# feature-control — INTENT Status: Draft v0.1 Date: 2026-06-14 Owner: feature-control initiative Repository role: Umbrella repository for feature availability control infrastructure Primary repo-facing standard: OpenFeature Terminology alignment: InfoTechCanon-compatible; extends InfoTechCanon where feature availability requires additional precision. See `docs/canon-mapping.md` (delivered via FEATURE-WP-0002) for detailed mappings, ownership boundaries (consumed ITC-ORG/ACCESS/LAND/GOV vs owned Feature availability control), the EvaluationScope terminology decision, OpenFeature grounding, and proposed canon extensions (Feature as ProducerCapability specialization etc.). --- ## 1. Intent `feature-control` exists to provide a shared, low-impact, cross-repository infrastructure for controlling feature availability in multi-vendor, multi-tenant, multi-domain software landscapes. The project enables software systems to ship code independently from feature availability decisions. It allows platform operators, product owners, tenant administrators, SREs, developers, and agent operators to turn features on, off, hidden, visible-disabled, read-only, degraded, variant-controlled, or remotely configured at runtime without redeploying consuming repositories. In consuming repositories, `feature-control` should manifest primarily as **OpenFeature** usage. Repositories should not depend directly on a concrete feature flag backend. They should evaluate feature decisions through OpenFeature SDKs, thin organization-provided wrappers, canonical feature keys, generated constants, and test/local providers. --- ## 2. Why this project exists Modern platform landscapes need to release continuously while controlling what is available to whom, where, and under which operational conditions. Without a shared feature-control infrastructure, repositories tend to accumulate ad hoc booleans, tenant-specific branches, hidden configuration switches, and poorly documented rollout logic. This leads to hard-coded customer behavior, unnecessary compute consumption, unsafe emergency handling, unclear ownership, and architectural erosion. `feature-control` addresses this by introducing a canonical feature availability model, OpenFeature-based repository integration, backend-independent provider architecture, explainable feature decisions, governance rules, lifecycle management, auditability, and operational controls. The project is intended to help establish good architecture, reduce unnecessary compute usage, and keep feature availability decisions explicit, observable, and reversible. --- ## 3. Core stance `feature-control` treats feature flagging as one mechanism inside a broader **feature availability control plane**. It explicitly distinguishes: | Concern | Meaning | |---|---| | Feature availability | Whether a feature is effectively enabled, disabled, hidden, degraded, read-only, or variant/config controlled. | | Entitlement | Whether a tenant, customer, vendor, organization, user, or agent has been granted commercial or administrative access. | | Authorization | Whether an actor is permitted to perform an operation according to security policy. | | Visibility | Whether the user interface should show, hide, disable, or expose a feature as preview/upgrade. | | Operational control | Whether a feature should be disabled, degraded, or rerouted for safety, incident handling, dependency failure, or compute control. | Feature-control may compose signals from entitlement, authorization, policy, and operations, but it must not become the sole authorization system. Security-critical access must still be enforced by backend authorization and policy checks. --- ## 4. Scope The project covers the standards, models, infrastructure, APIs, provider integrations, tooling, and governance needed to control feature availability across repositories and deployments. ### In scope - Canonical feature terminology and metadata. - Feature key naming conventions. - OpenFeature-based repository integration guidance. - Evaluation context model for multi-scope decisions. - Decision model with value, reason, source, and metadata. - Scope model for platform, installation, environment, deployment, vendor, tenant, domain, organization, group, user, service, repository, and agent. - Backend provider abstraction and adapter strategy. - Local/test provider support for low-friction adoption. - Runtime evaluation, caching, fallback, and safe defaults. - Feature lifecycle governance and stale-flag cleanup. - Audit logging for feature changes. - Operational kill switches and degraded modes. - Compute-control use cases, such as disabling expensive processing paths per tenant or installation. - Agent-aware capability availability control. - Integration points with InfoTechCanon, IAM, entitlement, policy, observability, and deployment infrastructure. ### Out of scope for the first stage - Replacing the central authorization system. - Replacing product billing, contract management, or entitlement source-of-truth. - Requiring all repositories to adopt a custom SDK instead of OpenFeature. - Building a full experimentation analytics suite as the first milestone. - Treating client-side feature flags as security enforcement. - Becoming a generic configuration database for unrelated application settings. - Forcing a final backend decision before practical implementation learning has been gathered. --- ## 5. Design principles ### 5.1 OpenFeature first Repository