arckit-analyze
$
npx mdskill add tractorjuice/arc-kit/arckit-analyzeAudit architecture artifacts for governance gaps and compliance failures.
- Detects conflicts between requirements and non-negotiable architecture principles.
- Validates UK government compliance against mandatory policy frameworks.
- Prioritizes issues by severity level based on principle violations.
- Outputs structured reports to the project directory for audit trails.
SKILL.md
.github/skills/arckit-analyzeView on GitHub ↗
---
name: arckit-analyze
description: "Perform comprehensive governance quality analysis across architecture artifacts (requirements, principles, designs, assessments)"
---
## User Input
```text
$ARGUMENTS
```
## Goal
Identify inconsistencies, gaps, ambiguities, and compliance issues across all architecture governance artifacts before implementation or procurement. This command performs **non-destructive analysis** and produces a structured report saved to the project directory for tracking and audit purposes.
## Operating Constraints
**Non-Destructive Analysis**: Do **not** modify existing artifacts. Generate a comprehensive analysis report and save it to the project directory for tracking, sharing, and audit trail.
**Architecture Principles Authority**: The architecture principles (`ARC-000-PRIN-*.md` in `projects/000-global/`) are **non-negotiable**. Any conflicts with principles are automatically CRITICAL and require adjustment of requirements, designs, or vendor proposals—not dilution or reinterpretation of the principles.
**UK Government Compliance Authority** (if applicable): TCoP, AI Playbook, and ATRS compliance are mandatory for UK government projects. Non-compliance is CRITICAL.
## Execution Steps
### 0. Read the Template
**Read the template** (with user override support):
- **First**, check if `.arckit/templates/analysis-report-template.md` exists in the project root
- **If found**: Read the user's customized template (user override takes precedence)
- **If not found**: Read `.arckit/templates/analysis-report-template.md` (default)
> **Tip**: Users can customize templates with `$arckit-customize analyze`
### Hook-Aware Shortcut
If the hook has injected a `## Governance Scan Pre-processor Complete` section in the context, follow this protocol. If no hook data is present, proceed with Steps 1-2 as normal.
**Rule 1 — Hook tables are primary data.** Use them directly for all detection passes. Do NOT re-read any artifact file listed in the Artifact Inventory table.
**Rule 2 — Targeted reads only.** When a detection pass needs evidence beyond hook tables, use Grep (search for specific patterns) or Read with offset/limit (specific sections). NEVER read an entire artifact file.
**Rule 3 — Skip Steps 1-2 entirely.** Go directly to Step 3. Still read the template (Step 0) for output formatting.
#### Hook Data to Detection Pass Mapping
Use this table to identify the primary data source for each detection pass. Only perform a targeted read when the hook data is genuinely insufficient for a specific check.
| Detection Pass | Primary Hook Data | Targeted Read (only if needed) |
|---|---|---|
| A. Requirements Quality | Requirements Inventory, Priority Distribution, Placeholder Counts | Hook data sufficient for all Pass A checks |
| B. Principles Alignment | Principles table + Requirements Inventory | Grep PRIN files for full validation criteria of specific principles flagged as violated |
| C. Req-Design Traceability | Coverage Summary, Orphan Requirements, Cross-Reference Map | Hook data sufficient for all Pass C checks |
| D. Vendor Procurement | Vendor Inventory + Cross-Reference Map | Grep vendor HLD/DLD for specific requirement IDs missing from cross-ref map |
| E. Stakeholder Traceability | Artifact Inventory (STKE presence) + Requirements Inventory | Grep STKE for driver-goal-outcome chains when validating orphan requirements |
| F. Risk Management | Risks table + Requirements Inventory | Grep RISK file for "Risk Appetite" section only (appetite thresholds) |
| G. Business Case | Artifact Inventory (SOBC presence) + Risks table | Grep SOBC for benefits table and option analysis section |
| H. Data Model Consistency | Requirements Inventory (DR-xxx) + Cross-Reference Map | Grep DATA file for entity catalog when validating DR-entity mapping |
| I. UK Gov Compliance | Compliance Artifact Presence | Grep TCOP for per-point scores; Grep AIPB for risk level and principle status |
| J. MOD SbD Compliance | Compliance Artifact Presence | Grep SECD-MOD for SbD principle scores and NIST CSF function scores |
| K. Cross-Artifact Consistency | All hook tables (Document Control, coverage, cross-refs) | Hook data sufficient for all Pass K checks |
#### Targeted Read Examples
Correct (surgical):
- `Grep "Risk Appetite" in projects/001-*/ARC-*-RISK-*.md` then read only 10-20 lines around match
- `Grep "### 5\. Cloud" in projects/000-global/ARC-000-PRIN-*.md` to get one principle's full criteria
- `Read ARC-001-TCOP-v1.0.md offset=50 limit=30` to get just the scoring table
Wrong (wasteful — this data is already in hook tables):
- `Read ARC-001-REQ-v1.0.md` — entire requirements file (use Requirements Inventory table)
- `Read ARC-001-RISK-v1.0.md` — entire risk register (use Risks table)
- `Read ARC-000-PRIN-v1.0.md` — entire principles file (use Principles table, grep only for specific criteria)
### 1. Discover Project Context
Identify the project directory to analyze:
- If user specifies project: Use specified project directory
- If only one project exists: Analyze that project
- If multiple projects: Ask user which project to analyze
Expected structure:
```text
projects/
└── {project-dir}/
├── ARC-{PROJECT_ID}-STKE-v*.md (RECOMMENDED - stakeholder analysis)
├── ARC-{PROJECT_ID}-RISK-v*.md (RECOMMENDED - risk register)
├── ARC-{PROJECT_ID}-SOBC-v*.md (RECOMMENDED - business case)
├── ARC-{PROJECT_ID}-REQ-v*.md (requirements)
├── ARC-{PROJECT_ID}-DATA-v*.md (if DR-xxx requirements exist - data model)
├── ARC-*-SOW-*.md (if vendor procurement)
├── ARC-*-EVAL-*.md (if vendor procurement)
├── vendors/
│ └── {vendor-name}/
│ ├── hld-v1.md
│ ├── dld-v1.md
│ └── reviews/
├── ARC-*-TCOP-*.md (if UK Gov)
├── ARC-*-AIPB-*.md (if UK Gov AI)
├── ARC-*-ATRS-*.md (if UK Gov AI)
├── ARC-*-SECD-MOD-*.md (if MOD project)
└── ARC-{PROJECT_ID}-TRAC-v*.md (traceability matrix)
```
### 2. Load Artifacts (Progressive Disclosure)
Load only minimal necessary context from each artifact:
**From any `ARC-000-PRIN-*.md` file in `projects/000-global/`** (if exists):
- Strategic principles (Cloud-First, API-First, etc.)
- Security principles
- Data principles
- Technology standards
- Compliance requirements
**From any `ARC-*-STKE-*.md` file in `projects/{project-dir}/`** (if exists):
- Stakeholder roster with power-interest grid
- Driver types (STRATEGIC, OPERATIONAL, FINANCIAL, COMPLIANCE, PERSONAL, RISK, CUSTOMER)
- Driver → Goal → Outcome traceability
- Conflicts and resolutions
- RACI matrix for governance
**From any `ARC-*-RISK-*.md` file in `projects/{project-dir}/`** (if exists):
- Risk categories (Strategic, Operational, Financial, Compliance, Reputational, Technology)
- Inherent vs Residual risk scores (5×5 matrix)
- Risk responses (4Ts: Tolerate, Treat, Transfer, Terminate)
- Risk owners (should align with RACI matrix)
- Risk appetite and tolerance levels
**From any `ARC-*-SOBC-*.md` file in `projects/{project-dir}/`** (if exists):
- Strategic Case (problem, drivers, stakeholder goals)
- Economic Case (options, benefits, NPV, ROI)
- Commercial Case (procurement strategy)
- Financial Case (budget, TCO)
- Management Case (governance, delivery, change, risks, benefits realization)
**From any `ARC-*-REQ-*.md` file in `projects/{project-dir}/`** (if exists):
- Business requirements (BR-xxx)
- Functional requirements (FR-xxx)
- Non-functional requirements (NFR-xxx)
- Security (NFR-S-xxx)
- Performance (NFR-P-xxx)
- Compliance (NFR-C-xxx)
- Accessibility (NFR-A-xxx)
- Integration requirements (INT-xxx)
- Data requirements (DR-xxx)
- Success criteria
**From any `ARC-*-DATA-*.md` file in `projects/{project-dir}/`** (if exists):
- Entity-Relationship Diagram (ERD)
- Entity catalog (E-001, E-002, etc.)
