RFCs should not end in “approved.” They should end in architecture that can be operated, measured, and challenged by evidence.
The durable unit is not the page. It is the decision lifecycle.
Move from uncertainty to an accountable decision, then prove readiness and validate the result in production.
Tap a stage or reasoning principle to understand its purpose, SDLC placement, template, and next step.
The product is a repeatable path from uncertainty to an accountable, testable, operational decision.
RFCs should not end in “approved.” They should end in architecture that can be operated, measured, and challenged by evidence.
The durable unit is not the page. It is the decision lifecycle.
Assess reversibility, blast radius, affected contracts, risk, and the required artifact tier.
OUTPUT → decision class + approverUse an RFD when the idea is still incomplete and the team needs to shape the problem before defending a solution.
OUTPUT → RFDState one decision, the evidence, credible alternatives, constraints, trade-offs, rollout, rollback, and success criteria.
OUTPUT → RFC / enhancement proposalAttach benchmarks, evaluation datasets, prototypes, cost models, threat analysis, and failure evidence.
OUTPUT → evidence packageClassify comments, dispose of objections visibly, and prevent preference from masquerading as a blocking risk.
OUTPUT → review dispositionOne accountable approver accepts, rejects, defers, withdraws, or conditionally accepts the proposal.
OUTPUT → decisionRecord the choice, consequences, guardrails, conformance rules, and explicit supersession triggers.
OUTPUT → ADRLink Jira, repositories, contracts, tests, diagrams, dashboards, and implementation milestones.
OUTPUT → executable planValidate ownership, SLOs, runbooks, capacity, auditability, failure modes, rollback, and incident response.
OUTPUT → ORRCompare promised outcomes with actual quality, cost, reliability, risk, adoption, and architectural conformance.
OUTPUT → evidence-driven evolutionTwelve artifacts cover exploration, decision, implementation truth, risk, readiness, migration, and enforcement. Open any term for its full guide and template.
An Architectural Design Decision is the choice itself. The Architecture Decision Record is the durable artifact that preserves that choice, its rationale, and its consequences.
Is this idea worth developing? Use it while the problem and solution space are still fluid.
Should we adopt this substantial proposal? Invite structured challenge before committing.
How does a capability mature from alpha through general availability, deprecation, and removal?
What did we decide, why, under which guardrails, and what would trigger reconsideration?
How does the selected architecture work now? Keep this current as implementation evolves.
What behavior, schemas, compatibility, authorization, and failure semantics can consumers rely on?
What reproducible evidence supports the proposal across quality, latency, cost, safety, and failure?
What can fail, be abused, leak, overreach, or create unacceptable organizational risk?
Can the owning team safely run, observe, recover, support, and retire the system?
Why is a standard being violated, who accepts the risk, and exactly when does the exception expire?
How will consumers move, compatibility end, data transition, and the old capability be safely removed?
How will tests, policy, telemetry, service catalogs, and review detect divergence from the decision?
Each anchor provides the purpose, SDLC placement, and next handoff. The modal adds the full operating detail and a copyable template without leaving the current context.
Move from uncertainty to an explicit, durable choice.
Explore a consequential idea before the solution hardens.
The problem matters, but the right approach, scope, or ownership is still uncertain.
Discovery and pre-design. It belongs before formal architecture review, vendor commitment, or implementation planning.
Advance to an RFC or Enhancement Proposal, record why the idea was stopped, or split the problem into smaller investigations.
Request a concrete decision on a substantial proposal.
A cross-team, high-impact, costly, risky, or hard-to-reverse change needs explicit review.
Architecture and planning. Use it before implementing platform services, public contracts, new trust boundaries, or material AI capabilities.
Record the outcome. Accepted RFCs usually create one or more ADRs, delivery work, risk actions, and readiness gates.
Govern a platform capability through maturity and retirement.
A capability needs staged delivery, graduation criteria, compatibility commitments, and long-term lifecycle ownership.
Planning through retirement. It spans design, implementation, release, adoption, and deprecation.
Each stage produces delivery milestones, readiness evidence, adoption reviews, and explicit graduation or rollback decisions.
Preserve the final decision, rationale, and guardrails.
A significant architectural choice must remain understandable after the proposal discussion is over.
Decision formalization and implementation handoff. Create it after approval and before the decision spreads across teams.
Link current design and conformance checks. If the decision changes, publish a new ADR that supersedes the original.
Describe the current system and the contracts consumers depend on.
Explain how the selected architecture works now.
Engineers, operators, and integrators need a current implementation model rather than historical decision debate.
Detailed design, implementation, onboarding, operations, and maintenance.
Drive implementation, test plans, runbooks, contracts, and architecture reviews. Update it when the system changes.
Define what producers and consumers can safely rely on.
Multiple systems depend on stable behavior, schemas, compatibility, authorization, or failure semantics.
Detailed design, integration, implementation, release, and compatibility management.
