coulomb/feature-control
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fa39883aec537e381ab4e0ef19cf90b51698a23f
feature-control/specs/ProductRequirementsDocument.md
tegwick 571e2f7127 feat(bootstrap): finish FEATURE-WP-0001 State Hub integration workstream 
- T01 (Review Generated Integration Files): Reviewed INTENT.md, SCOPE.md, AGENTS.md, .custodian-brief.md. Refined SCOPE.md (removed generic generated placeholder, added repo-specific In/Out Scope, Current State noting completion of WP-0001 and WP-0002, canon alignment). Refined README.md with links to canon-mapping and workplans. Confirmed INTENT and AGENTS already specific.
- T02 (Verify Local Developer Workflow): Confirmed pure-docs repo (no build/test files). Added 'Local Developer Workflow' section to AGENTS.md documenting verification commands (cat/ls for review, hub curls, make fix-consistency from state-hub, progress POSTs) and extension guidance.
- Updated FEATURE-WP-0001 workplan: T01/T02 marked done with detailed notes; frontmatter status set to finished.
- Includes completion of FEATURE-WP-0002 (canon alignment for PRD/UCC, docs/canon-mapping.md + interface card stub, terminology updates with EvaluationScope and ITC mappings).
- Ran make fix-consistency REPO=feature-control after changes (synced hub, set workstreams to finished).

All per AGENTS.md session protocol, workplan instructions, and custodian brief.

Bootstrap workstream now 3/3 complete; no active workstreams remaining.
2026-06-14 21:24:46 +02:00

1147 lines
42 KiB
Markdown
Executable File
Raw Blame History

# feature-control — Product Requirements Document
Status: Draft v0.1
Date: 2026-06-14
Owner: feature-control initiative
Primary integration standard: OpenFeature
Terminology alignment: InfoTechCanon-compatible; extends InfoTechCanon where feature availability requires additional precision. See `docs/canon-mapping.md` (and the research summary in workplan FEATURE-WP-0002) for detailed entity/relationship mappings, ownership boundaries, EvaluationScope terminology decision, and canon extension candidates.
---
## 1. Product summary
`feature-control` is a cross-repository feature availability control infrastructure for multi-vendor, multi-tenant, multi-domain software landscapes.
It allows platform operators, product owners, tenant administrators, SREs, and agent operators to control feature availability at runtime without redeploying services. It supports turning features on, off, hidden, visible-disabled, read-only, degraded, variant-controlled, or remotely configured across **evaluation scopes / targeting dimensions** (realized via ITC-ORG Membership + ITC-LAND resources such as Environment/Deployment/Service/Repository; see `docs/canon-mapping.md` for the qualified "EvaluationScope" terminology that avoids clash with canon producer-scope / ScopePressure concepts) such as platform, installation, deployment, environment, vendor, tenant, domain, organization, group, user, service, repository, and agent.
For consuming repositories, `feature-control` manifests primarily as **OpenFeature** usage. Repositories should not depend directly on a concrete feature flag backend. They should use OpenFeature SDKs, organization-provided wrappers, generated feature key constants, and test providers.
---
## 2. Problem statement
Modern multi-tenant software landscapes need to ship code continuously while controlling which features are actually available to whom, where, and under which operational conditions.
Without a shared feature-control infrastructure:
- repositories implement ad hoc booleans and configuration switches;
- tenant-specific behavior becomes hard-coded;
- feature availability is confused with authorization, entitlement, and UI visibility;
- compute-heavy capabilities run even when not needed;
- emergency shutdown requires redeployment or manual intervention;
- feature flag debt accumulates without ownership or cleanup;
- multi-vendor and multi-tenant feature decisions become opaque;
- agent capabilities cannot be governed consistently;
- architecture quality suffers because control points are local, undocumented, and inconsistent.
`feature-control` solves this by providing a canonical feature availability decision model, an OpenFeature-based repository integration model, a backend-agnostic provider architecture, governance/lifecycle rules, auditability, and operational control.
---
## 3. Goals
### G1 — Low-impact repository adoption
Repositories shall be able to adopt feature-control with minimal changes:
- add OpenFeature SDK or a thin organization wrapper;
- use canonical feature keys;
- provide safe defaults;
- optionally use generated constants;
- support local/test providers.
### G2 — Backend independence
Repositories shall not depend directly on a specific backend such as Unleash, Flagsmith, flagd, GO Feature Flag, LaunchDarkly, ConfigCat, or GrowthBook. OpenFeature shall be the default abstraction.
### G3 — Multi-scope feature availability
The system shall support decisions scoped to platform, installation, environment, deployment, vendor, tenant, domain, organization, group, user, service, repository, and agent.
### G4 — Rich availability semantics
The system shall support more than boolean on/off:
- enabled;
- disabled;
- hidden;
- visible-disabled;
- read-only;
- degraded;
- variant;
- configured;
- unavailable/fallback.
### G5 — Architecture hygiene
Every feature shall have canonical metadata, ownership, lifecycle classification, expected lifetime, and cleanup governance.
### G6 — Compute efficiency
Feature-control shall help reduce compute and operating cost by disabling unused, expensive, or background capabilities per scope.
