> ## Documentation Index
> Fetch the complete documentation index at: https://docs.duvo.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Promote to Production

> The pre-promotion checklist, how to switch on a schedule or trigger, soft-launch options, team access, and the runbook to hand an agent over to your team.

Before you turn on a schedule or trigger and hand an agent over to your team, run through this guide. It covers the decisions and steps that builders most often skip — and regret later.

The path from a tested build to a stable production agent follows a predictable flow.

```mermaid theme={"dark"}
flowchart TD
    A[Pre-promotion checklist] --> B[Switch on the schedule or trigger]
    B --> C[Soft-launch: volume cap, time window, or restricted source]
    C --> D[Share access and onboard operators]
    D --> E[Notifications and runbook in place]
    E --> F[Agent live in production]
    F -->|Something goes wrong| G[Toggle off the schedule, trigger, or connection]
    G --> H[Revert to the last known-good revision]
    H --> B
```

## Pre-Promotion Checklist

Work through this list before enabling any schedule or trigger. Each item represents a category of surprise that commonly appears in the first week of production use.

### Testing signed off

* At least three end-to-end test Runs have run without unexpected failures.
* HITL approval gates have been exercised — you have seen real approval requests, denied one, and confirmed the agent handles denial gracefully.
* Edge cases identified during testing have been handled in the AOP or accepted as known gaps.
* The run debugger shows no unexplained errors in recent Runs.

See [Guardrails for High-Risk Automations](/user-guide/security/high-risk-guardrails) for risk scoring and shadow-mode testing guidance before going live with high-stakes agents.

### Connections scoped to production Logins

* All connections in the agent point to production accounts, not personal or sandbox accounts.
* Logins and Secrets used by the agent belong to a service account or shared Login where appropriate — not a personal user account that could be disabled.
* Connection permissions are scoped to the minimum required. An agent that only reads data from Salesforce does not need write permissions.

### Human-in-the-Loop coverage validated

* Every action that is irreversible, expensive, or externally visible has an approval gate.
* Approval descriptions give reviewers enough context to decide without opening another system.
* Escalation paths are defined: what happens if a request is ignored for 24 hours, or denied twice.

### Cost and latency within target

* Estimated cost per Run is acceptable for the expected Run frequency.
* Typical Run duration fits within the business process SLA (for example, a nightly report that takes four hours is a problem if stakeholders expect it before 08:00).
* If cost or duration is higher than expected, investigate before going live rather than hoping it improves.

### Owner and escalation contact named

* One named person is responsible for this agent in production.
* That person knows they are the owner and understands what the agent does.
* A backup contact is identified for when the primary owner is unavailable.

### Rollback path documented

* The previous working revision is identified and accessible via [Agent Versions](/user-guide/advanced/assignment-versions).
* The team knows how to pause the schedule or trigger — and who is allowed to do it.

## Switching On the Trigger or Schedule

Enable the schedule or trigger only after the checklist above is complete.

<Tabs>
  <Tab title="Schedule">
    <Steps>
      <Step title="Open the agent" icon="folder-open">
        Open the agent.
      </Step>

      <Step title="Open the schedule controls" icon="calendar">
        Click the **Schedule** button (or calendar icon) in the agent header.
      </Step>

      <Step title="Set the frequency" icon="clock">
        Set the frequency. See [Scheduling Agents](/user-guide/assignment-features/scheduling-assignments) for all options.
      </Step>

      <Step title="Save the schedule" icon="save">
        Click **Add schedule** to save.
      </Step>
    </Steps>

    The agent now runs automatically. Scheduled Runs appear in the Runs list with a clock icon so you can distinguish them from manual runs.
  </Tab>

  <Tab title="Trigger">
    <Steps>
      <Step title="Open the agent" icon="folder-open">
        Open the agent.
      </Step>

      <Step title="Open the Triggers tab" icon="zap">
        Click the **Schedule** button and select the **Triggers** tab (lightning bolt icon).
      </Step>

      <Step title="Configure the trigger source" icon="settings">
        Configure the trigger source — email, Slack message, file drop, status change, or webhook.
      </Step>

