Istari Deploy Agent

Autonomous release validation for the Istari platform. Runs overnight on EC2 with Claude Code, testing fresh installs and upgrades against the CS sandbox before shipping to customers.
Sign out
Releases
All Runs
Analytics
Release Pipeline
How It Works
Loading...
Run ID Type Outcome Started Duration Chart Phases Logs
Loading...
Loading analytics...
End-to-End Release Validation
Every Istari platform release goes through this pipeline before shipping to customers. Two full deployment cycles (fresh install + upgrade) run autonomously overnight on the CS sandbox.
1
Plan Creation
~5 min (you)
2
Fresh Install
14 phases, ~10h
3
Review
~5 min (you)
4
Upgrade Test
8 phases, ~8h
5
Review
~5 min (you)
6
Ship to Customers
~10 min report
Timeline
Both runs fit in one overnight + one business day. ~25 minutes of engineer time total.
Evening
/release-test-coverage <name> in Claude Code. Queries JFrog, creates plans, uploads to S3, starts EC2.
You
Overnight
Agent runs fresh install: teardown, EKS, terraform, Zitadel, helm, SCS, MCP, SpiceDB, smoke tests. Slack updates arrive throughout.
Agent
Morning
Review fresh install results in Slack. If passed, trigger upgrade plan.
You
Daytime
Agent runs upgrade: pre-checks, breaking changes analysis, helm upgrade, post-verify, smoke tests.
Agent
Afternoon
Review upgrade results. Report to engineering. Both must pass before release ships.
You
Swimlane View
Who does what, and what moves where.
You
/release-test-coverage Confirm versions Plans created Review fresh Trigger upgrade Review upgrade Report
Deploy Agent
Pick up plan 14 phases (fresh) Finalize 8 phases (upgrade) Finalize Stop EC2
Outputs
Slack updates S3 logs Dashboard Git results Terraform package Release assessment
Fresh Install Phases (14)
Full deployment from scratch. Creates EKS cluster, RDS, all infrastructure, identity, platform, and runs end-to-end smoke tests.
Infrastructure
01
Teardown
Destroy previous deployment (terraform destroy, namespace wipe)
Opus
02
Env Setup
VPC discovery, subnet validation, AWS provider config
Opus
03
EKS Apply
EKS cluster, node groups, OIDC provider in BYOVPC
Opus
04
Pull Secret
JFrog registry credentials, image pull test
Sonnet
05
Full Terraform
RDS PostgreSQL, S3 buckets, IAM roles, KMS, security groups
Opus
06
ALB + DNS
Application Load Balancer, ACM cert, Route53 records
Sonnet
Identity & Secrets
07
Configurator
Zitadel org, admin user, OIDC clients (frontend, registry, MCP)
Opus
08
Secrets
K8s secrets for frontend, registry, fileservice, OIDC creds
Sonnet
08u
SCS Enablement
S3 inbox/outbox, DB schema, Zitadel client, SCS secrets
Opus
Platform
09
Helm Install
Platform chart with all subcharts enabled
Opus
10
Verify Pods
All pods running, readiness probes, no crash loops
Sonnet
11
MCP Enable
MCP service, health endpoint, AI chat connectivity
Sonnet
12
SpiceDB
Connection pool hardening, dispatch, permission latency
Opus
Validation
13
Final Validate
HTTPS endpoints, TLS certs, auth flow end-to-end
Sonnet
14
Smoke Tests
API tests (httpx + PAT auth) + browser tests (Playwright)
Python
Upgrade Phases (8)
Deploys the previous release, then upgrades to the new one. Skips infrastructure phases (03, 05, 06) since the cluster already exists.
Assessment
U01
Pre-Upgrade Check
Discover existing cluster state, endpoints, domains
Opus
U02
Pre-Upgrade Infra
Verify infrastructure is ready for upgrade
Opus
U03
Breaking Changes
Analyze release notes, plan migration steps
Opus
Migration
U04
Configurator Upgrade
Update Zitadel clients, add new OIDC configs
Opus
U05
SCS Enablement
Activate new SCS features, preserve existing state
Opus
U06
Platform Upgrade
Helm upgrade with schema migrations, new subcharts
Opus
Validation
U07
Post-Upgrade Verify
All services restart cleanly, data survives
Sonnet
U08
Smoke Tests
API + browser tests against upgraded platform
Python
Safety Architecture
Guardrails that prevent the agent from causing damage or running away with spend.
👁
Opus 4.7 Advisor
Independent model reviews every terraform apply and helm upgrade before execution. Can BLOCK the run.
💰
Per-Phase Budget Caps
Each phase has a max LLM spend ($1-$8). Prevents runaway token consumption on any single phase.
16-Hour Deadline
Warns at 15h, shuts down at 16h. Operator can reply "continue" in Slack to extend.
🔒
Permissions Boundary
IAM boundary denies IAM mutation, Organizations access, and tag-scoped resource creation.
📈
AWS Spend Guardrail
Monthly budget alert ($200). cost-check.sh runs before every deployment.
💬
Slack Check-in
9am ET EventBridge asks if the run should continue. Operator oversight without waking up overnight.
Finalization Flow
After all phases complete (or fail), the agent produces deliverables and notifies.
Determine
Classify outcome success.json / failure.json / advisor_block.json
Generate
Recommendation Worklog Release Assessment Version Check
Deliver
Sync logs to S3 Move plan (running → completed) Update dashboard manifest Terraform package Git commit results
Notify
Slack: result + AI summary Listen 15 min for replies Stop EC2

