Change Management Policy
Effective March 23, 2026. This policy governs how code changes, deployments, database migrations, and infrastructure updates are managed across the Oceum platform.
1. Version Control
All application source code is version-controlled in Git and hosted in a private GitHub repository. Every change is tracked with a full audit trail of commits, authors, and timestamps.
- All changes are committed with descriptive messages and co-author attribution where applicable.
- No code is deployed to production without first being committed to the repository.
- Branch protection rules prevent direct pushes to the main branch without review.
2. Continuous Integration & Continuous Deployment
Oceum uses a CI/CD pipeline to ensure code quality before any change reaches production.
- Automated Testing. GitHub Actions runs the full vitest suite (329 tests) on every push and pull request. Merges are blocked if tests fail.
- Dependency Auditing. `npm audit` runs automatically in CI to detect known vulnerabilities in third-party packages.
- Deployment. Deployments are handled via Vercel. Pushes to the main branch trigger automatic preview deployments. Production deployments require an explicit `vercel deploy --prod` command.
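The pipeline described above (tests on every push and pull request, `npm audit` in CI, merges blocked on failure, deterministic installs from the lock file) can be expressed as a single GitHub Actions workflow. The following is an added illustrative example, not Oceum's actual workflow file; it assumes a Node.js project with vitest as a devDependency and a committed `package-lock.json`, and the job names `test` and `audit` are chosen here for illustration:

```yaml
# Illustrative CI workflow (added example, not the project's own file).
# Assumed: Node.js project, vitest in devDependencies, package-lock.json committed.
name: ci

on:
  push:
  pull_request:

# Least privilege: these jobs only need to read the repository.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      # npm ci installs exactly the versions pinned in package-lock.json and
      # fails if package.json and the lock file disagree, so every environment
      # builds from the same dependency tree.
      - run: npm ci
      - run: npx vitest run

  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      # npm audit exits non-zero when it finds an advisory at or above the
      # given severity, which fails this job and therefore blocks the merge.
      - run: npm audit --audit-level=high
```

A failing job only blocks a merge if the `test` and `audit` checks are listed as required status checks in the branch protection rule for main; without that, a red check is advisory and a maintainer can still merge. `npm audit` scans devDependencies as well by default; add `--omit=dev` if only the shipped dependency tree should gate the merge.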
3. Deployment & Rollback
- Preview Deployments. Every pull request and branch push generates a unique preview URL for testing and review before production release.
- Production Deploys. Production deployments are manual and require explicit authorization from the founding team.
- Instant Rollback. Vercel maintains a full history of every deployment. Any previous deployment can be instantly promoted back to production with zero downtime.
4. Database Changes
- Migration Scripts. All database schema changes are defined as SQL migration scripts stored in the `scripts/` directory of the repository.
- Review Required. Every migration script is reviewed before it is executed against the production database.
- No Direct Modifications. There are no direct production database modifications. All changes go through versioned API endpoints or reviewed SQL scripts.
5. Dependency Management
- Security Monitoring. The Security agent monitors all package versions daily and alerts the team when dependencies drift from their latest stable versions.
- Lock File. `package-lock.json` is committed to the repository so that every environment installs the same dependency versions (deterministic builds).
- Update Policy. Security patches are applied within 48 hours of disclosure. Non-security updates are batched and reviewed weekly.
6. Emergency Changes
In the event of a critical security vulnerability or production outage, emergency changes may bypass the standard review process. Emergency changes must still be committed to Git and documented in a post-incident review completed within 24 hours.
7. Contact
Questions about this policy can be directed to hello@oceum.ai.