      <Step title="Save the trigger" icon="save">
        Save the trigger.
      </Step>
    </Steps>

    See [Event-Driven Triggers](/user-guide/assignment-features/event-driven-triggers) for setup details by trigger type.
  </Tab>
</Tabs>

### Soft-launch options

Running at full volume immediately is rarely the right move. Consider these options for the first days of production:

**Volume cap** — Add an explicit cap to the AOP to limit how many records or actions the agent processes per Run. Once you are confident it is behaving correctly, remove the cap.

```
Process at most 10 records per Run for the first two weeks.
Log a message if the cap is reached: "Volume cap active — [count] records processed."
```

**Time-window restriction** — Limit write operations to business hours so a human can respond quickly if something goes wrong.

```
Only perform write actions between 08:00 and 18:00 Monday–Friday.
Outside these hours, queue the action and process it at 08:00 on the next business day.
```

**Restricted source** — If the agent handles inbound events (emails, Slack messages, file drops), configure the trigger to accept events from one team or channel before expanding to all.

### Toggling off in seconds

If something goes wrong, you can stop the agent immediately:

* **Disable a schedule**: Open the agent, go to Schedule, and toggle the schedule off. Runs already running continue to completion; no new Runs start.
* **Disable a trigger**: Open the agent, go to Triggers, and disable the trigger. No new Runs are created from that trigger.
* **Revoke a connection**: Go to the Connections page, find the connection, and disconnect it. The agent fails immediately if it tries to use that connection — the fastest way to stop a write-heavy agent when you are not sure whether damage is still occurring.

## Sharing Access with Your Team

### Roles required

| What the person does                         | Minimum role needed                 |
| -------------------------------------------- | ----------------------------------- |
| Builds and edits the agent                   | Builder (for own agents) or Manager |
| Reviews and approves HITL requests           | Member                              |
| Monitors own Run results                     | Member                              |
| Views all team Run results and Team Insights | Administrator                       |
| Changes the agent AOP or schedule            | Manager or higher                   |
| Manages team members and permissions         | Administrator or higher             |

See [Roles and Permissions](/user-guide/teams/roles-and-permissions) for the full permissions matrix.

### Memory scope decisions

If the agent uses [Agent Memory](/user-guide/assignment-features/assignment-memory), decide before going live whether memory should be per-user or shared across the team:

* **Per-user memory**: Each person who runs the agent starts from their own memory context. Best for personal productivity agents where each user's context is independent.
* **Shared memory**: All runs read from and write to the same memory context. Best for team workflows where state needs to persist across different users triggering the agent.

<Warning>
  Changing memory scope after an agent has been running in production can cause unexpected behavior. Make this decision before the first production run.
</Warning>

### Logins and Secrets access

* Logins and Secrets used by the agent must be accessible when the agent runs — not locked to a personal account.
* If operators will trigger the agent manually, confirm they can see the agent in their workspace.
* If the agent uses a login stored in your personal vault, consider moving it to a shared or service Login before going live.

### Onboarding operators

The people who will trigger and monitor the agent — but did not build it — need a short handoff. Cover:

<Steps>
  <Step title="Explain what the agent does" icon="info">
    What the agent does and what triggers it.
  </Step>

  <Step title="Show where to find Runs" icon="list">
    Where to find Runs and how to read the status indicators.
  </Step>

  <Step title="Show how to respond to HITL requests" icon="user-check">
    How to respond to HITL requests in [Requests](/user-guide/assignment-features/requests).
  </Step>

  <Step title="Name the escalation contact" icon="phone">
    Who to contact if something looks wrong.
  </Step>

  <Step title="Show the emergency pause" icon="octagon-x">
    How to pause the agent in an emergency (see above).
  </Step>
</Steps>

## Notifications and Runbook

### Where alerts go

Configure at least one notification path before going live. Options include:

* **Slack**: Have the agent post a summary to a team channel after each run.
* **Email**: Use a Gmail or Outlook connection to send a status email to the owner.
* **HITL escalation**: Set a fallback in the AOP to create a HITL request if the Run fails, so the owner sees it in Requests.

