# Production Prompt Release Checklist

Use this before changing a prompt that affects customers, operations, regulated data, or business records.

## Prompt Metadata

- Prompt name:
- Feature:
- Owner:
- Reviewer:
- Current version:
- Candidate version:
- Model:
- Release date:

## Architecture

- System, developer, and user/context layers are separated.
- User-provided content is clearly delimited.
- Dynamic data is not stored in the system prompt.
- Templates are versioned in source control or a prompt service.
- Sensitive production traces are not committed to source control.

## Output Contract

- Output schema is defined.
- Empty, malformed, or partial output has a fallback path.
- The application validates output before taking action.
- Low-confidence or ambiguous cases escalate to a human.

## Safety

- Prompt injection risks were reviewed.
- Tool calls are scoped to allowed actions.
- Customer-visible, financial, legal, HR, or destructive actions require approval.
- Secrets and personal data are redacted from logs where required.

## Evals

- Regression set passed.
- Safety cases passed.
- Known previous failures remained fixed.
- Candidate did not reduce the primary quality metric beyond tolerance.

## Observability

- Prompt template name and version are logged.
- Model, latency, tokens, and cost are logged.
- Inputs and outputs are redacted or sampled according to policy.
- Post-release review owner is assigned.

## Rollback

- Previous version is available.
- Rollback can happen without code surgery.
- Stop condition is documented.
- On-call or owner knows how to disable the feature.

## Decision

- Approved:
- Approved by:
- Notes: