PATTERN Cited by 1 source
Rollout escape hatch
A time-bound, individual-scope safety valve that users flip themselves when a new enforcement blocks them during rollout — reverts their node to the prior, non-enforcing behaviour while security / platform investigates and adds rules. Retired when the rollout hits 100% coverage.
Different from sibling safety-valve patterns:
- patterns/fast-rollback — platform-scope, operated by the rollout owner, reverts the whole fleet.
- patterns/emergency-bypass — individual-scope but permanent, for incident-response workflow that skips normal gates even in steady state.
- Rollout escape hatch — individual-scope, temporary, operated by the affected user, retired at rollout completion.
Shape
- One command. The user runs a single, documented command — a Slack slash-command, a CLI subcommand, a support-portal button — to flip their own node back to the pre-enforcement mode. No ticket, no waiting.
- Scoped to the invoker's device / account only. The fleet stays in lockdown; only the one invoker's machine reverts. Other users cannot be protected by this command.
- Audited and observable. Every use is logged with actor + time + reason (optional free-text). Dashboards surface escape-hatch usage in real time — it's the clearest rollout-pain signal the team has.
- Time-bound from the start. The command exists because rollout is in progress; the retirement date is announced when the command is launched.
- Paired with rule-addition workflow. Every escape-hatch invocation is a work item: add the rule that would have prevented this invocation, and close the loop with the user ("we've added rules for X, let us know if you hit blocks again").
- Retired at 100% coverage. Once all cohorts are in enforcement mode and the tail has had a hardening sweep, remove the command. If the rollout-end population still genuinely needs bypass capability, that's now a proper steady-state patterns/emergency-bypass with stricter gates (documented justification, on-call only, etc.) — a new design, not a leftover.
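The Shape above as a minimal handler, written as an added example (not Figma's or Santa's code): one self-service command that refuses once the announced retirement date has passed, reverts only the invoker's own device, records actor/time/reason, and exposes per-cohort telemetry for the advance-or-pause decision. The device inventory, cohort names and dates are constructed.

```python
"""Rollout escape hatch: self-service, per-device, time-bound revert to monitoring."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone


def utc(iso: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed inventory: device -> (owner, rollout cohort). Assumed to come from
# the fleet's device-trust / MDM system in a real deployment.
DEVICES = {
    "mbp-0142": ("alice", "cohort-50"),
    "mbp-0377": ("bob", "cohort-98"),
    "mbp-0911": ("carol", "cohort-98"),
}
# Retirement date, announced when the command launched (constructed value).
RETIREMENT = utc("2026-06-01T00:00:00")


@dataclass
class EscapeHatch:
    modes: dict = field(default_factory=lambda: {d: "lockdown" for d in DEVICES})
    audit_log: list = field(default_factory=list)

    def disable(self, actor: str, device: str, reason: str = "", now=None):
        """Handle a '/santa disable'-style request. Returns (ok, message)."""
        now = now or datetime.now(timezone.utc)
        if now >= RETIREMENT:  # time-bound: refuse once the rollout is complete
            return False, "escape hatch retired; use the emergency-bypass process"
        owner, cohort = DEVICES.get(device, (None, None))
        if owner != actor:  # individual scope: only the invoker's own device
            return False, "you can only revert enforcement on your own device"
        self.modes[device] = "monitoring"  # enforcer keeps running, stops blocking
        self.audit_log.append({  # audited: actor + time + reason, plus cohort
            "actor": actor, "device": device, "cohort": cohort,
            "time": now.isoformat(), "reason": reason,
        })
        return True, f"{device} in monitoring mode until {RETIREMENT.date()}"

    def pain_by_cohort(self) -> Counter:
        """Telemetry for the advance-or-pause decision: invocations per cohort."""
        return Counter(e["cohort"] for e in self.audit_log)
```

Each entry in `audit_log` is also the rule-addition work item the pattern calls for: the reason field tells the platform team which block to investigate and which user to close the loop with.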
Why this is a pattern and not a gap
Without an explicit escape hatch during rollout:
- Users blocked by an enforcement they don't know the rules for either file a ticket and wait (productivity cost) or work around it (downloading the blocked app from a different machine, running off-fleet, etc. — security posture erodes unofficially).
- The rollout owner has no clean read on "how many users this is hurting" beyond ticket volume — a lagging, lossy signal.
- A fleet-wide rollback is too heavy an intervention for one team's edge case, so the team in pain gets stuck.
An official escape hatch converts the signal from anecdotal tickets into machine-readable telemetry and gives the platform team a clear signal of which cohorts need more rule work before advancing.
Seen in
- sources/2026-04-21-figma-rolling-out-santa-without-freezing-productivity — Figma's Santa rollout exposed /santa disable as a Slack slash-command. Any user running it flipped their own machine back to monitoring mode (enforcer still running, just not blocking). Command retired at 100% cohort, when lockdown mode was promoted to part of the Endpoint Security Baseline (ESB) — out-of-compliance = blocked from internal systems. The 98% cohort hardening pause explicitly investigated /santa disable invocations and added the rules needed to let those users succeed in lockdown. Canonical wiki instance.
Contrast
- patterns/emergency-bypass — different scope: permanent, steady-state, gated by role + ticket. Rollout escape hatch is broader (any affected user) but narrower (only during rollout) and typically less gated (the whole point is no ticket required).
- patterns/fast-rollback — different scope: platform-wide, one operator, undoes the rollout itself.
- patterns/golden-path-with-escapes — end-state concept: the rollout escape hatch is a rollout-phase escape that later becomes unnecessary, while golden-path escapes are the permanent customisation surface for specialised needs.
Related
- patterns/cohort-percentage-rollout — the rollout shape this pattern is mandatory for; the percentage rollout's cohort advance-or-pause decision depends on escape-hatch telemetry.
- patterns/data-driven-allowlist-monitoring-mode — provides the "prior behaviour" that the escape hatch temporarily restores.
- patterns/emergency-bypass — the steady-state cousin.
- patterns/fast-rollback — the fleet-wide cousin.
- patterns/staged-rollout — the general rollout frame.