code should depend on OpenFeature concepts, not a specific vendor or backend. This keeps adoption lightweight and preserves backend reversibility. ### 5.2 Low impact on consuming repositories A repository should be able to start with: - one dependency or wrapper; - a small number of feature evaluations; - canonical feature keys; - local defaults; - test-provider support; - no direct dependency on the control-plane backend. ### 5.3 Explicit decisions, not mysterious booleans A feature evaluation should be explainable. The decision should make clear what value was returned, why, from which scope, under which context, and with which fallback behavior. ### 5.4 Separate concerns, compose decisions Feature availability, entitlement, authorization, visibility, rollout, and operational safety should remain conceptually distinct, even when composed into one effective runtime decision. ### 5.5 Safe defaults Every feature must have a safe default. Evaluation failure must be predictable and appropriate for the feature category. Security-sensitive and costly features should usually fail closed. ### 5.6 Governance without friction The infrastructure should improve architecture and operations without creating excessive process overhead. Temporary release flags should be easy to create and remove; sensitive production flags should be controlled and audited. ### 5.7 Compute efficiency as a first-class use case Feature-control should help systems avoid running capabilities that are not needed, not entitled, not used, not trusted, or temporarily too expensive. ### 5.8 Agent-aware but security-conscious Agents, automation actors, and workers are first-class evaluation subjects. Feature-control may gate agent capabilities, but actual tool execution must still be authorized by the relevant security and policy systems. --- ## 6. Canonical concepts | Concept | Meaning | |---|---| | Feature | A named capability, behavior, UI element, workflow path, integration, compute path, or configuration-controlled functional slice. | | Feature Key | Stable identifier used by code and control plane. | | Feature Availability | Effective availability state of a feature for a context. | | Feature Decision | Evaluated result including value, reason, source, and metadata. | | Evaluation Context | Runtime facts used to evaluate a feature decision. | | Scope | Level or dimension where a rule or override applies. | | Feature Rule | Conditional logic that contributes to a feature decision. | | Segment | Reusable group or condition set for targeting. | | Variant | Alternative treatment, mode, or value of a feature. | | Remote Config | Feature-associated value such as threshold, limit, model, provider, or mode. | | Kill Switch | High-priority operational override to disable or degrade behavior quickly. | | Entitlement | Commercial, contractual, or administrative grant. | | Visibility | UI presentation state derived from or related to feature availability. | | Agent | Non-human actor such as AI agent, automation, bot, worker, or tool-using runtime subject. | --- ## 7. Expected repository experience A consuming repository should experience feature-control as a small, predictable integration pattern. Example developer flow: 1. Add OpenFeature SDK or organization wrapper. 2. Import generated feature keys or declare a new key through the canonical process. 3. Provide a safe default. 4. Evaluate a feature decision using a context. 5. Add tests with a local/test provider. 6. Document feature ownership and lifecycle metadata. 7. Avoid direct backend-specific calls unless implementing a provider or platform component. Example pseudo-flow: ```text Repository code -> feature-control wrapper / OpenFeature client -> provider -> feature-control backend or local evaluator -> FeatureDecision -> runtime behavior ``` --- ## 8. Infrastructure shape The project may evolve into multiple components, but the umbrella intent remains stable. Potential components: | Component | Purpose | |---|---| | feature-canon | Canonical terminology, schemas, naming, and lifecycle rules. | | feature-sdk | Thin organization wrappers and generated constants around OpenFeature. | | feature-provider | Provider adapters for selected backends and local/test modes. | | feature-control-api | Internal management and evaluation APIs. | | feature-control-ui | Administration UI for platform, vendor, tenant, domain, group, user, and agent scopes. | | feature-resolver | Decision composition engine for rules, overrides, entitlements, policies, and fallbacks. | | feature-audit | Append-only audit trail for changes and decisions where required. | | feature-sync | GitOps import/export and synchronization with repositories. | | feature-observe | Metrics, evaluation logs, stale-flag detection, and operational insight. | The first implementation may use an existing backend such as Unleash, Flagsmith, flagd, GO Feature Flag, or another OpenFeature-compatible provider. The architecture should remain backend-reversible. --- ## 9. Relationship to InfoTechCanon `feature-control` should conform to InfoTechCanon terminology where possible and extend it where feature availability requires more precise concepts. The authoritative reference is `docs/canon-mapping.md` (produced under FEATURE-WP-0002), which contains entity/relationship tables, ownership (e.g. Entitlement/Grant and AuthorizationDecision under ITC-ACCESS; Environment/Deployment/Service/Repository under ITC-LAND; Actor/Agent/Membership