Architecture Decision Records

These records capture the non-obvious architectural and product decisions taken during the project. The goal is not to document every choice — small choices live in commit messages — but to record the ones where the rationale would be easy to forget and expensive to re-derive.

Index

• ADR-0001 — Pydantic v2 as the canonical schema layer
• ADR-0002 — Structurally deterministic JSON outputs
• ADR-0003 — Typer for the CLI
• ADR-0004 — Schema-first, evidence-first product framing
• ADR-0005 — Replaceable control catalog with org overrides
• ADR-0006 — CLI command modularization
• ADR-0007 — in-toto predicate-type variants
• ADR-0008 — AI evidence types and provenance
• ADR-0009 — Risk-weighted release verdict
• ADR-0010 — Reachability as optional SCA evidence field
• ADR-0011 — CRA and FedRAMP 20x profiles
• ADR-0012 — GUAC graph integration
• ADR-0013 — Release versioning process

Format

Each ADR follows a compressed MADR template:

• Status — proposed, accepted, deprecated, superseded.
• Context — what forced the decision.
• Decision — what we chose, in one paragraph.
• Consequences — positive and negative effects, including the ones we knowingly accept.

ADRs are immutable. To change a decision, write a new ADR that supersedes the old one and update the Status of the original.