- PII identification and GDPR compliance
- Data governance matrix (owners, stewards, custodians)
- CRUD matrix (component access patterns)
- Data integration mapping (upstream/downstream)
- DR-xxx requirement traceability to entities
**From `projects/{project-dir}/ARC-*-SOW-*.md`** (if exists):
- Scope of work
- Deliverables
- Technical requirements
- Timeline and budget
**From `projects/{project-dir}/vendors/{vendor}/hld-v*.md`** (if exists):
- Architecture overview
- Component design
- Technology stack
- Security architecture
- Data architecture
**From `projects/{project-dir}/vendors/{vendor}/dld-v*.md`** (if exists):
- Component specifications
- API contracts
- Database schemas
- Security implementation
**From UK Government Assessments** (if exist):
- `ARC-*-TCOP-*.md`: TCoP compliance status
- `ARC-*-AIPB-*.md`: AI Playbook compliance status
- `ARC-*-ATRS-*.md`: ATRS record completeness
**From MOD Assessment** (if exists):
- `ARC-*-SECD-MOD-*.md`: MOD SbD compliance status
- 7 SbD Principles assessment
- NIST CSF (Identify, Protect, Detect, Respond, Recover)
- CAAT registration and self-assessment completion
- Three Lines of Defence
- Delivery Team Security Lead (DTSL) appointment
- Supplier attestation (for vendor-delivered systems)
### 3. Build Semantic Models
Create internal representations (do not include raw artifacts in output):
**Stakeholder Traceability Matrix** (if ARC-*-STKE-*.md exists):
- Each stakeholder with drivers, goals, outcomes
- RACI roles for governance
- Conflicts and resolutions
- Which requirements trace to which stakeholder goals?
**Risk Coverage Matrix** (if ARC-*-RISK-*.md exists):
- Each risk with category, inherent/residual scores, response
- Risk owners from RACI matrix
- Which requirements address risk mitigation?
- Which design elements mitigate risks?
**Business Case Alignment Matrix** (if ARC-*-SOBC-*.md exists):
- Benefits mapping to stakeholder goals
- Benefits mapping to requirements
- Costs mapping to requirements scope
- Risks from risk register reflected in Management Case
**Requirements Inventory**:
- Each requirement with ID, type, priority (MUST/SHOULD/MAY)
- Map to principles (which principles does this requirement satisfy?)
- Map to stakeholder goals (which goals does this requirement address?)
- Map to success criteria
**Data Model Coverage Matrix** (if ARC-*-DATA-*.md exists):
- Each DR-xxx requirement mapped to entities
- Each entity with PII flags, governance owners, CRUD access
- Data owners from stakeholder RACI matrix
- Database schema in DLD matches data model entities
**Principles Compliance Matrix**:
- Each principle with validation criteria
- Which requirements/designs satisfy each principle?
**Design Coverage Matrix**:
- Which requirements are addressed in HLD/DLD?
- Which components implement which requirements?
**UK Government Compliance Matrix** (if applicable):
- TCoP: 13 points with compliance status
- AI Playbook: 10 principles + 6 themes with compliance status
- ATRS: Mandatory fields completion status
**MOD Compliance Matrix** (if ARC-*-SECD-MOD-*.md exists):
- 7 SbD Principles with compliance status
- NIST CSF functions (Identify, Protect, Detect, Respond, Recover)
- CAAT registration status
- Three Lines of Defence implementation
### 4. Detection Passes (Token-Efficient Analysis)
Focus on high-signal findings. Limit to 50 findings total; aggregate remainder in overflow summary.
#### A. Requirements Quality Analysis
**Duplication Detection**:
- Near-duplicate requirements across BR/FR/NFR categories
- Redundant requirements that should be consolidated
**Ambiguity Detection**:
- Vague adjectives lacking measurable criteria ("fast", "secure", "scalable", "intuitive")
- Missing acceptance criteria for functional requirements
- Unresolved placeholders (TODO, TBD, TBC, ???, `<placeholder>`)
**Underspecification**:
- Requirements with verbs but missing measurable outcomes
- Missing non-functional requirements (no security, no performance, no compliance)
- Missing data requirements (system handles sensitive data but no DR-xxx)
- Missing integration requirements (integrates with external systems but no INT-xxx)
**Priority Issues**:
- All requirements marked as MUST (no prioritization)
- No MUST requirements (everything is optional)
- Conflicting priorities
#### B. Architecture Principles Alignment
**Principle Violations** (CRITICAL):
- Requirements or designs that violate architecture principles
- Technology choices that conflict with approved stack
- Security approaches that violate security-by-design principle
- Cloud architecture that violates Cloud-First principle
**Missing Principle Coverage**:
- Principles not reflected in requirements
- Principles not validated in design reviews
**Principle Drift**:
- Inconsistent interpretation of principles across artifacts
#### C. Requirements → Design Traceability
**Coverage Gaps**:
- Requirements with zero design coverage (not addressed in HLD/DLD)
- Critical MUST requirements not covered
- Security requirements (NFR-S-xxx) not reflected in security architecture
- Performance requirements (NFR-P-xxx) not validated in design
- Compliance requirements (NFR-C-xxx) not addressed
**Orphan Design Elements**:
- Components in HLD/DLD not mapped to any requirement
- Technology choices not justified by requirements
- Architecture complexity not justified by requirements
**Traceability Completeness**:
- Does traceability matrix exist?
- Are all requirements mapped?
- Are all design elements mapped?
#### D. Vendor Procurement Analysis (if applicable)
**SOW Quality**:
- SOW requirements match ARC-*-REQ-*.md?
- All technical requirements from ARC-*-REQ-*.md included in SOW?
- Missing evaluation criteria?
- Ambiguous acceptance criteria?
**Vendor Evaluation**:
- Evaluation criteria align with requirements priorities?
- Scoring methodology fair and unbiased?
- All critical requirements included in evaluation?
**Vendor Design Review**:
- HLD addresses all SOW requirements?
- Technology stack matches approved standards?
- Security architecture meets NFR-S requirements?
- Performance architecture meets NFR-P requirements?
#### E. Stakeholder Traceability Analysis (if ARC-*-STKE-*.md exists)
**Stakeholder Coverage**:
- All requirements traced to stakeholder goals?
- Orphan requirements (not linked to any stakeholder goal)?
- Requirements missing stakeholder justification?
**Conflict Resolution**:
- Requirement conflicts documented and resolved?
- Stakeholder impact of conflict resolutions documented?
- Decision authority identified for conflicting requirements?
**RACI Governance Alignment**:
- Risk owners from stakeholder RACI matrix?
- Data owners from stakeholder RACI matrix?
- Delivery roles aligned with RACI assignments?
**Missing Stakeholder Analysis**:
- Project has requirements but no stakeholder analysis document (RECOMMENDED to run `$arckit-stakeholders`)
#### F. Risk Management Analysis (if ARC-*-RISK-*.md exists)
**Risk Coverage**:
- High/Very High inherent risks have mitigation requirements?
- Risks reflected in design (risk mitigation controls in HLD/DLD)?
- Risk owners assigned and aligned with RACI matrix?
- Risk responses appropriate (4Ts: Tolerate, Treat, Transfer, Terminate)?
**Risk-SOBC Alignment** (if ARC-*-SOBC-*.md exists):
- Strategic risks reflected in Strategic Case urgency?
- Financial risks reflected in Economic Case cost contingency?
- Risks from risk register included in Management Case Part E?
**Risk-Requirements Alignment**:
- Risk mitigation actions translated into requirements?
