Review #17 covers v3.7.47 through v3.7.82 — 35 releases that shipped a 12-page public website, public-facing AI Q&A endpoints, subscriber management, 2 new intelligence features, and 5 completed sprints.
The grade drops from A (R16) to A- not because of regression, but because the platform crossed a critical threshold — public exposure with AI endpoints — and the security and observability controls hadn’t fully caught up to the new risk surface.
Board Grades
Each of the 14 board personas independently grades their domain. The composite is a weighted average.
| Persona | Domain | Grade |
| --- | --- | --- |
| Priya Nakamura | Architecture | A- |
| Yael Cohen | Security + IAM | B+ |
| Henning Brandt | Statistics | A |
| Raj Srinivasan | Startup / CTO | B+ |
| Viktor Sorokin | Adversarial | B+ |
What the System Does Well
Architectural coherence: The three-layer architecture (Ingest → Store → Serve) is clean and consistently applied. The Compute→Store→Read pattern separates concerns and supports multiple consumers.
IAM discipline: 49 dedicated, least-privilege IAM roles — one per Lambda — all CDK-managed. No role has dynamodb:Scan. The site-api role is genuinely read-only.
Statistical rigour: Benjamini-Hochberg FDR correction across 23 correlation pairs, n-gating that downgrades labels at low sample sizes, and a log transform for HRV z-scores. The correlative-not-causal framing is maintained throughout all AI prompts.
Cost discipline: ~$13/month for 49 Lambdas, DynamoDB, S3, CloudFront, SES, and 7 AI-generated email digests per week. Remarkable for the scope.
Key Findings (Selected)
13 total findings were issued. The most significant are shown below.
R17-F01 (Critical): Public AI endpoints without WAF. The site-api Lambda serves AI responses with only in-memory rate limiting, which resets on Lambda cold start. No WAF, no persistent rate store.
R17-F02 (High): In-memory rate limiting is not rate limiting. Lambda cold starts reset all rate counters. Under sustained load, every new Lambda instance starts with a clean slate.
R17-F05 (High): Cross-region architecture split. Site-api in us-east-1 with MCP and data in us-west-2 adds latency to public API reads and operational complexity.
R17-F03 (Medium): No CloudWatch dashboard for site-api. The public-facing Lambda has no latency percentiles, error-rate tracking, or invocation spike detection.
R17-F06 (Medium): No PITR restore drill on record. DynamoDB Point-in-Time Recovery is enabled but has never been tested. Untested backups are not backups.
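Findings R17-F01 and R17-F02 describe counters that live inside a Lambda instance and vanish on cold start. The following is an added example, not the platform's code: one fixed-window limiter run against per-instance stores (each cold start creates a new one) and against a single shared store standing in for a persistent table; the window, limit, client id and the store's atomic check-and-increment are assumptions.

```python
# Added example (not the platform's own code): why counters kept inside a
# Lambda instance do not enforce a global limit, and what a shared store changes.

WINDOW_SECONDS = 60          # fixed window length (assumed)
LIMIT_PER_WINDOW = 5         # requests per client per window (assumed)


class CounterStore:
    """Fixed-window counters keyed by (client, window start).

    One private instance per limiter models the in-memory approach: every
    cold start creates a fresh, empty store. One instance shared by all
    limiters models a persistent store (e.g. a DynamoDB table where the
    increment and the `count < limit` condition run as one atomic update;
    that atomicity is assumed here, not implemented)."""

    def __init__(self):
        self._counts = {}

    def increment_if_below(self, key, limit):
        """Check-and-increment; returns the new count, or None if at the limit."""
        current = self._counts.get(key, 0)
        if current >= limit:
            return None
        self._counts[key] = current + 1
        return current + 1


class RateLimiter:
    def __init__(self, store, limit=LIMIT_PER_WINDOW, window=WINDOW_SECONDS):
        self.store, self.limit, self.window = store, limit, window

    def allow(self, client_id, now):
        window_start = int(now) // self.window * self.window
        return self.store.increment_if_below(f"{client_id}:{window_start}", self.limit) is not None


def requests_allowed(limiters, client_id, n, now=0.0):
    """Spread n requests round-robin over the instances; count how many pass."""
    return sum(1 for i in range(n) if limiters[i % len(limiters)].allow(client_id, now))


def compare(instances=3, requests=30, client_id="203.0.113.7"):  # constructed sample client
    """Return (allowed with per-instance stores, allowed with one shared store)."""
    per_instance = [RateLimiter(CounterStore()) for _ in range(instances)]
    shared = CounterStore()
    shared_instances = [RateLimiter(shared) for _ in range(instances)]
    return (requests_allowed(per_instance, client_id, requests),
            requests_allowed(shared_instances, client_id, requests))
```

With the defaults, compare() returns (15, 5): each of the three instances admits the full quota, so the effective limit is the per-instance limit multiplied by however many instances the traffic spreads across, while the shared store holds it at five.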
Full Review History
17 architecture reviews since inception. Each triggered by a major platform change. Grade trajectory shows the journey from early builds to production-grade system.
| Review | Grade | What changed |
| --- | --- | --- |
| R1–R4 | C–B | Early builds. Single-table design established. First ingest Lambdas. No CI/CD, no monitoring, manual deploys only. |
| R5–R8 | B–B+ | MCP server launched. Character sheet engine. KMS encryption added. Secrets Manager migration from .env files. 25 data sources integrated. |
| R9–R12 | B+ | Intelligence layer: correlation engine, hypothesis generation, adaptive mode. Ingestion validator. PITR enabled. Still no CI/CD; deployment incidents accumulating. |
| R13 | B+ | Turning point. First comprehensive external-style review. 15 findings. #1 risk: no CI/CD pipeline. 8 deployment-related incidents documented. Triggered the 30-60-90 day remediation plan. |
| R14 | A | X-Ray tracing on all Lambdas. MCP synthetic canary every 4h. Security hardening: OIDC, OAuth 2.1, HMAC. R13 critical findings resolved. |
| R15 | A | Platform steady state. Zero dimension changes from R14. All 6 R15 findings resolved. Google Calendar deliberately deferred (data governance). |
| R16 | A | CI/CD pipeline activated. GitHub Actions with OIDC federation. Manual approval gate + auto-rollback. R13 #1 finding officially closed. |
| R17 | A- | Current. Public site with AI endpoints expanded the attack surface. Grade dips from A to A- because security/observability controls are catching up to the new risk profile. 13 findings, 0 critical. |
The pattern: Grade drops when the platform takes on new risk (public endpoints, AI integration, new data sources). Grade recovers when controls catch up. The R13→R14 jump from B+ to A is the sharpest improvement — that's what happens when you fix the deployment pipeline.
This is a real architecture review from a 14-member AI expert board.
The full review is 3,000+ words with detailed findings and remediation plans.
The platform has addressed all Critical and High findings from previous reviews.