OrgEdge
Architecture governance

53 standards as nodes. Gaps as edges that don't exist.

Every architecture decision your team has made — or hasn't made — is visible in the graph. Standards without an addressing ADR are gaps. A single query finds them. A single team review closes them.

The model

Standards as nodes. Decisions as edges.

53 industry standards across Execution, Development, Operations, Security, and Infrastructure architecture are stored in the graph, sourced from 12-factor, OWASP, NIST, SRE practice, and cloud-native patterns. Each standard links to an Architecture Decision Record (ADR) via an ADDRESSES edge. Standards with no ADDRESSES edge are gaps — returned by a single query.

$ # Standards with no Architecture Decision Record $ python3 cli/sys_edge.py analyse --orphans --instance architect Architecture standards with no addressing decision (4): SEC-BP02 Audit log for write operations → no ADR SEC-BP03 Rate limiting on auth endpoints → no ADR OPS-S03 Metrics wired to all service binaries → no ADR OPS-BP03 Runbooks for Sev-1 incidents → no ADR

An initial audit on a live codebase identified 14 genuine gaps and 8 compliant-but-undocumented standards in one session.

Standards domains

Five domains. 53 standards. One query to find gaps.

Security
OWASP Top 10, authentication patterns, PII handling, audit logging, rate limiting, and secrets management.
14 standards
Development
12-factor application principles, API design, error handling, idempotency, and code-level quality gates.
12 standards
Operations
SRE principles, observability, runbooks, SLO definition, on-call readiness, and incident response.
11 standards
Infrastructure
Container image pinning, network isolation, secret injection, immutable infrastructure, and dependency scanning.
9 standards
Architecture
ADR governance, dependency direction, module boundary enforcement, and architectural fitness functions.
7 standards

Formbricks — the PII defect, architecture-level

Three standards with no ADR. One defect that followed.

Running the orphan query against the Formbricks instance surfaced the direct architecture-level cause of DEF-FBK-001 (PII included in anonymised survey exports):

$ python3 cli/sys_edge.py analyse --orphans --instance surveys Architecture standards with no addressing decision: SEC-PII-001 PII must be excluded from exports when anonymisation is enabled → no ADR SEC-PII-002 Export operations must be logged with actor identity and scope → no ADR DATA-MIN-001 API responses must be minimised to requesting actor's scope → no ADR
SEC-PII-001 existed as a standard in the graph. The code didn't address it. That gap — three unaddressed standards with no decision — is the architecture-level cause of DEF-FBK-001. The graph made it queryable in seconds rather than discoverable through a security audit months after the fact.

Architecture Decision Records

ADRs as first-class nodes. Decisions linked to standards and modules.

Architecture Decision Records are SysArchDecision nodes with ADDRESSES edges to standards and CONSTRAINED_BY edges from modules. Sessions see the architecture state at session start — not just the code, but the decisions behind it.

ADR-027 V-model test alignment status: adopted date: 2026-04-01 addresses: ARCH-TEST-001, ARCH-TEST-002 constrained: MOD-auth, MOD-delegation, MOD-survey decision: Four-tier test model: component/integration/usecase/e2e
/import-architecture — import existing architecture documents into the graph as ADRs and standards. Review-and-confirm before any write.
53 standards. One query to find gaps.

Architecture compliance as a graph query, not a review.

The architecture standards YAML is included in the SysEdge bootstrap kit. Load the standards once, link your ADRs, and every session starts knowing which standards are addressed and which are gaps. Unaddressed standards become queryable facts — not surprises discovered six months later in a security audit.

53 standards across 5 domains
security · development · operations · infrastructure · architecture
Standards as graph nodes
ADDRESSES edges to ADRs — gaps have no edge
One query surfaces all gaps
analyse --orphans returns unaddressed standards instantly
ADRs as first-class nodes
CONSTRAINED_BY links decisions to the modules they govern
14 gaps found in one session
live codebase · cold start · real open-source project
/import-architecture
existing arch docs become ADR + standard nodes