### G7 — Operational safety
Feature-control shall support kill switches, degraded modes, dependency avoidance, rollback, and incident correlation.
### G8 — Security and governance
Feature-control shall provide RBAC/ABAC-aware administration, audit logs, approval workflows for sensitive flags, environment isolation, and safe default behavior.
### G9 — Distinguish adjacent concerns
Feature-control shall not collapse feature availability, entitlement, authorization, and UI visibility into one ambiguous boolean. These concerns must be represented separately and composed into an effective decision.
### G10 — Agent-aware capability control
Feature-control shall support AI agents, automation actors, and worker processes as first-class evaluation subjects, without replacing tool authorization or security policy enforcement.
---
## 4. Non-goals
The first version of feature-control shall not:
1. Replace the central authorization system.
2. Replace product billing, contract, or entitlement source-of-truth unless explicitly integrated later.
3. Require all repositories to adopt a custom SDK instead of OpenFeature.
4. Require a single final backend decision from day one.
5. Provide full experimentation analytics as a first milestone.
6. Store sensitive user traits unnecessarily.
7. Allow client-side feature decisions to enforce security-critical access.
8. Force every feature into tenant-admin self-service.
9. Become a general configuration-management database for unrelated application settings.
10. Require redeployments for normal feature availability changes.
---
## 5. Canon Alignment and Terminology
This document (and the companion `specs/UseCaseCatalog.md` and `INTENT.md`) targets strong compatibility with **InfoTechCanon** (see the dedicated `docs/canon-mapping.md` produced under FEATURE-WP-0002 for the complete current mapping, ownership matrix, read-model projections, gaps, and validation hooks).
Key principles applied:
- **Consume, do not redefine**: Organization/Actor/Agent/Membership (ITC-ORG), Entitlement/Grant/AuthorizationDecision (ITC-ACCESS), Environment/Deployment/Service/Repository (ITC-LAND), Policy/Decision/Control/Evidence/ProducerCapability/ScopePressure (ITC-GOV + purpose-demand extension), Tagging (ITC-TaggingStandard), Task (ITC-TASK).
- **Qualify overloaded terms**: Unqualified "Scope" (producer scope / scope pressure in canon) is replaced in canon-facing text with **EvaluationScope** / **TargetingScope** (realized via ITC-ORG Membership + Assignment combined with ITC-LAND dimensions and tenant patterns from the small-saas profile).
- **Extensions proposed** (recorded in `docs/canon-mapping.md` "Extension Candidates" for assimilation feedback into canon): Feature as ProducerCapability specialization, FeatureAvailability / decision model, EvaluationScope, KillSwitchControl, etc.
- **OpenFeature surface remains primary** for consuming repos (thin wrapper + generated keys + local/test provider), with feature-control resolver/composition layer providing the rich availability states, multi-signal precedence, and explainability on top of canon facts.
- **Boundaries explicitly called out**: Feature availability ≠ authorization (ITC-ACCESS/GOV), ≠ entitlement source-of-truth (ITC-ACCESS), ≠ general config. Agent capabilities always require both feature decision + separate tool authorization.
All core entities, FRs, lifecycle rules, decision sources, and examples now reference the mapping and/or specific ITC model paths. Re-research canon models and re-validate OpenFeature conformance before final sign-off on later phases.
See also the research summary embedded in `workplans/FEATURE-WP-0002-canon-prd-ucc-alignment.md`.
**Canon Interface Card:** A stub is maintained at `docs/canon-interface-card.md` (modeled on canon agent brief / interface-card templates) declaring produced concepts, consumed ITC models, purposes, and scope pressure signals for assimilation feedback.
---
## 6. Users and stakeholders
| Stakeholder | Needs |
|---|---|
| Repository maintainer | Minimal integration burden, typed feature keys, local tests, safe defaults. |
| Platform engineer | Backend independence, reliable SDK/provider setup, observability, multi-repo inventory. |
| Product owner | Controlled rollout, tenant/package mapping, preview features, experiments. |
| Tenant admin | Delegated self-service within safe bounds. |
| Vendor admin | Vendor-scoped feature availability for integrations and apps. |
| SRE / incident commander | Kill switches, degraded modes, safe rollback, incident correlation. |
| Security/compliance owner | Audit, approvals, scope isolation, environment separation, no authorization bypass. |
| Cost owner | Disable expensive compute paths and measure savings. |
| Agent operator | Control agent capabilities and tool exposure by scope. |
| Support engineer | Temporary user or tenant overrides with explanations. |
| Architect | Consistent terminology, lifecycle hygiene, InfoTechCanon alignment (see `docs/canon-mapping.md`). |
---
## 7. Conceptual model
### 6.1 Core entities
See `docs/canon-mapping.md` for the full current mapping of these entities to InfoTechCanon (ITC-ORG, ITC-ACCESS, ITC-LAND, ITC-GOV + purpose-demand, Tagging, Task) plus OpenFeature surface and feature-control-owned extensions. Key alignments (summary):
| Entity | Canon mapping (high-level; see docs/canon-mapping.md) |
|---|---|
| Feature | ProducerCapability (ITC-GOV extension) + Feature (extension candidate); see Scope→Ability→Capability→Feature chain in repo-scoping evaluations |
| FeatureKey | Stable identifier (owned by feature-control; relates to ITC-LAND resources + Tagging) |
| FeatureDecision | ITC-GOV.Decision + Evidence overlay + OpenFeature FlagEvaluationDetails (reason, variant, flagMetadata) |
| FeatureContext / EvaluationContext | OpenFeature EvaluationContext (targetingKey + custom fields) projected from ITC-LAND + ITC-ORG (Actor/Agent/Membership) + ITC-ACCESS facts |
| FeatureEntitlement | ITC-ACCESS.Entitlement + Grant (consumed/reference only) |
| FeatureVisibility | feature-control owned (feature-derived); future reference to Landscape/Data (distinct from availability & AuthorizationDecision) |
| FeatureAuditEvent | ITC-GOV Evidence / Audit (reference) |
| FeatureLifecycleRecord | ITC-TASK (reviews/cleanup) + ITC-GOV (approvals) + Tagging (categories) |
| Evaluation scopes (tenant, environment, etc.) | EvaluationScope / TargetingScope (proposed) realized via ITC-ORG Membership/Assignment + ITC-LAND dimensions; avoids bare "Scope" clash with canon producer scope / ScopePressure |
(The original simple descriptions are retained below for readability; the mapping is authoritative for canon alignment.)
