Istari Deploy Agent

Autonomous release validation for the Istari platform. Runs overnight on EC2 with Claude Code, testing fresh installs and upgrades against the CS sandbox before shipping to customers.

What does the deploy agent test?

Before every platform release ships to customers, the deploy agent runs two full deployment cycles on the CS sandbox (AWS account 669640508343). Each cycle exercises the complete Istari infrastructure and application stack.

1. Fresh Install
   Tears down everything and rebuilds from scratch: EKS cluster, RDS, ALB, DNS, Zitadel, platform helm chart, SCS, MCP, SpiceDB. Validates the full "day one" customer experience.
2. Upgrade Path
   Deploys the previous release, then upgrades to the new one. Tests helm upgrade, database migrations, subchart activation, and verifies existing data survives.
3. Smoke Tests
   API tests (httpx + PAT auth) and browser tests (Playwright) run against the live deployment. Login, create system, upload file, verify workflows.
4. Report
   Results posted to Slack, logs archived in S3, artifacts committed to git. Both a fresh install and upgrade must pass before the release ships.

What each phase validates

Phase  Name          What it tests
01     Teardown      Clean destruction of previous deployment (terraform destroy, namespace wipe)
02     Env Setup     VPC discovery, subnet validation, AWS provider configuration, existing resource detection
03     EKS Apply     EKS cluster creation in BYOVPC, node groups, OIDC provider (fresh install only)
04     Pull Secret   JFrog registry pull secret creation, image pull verification
05     Full Apply    Complete terraform: RDS PostgreSQL, S3 buckets, IAM roles, security groups, KMS (fresh only)
06     ALB+DNS       Application Load Balancer, ACM certificate, Route53 DNS records (fresh only)
07     Configurator  Zitadel identity: organization, admin user, OIDC clients for frontend/registry/MCP
08     Secrets       Kubernetes secrets for frontend, registry service, fileservice, OIDC credentials
08u    SCS           Secure Connection Service: S3 inbox/outbox, database schema, Zitadel client, secrets
09     Platform      Helm install/upgrade of the platform chart with all subcharts enabled
10     Verify        All pods running, readiness probes passing, no crash loops, resource utilization normal
11     MCP           MCP service enablement, health endpoint, AI chat connectivity
12     SpiceDB       Connection pool hardening, dispatch authority, permission resolution latency
13     Validate      HTTPS endpoints responding, TLS certificates valid, authentication flow working
14     Smoke         API smoke tests (PAT auth, CRUD ops) + browser tests (Playwright login, upload, workflow)
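
The rule that both a fresh install and an upgrade must pass can be enforced as a fail-closed gate over the phase list above. The following is an added example, not the deploy agent's own code: the run-record layout, the status strings, the `rel-A` release name, and the assumption that upgrade runs skip exactly the phases marked "fresh only" are all hypothetical.

```python
# Added example; record layout and status strings are assumptions, not the agent's schema.
ALL_PHASES = ["01", "02", "03", "04", "05", "06", "07", "08", "08u",
              "09", "10", "11", "12", "13", "14"]
FRESH_ONLY = {"03", "05", "06"}  # marked "fresh only" in the phase table


def required_phases(run_type):
    """Phases a run of this type must have executed and passed."""
    if run_type == "fresh":
        return list(ALL_PHASES)
    if run_type == "upgrade":
        return [p for p in ALL_PHASES if p not in FRESH_ONLY]
    raise ValueError(f"unknown run type: {run_type!r}")


def run_failures(run):
    """Reasons this run does not count as a pass (empty list means pass)."""
    phases = run.get("phases", {})
    reasons = []
    for phase in required_phases(run["type"]):
        status = phases.get(phase)
        if status is None:
            reasons.append(f"phase {phase} missing")  # absent is not a pass
        elif status != "passed":
            reasons.append(f"phase {phase} {status}")
    return reasons


def release_gate(release, runs):
    """Ship only if the latest fresh AND upgrade runs for a release both pass."""
    blockers = []
    for run_type in ("fresh", "upgrade"):
        matching = [r for r in runs
                    if r["release"] == release and r["type"] == run_type]
        if not matching:
            blockers.append(f"no {run_type} run")
            continue
        # Assumes runs are ordered oldest to newest; only the latest counts.
        blockers += [f"{run_type}: {why}" for why in run_failures(matching[-1])]
    return (not blockers, blockers)


# Constructed sample: the upgrade run never reported phase 12 (SpiceDB).
SAMPLE_RUNS = [
    {"release": "rel-A", "type": "fresh",
     "phases": {p: "passed" for p in required_phases("fresh")}},
    {"release": "rel-A", "type": "upgrade",
     "phases": {p: "passed" for p in required_phases("upgrade") if p != "12"}},
]
```

A phase that is absent from a run's results blocks the release the same way a failed phase does, so a run that crashes or silently skips a step cannot be read as a pass.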

How a run works

An engineer runs /release-test-coverage <name> in Claude Code. The skill queries JFrog for the latest gated chart versions, creates a plan JSON, pushes to git, uploads to S3, and starts the EC2 instance. The agent picks up the plan on boot and runs through all phases autonomously (8-10 hours for fresh, 6-8 for upgrade). An independent Opus 4.7 advisor reviews every terraform apply and helm upgrade before execution. Results go to Slack, S3, and this dashboard.