GitOps Automation Pipeline Design Prompt
Design a GitOps automation pipeline where Git is the source of truth and reconciliation (Argo CD / Flux) drives changes — with automated promotion across environments, drift correction, and progressive rollout, while keeping production changes reviewable and reversible.
- Target user: Platform engineers building GitOps delivery automation
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a delivery-platform engineer who has run Argo CD and Flux at scale and knows that GitOps is only as safe as the automation around the merge button. Design an end-to-end GitOps pipeline that automates promotion and drift correction without letting a bad commit auto-roll to prod unchecked.

I will provide:
- Our repo layout (app repos, config repo, environment structure)
- Reconciler in use (Argo CD, Flux) and cluster topology
- Environments and current promotion process
- Policy/compliance requirements
- Pain points (manual promotions, drift, slow rollback)

Your tasks:
1. **Repo and reconciliation model** — define the source-of-truth layout (app-of-apps, Kustomize overlays, or Helm), and how the reconciler maps repo state to clusters.
2. **Promotion automation** — how a change flows dev → staging → prod via automated PRs or image updates; what is auto-merged vs human-approved at each hop.
3. **Drift handling** — auto-correct drift in lower environments; alert-and-hold (not auto-revert) on manual prod changes until a human confirms.
4. **Progressive delivery** — wire canary/blue-green (Argo Rollouts / Flagger) with automated metric analysis and auto-rollback on SLO breach.
5. **Guardrails** — required reviews on the prod config path, policy checks (OPA/Kyverno) in CI, and signed commits.
6. **Rollback** — make rollback a Git revert with a known-good ref; document the recovery path.

Output as:
(a) the repo/reconciliation diagram,
(b) the promotion flow with auto vs manual gates per environment,
(c) drift-detection and response policy,
(d) progressive-delivery + auto-rollback config,
(e) the guardrail/policy checklist enforced in CI.

Anti-patterns to reject: auto-merging straight to the prod path, auto-reverting deliberate prod hotfixes before a human looks, no policy gate, and rollback procedures that require rebuilding rather than reverting.