- Security risks addressed by NFR-S-xxx requirements?
- Compliance risks addressed by NFR-C-xxx requirements?
**Missing Risk Assessment**:
- Project has requirements but no risk register document (RECOMMENDED to run `$arckit-risk`)
#### G. Business Case Alignment (if ARC-*-SOBC-*.md exists)
**Benefits Traceability**:
- All benefits in Economic Case mapped to stakeholder goals?
- All benefits supported by requirements?
- Benefits measurable and verifiable?
- Benefits realization plan in Management Case?
**Option Analysis Quality**:
- Do Nothing baseline included?
- Options analysis covers build vs buy?
- Recommended option justified by requirements scope?
- Costs realistic for requirements complexity?
**SOBC-Requirements Alignment**:
- Strategic Case drivers reflected in requirements?
- Economic Case benefits delivered by requirements?
- Financial Case budget adequate for requirements scope?
- Management Case delivery plan realistic for requirements?
**SOBC-Risk Alignment**:
- Risks from risk register included in Management Case?
- Cost contingency reflects financial risks?
- Strategic risks justify urgency ("Why Now?")?
**Missing Business Case**:
- Project has requirements but no SOBC (RECOMMENDED for major investments to run `$arckit-sobc`)
#### H. Data Model Consistency (if ARC-*-DATA-*.md exists)
**DR-xxx Requirements Coverage**:
- All DR-xxx requirements mapped to entities?
- All entities traced back to DR-xxx requirements?
- Missing data requirements (system handles data but no DR-xxx)?
**Data Model-Design Alignment**:
- Database schemas in DLD match data model entities?
- CRUD matrix aligns with component design in HLD?
- Data integration flows in HLD match data model upstream/downstream mappings?
**Data Governance Alignment**:
- Data owners from stakeholder RACI matrix?
- Data stewards and custodians assigned?
- PII identified and GDPR compliance documented?
**Data Model Quality**:
- ERD exists and renderable (Mermaid syntax)?
- Entities have complete attribute specifications?
- Relationships properly defined (cardinality, foreign keys)?
- Data quality metrics defined and measurable?
**Missing Data Model**:
- Project has DR-xxx requirements but no data model (RECOMMENDED to run `$arckit-data-model`)
#### I. UK Government Compliance (if applicable)
**Technology Code of Practice (TCoP)**:
- Assessment exists?
- All 13 points assessed?
- Critical issues resolved?
- Evidence provided for each point?
**AI Playbook** (for AI systems):
- Assessment exists for AI/ML systems?
- Risk level determined (High/Medium/Low)?
- All 10 principles assessed?
- All 6 ethical themes assessed?
- Mandatory assessments completed (DPIA, EqIA, Human Rights)?
- Bias testing completed?
- Human oversight model defined?
**ATRS** (for AI systems):
- ATRS record exists for algorithmic tools?
- Tier 1 (public summary) completed?
- Tier 2 (technical details) completed?
- All mandatory fields filled?
- Ready for GOV.UK publication?
**Compliance Alignment**:
- Requirements aligned with TCoP?
- Design complies with TCoP (Cloud First, Open Standards, Secure)?
- AI requirements comply with AI Playbook?
- ATRS record reflects requirements and design?
#### J. MOD Secure by Design Compliance (if ARC-*-SECD-MOD-*.md exists)
**7 SbD Principles Assessment**:
- Principle 1 (Understand and Define Context): Context documented, data classification determined?
- Principle 2 (Apply Security from the Start): Security embedded from inception, not bolt-on?
- Principle 3 (Apply Defence in Depth): Layered security controls implemented?
- Principle 4 (Follow Secure Design Patterns): NCSC/NIST guidance applied?
- Principle 5 (Continuously Manage Risk): Risk register maintained, continuous testing?
- Principle 6 (Secure the Supply Chain): SBOM maintained, supplier attestations obtained?
- Principle 7 (Enable Through-Life Assurance): Continuous monitoring, incident response capability?
**NIST Cybersecurity Framework Coverage**:
- **Identify**: Asset inventory, business environment, governance, risk assessment?
- **Protect**: Access control, data security, protective technology, training?
- **Detect**: Continuous monitoring, anomaly detection, security testing?
- **Respond**: Incident response plan, communications to MOD CERT, analysis?
- **Recover**: Recovery planning, backup/DR/BC, post-incident improvements?
**Continuous Assurance Process** (replaced RMADS August 2023):
- CAAT (Cyber Activity and Assurance Tracker) registration completed?
- CAAT self-assessment question sets completed based on 7 SbD Principles?
- CAAT continuously updated (not one-time submission)?
- Delivery Team Security Lead (DTSL) appointed?
- Security Assurance Coordinator (SAC) appointed (if applicable)?
- Project Security Officer (PSyO) appointed for SECRET+ systems?
**Three Lines of Defence Implementation**:
- **First Line**: Delivery team owns security, DTSL leads day-to-day management?
- **Second Line**: Technical Coherence assurance, security policies, independent reviews?
- **Third Line**: Independent audit, penetration testing, external audit (NAO, GIAA)?
**Supplier Attestation** (if vendor-delivered system):
- Suppliers attest systems are secure (ISN 2023/10)?
- Supplier-owned continuous assurance (not MOD accreditation)?
- Supplier security requirements in contracts?
**Classification-Specific Requirements**:
- OFFICIAL: Cyber Essentials baseline, basic access controls?
- OFFICIAL-SENSITIVE: Cyber Essentials Plus, MFA, enhanced logging, DPIA?
- SECRET: SC personnel, CESG crypto, air-gap/assured network, enhanced physical security?
- TOP SECRET: DV personnel, compartmented security, strict access control?
**Critical Issues (Deployment Blockers)**:
- SECRET+ data without appropriate controls?
- No encryption at rest or in transit?
- Personnel lacking security clearances?
- No threat model or risk assessment?
- Critical vulnerabilities unpatched?
**Missing MOD SbD Assessment**:
- Project for MOD but no SbD assessment (MANDATORY to run `$arckit-mod-secure`)
#### K. Consistency Across Artifacts
**Terminology Drift**:
- Same concept named differently across files
- Inconsistent capitalization/formatting of terms
- Conflicting definitions
**Data Model Consistency**:
- Data entities referenced in requirements match design
- Database schemas in DLD match data requirements (DR-xxx)
- Data sharing agreements align across artifacts
**Technology Stack Consistency**:
- Stack choices in HLD match principles
- Technology in DLD matches HLD
- Third-party dependencies consistently listed
**Timeline/Budget Consistency** (if vendor procurement):
- SOW timeline realistic for requirements scope?
- Budget adequate for requirements complexity?
- Vendor proposal timeline/budget match SOW?
#### G. Security & Compliance Analysis
**Security Coverage**:
- Security requirements (NFR-S-xxx) exist?
- Threat model documented?
- Security architecture in HLD?
- Security implementation in DLD?
- Security testing plan?
**Compliance Coverage**:
- Compliance requirements (NFR-C-xxx) exist?
- Regulatory requirements identified (GDPR, PCI-DSS, HIPAA, etc.)?
- Compliance validated in design?
- Audit requirements addressed?
**Data Protection**:
- Personal data handling defined?
- GDPR/UK GDPR compliance addressed?
- Data retention policy defined?
- Data breach procedures defined?
