# Analysis Dimensions
Use this checklist to ensure systematic coverage when comparing a codebase against a target state. Not every dimension applies to every analysis — scope to the relevant surfaces.
## Prioritisation Rule
Assess dimensions in this order unless the user narrows scope:
- Deployment and infrastructure (can it run in production?)
- Security and authentication (is it safe to expose?)
- Observability (can we see what it's doing?)
- CI/CD and testing (can we ship changes safely?)
- Architecture and code quality (is it maintainable?)
- Documentation and operational readiness (can someone else run it?)
## Technology Stack
- Language and runtime version (alignment with team standard)
- API / web framework
- Frontend framework (if applicable)
- Package manager and lockfile strategy
- Source control platform and branching model
- Monorepo vs multi-repo structure
## Architecture & Design
- Domain boundaries (clean separation vs mixed concerns)
- Data access patterns (ORM, direct SQL, API calls)
- State management (mutable rows, event sourcing, CQRS)
- Type safety (type checker, typed IDs, schema contracts)
- Schema versioning and API evolution strategy
- Configuration management (env vars, config files, feature flags)
## CI/CD & Build
- Pipeline platform (GitHub Actions, Azure DevOps, Jenkins, etc.)
- Build stages (lint, typecheck, test, build, push, deploy)
- Coverage thresholds (overall and diff)
- Linting strictness (rule sets, suppressions)
- Branch policies (reviewers, CI pass, comments resolved)
- PR templates and conventional commits
- Deployment stages (dev → pre-production → production) with approval gates
- Rollback mechanism
- Container build validation in CI
## Containerisation & Infrastructure
- Dockerfile(s) — existence, base image, multi-stage, size
- Container registry integration (ACR, ECR, GCR, Docker Hub)
- Infrastructure-as-code (Terraform, Bicep, CloudFormation)
- Environment provisioning (pre-production/production parity)
- Port conventions and health endpoints
- Container topology (single, sidecar, multi-container)
## Observability
- Telemetry SDK (OpenTelemetry, vendor-specific)
- Distributed tracing (spans on key operations)
- Structured logging (JSON, correlation IDs, log levels)
- Custom metrics (business KPIs, throughput, latency)
- Dashboards and alerting rules
- Log remediation (print statements vs logging framework)
## Authentication & Authorisation
- Auth mechanism (OAuth/OIDC, API keys, service-to-service)
- Identity provider integration (Entra ID, Okta, Auth0)
- Role model (RBAC, ABAC, custom)
- Token validation (JWT verification, session management)
- Secrets management (Key Vault, Secrets Manager, env vars)
## Security
- Secret scanning (detect-secrets, gitleaks, trufflehog)
- Dependency auditing (pip-audit, npm audit, OSSF scorecard)
- SAST (bandit, semgrep, CodeQL)
- CORS configuration
- Network security (VNet, private endpoints, firewalls)
- Security headers (CSP, HSTS, X-Frame-Options)
- Input validation (at boundaries, against injection)
- Supply-chain controls (pinned actions, lockfile integrity)
## Testing
- Test framework and runner
- Coverage thresholds (overall, diff, per-module)
- Test categorisation (unit, integration, e2e, smoke, golden)
- Test quality tooling (structural quality, not just coverage)
- E2E / browser test capability
- Load / performance testing
- Pre-commit / pre-push test gates
## Documentation
- Architecture Decision Records (ADRs)
- Developer setup guides (README, CONTRIBUTING)
- API documentation (OpenAPI specs, generated vs hand-maintained)
- Operational runbooks (startup, recovery, incident)
- Deployment documentation
- Documentation site (VitePress, MkDocs, Docusaurus)
- Copilot customisation (instructions, agents, skills, prompts)
## Operational Readiness
- Runbooks (startup/shutdown, recovery, incident response)
- Change management integration (ServiceNow, Jira, etc.)
- Rollback strategy (documented, tested)
- Release communication (Teams, Slack, email notifications)
- Handover documentation (for team transitions)
- On-call / escalation procedures
## Reporting Rule
For each dimension assessed, produce one of:
- ✅ Aligned — meets or matches the target standard
- ⚠️ Different — alternative approach that achieves the goal (note trade-offs)
- ❌ Gap — missing relative to target (include effort estimate)
- 🟢 Ahead — exceeds the target (note as cross-pollination opportunity)
- ⬜ Out of scope — explicitly excluded with rationale
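The following is an added example (not part of this checklist's own tooling) showing how a few of the Security items above (pinned actions under supply-chain controls, security headers, CORS configuration) can be checked mechanically and reported in the verdict vocabulary of the Reporting Rule. The workflow text and response headers are constructed sample input; the 40-zero commit SHA is a placeholder, and the `uses:` extraction is a regex simplification of what a real YAML-parsing tool would do.

```python
"""Added example: offline checks for three Security-dimension items,
reported as Aligned / Different / Gap per the reporting rule.
All inputs below are constructed samples, not from any real repository."""
import re
from dataclasses import dataclass

# Constructed sample workflow: one action pinned to a (placeholder) full
# commit SHA, one action on a mutable tag.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: actions/setup-python@v5
      - run: pip install -r requirements.txt
"""

# Constructed sample response headers from a pre-production endpoint.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Access-Control-Allow-Origin": "*",
}

@dataclass
class Finding:
    dimension: str
    verdict: str   # "Aligned", "Different" or "Gap", matching the reporting rule
    detail: str

USES_RE = re.compile(r"^\s*-\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(workflow_text: str) -> list[str]:
    """Return action references not pinned to a full 40-hex commit SHA."""
    unpinned = []
    for ref in USES_RE.findall(workflow_text):
        if "@" not in ref:          # local (./path) or docker:// refs carry no @version
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned

REQUIRED_HEADERS = ("Content-Security-Policy", "Strict-Transport-Security", "X-Frame-Options")

def missing_security_headers(headers: dict[str, str]) -> list[str]:
    """Return required headers absent from the response (names compared case-insensitively)."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]

def cors_verdict(headers: dict[str, str]) -> tuple[str, str]:
    """Classify the CORS headers: wildcard origin plus credentials is a gap,
    a bare wildcard is an alternative approach that needs its trade-off noted."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    origin = lower.get("access-control-allow-origin")
    credentials = lower.get("access-control-allow-credentials", "").lower() == "true"
    if origin == "*" and credentials:
        return "Gap", "wildcard origin combined with Access-Control-Allow-Credentials"
    if origin == "*":
        return "Different", "wildcard origin; acceptable only for public, unauthenticated endpoints"
    return "Aligned", "origin allow-list or CORS not enabled"

def assess(workflow_text: str, headers: dict[str, str]) -> list[Finding]:
    """Run each check and map its result onto a reporting-rule verdict."""
    unpinned = unpinned_actions(workflow_text)
    missing = missing_security_headers(headers)
    cors_state, cors_detail = cors_verdict(headers)
    return [
        Finding("Supply-chain controls (pinned actions)",
                "Aligned" if not unpinned else "Gap",
                "all actions SHA-pinned" if not unpinned else "unpinned: " + ", ".join(unpinned)),
        Finding("Security headers",
                "Aligned" if not missing else "Gap",
                "all required headers present" if not missing else "missing: " + ", ".join(missing)),
        Finding("CORS configuration", cors_state, cors_detail),
    ]

ICONS = {"Aligned": "✅", "Different": "⚠️", "Gap": "❌"}

def render(findings: list[Finding]) -> str:
    """Format findings as one line each, in the checklist's verdict style."""
    return "\n".join(f"{ICONS[f.verdict]} {f.verdict}: {f.dimension}: {f.detail}" for f in findings)

if __name__ == "__main__":
    print(render(assess(SAMPLE_WORKFLOW, SAMPLE_HEADERS)))
```

Each check returns data rather than printing, so the same functions can feed a report for the whole checklist; a real analysis would replace the regex with a YAML parser and capture headers from an actual request.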