Model Versioning & Deployment

The previous lesson ended with a precision candidate blocked until a target-GPU profile could prove its speed and stability. Suppose that missing profile now passes. You still don't have something safe to deploy. A live answer can change because of weights, a support gate, a prompt, a tokenizer, a policy, a container image, or a schema.

For the delivery-support system you've been building, deployment means answering one exact question: which complete, evaluated release produced this response, and how quickly can traffic return to the last known good release?

A release is more than model weights

The service now contains an answer model plus the carrier-evidence-classifier-v2 gate trained in the previous lesson. That gate blocks answers whose delivery claim isn't supported by a carrier scan. If you roll back only its weights but leave a newer prompt or policy active, you haven't restored previous behavior.

This is the release-bundle idea: store every input that can change visible output or operational safety in one immutable manifest. ML systems accumulate hidden dependencies between data, code, configuration, and serving infrastructure; deployment records need to make those dependencies reviewable.^[1][2]

Start with two full bundles. stable represents what's serving today. candidate changes the evidence gate after the profiled BF16 training run has passed outside the previous lesson's blocked fixture.

A version name such as v2 is useful for people, but it doesn't prove contents stayed fixed. The next cell derives identity from the canonical manifest. Change a prompt or image digest and the release ID changes too.

This lab abbreviates each SHA-256 digest to 12 hexadecimal characters so the state transitions stay readable. A production registry should retain the full digest as identity and use short prefixes only for display.

Artifacts stay fixed; aliases move

A registry record stores an immutable bundle. An alias such as production or canary is a mutable pointer used by traffic. This separation is what makes rollback simple: preserve both bundles and move the pointer back.

MLflow's current Model Registry workflow provides version aliases and tags, and its documentation marks fixed Model Stages as deprecated. That distinction matters: a model version is history; an alias expresses the current deployment decision.^[3]

The small registry below enforces that rule. register() keeps a deep copy of the bundle, and move_alias() only points at a registered ID.

Promotion begins with controlled evidence

Registration isn't approval. Continuous delivery for machine learning adds evaluation and monitoring to ordinary build-and-deploy practices because a valid artifact can still produce unacceptable behavior.^[4]

In this running system, don't introduce a generic "quality score" after spending several lessons defining a grounded support contract. The release gate should use the same measurements the incident, evaluation, and experiment lessons established:

• supported_evidence_f1 measures whether supported delivery claims are served correctly.
• unsupported_serve_count must remain zero in the frozen high-risk suite.
• p95_latency_ms prevents a behaviorally acceptable gate from breaking the response budget.
• Schema and evaluation-suite hashes prevent incomparable evidence from entering the decision.

Passing the offline gate permits further evaluation; it doesn't immediately replace production. Open a canary alias while production still points to the known-good bundle.

Managed models need a documented pin

When your team owns weights, a digest can identify them directly. If a service calls a hosted model, the bundle must instead record the strongest fixed identifier that provider documents. For example, OpenAI model pages that expose snapshots describe snapshots as locking a particular model version for consistent behavior.^[5]

This matters because a provider can change the model behind a name you thought was stable, shifting your outputs with no deploy on your side. A controlled study comparing the March and June 2023 releases of GPT-4 and GPT-3.5 reported large behavior swings on the same tasks between snapshots, so the "same" service was not always the same service.^[6] Pinning a documented snapshot reduces that risk but doesn't remove it: snapshots get deprecated, and a golden-set monitor against production still earns its keep.^[7]

Don't generalize that guarantee to every provider or every alias. Verify the exact provider documentation, store the chosen model identifier in the bundle, monitor deprecation notices, and rerun release gates before changing it.

Shadow evaluation must be read-only

Offline fixtures can't cover every real request shape. A shadow sends a sanitized copy of a production request to the candidate while the stable release alone supplies the user-visible answer. It can reveal latency or evidence-support problems without exposing the candidate's text to customers.

The critical safety rule is easy to miss: a shadow isn't permitted to execute tools, send messages, change orders, or write customer state. Its output is evaluation data only. The envelope below also redacts an order identifier before queuing the shadow request.

In a deployed service, enqueue this envelope to a bounded worker queue and count dropped or failed comparisons. Don't start an untracked background task in request scope and assume its evaluation record will survive process restarts.

The boolean in this teaching envelope is metadata, not an authorization boundary. Its worker still needs a read-only tool allowlist and credentials that can't write production state. Reject a shadow request if it asks for a side effect.

Canary traffic is visible and sticky

Shadow results can justify limited exposure, not automatic promotion. A canary sends a small share of real conversations to the candidate and returns those candidate responses to users. For conversational systems, one thread must remain on one bundle throughout the rollout. Otherwise a user can receive conflicting answers from stable and candidate releases in adjacent turns.

