> ## Documentation Index > Fetch the complete documentation index at: https://specs.flux.employinc.io/llms.txt > Use this file to discover all available pages before exploring further. # Wave 5: Platform & Trust # Wave 5: Platform & Trust **Status**: IN PROGRESS **Domain**: Everything that makes Flux a trustworthy platform: billing and pricing, feature flags, evaluations, observability, deploy hardening, security, compliance, staging, production infrastructure. **Owner**: @pj *** ## Scope Wave 5 owns the non-functional guarantees: performance, reliability, security, auditability, fairness, cost control, rollback safety. It is the wave that transforms "a working product" into "a platform you can bet a business on." Specifically: * **Billing & Pricing** (Cycle 211.1): Clerk Billing integration, plan gating, overage metering. * **Feature Flags** (Cycle 213 feature flags variant): OpenFeature + Flipt for controlled rollout. * **Evals**: Cycle 365 Pilot Evals Harness (new) as the regression gate; Cycle 218 AI Response Feedback (PR #300) as the production human-feedback loop. * **Observability**: Cycles 301.1 (k3d foundation), 301.2 (SLO alerts + routing), 301.3 (GKE staging deployment). The autonomous-operations extensions (301.4, 301.5) belong to Wave 6 — they add AI capabilities on top of this foundation. * **Deploy Hardening** (Cycle 213 deploy-hardening variant): Alembic pre-sync migrations, Doppler bootstrap recovery, PVC monitoring, production safeguards. * **Production Infrastructure** (Cycle 382, 382.1, 382.2): dedicated production GKE cluster, release-branch gating, three-class secret taxonomy, pipeline hardening. * **Staging** (Cycle 209.1): operational staging environment for pre-production verification. * **Quality + Production Readiness** (Cycle 207): E2E Playwright tests covering the full hiring lifecycle, compliance validation, performance benchmarks. * **Paychex Pilot Finishing** (Cycle 364, new): security audit, performance baseline, runbooks, Go/No-Go gate — pilot-scoped platform work. *** ## Cycles | Cycle | Title | Status | Milestone | | ------- | ------------------------------------------------------------------- | --------------------- | ---------------------- | | 207 | Quality + Production (E2E + EU AI Act validation) | Draft | M1 partial; full in M7 | | 209.1 | Staging Operational | Draft | **M1 floor** | | 211.1 | Pricing Integration (Clerk Billing) | Draft | M1 stretch | | 213 | Deploy Hardening — Migrations, Secrets Bootstrap, PVC Monitoring | In progress (PR #225) | **M1 floor** | | 213 | Feature Flags (OpenFeature + Flipt) — see naming-collision flag | Plan-reviewed | M1 stretch | | 218 | AI Response Feedback (PR #300) — see naming-collision flag | Approved, mergeable | M1 stretch | | 301.1 | k3d Observability Foundation | Plan merged (PR #384) | **M1 floor** | | 301.2 | SLO Alerts & Routing | Plan merged | **M1 floor** | | 301.3 | GKE Staging Deployment (observability stack) | Plan merged | **M1 floor** | | **364** | **Paychex Pilot Finishing** (UI, E2E, security, runbooks, Go/No-Go) | New (2026-04-17) | **M1 floor** | | **365** | **Pilot Evals Harness** (golden-set CI gate) | New (2026-04-17) | **M1 floor** | | 382 | Production Environment Bootstrap (parent) | Plan in PR #420 | **M1 floor** | | 382.1 | Production Infrastructure | Plan in PR #420 | **M1 floor** | | 382.2 | Pipeline Hardening | Plan in PR #420 | **M1 floor** | *** ## M1 Paychex Pilot Contribution Wave 5 carries the largest M1 workload — the pilot infrastructure, quality, and observability foundation. **Floor**: * 209.1, 213 (deploy hardening), 301.1, 301.2, 301.3, 382.1, 382.2, 364 (new), 365 (new). **Stretch** (capacity-governed, not cut-line): * 211.1 Pricing Integration — pilot tenants can be manually onboarded; enforcement lands at M1 if capacity, M7 otherwise. * 213 Feature Flags — helpful de-risk for pilot rollbacks; if cut, env-var toggles suffice. * 218 AI Response Feedback (PR #300) — merges if CI-approved; not a launch blocker. **Cut-line governed**: * CL-4 (10-concurrent load) lives in Cycle 364 §4. * CL-5 (security audit CRITICAL/HIGH = 0) lives in Cycle 364 §3. **Post-M1 deepening**: * Cycle 207 full scope (full E2E Playwright coverage, formal EU AI Act validation) → M7 SOC2 prep. * 50-concurrent load test → post-pilot (Wave 5 hardening). *** ## Dependencies * Wave 0: CI/CD (Cycle 209), Helm charts, k3d patterns. * Wave 1–4: the functional features that Wave 5 hardens. No Wave 5 cycle ships without something to deploy, test, secure, observe. *** ## Naming-Collision Flags * **Two Cycle 213s**: "Deploy Hardening" vs. "Feature Flags". Currently distinguished by filename (`cycle213-deploy-hardening.md` vs `cycle213-feature-flags.md`) but sharing a cycle number is confusing. Recommend aliasing Feature Flags as 213.1 or 223. Tracked post-pilot. * **Multiple Cycle 218s**: AI Response Feedback (this wave, PR #300) vs. Candidate Match Agent (Wave 4) vs. Unified SSE Auth (Wave 3 prerequisite). Predates Cycle 381 issue-number IDs. Recommend aliasing. Tracked post-pilot. *** ## Strategic Importance Wave 5 is the wave that determines whether Flux is actually production-grade. The pilot ships on top of 382.1/382.2/209.1/213 (infrastructure), 301.1/.2/.3 (observability), 364 (security + runbooks + Go/No-Go), and 365 (regression gate). Any single failure in these cycles degrades the pilot launch from "credible partnership demonstration" to "rushed demo with hidden fragility." The Paychex Pilot is the first real test of the Platform & Trust posture. Post-pilot (Wave 5 continuation + M7 SOC2), this wave extends to full security certification, 50-concurrent load, and the observability depth that larger customer onboarding requires. *** ## Historical Context Wave 5 was previously labeled "Wave 3: Production Hardening + Differentiation" and included items that were really Dark-Factory-flavored (autonomous ops, spec-driven dev, client-side interactive tools). In the 2026-04-17 domain-reorganization: those items moved to Wave 6 (Dark Factory SDLC); the pure platform/reliability/trust items stayed in what is now Wave 5. Cycle 207 (Quality + Production) moved from the old Wave 1 to Wave 5 — its scope is platform-wide quality, not MVP-specific.