docs: add Risk Radar ADRs (ADR-011, ADR-012, ADR-013) by raifdmueller · Pull Request #284 · docToolchain/dacli

raifdmueller · 2026-02-12T09:17:13Z

Summary

Add Architecture Decision Records (Nygard format) documenting the Risk Radar Tier 2 assessment and mitigation implementation that was completed in previous commits.

Changes

New ADRs in arc42 documentation:

ADR-011: Risk Classification - dacli CLI (Tier 2)
ADR-012: Risk Classification - dacli-mcp (Tier 2)
ADR-013: Security Mitigations - Tier 2 Implementation

Updated files:

src/docs/arc42/chapters/09_architecture_decisions.adoc - Include new ADRs
CLAUDE.md - Add links to ADRs from Risk Radar Assessment section

ADR Content

Each ADR documents:

Context: Dimension scoring with evidence (Code Type, Language, Deployment, Data Sensitivity, Blast Radius)
Decision: Tier 2 classification and mitigation strategy
Pugh Matrix: Comparison of alternatives (Tier 1 vs Tier 2 vs Tier 3, repository-wide vs module-specific)
Consequences: Positive (comprehensive testing, automated gates) and negative (CI overhead, maintenance burden)
Implementation: Timeline with commit references for all 9 Tier 1+2 measures (100% complete)

Key Decisions Documented

Tier 2 classification based on max(Code Type=2, Language=2, Blast Radius=2)
Repository-wide mitigation strategy (both modules share codebase)
All Tier 1 measures: Ruff linter, pre-commit hooks, pip-audit, CI with 713 tests
All Tier 2 measures: CodeQL SAST, Hypothesis property-based tests, SonarCloud, AI review, PR review policy (20-30% sampling)
Rejected alternatives: Tier 1 (insufficient), Tier 3 (overkill), module-specific approach (unnecessary complexity)

Related Work

These ADRs document decisions already implemented in commits:

66a6614 - Set up pre-commit hooks
6eeadc5 - Add pip-audit dependency scanning
97804d1 - Fix dependency vulnerabilities
5eb6870 - Add CodeQL SAST
aea5a24 - Add Hypothesis property-based tests
35db3c7 - Create PR review policy
fc74085 - Add SonarCloud integration

Breaking Changes

None

Generated with 🤖 Claude Code (AI-assisted development)

Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com

Created three Architecture Decision Records (Nygard format) documenting the Risk Radar assessment and mitigation implementation: - ADR-011: Risk Classification - dacli CLI (Tier 2) - ADR-012: Risk Classification - dacli-mcp (Tier 2) - ADR-013: Security Mitigations - Tier 2 Implementation Key decisions documented: - Tier 2 classification based on Code Type=2, Language=2, Blast Radius=2 - Repository-wide mitigation strategy (both modules share codebase) - 100% Tier 1+2 measure implementation (9/9 measures complete) - PR review policy with risk-based sampling (20-30%) - Security fixes: cryptography 46.0.5, pip 26.0.1 Each ADR includes: - Context with dimension scoring and evidence - Decision rationale with tier requirements - Pugh Matrix comparing alternatives - Consequences (positive and negative) - Implementation timeline with commit references Updated CLAUDE.md with links to new ADRs. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

raifdmueller merged commit 7dca913 into docToolchain:main Feb 12, 2026
2 of 3 checks passed

raifdmueller mentioned this pull request Feb 12, 2026

Add AsciiDoc linter as pre-commit hook #285

Closed

7 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

docs: add Risk Radar ADRs (ADR-011, ADR-012, ADR-013)#284

docs: add Risk Radar ADRs (ADR-011, ADR-012, ADR-013)#284
raifdmueller merged 1 commit intodocToolchain:mainfrom
raifdmueller:security/tier2-mitigations

raifdmueller commented Feb 12, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

raifdmueller commented Feb 12, 2026

Summary

Changes

ADR Content

Key Decisions Documented

Related Work

Breaking Changes

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant