AP-SAFE-002 - Safety Controls

Missing rollback plan for risky architecture change

Flags risky changes without rollback plan evidence.

warning, violation, No auto-fix

How to fix

  1. Add rollback steps to the ADR, runbook, or migration notes.
  2. Name the conditions that trigger rollback.
  3. Document any irreversible steps clearly.

What it means

The change appears architecture-impacting, but ArchPilot could not find rollback guidance.

Why it matters

Rollback plans reduce operational risk when architecture, data, or dependency changes behave unexpectedly.

Common causes

  • A migration plan lacks a rollback section.
  • Rollback notes live outside the repository.
  • The change was treated as low-risk even though it affects a core boundary.

Example bad pattern

A data ownership migration has no rollback or pause criteria.

Example good pattern

The ADR includes rollback steps, owner, trigger conditions, and validation checks.
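
An added example, not ArchPilot's own code or detection logic: a small pre-merge check that finds the rollback section of an ADR and reports which elements of the good pattern are absent. The heading and keyword patterns, the function names, and both sample ADRs are assumptions constructed for illustration.

```python
import re

# The four elements named in the good pattern above. The keyword patterns are
# assumptions made for this example, not ArchPilot's detection logic.
REQUIRED = {
    "steps": re.compile(r"^\s*(\d+\.|[-*])\s+\S", re.M),
    "owner": re.compile(r"\bowner\b", re.I),
    "trigger conditions": re.compile(r"\b(trigger\w*|roll ?back (if|when))\b", re.I),
    "validation checks": re.compile(r"\b(validat|verif)\w*", re.I),
}
HEADING = re.compile(r"^(#{1,6})\s+(.*)$", re.M)


def rollback_section(adr_text):
    """Return the body under the first heading mentioning rollback, or None."""
    heads = list(HEADING.finditer(adr_text))
    for i, h in enumerate(heads):
        if re.search(r"roll\s?-?back", h.group(2), re.I):
            # The section runs to the next heading of the same or a higher level.
            end = next((n.start() for n in heads[i + 1:]
                        if len(n.group(1)) <= len(h.group(1))), len(adr_text))
            return adr_text[h.end():end]
    return None


def missing_elements(adr_text):
    """List what a reviewer would still ask for; an empty list means complete."""
    body = rollback_section(adr_text)
    if body is None:
        return ["rollback section"] + list(REQUIRED)
    return [name for name, pat in REQUIRED.items() if not pat.search(body)]


# Constructed sample ADRs for a data ownership migration.
BAD_ADR = """# ADR 12: Move order data to billing service
## Decision
Billing becomes the owner of the orders table.
## Migration
1. Dual-write orders.
2. Cut reads over to billing.
"""
GOOD_ADR = BAD_ADR + """## Rollback
Owner: billing on-call
Trigger: roll back if write error rate exceeds 1% for 10 minutes.
1. Disable the dual-write flag.
2. Point reads back to the orders service.
Validation: verify row counts match in both stores.
Irreversible: none; the old table is kept until validation passes.
"""
```

Only text inside the rollback section counts, so an owner or numbered list mentioned elsewhere in the ADR does not satisfy the check.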

Related files/config

  • docs/adrs
  • docs/runbooks
  • db/sql

Related CLI commands

  • archpilot validate
  • archpilot validate --ci