Generate implementation work, consumer migration, contract testing, version management, and deprecation plans.
Establish evidence, bound risk, and validate operational readiness.
Support the decision with reproducible proof.
Quality, safety, latency, cost, resilience, or AI behavior must be compared across alternatives or releases.
Proposal evaluation, qualification, pre-release validation, and regression management.
Feed the RFC, threat assessment, ORR, and change-control process. Failed thresholds trigger redesign or rollback.
Identify how the system can fail, be abused, or create harm.
A change introduces a new trust boundary, sensitive data, external provider, agent action, or consequential user impact.
Discovery, design, pre-release review, and material change review.
Add controls to the RFC and design, create test cases, record residual risk, and verify mitigations during ORR.
Prove the owning team can run the system safely.
Implementation is substantially complete and a production release or major expansion needs an operational gate.
Pre-release and release. It sits between implementation completion and broad production rollout.
Launch with validation criteria, or create blocking remediation with named owners and dates.
Handle deviations, migrations, and continued architectural alignment.
Make a temporary deviation visible, owned, and expiring.
A team cannot currently comply with an approved standard or decision and needs time-bound risk acceptance.
Implementation, release, and operation whenever conformance cannot be achieved on schedule.
Remediate before expiry, renew with new evidence, or change the underlying standard through a new proposal.
Move consumers safely and retire the old capability.
An API, model, provider, schema, service, or platform capability must be replaced or removed.
Planning, implementation, release, adoption, and retirement.
Complete migrations, revoke exceptions, verify data and traffic movement, and archive or remove the retired capability.
Keep implementation aligned with the approved decision.
An architectural rule or platform standard must remain enforceable after approval.
Implementation, release, and operation. It is the continuity layer after approval.
Remediate violations, approve a time-bound waiver, or publish a new proposal when the original rule no longer fits reality.
The classic pair breaks down when it tries to carry organizational authority, AI evidence, production readiness, and ongoing conformance.
Without tiers, every change becomes bureaucracy—or important changes disappear into Slack and pull requests.
Comments do not create accountability. One person must own the final decision and residual risk.
Material objections need a visible outcome: accepted, modified, rejected, deferred, or moved out of scope.
A successful demo is not an evaluation. AI decisions need representative datasets, baselines, thresholds, and failure analysis.
An accepted architecture can still be impossible to operate. Readiness must be evaluated separately.
Decisions decay unless code, policy, contracts, telemetry, and review can detect implementation drift.
Classify feedback by consequence. Require blockers to name the quality attribute, failure scenario, and evidence needed to resolve the concern.
A requirement, safety boundary, or quality attribute cannot be met. Must be resolved before approval.
A material risk or trade-off exists. The approver may accept it explicitly with an owner and rationale.
Information is missing or ambiguous. The response should improve shared understanding.
An optional improvement. It should not silently become a veto or an untracked requirement.
Accepted · Accepted with conditions · Rejected · Deferred · Withdrawn · Superseded. Conditional approval must produce owned, dated, tracked conditions—not a vague future obligation.
Driver: moves the document. Approver: makes the decision. Contributors: provide required expertise. Informed: receive visibility without creating another veto point.
The tiering model prevents architecture theater for small changes while forcing discipline around irreversible, platform-wide decisions.
| Tier | Characteristics | Required artifacts | Review target |
|---|---|---|---|
| T0 · Local | Reversible. One repository. No external contract. | Ticket + pull request | Normal code review |
| T1 · Bounded | One service. Moderate impact. Reversible. | Mini-RFC or ADR | 2–3 business days |
| T2 · Cross-system | Multiple services or teams. API, SLO, security, cost, or data impact. | Full RFC + durable decision record | 5 business days |
| T3 · Strategic | Platform-wide. Hard to reverse. Vendor, regulated data, or agent autonomy. | Enhancement proposal + ADRs + evidence + threat model + ORR | 10 business days + decision review |
| Emergency | Incident containment or urgent compliance action. | Expedited record + exception | Retrospective review on a fixed date |
New platform service, trust boundary, provider, agent permission, public contract, data classification, SLO, multi-team dependency, irreversible migration, or material recurring cost.
The harder a decision is to unwind, the more evidence, explicit ownership, migration planning, and production controls it deserves.
Models, prompts, retrieval, tools, permissions, datasets, and providers can all change system behavior without changing the application code.
Version, region, data terms, context limits, fallback, deprecation, cost assumptions, portability, and change policy.
Baseline, provenance, metrics, human rubric, acceptance thresholds, results by configuration, and known limitations.
Injection, excessive agency, tool misuse, privilege propagation, memory poisoning, supply chain, and denial of wallet.
Standard metadata, automated registries, page approvals, Jira linkage, reminders, and status separation turn documentation into an operational system.
