Feature flags: ship dark, ramp, and retire

Build a small HTTP service with a minimal feature-flag layer, ship one feature dark, ramp it through a sticky percentage rollout with a working kill-switch, then run the full retirement lifecycle — proving deploy/release decoupling, stickiness, fail-open evaluation, and clean removal with evidence at each step.

• Build a small HTTP service (any runtime) with a flag layer that evaluates locally against an in-memory ruleset and refreshes it in the background — no network round-trip on the per-request flag check.
• Implement sticky percentage rollout: hash a stable key (userId plus a salt) into a fixed 0–99 bucket and gate on bucket < rolloutPercent, so a given user always lands on the same variant.
• Ship one real feature dark behind a release flag (default off): deploy the code to production with the flag off, prove via logs/metrics that the feature is present but no user sees it.
• Ramp the flag 1% → 5% → 25% → 100%, capturing at each step that the served fraction matches the target and that individual users stay on a stable variant across repeated requests (stickiness check).
• Wire one ops/kill-switch flag around a subsystem (e.g. a downstream call). Evaluate it with a safe default so that when the flag source is unreachable the service degrades to last-known config instead of failing the request; demonstrate the kill-switch flipping the subsystem off in seconds.
• Record each flag's type, owner, and (for the release flag) an expiry/removal ticket in a flag registry or metadata block — type recorded, not guessed.
• Run the retirement lifecycle on the release flag once it is at 100%: delete the flag and its now-dead else branch, confirm no references remain in code or config, and close the cleanup ticket.

• A rollout log/table showing served fraction at 1/5/25/100% matching the target, plus evidence that a fixed sample of users stayed on one variant across requests (proving stickiness, not per-call randomness).
• A kill-switch demonstration: the subsystem turns off within seconds of the toggle, and a forced flag-source outage shows the service still serving on last-known config rather than erroring (fail-open verified, not assumed).
• A flag registry entry per flag with type, owner, and the release flag's expiry/removal ticket.
• A diff (or PR) that removes the release flag and its dead branch, with a grep/search showing zero remaining references and the cleanup ticket closed — the lifecycle completed, not left at 100%.