under ITC-ORG; Decision/Evidence/ProducerCapability under ITC-GOV + purpose-demand), the qualified EvaluationScope term (to avoid clash with canon producer-scope / ScopePressure), gaps, validation hooks, and extension candidates. Expected alignment points (see mapping for details + ITC IDs): - identity and actor modeling (ITC-ORG Actor/Agent/Person + ITC-ACCESS Subject/Principal); - tenant/vendor/organization/community modeling (ITC-ORG + small-saas tenant patterns); - access control and authorization terminology (ITC-ACCESS); - policy and governance concepts (ITC-GOV, including Purpose, ScopePressure, Decision, Evidence); - deployment and installation terminology (ITC-LAND); - operational control and observability; - canonical data model conventions; - task/tag/lifecycle governance (ITC-TASK + TaggingStandard). Expected extensions (proposed in the mapping for assimilation): - feature availability decision model; - feature key canon; - feature lifecycle taxonomy (on top of Task + Governance); - feature evaluation context (OF + canon fact projection); - feature visibility semantics (distinct derived concern); - rollout and variant semantics (OF-native + governance); - agent capability availability controls (ITC-ORG.Agent + ITC-ACCESS); - compute-control feature patterns. Where overlap exists with access control, feature-control should avoid redefining authorization. It should instead describe how authorization and policy signals are referenced, composed, or checked alongside feature availability (per the strong boundaries in the mapping and PRD/UCC FR-7/FR-8). --- ## 10. Initial lifecycle model Every feature should have lifecycle metadata. Suggested lifecycle states: ```text proposed registered implemented internal preview beta general-availability deprecated sunset removed ``` Suggested flag categories: ```text release experiment operational entitlement visibility migration remote-config compute-control agent-capability compliance ``` Temporary flags should have an expected removal or review date. Long-lived flags should be explicitly classified and owned. --- ## 11. Initial success criteria The project is successful when: 1. A repository can adopt feature-control using OpenFeature with minimal code changes. 2. A feature can be controlled per installation, tenant, group, user, and agent. 3. A feature decision can explain its value, source, and reason. 4. Expensive compute paths can be disabled where not needed. 5. Emergency kill switches can be applied without redeployment. 6. Feature availability is not confused with authorization. 7. Feature metadata includes owner, category, lifecycle, and safe default. 8. Tests can run without a live backend. 9. Backend choice remains reversible. 10. The model fits naturally into InfoTechCanon terminology. --- ## 12. First milestones ### M1 — Canonical model Create schemas and terminology for feature keys, metadata, evaluation context, decision states, decision reasons, scopes, and lifecycle. ### M2 — Repository integration pattern Define the OpenFeature wrapper pattern, generated constants approach, test-provider pattern, and low-impact adoption guide. ### M3 — Backend evaluation spike Compare Unleash, Flagsmith, flagd, and GO Feature Flag against the canonical model and integration requirements. ### M4 — Resolver and decision explanation Prototype effective decision composition across defaults, scopes, overrides, entitlements, visibility, and operational kill switches. ### M5 — Compute-control pilot Apply feature-control to one expensive or optional background capability and measure reduction in unnecessary work. ### M6 — Tenant and agent pilot Control one tenant-level feature and one agent capability using the shared evaluation context. --- ## 13. Open questions 1. Which backend should be used for the first operational implementation? 2. Should feature-control own an internal resolver, or initially delegate rule evaluation to an existing backend? 3. Which feature metadata should be mandatory from day one? 4. How tightly should entitlement data be integrated into feature decisions? 5. Which decisions require audit at evaluation time, not only at change time? 6. How should tenant-admin self-service be bounded? 7. How should feature keys be namespaced across repos and domains? 8. How should stale-flag cleanup be enforced? 9. Which features should fail open, fail closed, or fail degraded? 10. How should agent capability flags integrate with tool authorization and policy enforcement? --- ## 14. Repository documentation set This repository should initially contain: ```text INTENT.md ProductRequirementsDocument.md UseCaseCatalog.md ``` Likely next documents: ```text ArchitectureOverview.md FeatureContextSchema.md FeatureDecisionSchema.md FeatureKeyNamingStandard.md OpenFeatureIntegrationGuide.md BackendEvaluation.md LifecycleAndGovernanceStandard.md ComputeControlPatterns.md AgentCapabilityControl.md ``` --- ## 15. Stable intent vs evolving scope The stable intent of `feature-control` is to provide a shared, low-impact, OpenFeature-based control infrastructure for feature availability across multi-vendor, multi-tenant software landscapes. The implementation scope may evolve as practical learning accumulates. Backend choice, component boundaries, UI depth, resolver complexity, and entitlement integration are expected to change through experiments and pilots. The project should preserve the stable intent while allowing the actual scope to adapt.