cpflow 4.1.1 → 5.0.0.rc.0

data/Gemfile.lock

@@ -1,106 +1,125 @@
 PATH
   remote: .
   specs:
-    cpflow (4.1.1)
-      dotenv (~> 2.8.1)
-      jwt (~> 2.8.1)
-      psych (~> 5.1.0)
-      thor (~> 1.2.1)
+    cpflow (5.0.0.rc.0)
+      dotenv (~> 3.1)
+      jwt (~> 3.1)
+      psych (~> 5.2)
+      thor (~> 1.4)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.8.7)
-      public_suffix (>= 2.0.2, < 7.0)
-    ast (2.4.2)
-    base64 (0.2.0)
-    bigdecimal (3.1.8)
-    childprocess (4.1.0)
-    crack (1.0.0)
+    addressable (2.8.9)
+      public_suffix (>= 2.0.2, < 8.0)
+    ast (2.4.3)
+    base64 (0.3.0)
+    bigdecimal (4.1.0)
+    childprocess (5.1.0)
+      logger (~> 1.5)
+    crack (1.0.1)
       bigdecimal
       rexml
-    debug (1.9.2)
+    date (3.5.1)
+    debug (1.11.1)
       irb (~> 1.10)
       reline (>= 0.3.8)
-    diff-lcs (1.5.1)
-    docile (1.4.0)
-    dotenv (2.8.1)
-    hashdiff (1.1.0)
+    diff-lcs (1.6.2)
+    docile (1.4.1)
+    dotenv (3.2.0)
+    erb (6.0.2)
+    gem-release (2.2.4)
+    hashdiff (1.2.1)
     iniparse (1.5.0)
-    io-console (0.7.2)
-    irb (1.13.2)
+    io-console (0.8.2)
+    irb (1.17.0)
+      pp (>= 0.6.0)
+      prism (>= 1.3.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
-    json (2.7.2)
-    jwt (2.8.2)
+    json (2.19.3)
+    jwt (3.1.2)
       base64
-    language_server-protocol (3.17.0.3)
-    overcommit (0.60.0)
-      childprocess (>= 0.6.3, < 5)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    logger (1.7.0)
+    overcommit (0.69.0)
+      childprocess (>= 0.6.3, < 6)
       iniparse (~> 1.4)
-      rexml (~> 3.2)
-    parallel (1.25.1)
-    parser (3.3.3.0)
+      rexml (>= 3.3.9)
+    parallel (1.28.0)
+    parser (3.3.11.1)
       ast (~> 2.4.1)
       racc
-    psych (5.1.2)
+    pp (0.6.3)
+      prettyprint
+    prettyprint (0.2.0)
+    prism (1.9.0)
+    psych (5.3.1)
+      date
       stringio
-    public_suffix (6.0.0)
-    racc (1.8.0)
+    public_suffix (7.0.5)
+    racc (1.8.1)
     rainbow (3.1.1)
-    rake (13.2.1)
-    rdoc (6.7.0)
+    rake (13.3.1)
+    rdoc (7.2.0)
+      erb
       psych (>= 4.0.0)
-    regexp_parser (2.9.2)
-    reline (0.5.9)
+      tsort
+    regexp_parser (2.11.3)
+    reline (0.6.3)
       io-console (~> 0.5)
-    rexml (3.3.1)
-      strscan
-    rspec (3.12.0)
-      rspec-core (~> 3.12.0)
-      rspec-expectations (~> 3.12.0)
-      rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.3)
-      rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.4)
+    rexml (3.4.4)
+    rspec (3.13.2)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.6)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.7)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.8)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
+      rspec-support (~> 3.13.0)
     rspec-retry (0.6.2)
       rspec-core (> 3.3)
-    rspec-support (3.12.2)
-    rubocop (1.64.1)
+    rspec-support (3.13.7)
+    rubocop (1.86.0)
       json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.31.3)
-      parser (>= 3.3.1.0)
-    rubocop-rake (0.6.0)
-      rubocop (~> 1.0)
-    rubocop-rspec (3.0.1)
-      rubocop (~> 1.61)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.49.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.7)
+    rubocop-rake (0.7.1)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.72.1)
+    rubocop-rspec (3.9.0)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.81)
     ruby-progressbar (1.13.0)
     simplecov (0.22.0)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
-    simplecov-html (0.12.3)
+    simplecov-html (0.13.2)
     simplecov_json_formatter (0.1.4)
-    stringio (3.1.1)
-    strscan (3.1.0)
-    thor (1.2.2)
+    stringio (3.2.0)
+    thor (1.5.0)
     timecop (0.9.10)
-    unicode-display_width (2.5.0)
-    webmock (3.18.1)
+    tsort (0.2.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
+    webmock (3.26.2)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -112,16 +131,17 @@ PLATFORMS
 DEPENDENCIES
   cpflow!
   debug (~> 1)
-  overcommit (~> 0.60.0)
+  gem-release (~> 2.2)
+  overcommit (~> 0.69.0)
   rake (~> 13.0)
-  rspec (~> 3.12.0)
+  rspec (~> 3.13)
   rspec-retry (~> 0.6.2)
-  rubocop (~> 1.64.1)
-  rubocop-rake (~> 0.6.0)
-  rubocop-rspec (~> 3.0.1)
+  rubocop (~> 1.81)
+  rubocop-rake (~> 0.7.1)
+  rubocop-rspec (~> 3.8)
   simplecov (~> 0.22.0)
-  timecop (~> 0.9.6)
-  webmock (~> 3.18.1)
+  timecop (~> 0.9.10)
+  webmock (~> 3.26)
 
