Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Decision Finder

Status: Accepted | Date: 2026-07-11 | Review: 2027-07-11

Use this page to find the right starting point for common delivery needs. Start with a reference architecture when one matches the project. Use ADRs directly when you need a specific decision or control.

Reference architectures display their status at the top of each page. Accepted architectures are active project-kickoff guidance. Proposed architectures remain evaluation aids and require explicit project approval, including approval of their Proposed dependencies.

Project Preflight

Before choosing a pattern, record:

  • Users, service outcome, accountable owners, critical journeys, and non-goals
  • Existing and legacy constraints, agency capability, support model, and budget
  • Information classification, privacy, sharing, records, processing locations, suppliers, and offshoring requirements
  • Accessibility and assisted-digital needs
  • Criticality, service levels, RTO, RPO, degraded operation, and incident coverage
  • Migration, interoperability, data/configuration export, rollback, and exit needs

Start by Project Type

Project needStarting pointStatusThen check
Bounded AI assistance with human accountabilityAI-Assisted Digital ServicesProposedADR 011: AI Tool and Agent Governance, ADR 007: Logging
Public website, intranet, content portal, or static publishingContent ManagementAcceptedADR 016: Edge Protection, ADR 013: Identity Federation, ADR 020: Frontend UI
Independently owned apps that may share entry, identity, messaging, or channel capabilitiesFederated Application PortalProposedIdentity Federation, OpenAPI Backends
Governed batch, streaming, warehouse, lakehouse, or analytical data movementData PipelinesAcceptedADR 015: Data Pipeline Quality, ADR 018: Databases and Lakehouses
OIDC or legacy SAML federation for workforce, citizen, customer, partner, or privileged usersIdentity FederationProposedADR 013: Identity Federation, ADR 012: Privileged Remote Access
Agency-controlled HTTP API accurately described by OpenAPIOpenAPI BackendsAcceptedADR 003: HTTP API Contracts, ADR 016: Edge Protection, ADR 004: CI/CD

Adoption Bundles

Use these bundles to start project discovery, not as universal control sets. Add or remove ADRs according to the preflight, selected architecture variant, and project risk. A Proposed reference architecture or ADR still requires explicit project approval.

Public Website or Content Service

Start with: Accepted Content Management.

Minimum ADR set: ADR 020: Frontend UI Foundations, ADR 016: Edge Protection, ADR 004: CI/CD, ADR 009: Release Standards, ADR 007: Logging, and ADR 014: Backups and Recovery. Add ADR 013: Identity Federation when users or editors sign in.

Kickoff deliverables:

  • Service and content brief, audiences, critical journeys, content ownership, publication workflow, and selected architecture variant
  • Accessibility and design-system assessment with representative user testing
  • Content, media, URL, redirect, integration, records, and retention inventory
  • Edge and origin design, release path, service objectives, support model, recovery test, migration plan, and export or exit plan

Agency-Controlled HTTP API

Start with: Accepted OpenAPI Backends.

Minimum ADR set: ADR 003: HTTP API Contract Standards, ADR 004: CI/CD, ADR 005: Secrets Management, ADR 007: Logging, and ADR 009: Release Standards. Add ADR 013: Identity Federation for user delegation, ADR 016: Edge Protection for Internet exposure, and ADR 014: Backups and Recovery for stateful services.

Kickoff deliverables:

  • Version-controlled OpenAPI contract, named consumers, ownership, lifecycle, compatibility policy, and deprecation plan
  • Exposure and trust-boundary diagram, authentication and operation or resource authorisation model, data classification, limits, and abuse cases
  • Contract, behaviour, security, compatibility, and failure test plan
  • Service objectives, monitoring, support and incident runbooks, recovery plan, consumer migration plan, and provider-exit record

Data Pipeline or Analytical Data Service

Start with: Accepted Data Pipelines.

Minimum ADR set: ADR 015: Data Pipeline Quality, ADR 018: Databases and Lakehouses, ADR 004: CI/CD, ADR 005: Secrets Management, ADR 007: Logging, ADR 010: Infrastructure as Code, and ADR 014: Backups and Recovery. Add ADR 017: Analytical Publications for bounded publications and Proposed ADR 021: Workload mTLS when approved for Kubernetes-hosted pipeline services.

Kickoff deliverables:

  • Source, consumer, authority, purpose, classification, sharing, retention, and processing-location record
  • Versioned data contracts, data-flow diagram, quality thresholds, lineage design, quarantine, replay, and reconciliation approach
  • Freshness and service objectives, capacity and cost forecast, RTO, RPO, support model, and incident runbooks
  • Representative quality, lineage, performance, recovery, migration, interoperability, and exit tests

AI-Assisted Service or Workflow

Start with: Proposed AI-Assisted Digital Services, with explicit project approval, and ADR 011: AI Tool and Agent Governance.

Minimum ADR set: ADR 011: AI Tool and Agent Governance, ADR 001: Application Isolation, ADR 005: Secrets Management, and ADR 007: Logging. Add ADR 004: CI/CD for released software and the ADRs required by the authoritative source service.

Kickoff deliverables:

  • Bounded use case, excluded uses, risk tier, accountable human, human decision boundary, and non-AI fallback
  • Information classification, privacy, records, supplier, processing-location, offshoring, retention, and threat assessments
  • Representative evaluation set with quality, safety, accessibility, security, refusal, and human-review acceptance thresholds
  • Prompt and model change controls, monitoring and incident runbook, usage and cost limits, data and configuration export, and provider-exit test

Federated Application Set

Start with: Proposed Federated Application Portal, with explicit project approval. Select only shared capabilities with demonstrated user or operational value.