| Entity | Description |
|---|---|
| Feature | Canonical controlled capability or behavior. |
| FeatureKey | Stable unique identifier used in code and registry. |
| FeatureDefinition | Description, type, owner, default, expected value schema, and lifecycle metadata. |
| FeatureRule | Rule that determines availability for a context. |
| FeatureSegment | Reusable group/condition set for targeting. |
| FeatureContext | Runtime facts used for evaluation. |
| FeatureDecision | Effective result for a feature and context. |
| FeatureOverride | Explicit scoped configuration that changes default behavior. |
| FeatureEntitlement | Grant or package-level availability constraint. |
| FeatureVisibility | UI display decision derived from or associated with availability. |
| FeatureVariant | Named alternative treatment/value. |
| FeatureConfig | Structured remote configuration value. |
| FeatureAuditEvent | Immutable record of configuration or governance change. |
| FeatureLifecycleRecord | Ownership, review, expiry, cleanup, and debt state. |
### 6.2 Availability states
```text
enabled
disabled
hidden
visible_disabled
readonly
degraded
variant
configured
unavailable
fallback
```
### 6.3 Feature categories
| Category | Typical lifetime | Example |
|---|---:|---|
| Release | Short | New upload flow. |
| Experiment | Short/medium | Variant A/B of onboarding. |
| Operational | Long | Kill switch for external API. |
| Entitlement | Long | Advanced export package. |
| Migration | Medium | New storage adapter. |
| Remote Config | Long | Max upload size, model selection. |
| UI Visibility | Medium/long | Hide unfinished navigation item. |
| Agent Capability | Medium/long | Allow agent to use extraction tool. |
| Compliance | Long | Disable non-EU processing. |
| Compute Control | Medium/long | Disable costly OCR path. |
### 6.4 Decision sources
```text
global_default
platform_rule
installation_rule
environment_rule
deployment_rule
vendor_rule
tenant_rule
domain_rule
organization_rule
group_rule
user_rule
agent_rule
entitlement_rule
authorization_signal
experiment_assignment
kill_switch
fallback_default
```
### 6.5 Decision precedence
Initial precedence recommendation:
1. Security/compliance hard deny
2. Emergency global/platform kill switch
3. Installation or environment hard disable
4. Dependency unavailable/degraded override
5. Entitlement/package eligibility
6. Vendor policy
7. Tenant policy
8. Domain/organization policy
9. Group/user/agent targeting
10. Experiment or rollout assignment
11. Feature default
12. Safe fallback
This order may later become policy-configurable, but the first implementation should prefer explicitness over excessive flexibility.
---
## 8. Functional requirements
### FR-1 — OpenFeature integration
**Requirement:** The primary repository integration model shall use OpenFeature SDKs.
**Details:**
- Provide language-specific integration guidance.
- Provide optional organization wrapper for context enrichment and default conventions.
- Support local/test/in-memory providers.
- Support provider replacement without repository code changes.
**Acceptance criteria:**
- A sample repository can evaluate boolean, string, number, and object flags through OpenFeature.
- Repository code does not import backend-specific SDKs for normal use.
- Tests can run with deterministic test values.
---
### FR-2 — Canonical feature registry
**Requirement:** The system shall maintain a canonical registry of feature definitions.
**Required metadata:**
- feature key;
- name;
- description;
- owner;
- owning repo/service/domain;
- category;
- default value;
- value type/schema;
- safe fallback;
- lifecycle state;
- expected lifetime;
- review/expiry date for temporary features;
- compute/resource classification;
- security/compliance sensitivity;
- tenant-configurability;
- documentation link.
**Acceptance criteria:**
- Feature without owner cannot be registered.
- Temporary feature without review/expiry date is rejected or flagged.
- Feature keys follow naming convention.
---
### FR-3 — Feature key naming convention
**Requirement:** Feature keys shall be stable, namespaced, and semantically meaningful.
**Recommended format:**
```text
<domain>.<capability>.<feature>[.<mode>]
```
Examples:
```text
mail.dispatch.new_renderer
mail.portal.download_confirmation
identity.login.passkey_preview
document.ocr.compute_heavy_path
agent.invoice_classifier.extract_recipient
```
**Acceptance criteria:**
- Feature keys are immutable once used in production.
- Reusing a key for a different semantic purpose is prohibited.
- Deprecated keys remain documented until removed from code and control plane.
---
### FR-4 — Evaluation context model
**Requirement:** The system shall define a canonical `FeatureContext` model that can be passed to OpenFeature providers.
**Required supported attributes:**
- targeting key;
- actor type;
- installation ID;
- environment;
- deployment ID;
- vendor ID;
- tenant ID;
- domain ID;
- organization/community/family ID where applicable;
- group IDs;
- user ID;
- agent ID;
- roles/capabilities;
- plan/package;
- region;
- application;
- service;
- repository;
- request/correlation ID where appropriate.
**Acceptance criteria:**
- Context can represent human users, services, workers, and agents.
- Missing optional attributes do not break evaluation.
- Sensitive attributes are minimized and documented.
---
### FR-5 — Rich decision API
**Requirement:** The internal feature-control decision model shall include value, state, reason, source, and metadata.
**Example:**
```json
{
"feature_key": "document.ocr.compute_heavy_path",
"state": "disabled",
"value": false,
"reason": "tenant_policy",
"source": "tenant_rule",
"evaluation_scope": "tenant:tenant-acme", // EvaluationScope / TargetingScope per docs/canon-mapping.md (maps to ITC-ORG Membership + ITC-LAND)
"fallback": false,
"variant": null,
"config": null,
"evaluated_at": "2026-06-14T10:15:00Z"
}
```
**Acceptance criteria:**
- Decision explanations are available to authorized users.
- Application logs can include decision reason without leaking sensitive data.
- API supports boolean and non-boolean values.
---
### FR-6 — Evaluation scope / targeting dimension based rules (EvaluationScope)
**Requirement:** The system shall evaluate rules by evaluation scope / targeting dimension (qualified term: **EvaluationScope** or **TargetingScope** to avoid clash with canon "producer scope" / "ScopePressure" concepts in ITC-GOV purpose-demand extension and Core; see `docs/canon-mapping.md`). These are realized via ITC-ORG Membership + Assignment facts combined with ITC-LAND resources (Environment, Deployment, Service, Repository, etc.) plus tenant/organization patterns.
**Supported evaluation scopes / targeting dimensions (examples):**
- platform;
- installation;
- environment;
- deployment;
- vendor;
- tenant;
- domain (business/organizational unit — maps to ITC-ORG OrganizationalUnit or Tagging);
- organization/community/family;
- group/segment (maps to ITC-ORG Group/Team or Tagging selector, tenant-bound);
- user;
- agent (ITC-ORG.Agent, first-class and distinct from human users);
- service/repository (ITC-LAND).
**Acceptance criteria:**
- Tenant A rules cannot affect Tenant B (tenant isolation via Membership + explicit boundaries).
- User and group rules can be constrained by tenant/environment.
- Agent rules are explicitly separate from user rules (distinct Actor/Agent + capability gating + separate tool authorization per ITC-ACCESS).
---
### FR-7 — Entitlement integration
**Requirement:** Feature-control shall integrate with, but not necessarily own, product/package/contract entitlements (see `docs/canon-mapping.md`: consumed/reference to ITC-ACCESS.Entitlement + Grant; distinct from but composable with ITC-ORG authority and ITC-GOV policy).
**Details:**
- Feature decision may include entitlement state.
- Missing entitlement can produce `disabled`, `hidden`, or `visible_disabled` depending on visibility policy.
- Entitlement source of truth may be external (feature-control must not become billing/contract source of truth).
**Acceptance criteria:**
- Decision can distinguish `disabled_by_flag` from `entitlement_missing`.
- Entitlement checks cannot be bypassed by UI visibility flags.
- Commercial package mapping is auditable.
---
### FR-8 — Authorization boundary
**Requirement:** Feature-control shall not replace authorization (see `docs/canon-mapping.md`: consumed/reference to ITC-ACCESS.AuthorizationDecision / Principal / EnforcementPoint and ITC-GOV Policy/Control; feature-control emits availability signals only).
**Details:**
- Client-side feature decisions must never be trusted as final security enforcement.
- Server-side APIs must enforce authorization independently (ITC-ACCESS).
- Feature-control may provide availability signals used by authorization/policy layers (ITC-GOV).
**Acceptance criteria:**
- Documentation states that flags are not authorization.
- Security-critical operations have server-side policy checks.
- Agent capabilities require both feature availability and tool authorization where applicable (ITC-ORG.Agent + ITC-ACCESS).
---
### FR-9 — UI visibility control
**Requirement:** Feature-control shall support UI visibility outcomes.
**Supported visibility states:**
- hidden;
- visible enabled;
- visible disabled;
- visible preview;
- readonly;
- admin-only;
- support-only.
**Acceptance criteria:**
- UI visibility and backend execution availability are independently representable.
- Hidden features remain protected server-side.
- Visibility decisions include reason for support/admin views.