### 5. Severity Assignment
Use this heuristic to prioritise findings:
**CRITICAL**:
- Violates architecture principles (MUST)
- Missing core artifact (no ARC-*-REQ-*.md)
- MUST requirement with zero design coverage
- Stakeholder: Orphan requirements (not linked to any stakeholder goal)
- Risk: High/Very High risks with no mitigation in requirements or design
- Risk: Risk owners not from stakeholder RACI matrix (governance gap)
- SOBC: Benefits not traced to stakeholder goals or requirements
- SOBC: Costs inadequate for requirements scope (budget shortfall)
- Data Model: DR-xxx requirements with no entity mapping
- Data Model: PII not identified (GDPR compliance failure)
- Data Model: Data owners not from stakeholder RACI matrix
- UK Gov: TCoP non-compliance for mandatory points
- UK Gov: AI Playbook blocking issues for high-risk AI
- UK Gov: Missing mandatory ATRS for central government AI
- MOD: CAAT not registered (MANDATORY for all programmes)
- MOD: No DTSL appointed (required from Discovery phase)
- MOD: SECRET+ data without classification-specific controls
- MOD: Supplier attestation missing for vendor-delivered system
- Security requirement with no design coverage
- Compliance requirement with no validation
**HIGH**:
- Duplicate or conflicting requirements
- Ambiguous security/performance attribute
- Untestable acceptance criterion
- Missing non-functional requirements category (no security, no performance)
- Stakeholder: Requirement conflicts not documented or resolved
- Risk: Medium risks with no mitigation plan
- Risk: Risk responses not appropriate (4Ts misapplied)
- SOBC: Benefits not measurable or verifiable
- SOBC: Option analysis missing Do Nothing baseline
- Data Model: Database schema in DLD doesn't match data model entities
- Data Model: CRUD matrix doesn't align with HLD component design
- Vendor design doesn't address SOW requirements
- UK Gov: TCoP partial compliance with gaps
- UK Gov: AI Playbook non-compliance for medium-risk AI
- MOD: SbD Principles partially compliant with significant gaps
- MOD: NIST CSF functions not fully covered
**MEDIUM**:
- Terminology drift
- Missing optional non-functional requirement coverage
- Underspecified edge case
- Minor traceability gaps
- Documentation incomplete
- Stakeholder: Missing stakeholder analysis (recommended to add)
- Risk: Missing risk register (recommended to add)
- SOBC: Missing business case (recommended for major investments)
- Data Model: Missing data model (recommended if DR-xxx exist)
- Data Model: Data quality metrics not defined
- UK Gov: TCoP minor gaps
- MOD: CAAT self-assessment incomplete (some question sets missing)
- MOD: Third Line of Defence not fully implemented
**LOW**:
- Style/wording improvements
- Minor redundancy not affecting execution
- Documentation formatting
- Non-critical missing optional fields
### 6. Produce Comprehensive Analysis Report
Generate a comprehensive Markdown report and save it to `projects/{project-dir}/ARC-{PROJECT_ID}-ANAL-v1.0.md` with the following structure:
```markdown
# Architecture Governance Analysis Report
**Project**: {project-name}
**Date**: {current-date}
**Analyzed By**: ArcKit v{version}
---
## Executive Summary
**Overall Status**: ✅ Ready / ⚠️ Issues Found / ❌ Critical Issues
**Key Metrics**:
- Total Requirements: {count}
- Requirements Coverage: {percentage}%
- Critical Issues: {count}
- High Priority Issues: {count}
- Medium Priority Issues: {count}
- Low Priority Issues: {count}
**Recommendation**: [PROCEED / RESOLVE CRITICAL ISSUES FIRST / MAJOR REWORK NEEDED]
---
## Findings Summary
| ID | Category | Severity | Location(s) | Summary | Recommendation |
|----|----------|----------|-------------|---------|----------------|
| R1 | Requirements Quality | HIGH | ARC-*-REQ-*.md:L45-52 | Duplicate security requirements | Merge NFR-S-001 and NFR-S-005 |
| P1 | Principles Alignment | CRITICAL | ARC-*-REQ-*.md:L120 | Violates Cloud-First principle | Change to cloud-native architecture |
| T1 | Traceability | HIGH | No HLD coverage | NFR-P-002 (10K TPS) not addressed | Add performance architecture section to HLD |
| UK1 | UK Gov Compliance | CRITICAL | Missing DPIA | AI system requires DPIA before deployment | Complete DPIA for AI Playbook compliance |
---
## Requirements Analysis
### Requirements Coverage Matrix
| Requirement ID | Type | Priority | Design Coverage | Tests Coverage | Status |
|----------------|------|----------|-----------------|----------------|--------|
| BR-001 | Business | MUST | ✅ HLD | ❌ Missing | ⚠️ Partial |
| FR-001 | Functional | MUST | ✅ HLD, DLD | ✅ Tests | ✅ Complete |
| NFR-S-001 | Security | MUST | ❌ Missing | ❌ Missing | ❌ Not Covered |
**Statistics**:
- Total Requirements: {count}
- Fully Covered: {count} ({percentage}%)
- Partially Covered: {count} ({percentage}%)
- Not Covered: {count} ({percentage}%)
### Uncovered Requirements (CRITICAL)
| Requirement ID | Priority | Description | Why Critical |
|----------------|----------|-------------|--------------|
| NFR-S-003 | MUST | Encrypt data at rest | Security requirement |
| NFR-P-002 | MUST | Support 10K TPS | Performance critical |
---
## Architecture Principles Compliance
| Principle | Status | Evidence | Issues |
|-----------|--------|----------|--------|
| Cloud-First | ✅ COMPLIANT | AWS architecture in HLD | None |
| API-First | ⚠️ PARTIAL | REST APIs defined, missing OpenAPI specs | Document API contracts |
| Security-by-Design | ❌ NON-COMPLIANT | No threat model, missing security architecture | Add security sections |
**Critical Principle Violations**: {count}
---
## Stakeholder Traceability Analysis
**Stakeholder Analysis Exists**: ✅ Yes / ❌ No (RECOMMENDED)
**Stakeholder-Requirements Coverage**:
- Requirements traced to stakeholder goals: {percentage}%
- Orphan requirements (no stakeholder justification): {count}
- Requirement conflicts documented and resolved: ✅ Yes / ⚠️ Partial / ❌ No
**RACI Governance Alignment**:
| Artifact | Role | Aligned with RACI? | Issues |
|----------|------|-------------------|--------|
| Risk Register | Risk Owners | ✅ Yes / ❌ No | Missing 3 risk owners from RACI |
| Data Model | Data Owners | ✅ Yes / ❌ No | None |
| SOBC | Benefits Owners | ✅ Yes / ❌ No | 2 benefits lack owner assignment |
**Critical Issues**:
- Orphan requirements: {count} requirements not linked to stakeholder goals
- Unresolved conflicts: {count} requirement conflicts without resolution
---
## Risk Management Analysis
**Risk Register Exists**: ✅ Yes / ❌ No (RECOMMENDED)
**Risk Coverage**:
| Risk ID | Category | Inherent | Residual | Response | Mitigation in Req? | Mitigation in Design? |
|---------|----------|----------|----------|----------|-------------------|---------------------|
| R-001 | Strategic | Very High | High | Treat | ✅ BR-003 | ✅ HLD Section 4 |
| R-005 | Technology | High | Medium | Treat | ❌ Missing | ❌ Missing |
**High/Very High Risks Requiring Attention**:
| Risk ID | Description | Current Status | Required Action |
|---------|-------------|----------------|-----------------|
| R-005 | Cloud provider lock-in | No mitigation | Add multi-cloud requirements |
| R-012 | Data breach | Partial mitigation | Complete security architecture in HLD |
**Risk-SOBC Alignment** (if SOBC exists):
- Strategic risks reflected in Strategic Case: ✅ Yes / ❌ No
