the pipeline · the hotfix path
The hotfix path — when rules are broken explicitly
The volume says: no production changes outside the pipeline. Full artifacts before pull. Three confirmations before merge. These are the right defaults. They are also rules that teams will need to break — and the discipline is breaking them explicitly and safely, rather than silently and dangerously.
The P0 hotfix
A production incident is active. Users are affected. The fix is identified. The normal pipeline takes 45 minutes. The abbreviated path:
- Branch from trunk. Fix. Write the minimum test that proves the fix works.
- Abbreviated review: tech lead + one other developer. Not three confirmations — two technical eyes on the code, confirming it doesn't make things worse.
- Merge and deploy through the pipeline — the pipeline still runs, it is not bypassed. The stages still catch regressions.
- Backfill within 24 hours: the full review happens after the incident is resolved. The PO confirms the fix doesn't violate the brief. QA adds the missing scenario. The designer checks for UI impact. The abbreviated review becomes a full review, retroactively.
Emergency flag disable
The fastest rollback: disable the feature flag. This does not go through the pipeline — it is a runtime configuration change. The feature disappears for users. Investigation happens in staging. The fix, when found, goes through the normal pipeline. The flag is re-enabled only after the fix passes staging.
Partial readiness
Sometimes a story is 80% ready but the remaining 20% is blocking the team's flow. The discipline from Part One applies: name the gap, record it on the card, decide whether to shape inline or defer. If the story is pulled with a named gap, the gap becomes a task that blocks the PR — the story cannot merge until the gap is filled. This is not an exception to the chain. It is the chain working at a lower confidence level, with the risk made visible.
The principle: every exception is named, recorded, and backfilled. An exception that is not recorded is not an exception — it is a gap in the chain that nobody will find when the bug it produces arrives six weeks later, the postmortem has no trail to follow, and the team makes the same decision again from scratch.