Gastown Feature Flags & Progressive Rollout

[jrf0110]

Parent

Part of #204 (Phase 3: Multi-Rig + Scaling)

Problem

Gastown is currently gated behind a binary is_admin check (#537). This is fine for internal development, but there's no path from "admins only" to "generally available" that doesn't involve a single big-bang flip. We need progressive rollout capabilities so we can:

1. Open Gastown to specific non-admin users/orgs for early testing
2. Roll out to a percentage of users
3. Instantly kill-switch back to admin-only if something goes wrong
4. Run different rollout stages for different Gastown surfaces (e.g., town creation open but convoy features still gated)

Goals

• Replace the binary is_admin gate with a feature flag system that supports progressive rollout
• Support rollout stages: admin-only → allowlist → percentage → GA
• Provide a kill-switch that immediately reverts to admin-only
• Gate at multiple layers: UI visibility, tRPC access, worker API access, container dispatch
• Keep the exact flag technology decision open — this should work whether we use LaunchDarkly, Cloudflare Feature Flags, a simple DB-backed system, or anything else

Rollout Stages

Stage 0: Admin-only (current state via #537)

Only is_admin users can see or use Gastown. This is where we are today.

Stage 1: Allowlist

Specific users or orgs are granted access alongside admins. Useful for design partners, early beta testers, friendly customers.

Stage 2: Percentage rollout

A configurable percentage of users (by user ID hash or org ID hash) get access. Percentage can be ramped up or down.

Stage 3: GA

Flag is removed, Gastown is available to all users.

Kill-switch

At any stage, an admin can instantly revert to Stage 0. All non-admin access is cut. In-flight operations (running agents, active containers) should continue — the kill-switch gates new access, not existing sessions.

What Needs to Be Gated

Surface	Current gate	Flag integration point
Next.js /gastown/* pages	is_admin redirect	Page middleware / layout guard
Gastown tRPC procedures	gastownAdminProcedure	Procedure middleware
Gastown worker HTTP API	CF Access + admin check	Request-level middleware
Sidebar nav items	is_admin conditional render	Component-level check
Town creation	Implicit (can't reach UI)	Explicit flag check on createTown
Container dispatch	None	Optional — could gate to prevent new containers for flagged-off users

Sub-Feature Flags

Beyond the top-level "can use Gastown" flag, individual features within Gastown should be independently flaggable:

• Convoy creation — gate gt_sling_batch and convoy UI
• PR merge strategy — gate the pr option, default everyone to direct
• Multi-rig — gate adding a second rig to a town
• Molecule/formula system — gate molecule creation tools

These sub-feature flags allow us to ship Gastown to GA while keeping newer/riskier features in staged rollout.

Acceptance Criteria

• Feature flag integration that supports admin-only, allowlist, percentage, and GA stages
• Top-level Gastown access flag replacing the is_admin gate from Gate Gastown UI to Kilo admins only #537
• Kill-switch that reverts to admin-only instantly
• Flag checks at all gate points: pages, tRPC, worker API, nav items
• Sub-feature flags for at least: convoys, PR merge strategy, multi-rig
• Flag evaluation is fast (no blocking network calls on every request — cache or edge-evaluate)
• Admin UI or config surface to manage flag state and allowlists
• Flag state changes are audit-logged

Notes

• No data migration needed — cloud Gastown hasn't deployed to production
• The specific feature flag technology is intentionally left open — this issue defines the requirements and integration points, not the vendor/tool choice
• The current is_admin gate (Gate Gastown UI to Kilo admins only #537) becomes Stage 0 of this system — it doesn't need to be ripped out, just wrapped
• Kill-switch should not terminate running agents or destroy active towns — it only prevents new access
• Flag evaluation should be org-scoped where possible (if one user in an org has access, all users in that org should)