Use deterministic hashing of a conversation ID to choose new conversations reproducibly across workers. Python's built-in hash() is intentionally process-dependent, so it's the wrong bucketing function for that job. Hashing alone isn't enough, though: when canary traffic widens from 1% to 10%, the higher threshold could move an existing conversation from stable to candidate. Persist the first resolved release ID for the conversation lifetime.

The dictionary is a teaching fixture. A real router persists assignments in conversation state or a rollout store, expires them when each conversation ends, and records the resolved release ID in traces. Stickiness is normal-routing behavior, not permission to keep serving a failed candidate: an abort must override it.

A canary window answers a new question

Offline evidence proves behavior on frozen examples. A live window tests traffic mix, serving latency, error rate, and evidence failures under actual request volume. Define those thresholds before sending any candidate traffic.

Abort a canary; roll back a promotion

These actions sound similar but refer to different alias states:

• If the candidate fails while only the canary alias receives traffic, abort the rollout. production never moved.
• If a candidate was already promoted and later fails, roll back by repointing production to the retained stable release.

Keeping the distinction explicit prevents an incident report from claiming production was rolled back when the candidate was never production.

Real progressive-delivery controllers encode the same operational mechanics. Argo Rollouts supports weighted canary steps and pauses; its background analysis can abort an unsuccessful rollout. With traffic routing, keeping the stable replica set available allows traffic to move back immediately on abort, at the cost of additional capacity during rollout.^[8]

Record the decision a later engineer can reconstruct

A pipeline that moves aliases but doesn't persist why it moved them still creates mystery during an incident. Store the release IDs, evidence references, gate verdicts, rollout windows, and final alias state as append-only events.

The candidate below is correctly rejected for production after its 10% canary window serves unsupported delivery claims. The release isn't deleted. It remains available for diagnosis, while traffic stays with the known-good bundle.

Where this maps to production systems

The lab deliberately uses plain Python so the state transitions are visible. A deployed stack usually splits the same responsibilities:

Feature flags remain useful, but their values must resolve to registered immutable release IDs. A flag that points at an arbitrary model name makes rapid changes easy and incident reconstruction impossible.

Mastery check

Key concepts

• Release bundle: all pinned components that determine served behavior and operational compatibility.
• Release ID: a content-derived identity for one immutable bundle.
• Alias: a movable traffic pointer such as production or canary.
• Offline gate: comparable controlled evidence required before any user exposure.
• Shadow: read-only candidate evaluation on sanitized production-shaped traffic.
• Canary: limited user-visible candidate traffic with predefined live thresholds.
• Abort versus rollback: stop a not-yet-promoted candidate versus restore production after promotion.

Practice tasks

1. Add corpus_version to ReleaseBundle. Show that a new policy-document snapshot creates a different release ID even if weights and prompts remain fixed.
2. Add a gate that blocks candidates with a missing gate_training_run. Explain why this prevents a registered model from escaping experiment lineage.
3. Add a rollback_ready check that refuses canary exposure unless the stable serving target is healthy and warm.
4. Write a release trace for a candidate that passes at 1% and 10%, is promoted, then rolls back after a latency incident at 100%.

Evaluation rubric

• Foundational: Explains why weights alone don't identify served behavior and names the prompt, policy, tokenizer, runtime, schema, and evidence suite as bundle dependencies.
• Foundational: Distinguishes an immutable release ID from mutable production and canary aliases.
• Intermediate: Implements a controlled offline gate that compares the candidate against the declared support and latency contract.
• Intermediate: Explains why shadow execution is read-only and why canary routing must be sticky by conversation.
• Advanced: Distinguishes a canary abort from a production rollback using alias state and retained evidence.
• Advanced: Produces an append-only decision record from which an incident reviewer can reconstruct what was exposed and why traffic stayed or moved.

Self-check questions

Common pitfalls

Only weights are versioned

Symptom: A rollback restores model files, but answers still differ from the last known good release. Cause: Prompt, policy, tokenizer, schema, or serving image continued to float. Fix: Content-address the complete release bundle and log its resolved ID per request.

Offline metrics change between candidates

Symptom: Candidate appears better, but its score came from a newer or easier evaluation suite. Cause: Promotion compared different evidence contracts. Fix: Pin eval_suite in the bundle and reject evidence produced for another suite.

Shadow evaluation performs actions

Symptom: A candidate that users never saw still duplicates a workflow action or touches customer state. Cause: Shadow execution reused the live tool path instead of a read-only evaluation path. Fix: Disable side effects in the shadow envelope, sanitize payloads, and monitor dropped comparisons.

Conversation routing flickers

Symptom: One customer thread switches between answers during canary rollout. Cause: Request-level randomness, process-local hashing, or a widening threshold reassigns an existing thread. Fix: Use deterministic bucketing for new conversations, then persist the first resolved release ID for each conversation lifetime.

Rollback target is cold

Symptom: The pointer moves back immediately, but recovery still produces timeouts. Cause: The stable deployment was scaled down or unloaded too early. Fix: Keep stable capacity ready until the candidate passes burn-in, then test rollback in a drill.