// Reversible by default, gate the irreversible · lesson 08
Reversibility is a day-one design constraint
Everything in this track gets dramatically easier if you decide one thing up front: this system will be reversible by design. Reversibility is not a feature you bolt on after your first scare. It is a constraint you build in from the first line, and it changes what you build.
When reversibility is a day-one constraint, you make different choices automatically. Actions produce drafts before they produce sends. Changes land on branches before they land on main. Destructive operations get a dry-run mode that shows what they would do before they do it. Deletes go to a recoverable state before they go to gone. Bulk operations write a backup first. None of that is expensive when you design it in. All of it is painful to add after the fact, which is exactly when people try to add it, standing in the wreckage of the thing that was not reversible.
What does designing for undo actually look like?
It looks like asking, for every action that will exist, "what is the undo, and does it already exist before I need it?" If the answer is "we would build the undo if something went wrong," you have not designed for reversibility; you have designed a fire drill. The undo has to exist before the action does. A branch is undo that exists before the bad merge. A backup is undo that exists before the bad migration. A draft queue is undo that exists before the bad send, because a draft you never approve is an action that never happened.
This connects the whole track to the guardrails idea from Track 4: the strongest control is the one built into the structure, not the one you promise to remember. "Be careful with deletes" is a hope. A soft-delete that moves rows to a recoverable table and a nightly backup are structure. When reversibility lives in the architecture, you get to move fast on top of it without being reckless, because the safety net was woven in before you started walking the wire.
Design it in early and the rest of this track becomes cheap. Bolt it on late and every irreversible action you already shipped is a bill waiting to come due.
The takeaway: Decide up front that the system is reversible by design, so the undo exists before the action does. Drafts, branches, dry-runs, and backups are cheap to build in and expensive to retrofit.