 BUNDLED WITH
-   2.3.26
+  4.0.7

data/README.md

@@ -22,9 +22,17 @@ _If you need a free demo account for Control Plane (no CC required), you can con
 
 ---
 
-Be sure to see the [demo app](https://github.com/shakacode/react-webpack-rails-tutorial/tree/master/.controlplane), which includes simple YAML configurations and setup for `cpflow`.
+To bootstrap a new project, run three commands from the repo root:
 
-Also, check [how the `cpflow` gem (this project) is used in the Github actions](https://github.com/shakacode/react-webpack-rails-tutorial/blob/master/.github/actions/deploy-to-control-plane/action.yml).
+1. **`cpflow github-flow-readiness`** — gate for common rollout blockers (missing Rails runtime scaffold, legacy Ruby or Bundler toolchains, unpublished exact-pinned gems or npm packages, missing production Dockerfiles). Exits non-zero on any blocker.
+2. **`cpflow generate`** — creates `.controlplane/` scaffolding. Infers the app prefix from the repo directory, the base Ruby version from `.ruby-version`/`.tool-versions`/`Gemfile`, the JS package manager from `package.json`, repo-defined frontend precompile hooks (Shakapacker `precompile_hook`, React on Rails auto bundle generation), and switches to persistent `db` + `storage` volume templates when `config/database.yml` shows SQLite in production.
+3. **`cpflow generate-github-actions`** — adds the reusable GitHub Actions pipeline for review apps, staging deploys, and manual production promotion.
+
+The generated scaffold is a starting point. After generation, adapt `.controlplane/` for app-specific workloads (Sidekiq, Node renderer), wire any private-dependency Docker build settings (SSH key, optional known-host overrides), and verify that the production Docker build succeeds.
+
+See [CI automation](./docs/ci-automation.md) for the full setup and required GitHub secrets and variables. For an AI agent rollout, see the [AI rollout prompt](./docs/ai-github-flow-prompt.md) or run `cpflow ai-github-flow-prompt` inside the target repo to print a copy-paste prompt with that repo's default app prefix filled in.
+
+For a live reference, see the [demo app](https://github.com/shakacode/react-webpack-rails-tutorial/tree/master/.controlplane) and its [GitHub Actions flow](https://github.com/shakacode/react-webpack-rails-tutorial/tree/master/.github).
 Here is a brief [video overview](https://www.youtube.com/watch?v=llaQoAV_6Iw).
 
 ---
@@ -37,7 +45,7 @@ many "Heroku" abstractions and naming conventions.
 
 Control Plane provides access to raw cloud computing power but lacks the simple abstractions of Heroku. The `cpflow` CLI bridges this gap, delivering a streamlined and familiar experience for developers.
 
-While this repository simplifies migration from Heroku, the `cpflow` CLI is versatile and can be used for new applications as well. It follows a **concept mapping** and **helper CLI** approach to streamline deployment workflows and minimize manual effort.
+While this repository simplifies migration from Heroku, the `cpflow` CLI is versatile and can be used for any application. This document contains **concept mapping** and **helper CLI** approach to streamline deployment workflows and minimize manual effort.
 
