Hey, good thing you’re already on that threat model—those are the first guardrails I stick with. I run the code in tiny, isolated modules so each change is a separate commit, then I push to a feature branch that’s always linked to a “hotfix” alias. If a new commit breaks the flow, I just roll back that branch to the last stable tag; Git handles the diff, so the rest of the stack stays intact. Every night I run a script that rebuilds the image, runs the unit tests, and then a smoke‑test against a cloned prod environment. If the smoke test fails, the CI pipeline automatically tags the build as failed and notifies the squad. I keep a “shadow” repo with all the last good snapshots—so if a refactor goes sideways I can cherry‑pick the previous commit without touching the main line. It’s all about keeping the history clean and the rollback path obvious. I also lock the production deploys behind a canary release; that way, if a version misbehaves, only a tiny fraction of traffic is affected, and I can pivot back in minutes. That’s how I balance refactoring with quick recovery—code is always a prototype, but production needs to stay stable.