Cloud Approvals
ByteOr Cloud enforces approval workflows for governed actions. This page covers the Cloud-specific approval experience.
When Approvals Are Required
Approvals are required when the target environment posture or action type demands governed execution:
- Production deployments — deploying to environments marked as production
- Execute-mode replay — replaying against governed environments
- Capability-gated actions — actions requiring named capabilities
Operator Flow
- Prepare the pipeline version and config bundle
- Start the deployment or replay action
- Review the environment, spec hash, and required capabilities
- Select an eligible approval or obtain one from an authorized reviewer
- Submit the action with the approval attached
- Confirm the audit trail records the actor, scope, and decision
What Cloud Validates
The Cloud control plane rejects requests when:
- The signing key is unknown
- The signature is invalid
- The approval does not match the spec hash
- The approval targets the wrong environment
- The credential has expired
- The capabilities are insufficient
Deployment Approvals
Before approving a deployment, verify:
- The pipeline version is the expected canonical build
- The config bundle matches the intended environment
- The deployment target environment is correct
- The approval scope covers the deployment action
Replay Approvals
Execute-mode replay reuses deployment-style approval checks:
- Source artifact from the expected environment
- Pipeline version matches the incident spec hash
- Approval scope valid for replay execution
Dry-run replay does not require execute privileges.
Best Practices
- Prefer short-lived approvals over broad standing coverage
- Use dry-run replay before requesting execute-mode approval
- Verify the spec hash and environment before requesting approval
- Review audit records after high-risk actions
- Treat missing audit trails for approval-sensitive actions as product defects