Minimum ADR set: ADR 013: Identity Federation, ADR 003: HTTP API Contracts for shared APIs, ADR 020: Frontend UI Foundations, ADR 005: Secrets Management, and ADR 007: Logging. Add ADR 012: Privileged Remote Access for administration and ADR 016: Edge Protection for Internet-facing capabilities.

Kickoff deliverables:

  • Selected shared capabilities, accountable boundaries, funding and support model, application inventory, direct-access paths, and degraded modes
  • Cross-application journeys, accessibility and assisted-digital needs, identity assurance, claim definitions, and application-owned authorisation model
  • Versioned API, message, SDK, component, and native-bridge contracts where used
  • Trust-boundary and data-flow diagrams, service objectives, onboarding and offboarding checks, resilience tests, migration plan, and exit plan

Start by Capability

CapabilityPrimary ADRs
Application isolation and boundariesADR 001: Isolation
Managed Kubernetes for compatible workloadsADR 002: Managed Kubernetes
HTTP API contracts and testingADR 003: HTTP API Contracts
AI model access, abstraction, and provider exit assessmentAI-Assisted Digital Services, ADR 011: AI Tool and Agent Governance
Build, test, and deployment automationADR 004: CI/CD, ADR 009: Release Standards
Frontend UI, design-system components, CMS templates, or portal widgetsADR 020: Frontend UI Foundations
Secrets and credential handlingADR 005: Secrets Management
Policy-as-code and guardrailsADR 006: Policy Enforcement
Centralised logging and monitoringADR 007: Logging
Email domains and anti-spoofingADR 008: Email Authentication
Infrastructure and configuration as codeADR 010: Infrastructure as Code
AI tools and agentsADR 011: AI Tool and Agent Governance
Privileged accessADR 012: Privileged Remote Access
Identity federationADR 013: Identity Federation
Independent backup and recoveryADR 014: Backups and Recovery
Data contracts, runtime lineage, and qualityADR 015: Data Pipeline Quality
CDN, WAF, and edge protectionADR 016: Edge Protection
Reproducible analytical publicationsADR 017: Analytical Publications
Managed databases and open lakehousesADR 018: Databases and Lakehouses
Shared file accessADR 019: Shared File Access
Kubernetes workload identity, mTLS, and service authorisationADR 021: Workload mTLS

ADR Catalogue

This generated catalogue is the authoritative index of ADR status, review dates, and direct dependencies. Dependencies come from each ADR’s synopsis; update the source ADR and run just update-catalogue rather than editing this table.

ADRDomainStatusDecision dateReview dateDependencies
ADR 001: Application IsolationSecurityAccepted2026-07-112027-07-11ADR 021 (Proposed), ADR 006 (Proposed), ADR 007
ADR 002: Managed Kubernetes for Compatible WorkloadsOperationsAccepted2026-07-112027-07-11ADR 018, ADR 019, ADR 021 (Proposed)
ADR 003: HTTP API Contract StandardsDevelopmentAccepted2026-07-112027-07-11None
ADR 004: CI/CD Quality AssuranceDevelopmentAccepted2026-07-112027-07-11ADR 003, ADR 010
ADR 005: Secrets ManagementSecurityAccepted2026-07-112027-07-11None
ADR 006: Automated Policy EnforcementOperationsProposed2026-07-112027-07-11ADR 021 (Proposed), ADR 010, ADR 007
ADR 007: Centralised Security LoggingOperationsAccepted2026-07-112027-07-11None
ADR 008: Email Authentication ProtocolsSecurityAccepted2026-07-112027-07-11None
ADR 009: Release StandardsDevelopmentAccepted2026-07-112027-07-11ADR 007
ADR 010: Infrastructure and Configuration as CodeOperationsAccepted2026-07-112027-07-11ADR 009
ADR 011: AI Tool and Agent GovernanceSecurityAccepted2026-07-112027-07-11ADR 001
ADR 012: Privileged Remote AccessSecurityAccepted2026-07-112027-07-11ADR 007, ADR 010
ADR 013: Identity Federation StandardsSecurityAccepted2026-07-112027-07-11ADR 012, ADR 007
ADR 014: Independent Backups and RecoveryOperationsAccepted2026-07-112027-07-11None
ADR 015: Data Pipeline Contracts, Quality and LineageOperationsAccepted2026-07-112027-07-11ADR 007
ADR 016: Web Application Edge ProtectionSecurityAccepted2026-07-112027-07-11ADR 019, ADR 007
ADR 017: Reproducible Analytical PublicationsOperationsAccepted2026-07-112027-07-11ADR 016
ADR 018: Managed Relational Databases and Open LakehousesOperationsAccepted2026-07-112027-07-11ADR 014
ADR 019: Shared File AccessOperationsAccepted2026-07-112027-07-11ADR 016, ADR 014
ADR 020: Frontend UI FoundationsDevelopmentAccepted2026-07-112027-07-11None
ADR 021: Workload mTLS and Service AuthorisationSecurityProposed2026-07-112027-07-11ADR 001, ADR 006 (Proposed), ADR 010, ADR 007

Quality Checks Before Delivery

Before using a decision in a project kickoff, confirm that:

  • The ADR or reference architecture is not superseded
  • Accepted ADRs are used as active decisions; Proposed material has explicit project approval and does not silently establish a standard
  • The review date has not passed, or the decision owner accepts the risk
  • Compliance obligations are checked in Compliance Mapping
  • Related ADRs have been reviewed together, not in isolation
  • Project-specific deviations are documented in the project record