Add the notification step directly to the AOP so it runs automatically.

### Runbook template

Copy and fill in this template before the agent goes live. Keep it somewhere the whole team can find it.

```
Agent: [Name]
Owner: [Name, contact]
Backup contact: [Name, contact]
What it does: [One sentence]
Runs: [Frequency or trigger]
Typical duration: [e.g., 5–10 minutes]
Typical cost per run: [e.g., $0.08]

Failure response:
1. Check the run debugger for the failed Run to identify which step failed.
2. If a Connection is down, check the third-party service status page.
3. If the AOP logic failed, revert to the previous revision via Agent Versions.
4. Notify [stakeholder] if more than [N] Runs fail in a 24-hour window.

Pause procedure:
1. Open the assignment.
2. Disable the schedule or trigger.
3. Notify [Slack channel / email list] with a brief explanation.

Rollback procedure:
1. Open the assignment.
2. Go to the revision selector in the builder toolbar.
3. Select the last known-good revision.
4. Re-enable the schedule or trigger.
5. Monitor the next two Runs manually.
```

## Assigning Owners

Every production agent needs a named owner. Ownership is not the same as the team role — it is an informal accountability designation that complements the permissions model.

### Owner types

| Role              | Responsibility                                                                                                              |
| ----------------- | --------------------------------------------------------------------------------------------------------------------------- |
| **Build owner**   | Responsible for the AOP, connections, and making changes. Usually the Builder or Manager who created the agent.             |
| **Ops owner**     | Responsible for day-to-day monitoring, HITL responses, and escalation. This may be a different person from the build owner. |
| **HITL operator** | Handles approval requests in Requests. There can be multiple operators covering different time zones.                       |

### Escalation when the owner is unavailable

Define the escalation path before the agent goes live:

1. **Primary owner** — first contact for any issue.
2. **Backup owner** — covers when the primary is OOO. Must have at least Manager role.
3. **Escalation Manager** — for issues the backup cannot resolve. Has permission to pause, revert, or disable the agent.

The "owner of last resort" pattern: designate one Administrator who can take emergency action on any agent regardless of who built it. This person does not need to be involved day to day — they exist so there is always someone who can act.

### When ownership changes

When the build owner changes roles or leaves the team:

<Steps>
  <Step title="Transfer Logins and Secrets" icon="key">
    Transfer the relevant Logins and Secrets to the new owner's access or to a shared Login.
  </Step>

  <Step title="Update the runbook" icon="file-pen">
    Update the runbook with the new owner's contact details.
  </Step>

  <Step title="Schedule a handoff session" icon="users">
    Schedule a handoff session so the new owner understands the agent's AOP and known edge cases.
  </Step>

  <Step title="Have the new owner run a manual Run" icon="play">
    Have the new owner run at least one manual Run before the next scheduled run.
  </Step>
</Steps>

## What's Next?

Your agent is live. The first week is the highest-risk period — monitor it closely before settling into a routine cadence.

<CardGroup cols={2}>
  <Card title="Test Safely Before Going Live" icon="shield-check" href="/user-guide/getting-started/test-safely">
    The testing checklist and environment separation patterns that feed into this guide.
  </Card>

  <Card title="Guardrails for High-Risk Automations" icon="shield-alert" href="/user-guide/security/high-risk-guardrails">
    Apply the right controls before enabling autonomous write operations.
  </Card>

  <Card title="Agent Versions" icon="git-branch" href="/user-guide/advanced/assignment-versions">
    How to review and revert to a previous revision.
  </Card>

  <Card title="Designing Human-in-the-Loop Workflows" icon="user-check" href="/user-guide/assignment-features/hitl-design">
    Risk tiers, approval shapes, and escalation chains.
  </Card>

  <Card title="Requests" icon="inbox" href="/user-guide/assignment-features/requests">
    Where HITL requests land and how to respond.
  </Card>

  <Card title="Team Insights" icon="chart-line" href="/user-guide/analytics/team-insights-overview">
    Run volume, failure rates, and cost trends across your team.
  </Card>
</CardGroup>