 Additionally, the documentation includes numerous examples and practical tips for teams transitioning from Heroku to Kubernetes, helping them make the most of Control Plane's advanced features.
 
@@ -64,6 +72,7 @@ Additionally, the documentation includes numerous examples and practical tips fo
 - Extensive Heroku-to-Control Plane migration examples included in the documentation.
 - Convention-driven configuration to simplify workflows and reduce custom scripting requirements.
 - Easy to understand Heroku to Control Plane conventions in setup and naming.
+- GitHub Actions generator for on-demand review apps, automatic staging deploys, and manual promotion to production.
 - **Safe, production-ready** equivalents of `heroku run` and `heroku run:detached` for Control Plane.
 - Automatic sequential release tagging for Docker images.
 - A project-aware CLI that enables working on multiple projects.
@@ -82,7 +91,7 @@ On Control Plane, we can map a Heroku app to a GVC (Global Virtual Cloud). Such
 be anything that can run as a container.
 
 | Heroku           | Control Plane                               |
-| ---------------- | ------------------------------------------- |
+|------------------|---------------------------------------------|
 | _app_            | _GVC_ (Global Virtual Cloud)                |
 | _dyno_           | _workload_                                  |
 | _add-on_         | either a _workload_ or an external resource |
@@ -105,7 +114,12 @@ For the typical Rails app, this means:
 | in-memory db    | `redis`, `memcached` | add-on        | external provider or can be set up for development/testing with Docker image (lacks persistence between restarts) |
 | others          | `mailtrap`           | add-on        | external provider or can be set up for development/testing with Docker image (lacks persistence between restarts) |
 
-## Installation
+## Migration Strategy
+See this doc for [detailed migration steps](./docs/migrating-heroku-to-control-plane.md) from Heroku to Control Plane. Even if you are coming from a platform other than Heroku, you can still benefit from the migration steps.
+
+## System Prerequisites
+
+_Note, if you want to use Terraform with cpflow, you will start the same way below._
 
 1. Ensure your [Control Plane](https://shakacode.controlplane.com/) account is set up. Set up an `organization` `<your-org>` for testing in that account and modify the value for `aliases.common.cpln_org` in `.controlplane/controlplane.yml`, or you can also set it with the `CPLN_ORG` environment variable. If you need an organization, please [contact Shakacode](mailto:controlplane@shakacode.com).
 
@@ -113,7 +127,9 @@ For the typical Rails app, this means:
 
 3. Install [Ruby](https://www.ruby-lang.org/en/) (required for these helpers).
 
-4. Install Control Plane CLI, and configure access ([docs here](https://shakadocs.controlplane.com/quickstart/quick-start-3-cli#getting-started-with-the-cli)).
+4. Purely local bootstrap commands can run before Control Plane CLI is installed. That includes `cpflow help`, `cpflow version`, `cpflow github-flow-readiness`, `cpflow ai-github-flow-prompt`, `cpflow generate`, `cpflow generate-github-actions`, and `cpflow terraform generate`. Install Control Plane CLI before any `cpflow` command that talks to Control Plane infrastructure.
+
+5. Install Control Plane CLI, and configure access ([docs here](https://shakadocs.controlplane.com/quickstart/quick-start-3-cli#getting-started-with-the-cli)).
 
 ```sh
 # Install CLI
@@ -126,19 +142,15 @@ cpln login
 npm update -g @controlplane/cli
 ```
 
-5. Run `cpln image docker-login --org <your-org>` to ensure that you have access to the Control Plane Docker registry.
+6. Run `cpln image docker-login --org <your-org>` to ensure that you have access to the Control Plane Docker registry.
 
-6. Install Control Plane Flow `cpflow` CLI as a [Ruby gem](https://rubygems.org/gems/cpflow): `gem install cpflow`. If you want to use `cpflow` from Rake tasks in a Rails project, use `Bundler.with_unbundled_env { `cpflow help` } or else you'll get an error that `cpflow` cannot be found. While you can add `cpflow` to your Gemfile, it's not recommended because it might trigger conflicts with other gems.
+7. Install Control Plane Flow `cpflow` CLI as a [Ruby gem](https://rubygems.org/gems/cpflow): `gem install cpflow`. If you want to use `cpflow` from Rake tasks in a Rails project, use `Bundler.with_unbundled_env { `cpflow help` } or else you'll get an error that `cpflow` cannot be found. While you can add `cpflow` to your Gemfile, it's not recommended because it might trigger conflicts with other gems.
 
