# Developer Offboarding Guide

> **Project:** Bilko
> **Version:** 0.1
> **Date:** 2026-02-23
> **Author:** Ops Architect
> **Status:** Draft
> **Reviewers:** Alem Bašić

## Document History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 0.1     | 2026-02-23 | Ops Architect | Initial draft |

---

## Overview

This guide covers the process for offboarding a developer from the Bilko project. Complete all items within 5 business days of the developer's last working day. The offboarding manager is responsible for completing the checklist.

**Offboarding manager:** Alem Bašić (or designated Tech Lead)
**Required:** All P0 items must be completed on the developer's last day or before

---

## 1. Pre-Offboarding (2 Weeks Before Last Day)

### Knowledge Transfer

- [ ] Developer documents all work-in-progress in GitHub Issues or Mission Control
- [ ] Developer reviews open PRs — complete or hand off each one
- [ ] Developer documents any undocumented systems or processes they own
- [ ] Knowledge transfer sessions scheduled (30 min per significant area)
- [ ] Access to any personal accounts used for Bilko work shared or transferred

### Codebase Handoff

- [ ] All local branches pushed to GitHub (or explicitly discarded)
- [ ] All work-in-progress committed or stashed in a handoff branch: `handoff/<name>-<date>`
- [ ] Any local configuration or environment modifications documented
- [ ] Developer reviews CLAUDE.md files they may have modified — confirm still accurate

---

## 2. Last Day Checklist

### P0 — Complete on Last Day

**GitHub Access**
- [ ] All open PRs reviewed: merge, close with explanation, or assign to another developer
- [ ] GitHub organization membership removed: GitHub → Organization Settings → Members → Remove
- [ ] Repository-specific access revoked (if different from org membership)

**Infrastructure Access**
- [ ] Railway access removed: Railway → Project → Settings → Members → Remove
- [ ] Vercel access removed: Vercel → Team Settings → Members → Remove
- [ ] Cloudflare access removed (if granted): Cloudflare → Account → Manage account → Members

**Secrets and Credentials**
- [ ] Any personal API tokens/PATs used for Bilko rotated immediately
- [ ] Verify developer does not have production secrets stored locally (confirm via discussion)
- [ ] If developer had production Railway access: rotate all production secrets:
  - `JWT_SECRET` (this invalidates all user sessions — notify users)
  - `JWT_REFRESH_SECRET`
  - `SENDGRID_API_KEY` (only if developer had SendGrid access)
  - `R2_ACCESS_KEY_ID` / `R2_SECRET_ACCESS_KEY` (only if developer had R2 access)
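
A post-rotation check for the two JWT secrets listed above, added here as an example (not Bilko's own code). It assumes both secrets sign HS256 tokens, and the secret values are constructed placeholders. `rotation_check` reports, per secret, whether a token minted under the old value still verifies under the value now deployed.

```python
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT (assumed algorithm; the page does not name one)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{_b64(mac.digest())}"

def verify(token: str, secret: str, now=None):
    """Return the claims if signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # never accept an algorithm other than the expected one
        expected = hmac.new(secret.encode(), f"{header}.{body}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token

def rotation_check(old: dict, deployed: dict, now: float) -> dict:
    """Map each secret name to True if a token signed with the OLD value
    is still accepted under the DEPLOYED value (i.e. rotation incomplete)."""
    result = {}
    for name, old_value in old.items():
        token = sign({"sub": "user-1", "exp": now + 900}, old_value)
        result[name] = verify(token, deployed[name], now) is not None
    return result

# Constructed values: JWT_SECRET was rotated, JWT_REFRESH_SECRET was missed.
OLD = {"JWT_SECRET": "old-access", "JWT_REFRESH_SECRET": "old-refresh"}
DEPLOYED = {"JWT_SECRET": "new-access", "JWT_REFRESH_SECRET": "old-refresh"}

if __name__ == "__main__":
    for name, still_valid in rotation_check(OLD, DEPLOYED, time.time()).items():
        print(f"{name}: {'STILL ACCEPTED, rotate' if still_valid else 'old tokens rejected'}")
```

Any `True` in the result means tokens signed with the pre-offboarding value are still honoured, so that row of the Secret Rotation table should not be ticked yet.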

**Communication**
- [ ] Developer removed from Slack #bilko-dev and #bilko-deploys
- [ ] GitHub Issues/PRs reassigned from developer to active team members

---

## 3. Post-Offboarding (Within 5 Business Days)

### Audit

- [ ] Review audit log (Railway logs) for any unusual activity in last 30 days
- [ ] Review `LoggedAction` table for developer's user ID (if they had production access)
- [ ] Verify no unauthorized changes to production configuration
- [ ] Review GitHub audit log for developer's last week of activity

### Documentation Update

- [ ] Developer removed from team roster / org chart
- [ ] Any documentation with developer's name as contact updated
- [ ] On-call rotation updated if developer was on-call
- [ ] `CLAUDE.md` files updated if developer was listed as a contact

### Knowledge Gap Assessment

- [ ] Identify any areas where the developer was the sole owner
- [ ] Create GitHub Issues for knowledge gaps that need documentation
- [ ] Assign ownership of developer's areas to remaining team members

---

## 4. Offboarding Checklist (Per Developer)

Create a copy of this section for each offboarding:

**Developer:** ___________________
**Last working day:** YYYY-MM-DD
**Offboarding manager:** ___________________

### Access Revocation Log

| System | Access Removed | Date | By |
|--------|---------------|------|----|
| GitHub | [ ] Yes | | |
| Railway | [ ] Yes | | |
| Vercel | [ ] Yes | | |
| Cloudflare | [ ] N/A or [ ] Yes | | |
| Sentry | [ ] N/A or [ ] Yes | | |
| Slack | [ ] Yes | | |
| BetterStack | [ ] N/A or [ ] Yes | | |

### Secret Rotation (if developer had production access)

| Secret | Rotated | Date | Notes |
|--------|---------|------|-------|
| JWT_SECRET | [ ] Yes / [ ] N/A | | Users notified: Yes/No |
| JWT_REFRESH_SECRET | [ ] Yes / [ ] N/A | | |
| Other: _________ | [ ] Yes / [ ] N/A | | |

### Open Work Disposition

| Item | Type | Disposition | Assigned To |
|------|------|-------------|-------------|
| PR #XXX | Pull Request | Merged / Closed / Reassigned | |
| Issue #XXX | GitHub Issue | Closed / Reassigned | |
| [Feature X] | WIP | Handoff branch created | |

---

## 5. Data Retention

Per GDPR Article 17 and Bilko data retention policy:
- Developer's commits remain in git history (normal — cannot be removed without rebasing)
- Developer's user account in `bilko_prod` database: mark as inactive (do not delete — audit trail)
- `LoggedAction` audit records: retained indefinitely (regulatory requirement)
- Personal data of the developer stored in Bilko systems: delete per GDPR right to erasure if requested

---

## Approval
| Role | Name | Date | Signature |
|------|------|------|-----------|
| Offboarding Manager | | | |
| Approver | Alem Bašić | | |