- Financial risks in Economic Case cost contingency: ✅ Yes / ❌ No
- Risks included in Management Case Part E: ✅ Yes / ❌ No
**Risk Governance**:
- Risk owners from stakeholder RACI: ✅ Yes / ⚠️ Partial / ❌ No
- Risk appetite compliance: {count} risks within tolerance
---
## Business Case Analysis
**SOBC Exists**: ✅ Yes / ❌ No (RECOMMENDED for major investments)
**Benefits Traceability**:
| Benefit ID | Description | Stakeholder Goal | Requirements | Measurable? | Status |
|------------|-------------|------------------|--------------|-------------|--------|
| B-001 | Reduce costs 40% | CFO Goal G-1 | BR-002, NFR-P-003 | ✅ Yes | ✅ Complete |
| B-003 | Improve UX | CTO Goal G-5 | FR-008, NFR-A-001 | ❌ No | ❌ Not measurable |
**Benefits Coverage**:
- Total benefits: {count}
- Benefits traced to stakeholder goals: {percentage}%
- Benefits supported by requirements: {percentage}%
- Benefits measurable and verifiable: {percentage}%
**Option Analysis Quality**:
- Do Nothing baseline included: ✅ Yes / ❌ No
- Options analyzed: {count} options
- Recommended option: {option name}
- Justification: ✅ Strong / ⚠️ Weak / ❌ Missing
**SOBC-Requirements Alignment**:
- Strategic Case drivers in requirements: ✅ Yes / ⚠️ Partial / ❌ No
- Economic Case benefits achievable with requirements: ✅ Yes / ⚠️ Questionable / ❌ No
- Financial Case budget adequate: ✅ Yes / ⚠️ Tight / ❌ Insufficient
**Critical Issues**:
- Non-measurable benefits: {count}
- Benefits without requirement support: {count}
- Budget shortfall: £{amount} (requirements scope exceeds budget)
---
## Data Model Analysis
**Data Model Exists**: ✅ Yes / ❌ No (RECOMMENDED if DR-xxx exist)
**DR-xxx Requirements Coverage**:
| Requirement ID | Description | Entities | Attributes | Status |
|----------------|-------------|----------|------------|--------|
| DR-001 | Store customer data | E-001: Customer | customer_id, email, name | ✅ Complete |
| DR-005 | GDPR erasure | E-001: Customer | [All PII] | ✅ Complete |
| DR-008 | Payment history | ❌ No entity | N/A | ❌ Missing |
**Data Requirements Coverage**:
- Total DR-xxx requirements: {count}
- DR-xxx mapped to entities: {percentage}%
- Entities traced to DR-xxx: {percentage}%
**Data Model Quality**:
- ERD exists and renderable: ✅ Yes / ❌ No
- Entities with complete specs: {count}/{total}
- PII identified: ✅ Yes / ⚠️ Partial / ❌ No
- GDPR compliance documented: ✅ Yes / ⚠️ Partial / ❌ No
**Data Governance**:
| Entity | Data Owner (from RACI) | Data Steward | Technical Custodian | Status |
|--------|------------------------|--------------|---------------------|--------|
| E-001: Customer | CFO (from stakeholder RACI) | Data Governance Lead | Database Team | ✅ Complete |
| E-003: Payment | ❌ Not assigned | ❌ Not assigned | Database Team | ❌ Missing owners |
**Data Model-Design Alignment**:
- Database schemas in DLD match entities: ✅ Yes / ⚠️ Partial / ❌ No / N/A
- CRUD matrix aligns with HLD components: ✅ Yes / ⚠️ Partial / ❌ No / N/A
- Data integration flows match upstream/downstream: ✅ Yes / ⚠️ Partial / ❌ No / N/A
**Critical Issues**:
- DR-xxx requirements with no entity mapping: {count}
- PII not identified (GDPR risk): {count} entities
- Data owners not from RACI matrix: {count} entities
---
## UK Government Compliance Analysis
### Technology Code of Practice (TCoP)
**Overall Score**: {score}/130 ({percentage}%)
**Status**: ✅ Compliant / ⚠️ Partial / ❌ Non-Compliant
| Point | Requirement | Status | Score | Issues |
|-------|-------------|--------|-------|--------|
| 1 | Define User Needs | ✅ | 9/10 | Minor: User research from 2023 (update) |
| 5 | Use Cloud First | ✅ | 10/10 | AWS cloud-native |
| 6 | Make Things Secure | ❌ | 3/10 | Missing: Cyber Essentials, threat model |
**Critical TCoP Issues**: {count}
### AI Playbook (if AI system)
**Risk Level**: HIGH-RISK / MEDIUM-RISK / LOW-RISK
**Overall Score**: {score}/160 ({percentage}%)
**Status**: ✅ Compliant / ⚠️ Partial / ❌ Non-Compliant
**Blocking Issues**:
- [ ] DPIA not completed (MANDATORY for high-risk)
- [ ] No human-in-the-loop (REQUIRED for high-risk)
- [ ] ATRS not published (MANDATORY for central government)
### ATRS (if AI system)
**Completeness**: {percentage}%
**Status**: ✅ Ready for Publication / ⚠️ Incomplete / ❌ Missing
**Missing Mandatory Fields**:
- [ ] Senior Responsible Owner
- [ ] Bias testing results
- [ ] Fallback procedures
---
## MOD Secure by Design Analysis
**MOD SbD Assessment Exists**: ✅ Yes / ❌ No (MANDATORY for MOD projects)
**Overall SbD Maturity**: Level {0-5} (Target: Level 3+ for operational systems)
### 7 SbD Principles Compliance
| Principle | Status | Score | Issues |
|-----------|--------|-------|--------|
| 1. Understand and Define Context | ✅ | 9/10 | Minor: Data classification pending final review |
| 2. Apply Security from the Start | ⚠️ | 6/10 | Security architecture not in initial specs |
| 3. Apply Defence in Depth | ❌ | 3/10 | Missing: Network segmentation, IDS/IPS |
| 4. Follow Secure Design Patterns | ✅ | 8/10 | NCSC guidance applied, minor OWASP gaps |
| 5. Continuously Manage Risk | ✅ | 9/10 | Risk register active, continuous monitoring planned |
| 6. Secure the Supply Chain | ⚠️ | 5/10 | Missing: SBOM, supplier attestations |
| 7. Enable Through-Life Assurance | ⚠️ | 6/10 | Monitoring planned, incident response incomplete |
**Overall Score**: {score}/70 ({percentage}%)
### NIST Cybersecurity Framework Coverage
| Function | Status | Coverage | Critical Gaps |
|----------|--------|----------|---------------|
| Identify | ✅ | 90% | Asset inventory incomplete for contractor systems |
| Protect | ⚠️ | 65% | MFA not implemented, PAM missing |
| Detect | ❌ | 40% | No SIEM integration, limited monitoring |
| Respond | ⚠️ | 70% | Incident response plan exists, not tested |
| Recover | ✅ | 85% | Backup/DR tested, BC plan approved |
**Overall CSF Score**: {percentage}%
### Continuous Assurance Process
**CAAT (Cyber Activity and Assurance Tracker)**:
- CAAT registered: ✅ Yes / ❌ No (MANDATORY)
- Registration date: {date}
- Self-assessment question sets completed: {count}/{total}
- Based on 7 SbD Principles: ✅ Yes / ⚠️ Partial / ❌ No
- Continuously updated: ✅ Yes / ⚠️ Sporadic / ❌ One-time only
- Last update: {date}
**Key Roles**:
- Delivery Team Security Lead (DTSL) appointed: ✅ Yes / ❌ No (REQUIRED)
- DTSL name: {name}
- Security Assurance Coordinator (SAC) appointed: ✅ Yes / ❌ No / N/A
- Project Security Officer (PSyO) for SECRET+: ✅ Yes / ❌ No / N/A
### Three Lines of Defence
| Line | Responsibility | Implementation | Status |
|------|----------------|----------------|--------|
| First Line | Delivery team owns security (DTSL) | DTSL appointed, day-to-day management | ✅ Effective |
| Second Line | Technical Coherence assurance | Quarterly reviews scheduled | ⚠️ Partial |
| Third Line | Independent audit (NAO, GIAA) | Pen test planned Q2 | ⚠️ Planned |
**Overall Governance**: ✅ Strong / ⚠️ Adequate / ❌ Weak
### Supplier Attestation (if vendor-delivered)
**Supplier Attestation Required**: ✅ Yes / ❌ No / N/A
**Attestation Status**:
- Suppliers attest systems are secure (ISN 2023/10): ✅ Yes / ❌ No
- Supplier-owned continuous assurance: ✅ Yes / ❌ No
- Supplier security requirements in contracts: ✅ Yes / ⚠️ Partial / ❌ No
- Contract includes CAAT self-assessment obligations: ✅ Yes / ❌ No