Content Properties Report · Jira linkage · Approval workflow · Automated staleness controls
| ID | Proposal | Governance | Delivery | Risk | Owner |
|---|---|---|---|---|---|
| RFC-AI-023 | Remote MCP authorization model | In review | Not started | T3 | Platform AI |
| RFC-AI-019 | AI gateway routing and fallback | Accepted | In progress | T3 | Core Platform |
| ADR-AI-017 | Signed tool manifests | Current | Released | T2 | Security |
| RFC-DATA-008 | Embedding deletion propagation | Blocked | Not started | T3 | Content Data |
| RFD-AI-031 | Evaluation-as-a-service | Ideation | — | T2 | AI Foundation |
Ideation, draft, review open, decision pending, accepted, rejected, deferred, withdrawn, superseded.
Not started, in progress, released, validated, retired. Do not hide implementation state inside approval state.
Current, review due, stale, historical. A released decision can still contain outdated operational guidance.
Open a focused template from the library, or use the fuller RFC, ADR, and AI-readiness examples below. Progressive disclosure keeps the page scannable.
Open a focused modal, copy the template, then return to the guide or full examples below.
Proposal, evidence, trade-offs, rollout, and decision.
# RFC-[DOMAIN]-[NUMBER]: [Decision-oriented title] ## Metadata Type · Status · Driver · Approver · Risk tier · Deadline Affected systems · Required reviews · Related work ## Executive summary ## Decision requested ## Current state and problem ## Goals / Non-goals ## Decision drivers and constraints ## Proposed architecture ## Interfaces and contracts ## Data, AI, security, and operations ## Rollout / Migration / Rollback ## Validation and evaluation ## Alternatives considered ## Risks and mitigations ## Material feedback disposition ## Decision and follow-up work
Decision, rationale, consequences, guardrails, and conformance.
# ADR-[DOMAIN]-[NUMBER]: [Decision as an action] ## Metadata Status · Date · Owner · Approver · Scope Supersedes · Superseded by · Related RFC ## Context ## Decision drivers ## Options considered ## Decision ## Rationale ## Consequences ## Guardrails ## Conformance ## Validation evidence ## Review and supersession triggers ## Follow-up actions
Intent, evidence, runtime controls, and launch gate.
# AI Evidence + Production Readiness ## System profile ## Intended use and prohibited use ## AI supply chain and versions ## Data profile and lineage ## Evaluation datasets and thresholds ## Human evaluation ## Failure analysis ## Agentic and LLM security testing ## Runtime authorization and guardrails ## Reliability, SLOs, and observability ## Incident response and kill switch ## Release decision ## Conditions and post-launch validation
Use these as an initial RFC backlog for foundational AI integrations across content delivery, MCP, knowledge, governance, and observability.
Control plane, data plane, routing, fallback, tenant isolation, and portability.
Define reliability, latency, support, and cost expectations by workload class.
Identity propagation, delegated access, invocation-time policy, audit, and revocation.
Ownership, signed manifests, discovery, approval, versioning, and emergency removal.
Define autonomy boundaries, approval UX, timeouts, and recovery.
Preserve access controls through retrieval, reranking, generation, caching, and citation.
Standardize source identity, excerpt traceability, confidence, and consumer obligations.
Guarantee removal through derived indexes, caches, summaries, and replicas.
Golden datasets, scoring, human review, regression gates, and reusable evidence.
Qualification, version pinning, deprecation, regression, fallback, and rollback.
Injection, excessive agency, tool misuse, memory poisoning, and supply-chain controls.
Time-bound deviation, residual risk ownership, compensating controls, and expiry.
Model, prompt, retrieval, tool, token, cost, quality, and correlation metadata.
Chargeback, tenant attribution, forecast, anomaly detection, and denial-of-wallet controls.
Routing, model availability, failover, content location, and compliance boundaries.
The process fails when it becomes theater, consensus machinery, stale history, or a substitute for evidence.
The decision was already made, but a page simulates consultation.
Every reviewer becomes a veto point.
Comments become demonstrations of expertise.
Many authors flatten the narrative into contradictions.
Chronology replaces decision quality.
A polished demo is presented as proof.
Major concerns become an informal backlog.
The decision cannot be found from the implementation.
Start with live work. Measure friction. Tune the process before scaling it across the platform organization.
Define thresholds, lifecycle states, DACI roles, metadata, naming, templates, and the Confluence space.
Run one T1, one T2, and one AI-specific T3 proposal through the lifecycle.
Build the registry, reminders, approval conditions, Jira links, stale-document reports, and waiver expiry checks.
Remove ceremonial sections, strengthen missing controls, and publish RFC-0001 as the governing process RFC.
The page synthesizes current standards, operating models, and production-readiness practices. Open the underlying sources for the normative detail.
Confluence becomes the control plane for intent, ownership, evidence, and accountability. Code, contracts, tests, telemetry, and policy become the delivery plane that proves the decision is real.