-7. You can use [this Dockerfile](https://github.com/shakacode/react-webpack-rails-tutorial/blob/master/.controlplane/Dockerfile) as an example for your project. Ensure that you have Docker running.
+8. You will need a production-ready Dockerfile. If you're using Rails, consider the default one that ships with Rails 8. You can use [this Dockerfile](https://github.com/shakacode/rails-v8-kamal-v2-terraform-gcp-tutorial/blob/master/Dockerfile) as an example for your project. Ensure that you have Docker running.
 
 **Note:** Do not confuse the `cpflow` CLI with the `cpln` CLI. The `cpflow` CLI is the Control Plane Flow playbook CLI.
 The `cpln` CLI is the Control Plane CLI.
 
-## Steps to Migrate
-
-Click [here](https://www.shakacode.com/control-plane-flow/docs/migrating/) to see the steps to migrate.
-
 ## Configuration Files
 
 The `cpflow` gem is based on several configuration files within a `/.controlplane` top-level directory in your project.
@@ -147,20 +159,22 @@ The `cpflow` gem is based on several configuration files within a `/.controlplan
 .controlplane/
 ├─ templates/
 │  ├─ app.yml
-│  ├─ postgres.yml
+│  ├─ postgres.yml or db.yml + storage.yml
 │  ├─ rails.yml
 ├─ controlplane.yml
 ├─ Dockerfile
 ├─ entrypoint.sh
+├─ release_script.sh
 ```
 
-1. `controlplane.yml` describes the overall application. Be sure to have `<your-org>` as the value for `aliases.common.cpln_org`, or set it with the `CPLN_ORG` environment variable.
-2. `Dockerfile` builds the production application. `entrypoint.sh` is an _example_ entrypoint script for the production application, referenced in your Dockerfile.
-3. `templates` directory contains the templates for the various workloads, such as `rails.yml` and `postgres.yml`.
-4. `templates/app.yml` defines your project's GVC (like a Heroku app). More importantly, it contains ENV values for the app.
-5. `templates/rails.yml` defines your Rails workload. It may inherit ENV values from the parent GVC, which is populated from the `templates/app.yml`. This file also configures scaling, sizing, firewalls, and other workload-specific values.
-6. For other workloads (like lines in a Heroku `Procfile`), you create additional template files. For example, you can base a `templates/sidekiq.yml` on the `templates/rails.yml` file.
-7. You can have other files in the `templates` directory, such as `redis.yml` and `postgres.yml`, which could setup Redis and Postgres for a testing application.
+1. `controlplane.yml` describes the overall application. The generated version includes staging, review, and production entries named from the repo directory, plus `setup_app_templates` and `release_script` defaults. Be sure to update `<your-org>` as the value for `aliases.common.cpln_org`, or set it with the `CPLN_ORG` environment variable.
+2. `Dockerfile` builds the production application. The generated example includes Node.js, package-manager auto-detection (`npm`, Yarn, or `pnpm`), a Ruby base-image hint derived from `.ruby-version`, `.tool-versions`, or the app's `Gemfile`, and any detected repo-defined asset precompile hook such as a Shakapacker `precompile_hook` or React on Rails auto bundle generation step so Rails apps with frontend assets can precompile from a clean clone. `entrypoint.sh` is an _example_ entrypoint script for the production application, referenced in your Dockerfile.
+3. `release_script.sh` is the generated release-phase entrypoint used by `cpflow deploy-image --run-release-phase` and `cpflow promote-app-from-upstream --run-release-phase`.
+4. `templates` directory contains the templates for the various workloads, such as `rails.yml` and either `postgres.yml` or the SQLite `db.yml` and `storage.yml` pair.
+5. `templates/app.yml` defines your project's GVC (like a Heroku app). More importantly, it contains ENV values for the app.
+6. `templates/rails.yml` defines your Rails workload. It may inherit ENV values from the parent GVC, which is populated from the `templates/app.yml`. This file also configures scaling, sizing, firewalls, and other workload-specific values.
+7. For other workloads (like lines in a Heroku `Procfile`), you create additional template files. For example, you can base a `templates/sidekiq.yml` on the `templates/rails.yml` file.
+8. You can have other files in the `templates` directory, such as `redis.yml`, `postgres.yml`, or SQLite-backed `db.yml` and `storage.yml`, depending on the application runtime.
 