### Classification-Specific Requirements
**Data Classification**: OFFICIAL / OFFICIAL-SENSITIVE / SECRET / TOP SECRET
**Classification Requirements Met**:
| Requirement | Status | Evidence |
|-------------|--------|----------|
| Personnel security clearances | ✅ / ❌ | All SC cleared for OFFICIAL-SENSITIVE |
| Cryptography (CESG-approved) | ✅ / ❌ | AES-256, TLS 1.3 |
| Network security (air-gap/assured) | ✅ / ⚠️ / ❌ | Assured connectivity approved |
| Physical security | ✅ / ❌ | Enhanced access controls in place |
| Cyber Essentials / Cyber Essentials Plus | ✅ / ❌ | Cyber Essentials Plus certified |
### Critical Issues (Deployment Blockers)
**Blocking Issues**:
- [ ] CAAT not registered (MANDATORY for all programmes)
- [ ] No DTSL appointed (required from Discovery phase)
- [ ] SECRET+ data without SC cleared personnel
- [ ] No encryption at rest or in transit
- [ ] No threat model or risk assessment
- [ ] Critical vulnerabilities unpatched
- [ ] Supplier attestation missing for vendor-delivered system
**Deployment Readiness**: ✅ Ready / ⚠️ Issues to resolve / ❌ BLOCKED
---
## Traceability Analysis
**Traceability Matrix**: ✅ Exists / ❌ Missing
**Forward Traceability** (Requirements → Design → Tests):
- Requirements → HLD: {percentage}%
- HLD → DLD: {percentage}%
- DLD → Tests: {percentage}%
**Backward Traceability** (Tests → Requirements):
- Orphan components (not linked to requirements): {count}
**Gap Summary**:
- {count} requirements with no design coverage
- {count} design elements with no requirement justification
- {count} components with no test coverage
---
## Vendor Procurement Analysis
### SOW Quality
**Status**: ✅ Complete / ⚠️ Issues / ❌ Insufficient
**Issues**:
- [ ] SOW missing NFR-P-xxx performance requirements
- [ ] Acceptance criteria ambiguous for deliverable 3
- [ ] Timeline unrealistic for scope (6 months vs 50 requirements)
### Vendor Evaluation
**Evaluation Criteria Defined**: ✅ Yes / ❌ No
**Alignment Check**:
- All MUST requirements in scoring? ✅ Yes / ❌ No
- Scoring methodology fair? ✅ Yes / ⚠️ Issues / ❌ No
- Technical evaluation covers all areas? ✅ Yes / ⚠️ Gaps / ❌ No
### Vendor Design Review
**HLD Review Completed**: ✅ Yes / ❌ No
**DLD Review Completed**: ✅ Yes / ❌ No
**Coverage Analysis**:
| SOW Requirement | HLD Coverage | DLD Coverage | Status |
|-----------------|--------------|--------------|--------|
| Cloud infrastructure | ✅ | ✅ | Complete |
| Security architecture | ❌ | ❌ | Missing |
| Performance (10K TPS) | ⚠️ | ❌ | Insufficient |
---
## Security & Compliance Summary
### Security Posture
- Security requirements defined: ✅ Yes / ❌ No
- Threat model documented: ✅ Yes / ❌ No
- Security architecture in HLD: ✅ Yes / ⚠️ Partial / ❌ No
- Security implementation in DLD: ✅ Yes / ⚠️ Partial / ❌ No
- Security testing plan: ✅ Yes / ❌ No
**Security Coverage**: {percentage}%
### Compliance Posture
- Regulatory requirements identified: ✅ Yes / ❌ No
- GDPR/UK GDPR compliance: ✅ Yes / ⚠️ Partial / ❌ No
- Industry compliance (PCI-DSS, HIPAA, etc.): ✅ Yes / ⚠️ Partial / ❌ No / N/A
- Audit readiness: ✅ Yes / ⚠️ Partial / ❌ No
**Compliance Coverage**: {percentage}%
---
## Recommendations
### Critical Actions (MUST resolve before implementation/procurement)
1. **[P1] Add Cloud-First architecture**: Current design violates Cloud-First principle. Redesign with AWS/Azure/GCP.
2. **[R1] Cover security requirements**: NFR-S-003, NFR-S-007, NFR-S-012 have no design coverage. Add security architecture to HLD.
3. **[UK1] Complete DPIA**: HIGH-RISK AI system requires completed DPIA before deployment (AI Playbook MANDATORY).
### High Priority Actions (SHOULD resolve before implementation/procurement)
1. **[T1] Document API contracts**: Add OpenAPI specifications for all REST APIs.
2. **[T2] Add performance architecture**: NFR-P-002 (10K TPS) not addressed in design. Add performance section to HLD.
3. **[V1] Update SOW acceptance criteria**: Deliverable 3 acceptance criteria too vague. Add measurable criteria.
### Medium Priority Actions (Improve quality)
1. **[Q1] Consolidate duplicate requirements**: Merge NFR-S-001 and NFR-S-005 (identical).
2. **[Q2] Fix terminology drift**: "User" vs "Customer" used inconsistently. Standardize.
3. **[D1] Complete traceability matrix**: Add backward traceability from tests to requirements.
### Low Priority Actions (Optional improvements)
1. **[S1] Improve requirement wording**: Replace "fast" with measurable criteria (e.g., "< 200ms p95").
2. **[S2] Add edge case documentation**: Document edge cases for error handling.
---
## Metrics Dashboard
### Requirement Quality
- Total Requirements: {count}
- Ambiguous Requirements: {count}
- Duplicate Requirements: {count}
- Untestable Requirements: {count}
- **Quality Score**: {percentage}%
### Architecture Alignment
- Principles Compliant: {count}/{total}
- Principles Violations: {count}
- **Alignment Score**: {percentage}%
### Traceability
- Requirements Covered: {count}/{total}
- Orphan Components: {count}
- **Traceability Score**: {percentage}%
### Stakeholder Traceability (if applicable)
- Requirements traced to stakeholder goals: {percentage}%
- Orphan requirements: {count}
- Conflicts resolved: {percentage}%
- RACI governance alignment: {percentage}%
- **Stakeholder Score**: {percentage}%
### Risk Management (if applicable)
- High/Very High risks mitigated: {percentage}%
- Risk owners from RACI: {percentage}%
- Risks reflected in design: {percentage}%
- Risk-SOBC alignment: {percentage}%
- **Risk Management Score**: {percentage}%
### Business Case (if applicable)
- Benefits traced to stakeholder goals: {percentage}%
- Benefits supported by requirements: {percentage}%
- Benefits measurable: {percentage}%
- Budget adequacy: ✅ Adequate / ⚠️ Tight / ❌ Insufficient
- **Business Case Score**: {percentage}%
### Data Model (if applicable)
- DR-xxx requirements mapped to entities: {percentage}%
- Entities traced to DR-xxx: {percentage}%
- PII identified: {percentage}%
- Data governance complete: {percentage}%
- Data model-design alignment: {percentage}%
- **Data Model Score**: {percentage}%
### UK Government Compliance (if applicable)
- TCoP Score: {score}/130 ({percentage}%)
- AI Playbook Score: {score}/160 ({percentage}%)
- ATRS Completeness: {percentage}%
- **UK Gov Compliance Score**: {percentage}%
### MOD Compliance (if applicable)
- 7 SbD Principles Score: {score}/70 ({percentage}%)
- NIST CSF Coverage: {percentage}%
- CAAT registered and updated: ✅ Yes / ❌ No
- Three Lines of Defence: {percentage}%
- **MOD SbD Score**: {percentage}%
### Overall Governance Health
**Score**: {percentage}%
**Grade**: A / B / C / D / F
**Grade Thresholds**:
- A (90-100%): Excellent governance, ready to proceed
- B (80-89%): Good governance, minor issues
- C (70-79%): Adequate governance, address high-priority issues
- D (60-69%): Poor governance, major rework needed
- F (<60%): Insufficient governance, do not proceed
---
## Next Steps
### Immediate Actions
1. **If CRITICAL issues exist**: ❌ **DO NOT PROCEED** with implementation/procurement until resolved.
- Run: `$arckit-requirements` to fix requirements issues
- Run: `$arckit-hld-review` to address design gaps
- Run: `$arckit-ai-playbook` (if AI system) to complete mandatory assessments
2. **If only HIGH/MEDIUM issues**: ⚠️ **MAY PROCEED** with caution, but address issues in parallel.
