Orders Service — Service Readiness
Status: populated
Owner: TBD
Last updated: 2026-04-18
Companion: Service Template · DEFINITION_OF_DONE · SERVICE_RISK_REGISTER
1. Purpose
This checklist defines the gates that must be satisfied before the orders-service is promoted to production. The service is patient-safety-critical and requires elevated readiness scrutiny.
Sign-off required from: Tech Lead + SRE + Clinical Safety Officer
2. Documentation Gates
| Gate | Status | Owner | Notes |
|---|---|---|---|
| All 17 canonical docs populated (not stubs) | In Progress | Tech Lead | SERVICE_OVERVIEW, DOMAIN_MODEL, APPLICATION_LOGIC, API_CONTRACTS, DATA_MODEL, SECURITY_MODEL, OBSERVABILITY, EVENT_SCHEMAS, TESTING_STRATEGY, SYNC_CONTRACT, AI_INTEGRATION complete; 6 stubs now resolved |
| EPICS.md and USER_STORIES.md present | Not started | Product Owner | |
| MIGRATION_PLAN.md approved by clinical informatics | Not started | Clinical Informatics | |
3. Code and Quality Gates
| Gate | Required threshold | Notes |
|---|---|---|
| Unit test coverage — overall | ≥ 80% line / branch | pnpm test:cov |
| Unit test coverage — domain layer (CDS guard, state machine) | ≥ 90% | Safety-critical paths |
| Unit test coverage — aggregates | ≥ 95% per DEFINITION_OF_DONE | |
| All unit tests green | 0 failures | |
| All integration tests green | 0 failures | |
| tenant-isolation.spec.ts passing | MUST pass | Blocking gate |
| outbox.spec.ts passing | MUST pass | Blocking gate |
| cds-guard.integration.spec.ts passing | MUST pass | Patient-safety gate |
| Contract tests green (Pact broker) | 0 failures | Verify against all consumers |
| Event schema conformance green | 0 failures | Schema registry validation |
| Linting + typecheck clean | 0 errors | CI enforced |
| No CRITICAL or HIGH findings from security-reviewer | MUST be clean | Before prod |
| OpenAPI diff gate — no breaking changes without version bump | 0 violations | CI enforced |
4. Security Gates
| Gate | Status | Notes |
|---|---|---|
| RLS policies verified by integration tests | Not started | tenant-isolation.spec.ts |
| Keycloak RBAC matrix tested for all roles | Not started | CLINICIAN, PRESCRIBER, NURSE, PHARMACIST, PATIENT, ADMIN |
| CDS override audit log immutability verified | Not started | 7-year retention policy |
| Dual-sign for controlled substances implemented and tested | Not started | |
| No hardcoded secrets in codebase | Not started | security-reviewer gate |
| MODULE_NOT_ENTITLED enforced for unlicensed tenants | Not started | |
| PII masking in logs verified (orderedBy, clinicalSummary) | Not started | |
| Secrets injected via Vault (not ConfigMap) | Not started | SRE review |
5. Observability Gates
| Gate | Status | Notes |
|---|---|---|
| OpenTelemetry spans verified in staging (Grafana/Jaeger) | Not started | All spans from OBSERVABILITY.md Section 2 |
| Prometheus metrics confirmed scraping | Not started | All metrics from OBSERVABILITY.md Section 3 |
| Dashboards deployed and reviewed by SRE | Not started | Orders Overview, CDS Activity, Referral Tracking, Service Health |
| All alerts configured with runbooks | Not started | 5 alerts from OBSERVABILITY.md Section 6 |
| SLOs declared in Grafana SLO module | Not started | 6 SLOs from OBSERVABILITY.md Section 1 |
| Health endpoints verified in staging | Not started | /health/live, /health/ready, /health/startup |
6. Deployment and Ops Gates
| Gate | Status | Notes |
|---|---|---|
| Helm chart reviewed and merged | Not started | SRE |
| Terraform module for DB and secrets | Not started | SRE |
| PodDisruptionBudget configured (minAvailable: 2) | Not started | SRE |
| HPA configured (min 3, max 8 for prod) | Not started | SRE |
| Canary deploy completed in staging — 5% / 30 min — rollback verified | Not started | SRE |
| Rolling update strategy verified (zero downtime) | Not started | SRE |
| Database migrations run as pre-deploy Job (not inline) | Not started | |
| On-call rotation assigned | Not started | Engineering Manager |
7. Migration Gates (if migrating from legacy CPOE)
| Gate | Status | Notes |
|---|---|---|
| Historical data migration count validated (0 discrepancy) | Not started | Migration engineer |
| 10% sample of active orders validated by clinical team | Not started | Clinical informatics |
| FHIR ID redirect table populated and tested | Not started | interop-service team |
| Legacy service replicas set to 0 (post-cutover) | Not started | SRE |
| Rollback plan documented and rehearsed | Not started | SRE |
8. Clinical Safety Gates
| Gate | Status | Notes |
|---|---|---|
| CDS hard-stop ADMIN override path tested end-to-end | Not started | Clinical Safety Officer |
| Allergy cache staleness scenario documented and mitigated | Not started | Clinical Safety Officer |
| CDS degraded mode behavior documented, tested, accepted by clinical team | Not started | Clinical informatics |
| Duplicate order prevention validated with clinical scenarios | Not started | Clinical informatics |
| Controlled substance dual-sign workflow validated | Not started | Clinical Safety Officer |
9. Sign-Off
| Role | Name | Date | Signature |
|---|---|---|---|
| Tech Lead | TBD | — | — |
| SRE | TBD | — | — |
| Clinical Safety Officer | TBD | — | — |
The service MUST NOT be promoted to production until all gates in Sections 3–8 are marked complete and all three sign-offs are recorded above.