SERVICE_READINESS — pricing-service

Sibling: DEPLOYMENT_TOPOLOGY · OBSERVABILITY · SECURITY_MODEL · FAILURE_MODES · SERVICE_RISK_REGISTER

This is the production-readiness checklist for pricing-service. A green tick on every line plus an Operational Readiness Review (ORR) sign-off is required to:

  • ship the service to production for the first time, or
  • ship a change classified as major (DB migration, breaking API change, new event subject, new external dependency, AI capability change, RBAC change, KMS rotation policy change).

Last review: draft — pre-GA.


1. Domain & contracts

  • Domain model documented in DOMAIN_MODEL with invariants, state machines, value objects, and aggregate boundaries.
  • Bounded context boundary explicit; not-owned concerns listed (inventory, capture, folio).
  • Public REST surface documented in API_CONTRACTS with examples.
  • OpenAPI generated and committed; CI fails on drift.
  • Event subjects documented in EVENT_SCHEMAS with JSON Schemas.
  • Inbox subscriptions documented and wired.
  • Backwards-compatibility policy stated.
  • Sync contract for Electron desktop documented in SYNC_CONTRACT.

2. Data

  • DDL migration is forward-only; no destructive migrations.
  • RLS enabled and verified on every tenant-scoped table.
  • Indexes verified for the hot read paths (rate-plan resolve, rate-rule by plan/priority, fx latest, tax applicable).
  • PriceQuote partitioning + TTL job in place; verified on staging at 1 M rows/day.
  • Outbox + inbox tables with explicit cleanup policy.
  • Backups (PITR) configured: 35 days retention.
  • Cross-region read replica for DR.
  • CMEK on disk + Pub/Sub + GCS.

3. Reliability

  • SLOs defined and codified in OBSERVABILITY §1.
  • Burn-rate alerts configured (5%/1h, 10%/6h).
  • Synthetic checks running every 60 s from 4 regions.
  • DR runbook exists; quarterly drill scheduled.
  • Rate limiting at API Gateway per API_CONTRACTS §6.
  • Circuit breakers on FX provider, AI orchestrator, and Memorystore.
  • Idempotency on every public mutation (24h dedupe).
  • OCC (If-Match) on every PATCH; tested.
  • Failure modes catalogued in FAILURE_MODES with runbooks.
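
The idempotency and OCC items above are usually backed by two small pieces of schema. The following is an added illustration, not pricing-service's own DDL or handler code; the table and column names (idempotency_key, rate_plan, version, request_hash) and the bind-parameter positions are assumptions.

```sql
-- Added example, not the service's own schema. Names and parameter positions are
-- assumptions; the point is the two database-level guarantees behind the checklist.

-- 1. Idempotency: one row per (tenant, key), kept for the 24 h dedupe window.
CREATE TABLE idempotency_key (
    tenant_id     uuid        NOT NULL,
    key           text        NOT NULL,
    request_hash  bytea       NOT NULL,          -- sha256(method || path || body)
    response_code int,
    response_body jsonb,
    created_at    timestamptz NOT NULL DEFAULT now(),
    PRIMARY KEY (tenant_id, key)
);

-- First call: the INSERT returns a row and the handler proceeds.
-- Retry with the same key: ON CONFLICT returns nothing, so the handler takes the
-- replay path below. Same key but a different request_hash is a client bug (422).
INSERT INTO idempotency_key (tenant_id, key, request_hash)
VALUES ($1, $2, $3)
ON CONFLICT (tenant_id, key) DO NOTHING
RETURNING key;                                    -- no row => replay, do not re-execute

SELECT request_hash, response_code, response_body
FROM   idempotency_key
WHERE  tenant_id = $1 AND key = $2;

-- Dedupe window enforcement; run from the same cleanup job as outbox/inbox pruning.
DELETE FROM idempotency_key WHERE created_at < now() - interval '24 hours';

-- 2. Optimistic concurrency: the ETag is the row version, If-Match carries it back.
CREATE TABLE rate_plan (
    id        uuid   PRIMARY KEY,
    tenant_id uuid   NOT NULL,
    name      text   NOT NULL,
    version   bigint NOT NULL DEFAULT 1
);

-- PATCH handler: apply the change only if the client's If-Match version is still
-- current. Zero rows affected means a concurrent writer won: answer
-- 412 Precondition Failed and let the client re-read. The tenant_id predicate is
-- belt-and-braces on top of RLS.
UPDATE rate_plan
SET    name = $3, version = version + 1
WHERE  id = $1 AND tenant_id = $4 AND version = $2
RETURNING version;                                -- new ETag for the response
```

Two cautions when wiring this up. The idempotency INSERT and the mutation it guards must commit together (or the key row must be committed before the work starts), otherwise a crash between the two leaves a key that replays a response that never happened. And with a unique key, a concurrent duplicate INSERT blocks until the first transaction ends rather than failing immediately, which is the behaviour you want: the loser then sees the committed row and replays.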

4. Security

  • Multi-layer tenant isolation: gateway header, ALS, RLS, cache-key prefix, CMEK namespace.
  • CI test asserts cross-tenant queries return zero rows.
  • Authn via OAuth2 + workload JWTs for S2S; mTLS in mesh.
  • Step-up auth required for :archive and :accept operations.
  • Audit events emitted for every state-changing admin action and authorization denial.
  • No PII stored in pricing-service.
  • Secrets in Secret Manager; injected at runtime via Workload Identity; never in environment variables baked into the image or in files on disk.
  • Threat model reviewed (top 5 in SECURITY_MODEL §11).
  • Trivy / Grype scan in CI; image must be CVE-clean (Critical=0, High=0).
  • Binary Authorization enforces signed images in production.
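
The RLS layer in the isolation stack above, and the "zero rows cross-tenant" CI assertion, look like the following in Postgres. This is an added example, not pricing-service's actual DDL or test; the table name rate_plan, the role pricing_app, the GUC app.tenant_id and the sample UUIDs are assumptions.

```sql
-- Added example, not the service's own DDL. Table, role, setting and UUIDs are
-- assumptions; the mechanics are standard Postgres RLS.

CREATE TABLE rate_plan (
    id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id uuid NOT NULL,
    name      text NOT NULL
);

-- Application role: not a superuser, not the table owner, and explicitly NOBYPASSRLS.
-- Superusers always bypass RLS, so the service must never connect as one.
CREATE ROLE pricing_app LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE ON rate_plan TO pricing_app;

ALTER TABLE rate_plan ENABLE ROW LEVEL SECURITY;
-- FORCE makes the owning role (the migration user) subject to the policy as well.
ALTER TABLE rate_plan FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL when the GUC was never set, but after a
-- SET LOCAL has expired it returns '' (a known quirk); NULLIF turns both into NULL.
-- tenant_id = NULL is never true, so a request that forgot to set the tenant sees
-- nothing and can write nothing: the policy fails closed instead of open.
CREATE POLICY tenant_isolation ON rate_plan
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request: set the tenant for this transaction only. SET LOCAL (not SET) means a
-- pooled connection cannot carry the previous request's tenant into the next one.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

-- Cross-tenant read probe: ask explicitly for another tenant's rows.
-- The CI test asserts this count is 0 for every tenant-scoped table.
SELECT count(*)
FROM   rate_plan
WHERE  tenant_id = '22222222-2222-2222-2222-222222222222';

-- Cross-tenant write probe: WITH CHECK rejects this with
-- "new row violates row-level security policy for table "rate_plan"".
INSERT INTO rate_plan (tenant_id, name)
VALUES ('22222222-2222-2222-2222-222222222222', 'probe');
ROLLBACK;

-- Inventory check for the "every tenant-scoped table" bullet: any table with a
-- tenant_id column that does not have RLS enabled and forced is a finding.
SELECT c.relname
FROM   pg_class c
JOIN   pg_attribute a ON a.attrelid = c.oid AND a.attname = 'tenant_id'
WHERE  c.relkind = 'r'
  AND  NOT (c.relrowsecurity AND c.relforcerowsecurity);
```

Run the probe block as pricing_app, not as the migration owner, because that is the role the service actually uses; a test that passes as the owner but skips FORCE ROW LEVEL SECURITY proves nothing. The last query is a cheap addition to the same CI job: it catches the new tenant-scoped table that a migration added without its policy.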

5. Compliance

  • No PCI scope (no card data).
  • GDPR/CCPA: no PII in service; data subject requests routed elsewhere.
  • Sharia compliance enforced in domain layer; AI suggestions constrained.
  • Local tax law (AF/TJ/IR) supported via tax_rules; an EXCLUDE constraint guarantees that no two rules for the same jurisdiction and tax have overlapping validity periods.
  • Data residency: all primary + replica data in EMEA jurisdictions.
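
The overlap-free guarantee on tax_rules is worth seeing concretely, because a CHECK constraint cannot express it and an application-side check races. The block below is an added example and not the service's own DDL; the column set (jurisdiction, tax_code, rate_bps, valid_from, valid_to) and the sample values are assumptions.

```sql
-- Added example, not the service's own DDL. Columns and sample values are
-- assumptions; the EXCLUDE constraint is the technique the checklist item names.

-- gist indexes cannot compare uuid/text with = on their own; btree_gist adds that.
CREATE EXTENSION IF NOT EXISTS btree_gist;

CREATE TABLE tax_rules (
    id           uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id    uuid NOT NULL,
    jurisdiction text NOT NULL,                 -- e.g. 'AF', 'TJ', 'IR'
    tax_code     text NOT NULL,                 -- e.g. 'VAT'
    rate_bps     int  NOT NULL CHECK (rate_bps BETWEEN 0 AND 10000),
    valid_from   date NOT NULL,
    valid_to     date,                          -- NULL = open-ended
    -- At most one rule may be in force per tenant/jurisdiction/tax_code on any day.
    -- The half-open range '[)' lets a rule end on the exact day its successor starts,
    -- and NULL valid_to becomes an unbounded upper bound, so open-ended rules overlap
    -- everything after them. Checked atomically by the database, so two concurrent
    -- writers cannot both succeed.
    CONSTRAINT tax_rules_no_overlap EXCLUDE USING gist (
        tenant_id    WITH =,
        jurisdiction WITH =,
        tax_code     WITH =,
        daterange(valid_from, valid_to, '[)') WITH &&
    )
);

-- Adjacent periods are accepted:
INSERT INTO tax_rules (tenant_id, jurisdiction, tax_code, rate_bps, valid_from, valid_to)
VALUES ('11111111-1111-1111-1111-111111111111', 'TJ', 'VAT', 1800, '2024-01-01', '2025-01-01'),
       ('11111111-1111-1111-1111-111111111111', 'TJ', 'VAT', 1500, '2025-01-01', NULL);

-- This one overlaps the open-ended 2025 rule and is rejected with
-- "conflicting key value violates exclusion constraint "tax_rules_no_overlap"":
INSERT INTO tax_rules (tenant_id, jurisdiction, tax_code, rate_bps, valid_from, valid_to)
VALUES ('11111111-1111-1111-1111-111111111111', 'TJ', 'VAT', 1600, '2025-06-01', '2025-12-31');

-- "tax applicable on date X" lookup; the constraint's gist index can serve it.
SELECT tax_code, rate_bps
FROM   tax_rules
WHERE  tenant_id = $1
  AND  jurisdiction = $2
  AND  daterange(valid_from, valid_to, '[)') @> $3::date;
```

Because the constraint is the single source of truth for "which rule applies", the lookup query can safely assume at most one row per tax_code and does not need an ORDER BY ... LIMIT 1 tie-break that would silently hide a data problem.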

6. Observability

  • OTel traces emitted for every endpoint and use case.
  • Required span attributes documented and enforced via lint.
  • Structured JSON logs; PII denylist enforced.
  • Three Grafana dashboards committed and rendered.
  • Alerting routes configured: PagerDuty (P1/P2), Slack (P3/P4).
  • On-call rotation defined: pricing-oncall PagerDuty schedule, primary + secondary.

7. Testing

  • Domain unit coverage ≥ 95% branches.
  • Service line coverage ≥ 85%.
  • Property-based tests for derivation, FX rounding, sharia guard, promo race.
  • Integration tests with Postgres + Pub/Sub emulator covering happy/error/race paths.
  • Contract tests against committed JSON Schemas.
  • OpenAPI conformance test.
  • E2E tests in platform repo cover booking funnel + HITL flow.
  • k6 load test: 500 RPS sustained, p99 ≤ 250 ms, zero 5xx.
  • Mutation score ≥ 80% on domain layer (nightly).
  • Chaos drills weekly.

8. Deployment

  • Cloud Run + GKE topology codified in Terraform; reviewed.
  • Two entrypoints (HTTP / worker) from a single image.
  • Cloud Run min-instances = 2 to avoid cold starts.
  • Health probes wired (/livez, /readyz).
  • Rolling deploy with revision-based traffic split (5% → 25% → 100% with 5-minute soak).
  • Rollback runbook tested.
  • Cron jobs (quote-expiry, fx-refresh, dynamic-suggestion-batch) scheduled and idempotent.
  • Outbox publisher leader-election via PG advisory lock.
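
The advisory-lock election for the outbox publisher has a couple of sharp edges (session scope, poolers, key collisions) that a checklist line cannot carry. The following is an added example and not the service's actual worker code; the outbox columns, the lock key string, the batch size and the retention interval are assumptions.

```sql
-- Added example, not the service's own worker code. Outbox columns, lock key,
-- batch size and retention interval are assumptions.

CREATE TABLE outbox (
    id           uuid        PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id    uuid        NOT NULL,
    subject      text        NOT NULL,
    payload      jsonb       NOT NULL,
    created_at   timestamptz NOT NULL DEFAULT now(),
    published_at timestamptz
);

-- Each worker replica runs this once, on a DEDICATED connection, at startup.
-- Session-level lock: held until pg_advisory_unlock or until the session dies,
-- so a crashed leader is released by the server without any heartbeat logic.
-- The two-int4 form namespaces the key; hashtext() alone risks colliding with any
-- other advisory-lock user in the same database.
SELECT pg_try_advisory_lock(hashtext('pricing-service'), hashtext('outbox-publisher'))
       AS is_leader;
-- true  => this replica publishes; false => sleep, then retry the same statement.

-- Leader loop body, one transaction per batch.
-- FOR UPDATE SKIP LOCKED makes the claim safe even in the brief window during a
-- handover when an old and a new leader might both be running.
BEGIN;
SELECT id, tenant_id, subject, payload
FROM   outbox
WHERE  published_at IS NULL
ORDER  BY created_at
LIMIT  100
FOR UPDATE SKIP LOCKED;
-- ... publish each row to Pub/Sub (at-least-once: consumers dedupe via the inbox),
-- then mark exactly the ids that were acknowledged:
UPDATE outbox SET published_at = now() WHERE id = ANY($1::uuid[]);
COMMIT;

-- Explicit cleanup policy for the outbox (section 2): published and past retention.
DELETE FROM outbox WHERE published_at < now() - interval '7 days';

-- Graceful shutdown. Must run on the SAME session that acquired the lock.
SELECT pg_advisory_unlock(hashtext('pricing-service'), hashtext('outbox-publisher'));
```

The failure mode to design out: advisory locks are tied to the backend session, so if the publisher talks through a connection pooler in transaction-pooling mode, the lock may be acquired on one backend and the loop run on another, and two replicas can both believe they lead. Pin the publisher to a direct or session-pooled connection, and treat a lost connection as loss of leadership (stop the loop, reconnect, re-run the try_lock).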

9. Documentation

  • All 17 service docs present and current.
  • Service summary in docs/03-microservices/pricing-service.md.
  • Architectural decisions referenced (ADR-0001, ADR-0002, ADR-0003).
  • Onboarding runbook for a new contributor lives in LOCAL_DEV_SETUP.
  • Cross-links to sibling services valid (reservation-service, inventory-service, billing-service, payment-gateway-service, tenant-service, property-service, ai-orchestrator-service, desktop-sync-service).

10. Pre-launch sign-off

Role           Owner                          Status   Date
Service owner  TBA — Pricing eng lead         Pending
Architect      TBA — Platform architect       Pending
Security       TBA — AppSec                   Pending
SRE            TBA — Platform SRE             Pending
Revenue Ops    TBA — Director of Revenue      Pending
Compliance     TBA — Sharia council liaison   Pending

ORR meeting agenda template lives at docs/operational/ORR-template.md.