1.0

per call

in-toto Statement linking source → build → image.

The release artifact carries an in-toto v1.0 Statement with SLSA Provenance v1.0 predicate. Materials include the git commit, the builder ID, and 47 resolved dependency pins; products are the OCI image digest. Pushed to Rekor; verifiable by any auditor without a server call beyond Rekor itself.

Sample receipt

JWP ReceiptPayload

kind "delivery.attestation.slsa"

predicate_type https://slsa.dev/provenance/v1

materials 47

joules 0.21

cite "SLSA v1.0 · in-toto v1.0 · Rekor"

sig "ed25519:0x4f...c1a"

Anatomy — operational specs

builder_id

https://buildkite.com/deliveryos/build

rekor_index

17420914

DeliveryOS, in one line

ship, made inspectable.

Click anything. The same primitives that compose the rest of the Transaction Science family — receipts, joules, signed transport — show up here too. The family is one system.

← Watch the scenario Back to Transaction Science →