## Definition
**Match ceremony to blast radius** is a spec-ceremony calibration heuristic: the overhead of a formal specification process should scale with the potential damage of getting the change wrong. A typo fix needs no proposal; a public-API change does.
## The heuristic
Blast radius is the measure of how many things break — users, integrations, downstream agents, contracts — when a change is wrong. Low blast radius means the cost of a mistake is small and local; high blast radius means the cost propagates widely and is expensive to reverse.
The calibration rule follows directly: match the weight of your spec ceremony to this estimate.

| Blast radius | Typical change | Ceremony level |
|---|---|---|
| Low | Internal refactor, typo fix, private helper | None or a comment |
| Medium | New internal endpoint, isolated UI change | Spec-Anchored with named ACs |
| High | Public-API change, auth flow, schema migration | Spec-First with proposal + review |

A useful proxy for "high blast radius" is **low reversibility**: if the change is hard or impossible to undo once deployed, give it high ceremony regardless of apparent scope. This maps onto the [[SDD Spectrum]] decision rule: move toward Spec-First for new public surfaces and high-blast-radius changes.
## Why it matters for agentic work
Agents act on whatever spec — or absence of spec — they are given. An under-specified high-blast-radius change produces confident, wrong code fast. The ceremony is not bureaucracy; it is the mechanism that forces the expensive questions to surface before the agent guesses at them.
The heuristic also guards against the inverse failure: applying full OpenSpec ceremony to every single-line change drowns the team in process and trains everyone to skip the framework even when it matters.
## The "small change" trap
The module's Common Pitfalls section captures the failure directly: "small changes that break public contracts cause the most expensive incidents." A change can look small by lines-of-code while having a very wide blast radius — an API deprecation, a silent auth-header renaming, a schema field removal. Ceremony must track *impact*, not *size*.
## Related
- [[SDD Spectrum]]
- [[Spec-Driven Development]]
- [[OpenSpec]]
- [[Deriving Scope from Goals]]
## Sources
- [[Modern AI Software Engineering - The Orchestrators Playbook]]