cm-safe-deploylisted

# Safe Deploy Pipeline v2 ## TL;DR - **Use before/during** deploying to staging or production - **Multi-gate**: secrets, build, stage, smoke, prod, rollback plan - **Identity**: verifies correct GitHub/Cloudflare/Supabase account - **Next**: cm-quality-gate (post-deploy) ## Overview A deploy without gates is a deploy with hope. Hope is not a strategy. **Core principle:** Every project needs a multi-gate deploy pipeline. Code passes through syntax → tests → i18n → build → verify → deploy, with hard stops at each gate. No gate skipping. No "it'll be fine." > [!CAUTION] > **March 2026 Incident:** 572 backend tests passed green while `app.js` had catastrophic syntax errors → white screen in production. This pipeline exists because `test:gate` alone was NOT enough. ## The Iron Law ``` NO DEPLOY WITHOUT PASSING ALL GATES. GATES ARE SEQUENTIAL. EACH MUST PASS BEFORE THE NEXT RUNS. SYNTAX CHECK IS GATE 1. IF IT FAILS, NOTHING ELSE RUNS. ``` ## When to Use **ALWAYS** when: - Setting up a new project's deployment infrastructure - A project has no test gate before deploy - Project deploys directly from `git push` - After a production incident caused by untested code - Adding CI/CD to an existing project ## The 8-Gate Pipeline ```dot digraph pipeline { rankdir=LR; gate0 [label="Gate 0\nSecret\nHygiene", shape=box, style=filled, fillcolor="#ffc0cb"]; gate05 [label="Gate 0.5\nSecurity\nScan", shape=box, style=filled, fillcolor="#f0b3ff"]; gate1 [label="Gate 1\nSy