The Scenario

A canary: 5% → 100% in 12 minutes.
5.46 joules.

Release v2026.05.07 rolls from 5% to 100% over 12 minutes. Feature flag jouledb-fast-path on. DORA: lead time 38 minutes, change-failure rate 0.014. 4 joules per release.

Start the walkthrough Skip to the artifact

Build

OCI

0.36 J

CI builds release v2026.05.07 — an OCI image manifest with 7 layers.

OCI Image Spec v1.1 manifest with mediaType `application/vnd.oci.image.manifest.v1+json`; image digest sha256:4f2c…be19. Build provenance follows SLSA v1.0 level 3 — hermetic, parameterless, with the source commit pinned to abc123de.

JWP ReceiptPayload

kind "delivery.build.completed"

image_digest sha256:4f2c…be19

layers 7

joules 0.36

cite "OCI Image Spec v1.1 · SLSA v1.0"

sig "ed25519:0x4f...c1a"

Attest

in-toto

0.21 J

An in-toto SLSA Provenance v1.0 attestation is signed and pushed to Rekor.

Predicate type `https://slsa.dev/provenance/v1` records the builder ID, source URI, build invocation, and resolved dependencies (47 module pins). Pushed to Rekor at index 17,420,914. The image is now provenance-anchored before any traffic touches it.

JWP ReceiptPayload

kind "delivery.attestation.slsa"

predicate_type https://slsa.dev/provenance/v1

rekor_index 17420914

joules 0.21

cite "SLSA v1.0 Provenance · Rekor v1"

sig "ed25519:0x4f...c1a"

Gate

DevSecOps

1.84 J

DevSecOps gates pass: SAST, SCA, container scan, license.

Semgrep finds 0 high-severity issues. OSV-Scanner reports 0 known CVEs at HIGH+. Trivy container scan: 0 CRITICAL. ScanCode license scan: all Apache-2.0 / MIT — no copyleft drift. Gates pass; pipeline advances to canary deploy.

JWP ReceiptPayload

kind "delivery.gates.passed"

high_vulns 0

license_drift none

joules 1.84

cite "Semgrep 1.94 · OSV-Scanner 1.8 · Trivy 0.55"

sig "ed25519:0x4f...c1a"

Flag

OpenFeature

0.55 J

Feature flag jouledb-fast-path flips to enabled for 5% cohort.

OpenFeature SDK 1.7 reads from the flag store; targeting rule hashes the user ID into 100 buckets and admits buckets 0–4 (5%). Flag evaluation latency p99 is 0.6 ms; eval count over the canary window: 482,116. Each eval emits a structured event so DORA can reconstruct the rollout shape.

JWP ReceiptPayload

kind "delivery.flag.evaluated"

flag jouledb-fast-path

rollout_pct 5

joules 0.55

cite "OpenFeature 1.7 · CloudEvents 1.0"

sig "ed25519:0x4f...c1a"

Canary

Argo Rollouts

1.62 J

Canary controller stairs traffic 5 → 25 → 50 → 100% over 12 minutes.

Argo Rollouts 1.7 steps: pause(2m), setWeight(25), pause(3m), setWeight(50), pause(3m), setWeight(100). Analysis template compares p99 latency and 5xx rate to baseline at each step; both stay within 1σ. No automatic rollback fires.

JWP ReceiptPayload

kind "delivery.canary.stepped"

steps 5→25→50→100

duration_min 12

joules 1.62

cite "Argo Rollouts 1.7 · Kubernetes 1.31"

sig "ed25519:0x4f...c1a"

Analyze

PromQL

0.41 J

SLO analysis: p99 latency 84 ms vs. 87 ms baseline; error budget intact.

PromQL queries pulled from the canary's `/metrics` endpoint: histogram_quantile(0.99, ...) = 84 ms (baseline 87). 5xx rate: 0.0021. The fast-path shaved 3 ms off p99 without consuming error budget; analysis template returns `Successful`.

JWP ReceiptPayload

kind "delivery.analysis.passed"

p99_ms 84

error_rate 0.0021

joules 0.41

cite "Prometheus 2.55 · SLO multi-window burn-rate"

sig "ed25519:0x4f...c1a"

DORA

Metrics

0.29 J

DORA snapshot: lead time 38 min, CFR 0.014, MTTR n/a, deploy freq 11/day.

Computed from the CD event stream over the last 30 days: lead time for changes 38 min (p50), change failure rate 0.014, deployment frequency 11/day, MTTR not measured this window (zero incidents). Snapshot is itself a receipt — auditable, reproducible from the event log.

JWP ReceiptPayload

kind "delivery.dora.snapshot"

lead_time_min 38

change_failure_rate 0.014

joules 0.29

cite "DORA Capabilities · 2024 State of DevOps Report"

sig "ed25519:0x4f...c1a"

Rollback

Envelope

0.18 J

Rollback envelope is pre-armed: previous image + state migration reversal.

Before traffic hits 100%, the controller pre-signs the rollback envelope: image digest sha256:8aef…0c33 (v2026.05.06), the down-migration for any schema change (none in this release), and the flag-off command. SLO breach → one-shot rollback fires in under 90 s; total round-trip < 14 min.

JWP ReceiptPayload

kind "delivery.rollback.armed"

rollback_image sha256:8aef…0c33

rto_s 90

joules 0.18

cite "GitOps · Argo Rollouts 1.7 abort"

sig "ed25519:0x4f...c1a"

DeliveryOS, in one line

5.46 joules. One receipt.

DeliveryOS handles ship as a typed, signed, energy-metered operation. The whole pillar is one shape: take a claim, do the work, sign the receipt.

Open the artifact → See the receipt format →

A canary: 5% → 100% in 12 minutes. 5.46 joules.

CI builds release v2026.05.07 — an OCI image manifest with 7 layers.

An in-toto SLSA Provenance v1.0 attestation is signed and pushed to Rekor.

DevSecOps gates pass: SAST, SCA, container scan, license.

Feature flag jouledb-fast-path flips to enabled for 5% cohort.

Canary controller stairs traffic 5 → 25 → 50 → 100% over 12 minutes.

SLO analysis: p99 latency 84 ms vs. 87 ms baseline; error budget intact.

DORA snapshot: lead time 38 min, CFR 0.014, MTTR n/a, deploy freq 11/day.

Rollback envelope is pre-armed: previous image + state migration reversal.

5.46 joules. One receipt.

A canary: 5% → 100% in 12 minutes.
5.46 joules.