---
### FR-10 — Operational kill switches
**Requirement:** Authorized operators shall be able to disable or degrade features rapidly.
**Details:**
- Kill switches have high precedence.
- Kill switches support platform, installation, tenant, domain, service, provider, and feature scopes.
- Kill switches must be auditable and reversible.
**Acceptance criteria:**
- Kill switch change is visible in audit log.
- Affected services react without redeployment.
- Kill switch behavior is tested in non-production.
---
### FR-11 — Compute-aware feature control
**Requirement:** Feature definitions shall be able to describe compute impact and resource class.
**Compute metadata examples:**
- CPU-heavy;
- GPU-heavy;
- memory-heavy;
- external API cost;
- LLM token cost;
- background job volume;
- storage-intensive;
- network-intensive.
**Acceptance criteria:**
- Feature-control can disable compute-heavy paths per tenant/domain/service.
- Background workers can pause or drain work according to feature decisions.
- Metrics can correlate feature decisions and compute usage.
---
### FR-12 — Remote configuration
**Requirement:** Feature-control shall support typed remote configuration values, not just booleans.
**Examples:**
```json
{
"max_upload_mb": 250,
"ocr_mode": "cheap",
"llm_model": "small-local",
"retry_policy": { "max_retries": 2, "backoff": "exponential" }
}
```
**Acceptance criteria:**
- Config values have schemas.
- Invalid config falls back safely.
- Repositories can test default and configured values locally.
---
### FR-13 — Segments and groups
**Requirement:** The system shall support reusable targeting segments.
**Segment examples:**
- beta testers;
- tenant admins;
- enterprise tenants;
- EU tenants;
- pilot customers;
- support users;
- internal agents;
- high-trust automations.
**Acceptance criteria:**
- Segments can be reused across features.
- Segment membership source is documented.
- Segment rules respect tenant and environment boundaries.
---
### FR-14 — Rollout and variants
**Requirement:** The system shall support staged rollout and variants.
**Details:**
- Percentage rollout;
- stable bucketing by targeting key;
- variants/treatments;
- tenant- or segment-constrained rollout;
- rollback without redeploy.
**Acceptance criteria:**
- Same context receives stable assignment.
- Rollout can be paused and reverted.
- Variant value is visible in decision metadata.
---
### FR-15 — Audit log
**Requirement:** Every production-relevant feature-control change shall be audited.
**Audit fields:**
- event ID;
- timestamp;
- actor;
- action;
- feature key;
- scope;
- previous value;
- new value;
- reason;
- approval reference;
- correlation ID;
- source IP/session where applicable.
**Acceptance criteria:**
- Audit records are append-only or tamper-evident.
- Audit records can be exported.
- Emergency changes are explicitly marked.
---
### FR-16 — Approval workflows
**Requirement:** Sensitive feature changes shall support approval workflows.
**Sensitive categories:**
- security;
- compliance;
- production-critical;
- high-cost compute;
- customer-visible paid entitlement;
- agent tool capability.
**Acceptance criteria:**
- Policy determines required approvers.
- Emergency override exists but is audited.
- Approval status is visible in change history.
---
### FR-17 — Lifecycle management and stale flag detection
**Requirement:** The system shall detect and report stale, expired, unused, permanently-on, or permanently-off flags.
**Acceptance criteria:**
- Temporary flags require review/expiry.
- Reports identify flags needing cleanup.
- Repository scanner can compare code usage with registry.
- Long-lived flags require justified category.
---
### FR-18 — Observability
**Requirement:** Feature-control shall emit metrics and events sufficient for operations, debugging, and cost control.
**Observability dimensions:**
- feature key;
- decision state;
- reason;
- provider readiness;
- evaluation latency;
- cache hit/miss;
- fallback usage;
- service/repo/environment;
- tenant/domain where safe and permitted.
**Acceptance criteria:**
- Metrics do not leak sensitive context values by default.
- Evaluation failure rates are alertable.
- Configuration changes can be correlated with incidents.
---
### FR-19 — Provider architecture
**Requirement:** The system shall support multiple backends through providers.
**Candidate providers:**
- Unleash;
- Flagsmith;
- flagd;
- GO Feature Flag;
- local file;
- in-memory/test;
- future custom feature-control resolver.
**Acceptance criteria:**
- Provider can be switched by configuration/environment.
- Provider behavior is contract-tested.
- Provider-specific limitations are documented.
---
### FR-20 — GitOps baseline and runtime overrides
**Requirement:** The system should support both declarative baseline definitions and runtime changes.
**Details:**
- Feature definitions and safe defaults may live in Git.
- Runtime overrides may live in control-plane database/backend.
- Emergency changes may bypass Git but must be audited and later reconciled.
**Acceptance criteria:**
- Git-defined features can be imported/exported.
- Runtime overrides are visible and explainable.
- Drift between Git and runtime can be reported.
---
### FR-21 — Tenant-admin delegation
**Requirement:** Selected features may be delegated to tenant admins for self-service control.
**Acceptance criteria:**
- Delegation is opt-in per feature.
- Tenant admin can only affect own tenant scope.
- Platform hard disables and compliance restrictions cannot be overridden.