- Document exceptions for HIGH issues
- Create remediation plan for MEDIUM issues
3. **If only LOW issues**: ✅ **READY TO PROCEED**
- Address LOW issues during implementation as improvements
### Suggested Commands
Based on findings, consider running:
**Governance Foundation**:
- `$arckit-principles` - Create/update architecture principles
- `$arckit-stakeholders` - Analyze stakeholder drivers, goals, conflicts (RECOMMENDED)
- `$arckit-risk` - Create risk register using Orange Book framework (RECOMMENDED)
- `$arckit-sobc` - Create Strategic Outline Business Case using Green Book 5-case model (RECOMMENDED for major investments)
**Requirements & Design**:
- `$arckit-requirements` - Refine requirements to address ambiguity/gaps
- `$arckit-data-model` - Create data model with ERD, GDPR compliance (RECOMMENDED if DR-xxx exist)
- `$arckit-hld-review` - Re-review HLD after addressing issues
- `$arckit-dld-review` - Re-review DLD after addressing issues
**UK Government Compliance**:
- `$arckit-tcop` - Complete TCoP assessment for UK Gov projects
- `$arckit-ai-playbook` - Complete AI Playbook assessment for AI systems
- `$arckit-atrs` - Generate ATRS record for algorithmic tools
- `$arckit-secure` - UK Government Secure by Design review
**MOD Compliance**:
- `$arckit-mod-secure` - MOD Secure by Design assessment with CAAT (MANDATORY for MOD projects)
**Vendor Procurement**:
- `$arckit-sow` - Generate statement of work for RFP
- `$arckit-evaluate` - Update vendor evaluation criteria
**Analysis & Traceability**:
- `$arckit-traceability` - Generate/update traceability matrix
- `$arckit-analyze` - Re-run this analysis after fixes
### Re-run Analysis
After making changes, re-run analysis:
```bash
$arckit-analyze
```text
Expected improvement in scores after addressing findings.
---
## Detailed Findings
(Expand top findings with examples and specific recommendations)
### Finding R1: Duplicate Security Requirements (HIGH)
**Location**: `ARC-*-REQ-*.md:L45-52` and `ARC-*-REQ-*.md:L120-125`
**Details**:
```text
NFR-S-001: System MUST encrypt data at rest using AES-256
NFR-S-005: All stored data SHALL be encrypted with AES-256 encryption
```
**Issue**: These are duplicate requirements with inconsistent language (MUST vs SHALL).
**Impact**: Confuses implementation team, wastes evaluation points in vendor scoring.
**Recommendation**:
1. Keep NFR-S-001 (clearer wording)
2. Delete NFR-S-005
3. Update traceability matrix
**Estimated Effort**: 10 minutes
---
### Finding P1: Violates Cloud-First Principle (CRITICAL)
**Location**: `ARC-*-REQ-*.md:L120`, Architecture Principles violation
**Details**:
```text
FR-025: System SHALL deploy to on-premise servers in corporate datacenter
```
**Issue**: Violates "Cloud-First" architecture principle defined in `projects/000-global/ARC-000-PRIN-*.md`. Principle states "MUST use public cloud (AWS/Azure/GCP) unless explicitly justified exception."
**Impact**: Architecture doesn't align with organization standards. Blocks procurement approval.
**Recommendation**:
1. Change FR-025 to require AWS/Azure/GCP deployment
2. OR: Document formal exception with justification (security, regulatory, etc.)
3. Get exception approved by Architecture Review Board
**Estimated Effort**: 2 hours (requirement change + design update)
---
(Continue with detailed findings for top 10-20 issues)
---
## Appendix: Analysis Methodology
**Artifacts Analyzed**:
- {list of files}
**Detection Rules Applied**:
- {count} duplication checks
- {count} ambiguity patterns
- {count} principle validations
- {count} traceability checks
**Analysis Runtime**: {duration}
**Analysis Version**: ArcKit v{version}
---
**END OF ANALYSIS REPORT**
<!-- markdownlint-disable-next-line MD040 -->
```
---
**CRITICAL - Auto-Populate Document Control Fields**:
Before completing the document, populate ALL document control fields in the header:
**Construct Document ID**:
- **Document ID**: `ARC-{PROJECT_ID}-ANAL-v{VERSION}` (e.g., `ARC-001-ANAL-v1.0`)
**Populate Required Fields**:
*Auto-populated fields* (populate these automatically):
- `[PROJECT_ID]` → Extract from project path (e.g., "001" from "projects/001-project-name")
- `[VERSION]` → "1.0" (or increment if previous version exists)
- `[DATE]` / `[YYYY-MM-DD]` → Current date in YYYY-MM-DD format
- `[DOCUMENT_TYPE_NAME]` → "Governance Analysis Report"
- `ARC-[PROJECT_ID]-ANAL-v[VERSION]` → Construct using format above
- `[COMMAND]` → "arckit.analyze"
*User-provided fields* (extract from project metadata or user input):
- `[PROJECT_NAME]` → Full project name from project metadata or user input
- `[OWNER_NAME_AND_ROLE]` → Document owner (prompt user if not in metadata)
- `[CLASSIFICATION]` → Default to "OFFICIAL" for UK Gov, "PUBLIC" otherwise (or prompt user)
*Calculated fields*:
- `[YYYY-MM-DD]` for Review Date → Current date + 30 days
*Pending fields* (leave as [PENDING] until manually updated):
- `[REVIEWER_NAME]` → [PENDING]
- `[APPROVER_NAME]` → [PENDING]
- `[DISTRIBUTION_LIST]` → Default to "Project Team, Architecture Team" or [PENDING]
**Populate Revision History**:
```markdown
| 1.0 | {DATE} | ArcKit AI | Initial creation from `$arckit-analyze` command | [PENDING] | [PENDING] |
```
**Populate Generation Metadata Footer**:
The footer should be populated with:
```markdown
**Generated by**: ArcKit `$arckit-analyze` command
**Generated on**: {DATE} {TIME} GMT
**ArcKit Version**: {ARCKIT_VERSION}
**Project**: {PROJECT_NAME} (Project {PROJECT_ID})
**AI Model**: [Use actual model name, e.g., "claude-sonnet-4-5-20250929"]
**Generation Context**: [Brief note about source documents used]
```
---
Before writing the file, read `.arckit/references/quality-checklist.md` and verify all **Common Checks** plus the **ANAL** per-type checks pass. Fix any failures before proceeding.
### 7. Write Analysis Report to File
Save the complete analysis report generated in Step 6 to:
**`projects/{project-dir}/ARC-{PROJECT_ID}-ANAL-v1.0.md`**
The saved report must include:
- ✅ All sections from Executive Summary to Detailed Findings
- ✅ Complete metrics dashboard
- ✅ Actionable recommendations with priorities
- ✅ Next steps and suggested commands
- ✅ Traceability to source artifacts
**CRITICAL - Show Summary Only**:
After writing the file, show ONLY the concise summary below. Do NOT output the full analysis report content in your response, as analysis reports can be 1000+ lines with detailed findings and metrics tables.