 Here's a complete example of all supported config keys explained for the `controlplane.yml` file:
 
@@ -329,8 +343,25 @@ apps:
 
 ## Workflow
 
+### Bootstrap a New Repo
+
+```sh
+# Check the repo for common rollout blockers before generating files
+cpflow github-flow-readiness
+
+# Create the .controlplane/ scaffolding
+cpflow generate
+
+# Create reusable GitHub Actions for review apps, staging, and production promotion
+cpflow generate-github-actions
+```
+
+`cpflow github-flow-readiness` exits non-zero when it finds blockers such as unpublished exact-pinned packages or a missing production Dockerfile, so use it as the gate before generation. Then review the generated `.controlplane/controlplane.yml` entries, adjust any app-specific workloads, and configure the GitHub repository variables and secrets described in [CI automation](./docs/ci-automation.md), including the optional Docker build settings for private GitHub dependencies and custom SSH known hosts. `cpflow generate` already switches to persistent `db` and `storage` volumes when `config/database.yml` shows SQLite in production and preserves detected frontend precompile hooks, but you should still confirm that the generated Dockerfile picked a Ruby base image compatible with the app's declared Ruby requirement and that the emitted workload set matches the real app. If you want an AI agent to do this end to end, start with the [AI rollout prompt](./docs/ai-github-flow-prompt.md) or run `cpflow ai-github-flow-prompt` in the target repo rather than giving a vague "set up CI" request.
+
 For a live example, see the [react-webpack-rails-tutorial](https://github.com/shakacode/react-webpack-rails-tutorial/blob/master/.controlplane/readme.md) repository.
 
+You can use this repository as a reference for setting up your own project.
+
 This example should closely match the below example.
 
 Suppose your app is called `tutorial-app`. You can run the following commands.
@@ -384,7 +415,7 @@ cpflow build-image -a tutorial-app --commit ABCD
 
 ### Real World
 
-Most companies will configure their CI system to handle the above steps. Please [contact Shakacode](mailto:controlplane@shakacode.com) for examples of how to do this.
+Most teams will automate the above steps in CI. Run `cpflow generate-github-actions` to scaffold the GitHub Actions flow, then follow [CI automation](./docs/ci-automation.md) to wire it to your `.controlplane/controlplane.yml` and repository settings.
 
 You can also join our [**Slack channel**](https://reactrails.slack.com/join/shared_invite/enQtNjY3NTczMjczNzYxLTlmYjdiZmY3MTVlMzU2YWE0OWM0MzNiZDI0MzdkZGFiZTFkYTFkOGVjODBmOWEyYWQ3MzA2NGE1YWJjNmVlMGE) for ShakaCode open source projects.
 

data/cpflow.gemspec

@@ -13,12 +13,12 @@ Gem::Specification.new do |spec|
   spec.homepage    = "https://github.com/shakacode/control-plane-flow"
   spec.license     = "MIT"
 
-  spec.required_ruby_version = ">= 2.7.0"
+  spec.required_ruby_version = ">= 3.0.0"
 
-  spec.add_dependency "dotenv",   "~> 2.8.1"
-  spec.add_dependency "jwt",      "~> 2.8.1"
-  spec.add_dependency "psych",    "~> 5.1.0"
-  spec.add_dependency "thor",     "~> 1.2.1"
+  spec.add_dependency "dotenv",   "~> 3.1"
+  spec.add_dependency "jwt",      "~> 3.1"
+  spec.add_dependency "psych",    "~> 5.2"
+  spec.add_dependency "thor",     "~> 1.4"
 
   spec.files = `git ls-files -z`.split("\x0").reject do |file|
     file.match(%r{^(coverage|pkg|spec|tmp)/})

data/docs/ai-github-flow-prompt.md

@@ -0,0 +1,61 @@
+# AI Rollout Prompt for Control Plane GitHub Flow
+
+Use this file when you want an AI agent to add the reusable `cpflow` review-app,
+staging, and production-promotion flow to a repository.
+
+If `cpflow` is already installed in the target repo, you can print the current
+copy-paste version of this prompt with:
+
+```sh
+cpflow ai-github-flow-prompt
+```
+
+That local-only command works even before `cpln` is installed and fills in the
+repo-name default app prefix for the current checkout. You can also run
+`cpflow github-flow-readiness` first to check the same blocker categories the
+prompt tells the agent to stop on.
+
+## Recommended Prompt
+
+```text