---
### FR-22 — Agent capability control
**Requirement:** The system shall support feature-controlled capabilities for AI agents and automation actors.
**Acceptance criteria:**
- Agent is represented in evaluation context.
- Agent feature decisions are auditable for sensitive capabilities.
- Feature availability does not replace tool authorization.
---
## 9. Non-functional requirements
### NFR-1 — Reliability
- Feature evaluation must remain available during backend disruptions through caching and safe fallbacks.
- Critical services must define fail-open or fail-closed behavior per feature category.
### NFR-2 — Performance
- Feature evaluation overhead must be low enough for frequent application use.
- Hot-path evaluations should be cached locally or via relay/sidecar where appropriate.
- High-cardinality context logging must be avoided by default.
### NFR-3 — Security
- Administration APIs require strong authentication and authorization.
- Backend tokens and SDK keys are secrets.
- Environment-specific credentials must be separated.
- Client-side flags must not be used as security controls.
### NFR-4 — Auditability
- Production-impacting changes must be attributable.
- Audit records must include reason and scope.
- Audit logs must be exportable for compliance and incident review.
### NFR-5 — Multi-tenancy
- Tenant isolation is mandatory.
- Tenant admins must not see or control other tenants.
- Explanations and diagnostics must not leak cross-tenant data.
### NFR-6 — Portability
- Repository integration must remain backend-agnostic through OpenFeature.
- Provider-specific behavior must be normalized where possible.
### NFR-7 — Operability
- System health, provider readiness, evaluation error rate, propagation delay, and fallback usage must be observable.
- Kill switch paths must be operationally tested.
### NFR-8 — Maintainability
- Feature definitions must be discoverable.
- Stale flags must be reported.
- Naming and lifecycle rules must be enforced.
---
## 10. Architecture proposal
### 9.1 Logical components
```text
feature-control
├── feature-canon
│ ├── terminology
│ ├── schemas
│ ├── naming rules
│ └── lifecycle rules
├── feature-sdk
│ ├── OpenFeature wrapper conventions
│ ├── context enrichment
│ ├── generated constants
│ └── test provider utilities
├── feature-registry
│ ├── feature definitions
│ ├── owners
│ ├── lifecycle metadata
│ └── registry API/export
├── feature-resolver
│ ├── rule evaluation
│ ├── precedence
│ ├── entitlement integration
│ ├── visibility composition
│ └── decision explanation
├── feature-control-api
│ ├── management API
│ ├── decision explanation API
│ ├── import/export API
│ └── admin/delegation API
├── feature-control-ui
│ ├── platform admin UI
│ ├── tenant admin UI
│ ├── support UI
│ └── audit/change view
├── feature-provider
│ ├── OpenFeature providers/adapters
│ ├── backend configuration
│ └── provider contract tests
├── feature-audit
│ ├── append-only change log
│ ├── approvals
│ └── export
├── feature-observe
│ ├── metrics
│ ├── logs
│ ├── traces
│ └── stale flag reports
└── feature-sync
├── GitOps import/export
├── repo scanning
└── drift detection
```
### 9.2 Repository integration path
```text
Repository code
-> organization feature SDK wrapper or OpenFeature SDK
-> OpenFeature provider
-> relay / sidecar / backend / resolver
-> FeatureDecision / value
```
### 9.3 Recommended deployment pattern
Initial deployment should favor:
```text
OpenFeature SDK in repos
+ local/test provider for development
+ provider adapter to selected backend
+ optional relay/proxy for production services
+ feature registry and governance metadata in Git
+ runtime control plane for overrides and operations
```
This hybrid approach keeps repo impact low while preserving future control-plane sovereignty.
---
## 10. Backend strategy
### 10.1 Candidate backends
| Backend | Fit |
|---|---|
| Unleash | Strong open-source/self-hosted candidate for activation strategies, progressive delivery, and enterprise feature management. |
| Flagsmith | Strong open-source/self-hosted candidate for identity/trait/segment-oriented feature and remote config management. |
| flagd | Lightweight OpenFeature-native evaluation engine; good for Kubernetes/cloud-native patterns, less complete as governance UI. |
| GO Feature Flag | Lightweight OpenFeature-compatible relay/proxy approach with file-based configuration options. |
| LaunchDarkly | Mature commercial reference for multi-context targeting and enterprise workflows. |
| GrowthBook | Strong later option if experimentation/analytics becomes central. |
### 10.2 Recommendation
Start with an OpenFeature-first integration layer and evaluate Unleash and Flagsmith as practical initial backends. In parallel, keep flagd/GO Feature Flag as candidates for a leaner custom infrastructure path.
The backend decision should be reversible because repositories should bind to OpenFeature, not to the backend.