After writing the file, provide a summary message to the user:
```text
✅ Governance Analysis Complete
**Project**: {project-name}
**Report Location**: projects/{project-dir}/ARC-{PROJECT_ID}-ANAL-v1.0.md
**Overall Status**: ✅ Ready / ⚠️ Issues Found / ❌ Critical Issues
**Governance Health Score**: {score}/100 ({grade})
**Issue Summary**:
- Critical Issues: {count}
- High Priority Issues: {count}
- Medium Priority Issues: {count}
- Low Priority Issues: {count}
**Key Metrics**:
- Requirements Coverage: {percentage}%
- Principles Compliance: {percentage}%
- Traceability Score: {percentage}%
- Stakeholder Alignment: {percentage}%
- Risk Management: {percentage}%
- UK Gov Compliance: {percentage}% (if applicable)
- MOD SbD Compliance: {percentage}% (if applicable)
**Top 3 Critical Issues**:
1. {issue} - {location}
2. {issue} - {location}
3. {issue} - {location}
**Recommendation**: {PROCEED / RESOLVE CRITICAL ISSUES FIRST / MAJOR REWORK NEEDED}
**Next Steps**:
- {action}
- {action}
- {action}
📄 Full analysis report saved to: projects/{project-dir}/ARC-{PROJECT_ID}-ANAL-v1.0.md
```
### 8. Provide Remediation Guidance
After outputting the report, ask:
> **Would you like me to suggest concrete remediation steps for the top {N} critical/high priority issues?**
>
> I can provide:
>
> 1. Specific edits to fix requirements
> 2. Design review guidance
> 3. Command sequences to address gaps
> 4. Templates for missing artifacts
>
> (I will NOT make changes automatically - you must approve each action)
## Operating Principles
### Context Efficiency
- **Minimal high-signal tokens**: Focus on actionable findings, not exhaustive documentation
- **Progressive disclosure**: Load artifacts incrementally; don't dump all content into analysis
- **Token-efficient output**: Limit findings table to 50 rows; summarize overflow
- **Deterministic results**: Rerunning without changes should produce consistent IDs and counts
### Analysis Guidelines
- **DO NOT modify existing artifacts** (non-destructive analysis)
- **DO write analysis report** to `projects/{project-dir}/ARC-{PROJECT_ID}-ANAL-v1.0.md`
- **NEVER hallucinate missing sections** (if absent, report them accurately)
- **Prioritize principle violations** (these are always CRITICAL)
- **Prioritize UK Gov compliance issues** (mandatory for public sector)
- **Use examples over exhaustive rules** (cite specific instances, not generic patterns)
- **Report zero issues gracefully** (emit success report with metrics)
- **Be specific**: Cite line numbers, requirement IDs, exact quotes
- **Be actionable**: Every finding should have a clear recommendation
- **Be fair**: Flag real issues, not nitpicks
### Enterprise Architecture Focus
Unlike Spec Kit's focus on code implementation, ArcKit analyze focuses on:
- **Governance compliance**: Principles, standards, policies
- **Requirements quality**: Completeness, testability, traceability
- **Procurement readiness**: SOW quality, vendor evaluation fairness
- **Design alignment**: Requirements → design traceability
- **UK Government compliance**: TCoP, AI Playbook, ATRS (if applicable)
- **Security & compliance**: Not just mentioned, but architected
- **Decision quality**: Objective, defensible, auditable
## Example Usage
User: `$arckit-analyze`
You should:
1. Identify project (if multiple, ask which)
2. Load artifacts progressively:
- Architecture principles
- Stakeholder drivers (if exists - RECOMMENDED)
- Risk register (if exists - RECOMMENDED)
- SOBC business case (if exists - RECOMMENDED)
- Requirements (BR, FR, NFR, INT, DR)
- Data model (if exists - RECOMMENDED if DR-xxx)
- Designs (HLD, DLD)
- UK Gov assessments (TCoP, AI Playbook, ATRS)
- MOD assessment (SbD with CAAT)
- Traceability matrix
3. Run detection passes:
- Requirements quality (duplication, ambiguity, underspecification)
- Stakeholder traceability (requirements to goals, conflict resolution, RACI alignment)
- Risk coverage (high/very high risks mitigated, risk-requirements alignment, risk-SOBC alignment)
- Business case alignment (benefits to stakeholders, benefits to requirements, costs adequacy)
- Data model consistency (DR-xxx to entities, data governance, design alignment)
- Principles alignment (violations, coverage)
- Traceability (coverage gaps, orphans)
- UK Gov compliance (TCoP, AI Playbook, ATRS)
- MOD compliance (7 SbD Principles, NIST CSF, CAAT, Three Lines of Defence)
- Consistency (terminology, data model, tech stack)
- Security & compliance coverage
4. Assign severity (CRITICAL, HIGH, MEDIUM, LOW)
5. Generate comprehensive report with:
- Executive summary
- Findings table
- Coverage matrices
- Stakeholder traceability analysis
- Risk management analysis
- Business case analysis
- Data model analysis
- UK Gov compliance dashboard
- MOD compliance dashboard
- Metrics dashboard
- Next steps and recommendations
6. Ask if user wants remediation guidance
Example output: "Architecture Governance Analysis Report" with 18 findings (3 CRITICAL, 6 HIGH, 7 MEDIUM, 2 LOW), 87% requirements coverage, 92% stakeholder traceability, 85% risk mitigation, TCoP score 98/130 (75%), MOD SbD score 58/70 (83%), recommendation: "Resolve 3 CRITICAL issues (1 stakeholder orphan, 2 high risks unmitgated) before procurement"
## Important Notes
- This is **non-destructive analysis** - existing artifacts are not modified
- Analysis report is saved to `projects/{project-dir}/ARC-{PROJECT_ID}-ANAL-v1.0.md` for audit trail
- Run `$arckit-analyze` after major changes to requirements, designs, or assessments
- Ideal times to run:
- Before issuing SOW/RFP to vendors
- After receiving vendor proposals
- Before design review meetings
- Before implementation kickoff
- Before deployment to production
- Analysis identifies issues; you decide how to resolve them
- Re-run after fixing issues to verify improvements
- Target: 90%+ governance health score before proceeding
- **Markdown escaping**: When writing less-than or greater-than comparisons, always include a space after `<` or `>` (e.g., `< 3 seconds`, `> 99.9% uptime`) to prevent markdown renderers from interpreting them as HTML tags or emoji
## Related Commands
After analysis, you may need:
**Governance Foundation**:
- `$arckit-principles` - Create/update architecture principles
- `$arckit-stakeholders` - Analyze stakeholder drivers and conflicts
- `$arckit-risk` - Create Orange Book risk register
- `$arckit-sobc` - Create Green Book business case
**Requirements & Data**:
- `$arckit-requirements` - Fix requirements issues
- `$arckit-data-model` - Create data model with ERD and GDPR compliance
**Design Reviews**:
- `$arckit-hld-review` - Re-review high-level design
- `$arckit-dld-review` - Re-review detailed design
**UK Government Compliance**:
- `$arckit-tcop` - Complete TCoP assessment
- `$arckit-ai-playbook` - Complete AI Playbook assessment
- `$arckit-atrs` - Generate ATRS record
- `$arckit-secure` - UK Government Secure by Design review
**MOD Compliance**:
- `$arckit-mod-secure` - MOD Secure by Design assessment with CAAT
**Traceability**:
- `$arckit-traceability` - Update traceability matrix
More from tractorjuice/arc-kit
- architecture-workflowThis skill should be used when the user asks how to start an architecture project, which ArcKit commands to run and in what order, what workflow to follow, getting started, new project setup, guide me through, or what comes next.
- arckit-adrDocument architectural decisions with options analysis and traceability
- arckit-ai-playbookAssess UK Government AI Playbook compliance for responsible AI deployment
- arckit-at-bvergg[COMMUNITY] Generate Austrian public procurement documentation aligned with Bundesvergabegesetz 2018 — Oberschwellen/Unterschwellen determination, ANKÖ publication, BVergGVS secondary rules, and BVwG review pathway
- arckit-at-dsgvo[COMMUNITY] Assess Austrian DSG / DSGVO obligations — Datenschutzbehörde patterns, §§12–13 DSG special provisions, image processing (§12 DSG), and Austrian enforcement practice
- arckit-at-nisg[COMMUNITY] Assess Austrian NISG obligations (BGBl. I Nr. 94/2025) — AT transposition of NIS2, BKA (GovCERT) / BMI (SPOC) reporting, KSÖ coordination, and Austrian sectoral rules for Essential/Important entities
- arckit-atrsGenerate Algorithmic Transparency Recording Standard (ATRS) record for AI/algorithmic tools
- arckit-aws-researchResearch AWS services and architecture patterns using AWS Knowledge MCP for authoritative guidance
- arckit-azure-researchResearch Azure services and architecture patterns using Microsoft Learn MCP for authoritative guidance
- arckit-backlogGenerate prioritised product backlog from ArcKit artifacts - convert requirements to user stories, organise into sprints