+Set up Control Plane GitHub Flow for this repo. Start with `cpflow github-flow-readiness` and stop on any reported blockers. The repo must be deployable from a clean clone: published package versions, complete runtime scaffold, and a production Dockerfile that can build the app. If any package version is unpublished, inaccessible from CI, or requires credentials that are not already modeled in the repo or GitHub settings, stop and report the blocker instead of generating workflow files. If the repo is a legacy sample pinned to an obsolete Ruby or Bundler toolchain, if it does not even have a production Dockerfile yet, or if it is a monorepo without an already-decided single app boundary for this flow, stop and report that as a prerequisite instead of forcing the rollout.
+
+If `.controlplane/` is missing, run `cpflow generate`. Treat the generated app names as the repo-name default and rename them only if the project needs a different prefix. Then run `cpflow generate-github-actions` (or `cpflow generate-github-actions --staging-branch BRANCH` when staging should deploy from a branch other than `main`/`master`), keep review apps opt-in via `/deploy-review-app`, make sure any `STAGING_APP_BRANCH` repository variable is also present in the generated staging workflow's `on.push.branches` filter, and list the GitHub secrets and variables that must be configured.
+
+Keep Node available in the final image if asset compilation or SSR depends on ExecJS, Yarn, `pnpm`, or npm after the main install layer. Make sure the generated Dockerfile uses a Ruby base image compatible with the app's declared Ruby requirement. Preserve repo-defined frontend build hooks: if `config/shakapacker.yml` defines a `precompile_hook`, or React on Rails enables `config.auto_load_bundle = true`, confirm the generated Dockerfile runs that codegen step before `rails assets:precompile`. If `config/database.yml` shows SQLite in production, confirm that the generated scaffold uses persistent `db` and `storage` volumes plus a release script that runs `rails db:prepare`; otherwise keep the default Postgres workload. If the public workload is not named `rails`, set `PRIMARY_WORKLOAD` or adjust the generated workflows. Inspect the Dockerfile and package sources for private GitHub dependencies or `RUN --mount=type=ssh`; if present, wire `DOCKER_BUILD_SSH_KEY`, optionally set `DOCKER_BUILD_SSH_KNOWN_HOSTS` for non-GitHub SSH hosts, and keep `DOCKER_BUILD_EXTRA_ARGS` to newline-delimited single tokens such as `--build-arg=FOO=bar`.
+
+Run the real local validations you can: Docker build if feasible, repo tests or smoke checks, YAML validation, and any CI-equivalent build steps. Push the branch and check the GitHub Actions results. Only stop early for a real external blocker or a product decision that changes scope.
+```
+
+## Hard Stop Conditions
+
+Stop and report the blocker instead of generating `cpflow-*` workflow files when:
+
+- the repo is a partial sample or generator snapshot rather than a deployable app
+- the app depends on unpublished or inaccessible gem or npm package versions
+- the repo is pinned to a legacy Ruby or Bundler toolchain that you cannot validate in the current environment
+- there is no production Dockerfile and the app's production build path is still undefined
+- the repo is a monorepo or contains multiple deployable apps and the flow target is not already decided
+- the local checkout does not match the intended remote repository
+- the app needs product decisions about workload shape, secrets, or promotion behavior that are not already implied by the repo
+
+## Definition of Done
+
+The rollout is done when all of the following are true:
+
+- `.controlplane/` exists and matches the actual app shape
+- `.github/actions/cpflow-*` and `.github/workflows/cpflow-*` are in place
+- review apps are opt-in, staging auto-deploys from one branch, and production promotion is manual
+- required GitHub secrets and variables are documented for the repo
+- the production image build path is validated for the real app
+- repo-specific runtime concerns are handled, such as SQLite volumes, sidekiq workloads, SSR runtime Node access, React on Rails pack generation hooks, or private dependency fetches
+- the branch is pushed and the relevant GitHub checks are either green or blocked only by an external system failure
+
+## React on Rails Notes
+
+For React on Rails and React on Rails Pro apps, explicitly verify:
+
+- SSR or renderer workloads do not lose Node or package-manager access in the final image
+- sidecar renderers or worker processes bind to `0.0.0.0`, not container-local `localhost`
+- writable caches, bundle outputs, or SQLite files live in runtime-writable paths
+- old demo repos are treated as legacy exceptions unless they can still build from a clean clone