What does the deploy agent test?

Before every platform release ships to customers, the deploy agent runs two full deployment cycles on the CS sandbox (AWS account 669640508343). Each cycle exercises the complete Istari infrastructure and application stack.

1
Fresh Install
Tears down everything and rebuilds from scratch: EKS cluster, RDS, ALB, DNS, Zitadel, platform helm chart, SCS, MCP, SpiceDB. Validates the full "day one" customer experience.
2
Upgrade Path
Deploys the previous release, then upgrades to the new one. Tests helm upgrade, database migrations, subchart activation, and verifies existing data survives.
3
Smoke Tests
API tests (httpx + PAT auth) and browser tests (Playwright) run against the live deployment. Login, create system, upload file, verify workflows.
4
Report
Results posted to Slack, logs archived in S3, artifacts committed to git. Both a fresh install and upgrade must pass before the release ships.

What each phase validates

PhaseNameWhat it tests
01TeardownClean destruction of previous deployment (terraform destroy, namespace wipe)
02Env SetupVPC discovery, subnet validation, AWS provider configuration, existing resource detection
03EKS ApplyEKS cluster creation in BYOVPC, node groups, OIDC provider (fresh install only)
04Pull SecretJFrog registry pull secret creation, image pull verification
05Full ApplyComplete terraform: RDS PostgreSQL, S3 buckets, IAM roles, security groups, KMS (fresh only)
06ALB+DNSApplication Load Balancer, ACM certificate, Route53 DNS records (fresh only)
07ConfiguratorZitadel identity: organization, admin user, OIDC clients for frontend/registry/MCP
08SecretsKubernetes secrets for frontend, registry service, fileservice, OIDC credentials
08uSCSSecure Connection Service: S3 inbox/outbox, database schema, Zitadel client, secrets
09PlatformHelm install/upgrade of the platform chart with all subcharts enabled
10VerifyAll pods running, readiness probes passing, no crash loops, resource utilization normal
11MCPMCP service enablement, health endpoint, AI chat connectivity
12SpiceDBConnection pool hardening, dispatch authority, permission resolution latency
13ValidateHTTPS endpoints responding, TLS certificates valid, authentication flow working
14SmokeAPI smoke tests (PAT auth, CRUD ops) + browser tests (Playwright login, upload, workflow)

How a run works

An engineer runs /release-test-coverage <name> in Claude Code. The skill queries JFrog for the latest gated chart versions, creates a plan JSON, pushes to git, uploads to S3, and starts the EC2 instance. The agent picks up the plan on boot and runs through all phases autonomously (8-10 hours for fresh, 6-8 for upgrade). An independent Opus 4.7 advisor reviews every terraform apply and helm upgrade before execution. Results go to Slack, S3, and this dashboard.