---
## 11. Data model sketch
### 11.1 FeatureDefinition
```yaml
feature_key: document.ocr.compute_heavy_path
name: Compute-heavy OCR path
description: Enables GPU/LLM-assisted OCR processing for selected tenants and domains.
owner: document-processing-team
domain: document-processing
repository: document-service
category: compute_control
value_type: boolean
default_value: false
safe_fallback: false
lifecycle_state: active
expected_lifetime: long_lived
review_date: 2026-09-30
compute_class:
- gpu_heavy
- external_api_cost
security_sensitivity: medium
tenant_configurable: false
requires_approval: true
documentation: docs/features/document-ocr-compute-heavy-path.md
```
### 11.2 FeatureRule
```yaml
feature_key: document.ocr.compute_heavy_path
scope_type: tenant
scope_id: tenant-acme
environment: production
state: enabled
value: true
reason: pilot_customer
valid_from: 2026-06-14T00:00:00Z
valid_until: 2026-07-31T23:59:59Z
created_by: user:platform-admin-1
approval_ref: change-12345
```
### 11.3 FeatureDecision
```yaml
feature_key: document.ocr.compute_heavy_path
state: enabled
value: true
reason: explicit_override
source: tenant_rule
scope_type: tenant
scope_id: tenant-acme
variant: null
config: null
fallback_used: false
evaluated_at: 2026-06-14T10:15:00Z
correlation_id: req-abc-123
```
---
## 12. Security model
### 12.1 Principles
1. Feature-control changes application behavior and must be treated as a production control plane.
2. Client-side flags are never final authorization.
3. Tenant isolation is mandatory.
4. Least privilege applies to feature administration.
5. Production-sensitive changes require audit and sometimes approval.
6. Backend and SDK credentials are secrets.
7. Safe fallback behavior must be explicit.
### 12.2 Administrative roles
| Role | Capabilities |
|---|---|
| Platform Feature Admin | Manage platform-wide features and kill switches. |
| Domain Feature Owner | Manage features within owned domain. |
| Tenant Feature Admin | Manage delegated tenant features only. |
| Vendor Feature Admin | Manage delegated vendor features only. |
| Release Manager | Manage rollout and environment-specific rules. |
| SRE / Incident Commander | Activate/deactivate kill switches. |
| Support Operator | Create temporary scoped overrides where allowed. |
| Security Approver | Approve sensitive feature changes. |
| Auditor | Read audit and change history. |
---
## 13. Lifecycle model
See `docs/canon-mapping.md` for alignment: lifecycle states and reviews map to ITC-TASK (tasks for review/expiry/cleanup/remediation) + ITC-GOV (approvals, exceptions, decisions) + ITC-TaggingStandard (for categories). feature-control owns the feature-specific registry + hygiene rules on top of these.
### 13.1 Lifecycle states
```text
proposed
registered
implemented
active
pilot
production
sunsetting
deprecated
removed
```
### 13.2 Required lifecycle rules
- Temporary release flags require review/expiry date (spawns or links to ITC-TASK).
- Experiment flags require outcome review (Governance Review / Decision).
- Migration flags require removal plan (Task).
- Operational, entitlement, compliance, remote-config, and compute-control flags may be long-lived but require explicit category (Tagging) + owner (ITC-ORG Ownership/Stewardship).
- Removed flags must be removed from code and control plane.
---
## 14. MVP proposal
### 14.1 MVP scope
The MVP should deliver enough to make repository adoption useful and low-impact while proving multi-scope control.
MVP includes:
1. Feature-control INTENT and terminology alignment.
2. Canonical feature definition schema.
3. Canonical evaluation context schema.
4. OpenFeature integration guide.
5. Local/test provider pattern.
6. Backend evaluation spike with Unleash and/or Flagsmith.
7. Minimal feature registry in Git.
8. Example repository integration.
9. Basic tenant/environment/installation targeting.
10. Basic audit log for feature changes.
11. Basic stale flag report.
12. One compute-control use case.
13. One kill-switch use case.
14. One agent-capability use case.
### 14.2 MVP non-scope
- Full tenant-admin UI.
- Full experimentation analytics.
- Complex approval workflows.
- Complete entitlement system.
- Custom replacement for mature backend.
- Full multi-region HA control plane.
### 14.3 MVP success criteria
- A repository can adopt feature-control in less than one small implementation task.
- One feature can be controlled by environment, installation, tenant, group, user, and agent context in a test scenario.
- Feature decisions can be explained.
- A compute-heavy background path can be disabled for a tenant.
- A kill switch can disable a feature without redeploy.
- Provider can be changed in a test setup without changing business code.
---
## 15. Roadmap
### Phase 0 — Research and canonization
- Consolidate terminology.
- Decide repository name and package naming.
- Create schemas for FeatureDefinition, FeatureContext, FeatureDecision, FeatureRule.
- Map concepts to InfoTechCanon.
### Phase 1 — OpenFeature adoption kit
- Provide examples for first languages/frameworks.
- Provide local/test provider pattern.
- Provide generated constants pattern.
- Provide repo scanner prototype.
### Phase 2 — Backend candidate evaluation
- Evaluate Unleash.
- Evaluate Flagsmith.
- Evaluate flagd/GO Feature Flag for lightweight path.
- Define provider contract tests.
### Phase 3 — Minimal control plane
- Implement registry.
- Implement management API or backend integration conventions.
- Implement audit events.
- Implement basic decision explanation.
### Phase 4 — Governance and operations
- Add lifecycle reports.
- Add stale flag detection.
- Add kill-switch process.
- Add observability dashboards.
### Phase 5 — Delegation and productization
- Add tenant-admin control.
- Add entitlement integration.
- Add feature package mapping.
- Add approval workflows.
### Phase 6 — Agent and compute optimization
- Add agent capability model.
- Add compute metadata and cost dashboards.
- Add worker-control patterns.
---
## 16. Risks and mitigations
| Risk | Impact | Mitigation |
|---|---|---|
| Feature flags become hidden authorization system | Security failures | Separate feature availability and authorization; enforce server-side checks. |
| Flag sprawl and stale flags | Architecture debt | Lifecycle metadata, expiry dates, scanner, cleanup reports. |
| Backend lock-in | Future migration cost | OpenFeature-first integration and provider contract tests. |
| Too much repo burden | Low adoption | Thin wrapper, generated constants, local provider, examples. |
| High evaluation overhead | Performance/cost issues | Caching, relay/sidecar, evaluation metrics. |
| Tenant data leakage | Compliance/security issue | Scope isolation and explanation access control. |
| Inconsistent semantics across backends | Confusing decisions | Canonical FeatureDecision model and provider normalization. |
| Overloading feature-control with entitlements/billing | Product complexity | Integrate entitlement source but keep responsibility boundaries. |
| Client-side visibility mistaken for enforcement | Unauthorized access | Document and test backend enforcement. |
| Emergency changes bypass process permanently | Governance gap | Emergency path requires audit and post-incident reconciliation. |
---
## 17. Open questions
(See also the open questions carried in FEATURE-WP-0002 and `docs/canon-mapping.md` Extension Candidates / Gaps sections.)
1. Which backend should be the first implementation candidate: Unleash, Flagsmith, flagd, or GO Feature Flag?
2. Should feature-control build a custom resolver from the start, or initially rely on backend provider semantics?
3. Which repositories should be used as first adoption pilots?
4. What languages must be supported first?
5. Where should canonical feature definitions live: central repo only, consuming repo, or both?
6. Should generated feature constants be mandatory?
7. Which InfoTechCanon category / model should own or host the primary Feature / FeatureAvailability concepts (governance ProducerCapability extension, new landscape/governance module, or cross-cutting)? See ITC-GOV purpose-demand + repo-scoping Capability→Feature chain.
8. What minimum audit retention is required (tied to ITC-GOV Evidence)?
9. Which feature categories require approval in MVP (Governance policy)?
10. How should tenant entitlement data be sourced (ITC-ACCESS)?
11. Which compute metrics are most useful for early cost optimization?
12. Which agent capabilities should be controlled first (ITC-ORG.Agent + ITC-ACCESS)?
---
## 18. External research anchors
Implementation should continue to review and track these sources:
- OpenFeature overview: https://openfeature.dev/
- OpenFeature flag evaluation specification: https://openfeature.dev/specification/sections/flag-evaluation
- OpenFeature evaluation context: https://openfeature.dev/specification/sections/evaluation-context
- OpenFeature providers: https://openfeature.dev/docs/reference/concepts/provider
- OpenFeature hooks: https://openfeature.dev/specification/sections/hooks
- OpenFeature events: https://openfeature.dev/docs/reference/concepts/events
- OpenFeature tracking: https://openfeature.dev/specification/sections/tracking
- OpenFeature SDK architecture patterns: https://openfeature.dev/blog/feature-flags-sdks-architectures
- Unleash feature flags: https://docs.getunleash.io/concepts/feature-flags
- Unleash activation strategies: https://docs.getunleash.io/concepts/activation-strategies
- Unleash segments: https://docs.getunleash.io/concepts/segments
- Flagsmith feature flag and remote config documentation: https://docs.flagsmith.com/
- Flagsmith identities: https://docs.flagsmith.com/flagsmith-concepts/identities
- Flagsmith segments: https://docs.flagsmith.com/flagsmith-concepts/segments
- flagd: https://flagd.dev/
- GO Feature Flag relay proxy: https://gofeatureflag.org/docs/relay-proxy
- Martin Fowler / Pete Hodgson, Feature Toggles: https://martinfowler.com/articles/feature-toggles.html
---
## 19. Initial implementation hypothesis
Use OpenFeature in every consuming repository. Start with a small organization-level feature SDK wrapper that standardizes context construction, safe defaults, local testing, generated keys, and telemetry hooks (see OF flag-evaluation and evaluation-context specs for exact contracts on EvaluationDetails, context merge precedence, and error handling).
Evaluate Unleash and Flagsmith as immediate backend candidates for the control plane. Keep flagd and GO Feature Flag as lightweight alternatives for a future custom or GitOps-heavy architecture.
Define `FeatureDefinition`, `FeatureContext`, `FeatureDecision`, and `FeatureRule` (and the qualified EvaluationScope) as canonical InfoTechCanon-compatible schemas per `docs/canon-mapping.md`. Keep feature availability, entitlement (ITC-ACCESS), authorization (ITC-ACCESS/GOV), and UI visibility distinct, then compose them into an effective feature decision (feature-control resolver layer on top of canon facts).
Prioritize low repository impact, operational safety, compute reduction, tenant isolation, auditability, and cleanup discipline over advanced experimentation in the first implementation. The `docs/canon-mapping.md` (and FEATURE-WP-0002 research summary) is the authoritative reference for terminology and ownership boundaries during implementation.
Reference in New Issue View Git Blame Copy Permalink