Governance Quality Analysis
Perform comprehensive governance quality analysis across all architecture artifacts to identify inconsistencies, gaps, ambiguities, and compliance issues.
Command
Arguments
- scope (required): Project ID or “all projects”
Examples
Purpose
Identify inconsistencies, gaps, ambiguities, and compliance issues across all architecture governance artifacts before implementation or procurement. This command performs non-destructive analysis and produces a structured report for tracking and audit.
Operating Constraints
- Non-Destructive: Do NOT modify existing artifacts
- Architecture Principles Authority: Principles are non-negotiable - conflicts require adjustment of requirements/designs, not principles
- UK Government Compliance Authority: TCoP, AI Playbook, ATRS compliance are mandatory
- Evidence-Based: Every finding must cite specific file:section:line references
Detection Passes
The command runs comprehensive analysis across 11 domains:
A. Requirements Quality Analysis
Duplication Detection:
- Near-duplicate requirements across BR/FR/NFR categories
- Redundant requirements that should be consolidated
- Vague adjectives lacking measurable criteria (“fast”, “secure”, “scalable”)
- Missing acceptance criteria
- Unresolved placeholders (TODO, TBD, TBC, ???)
- Requirements with verbs but missing measurable outcomes
- Missing NFR categories (no security, no performance, no compliance)
- Missing data requirements (handles sensitive data but no DR-xxx)
- All requirements marked as MUST (no prioritization)
- No MUST requirements (everything is optional)
- Conflicting priorities
B. Architecture Principles Alignment
Principle Violations (CRITICAL):
- Requirements or designs that violate architecture principles
- Technology choices that conflict with approved stack
- Security approaches that violate security-by-design principle
- Principles not reflected in requirements
- Principles not validated in design reviews
C. Requirements → Design Traceability
Coverage Gaps:
- Requirements with zero design coverage
- Critical MUST requirements not covered
- Security requirements (NFR-S-xxx) not in security architecture
- Performance requirements (NFR-P-xxx) not validated in design
- Components in HLD/DLD not mapped to any requirement
- Technology choices not justified by requirements
D. Vendor Procurement Analysis
SOW Quality:
- SOW requirements match ARC--REQ-.md?
- Missing evaluation criteria?
- Ambiguous acceptance criteria?
- Evaluation criteria align with requirement priorities?
- All critical requirements included in evaluation?
E. Stakeholder Traceability Analysis
Stakeholder Coverage:
- All requirements traced to stakeholder goals?
- Orphan requirements (not linked to any stakeholder goal)?
- Requirement conflicts documented and resolved?
- Decision authority identified?
- Risk owners from stakeholder RACI matrix?
- Data owners from stakeholder RACI matrix?
F. Risk Management Analysis
Risk Coverage:
- High/Very High inherent risks have mitigation requirements?
- Risks reflected in design?
- Risk owners assigned and aligned with RACI matrix?
- Strategic risks reflected in Strategic Case urgency?
- Financial risks in Economic Case cost contingency?
G. Business Case Alignment
Benefits Traceability:
- All benefits mapped to stakeholder goals?
- All benefits supported by requirements?
- Benefits measurable and verifiable?
- Do Nothing baseline included?
- Recommended option justified by requirements scope?
H. Data Model Consistency
DR-xxx Requirements Coverage:
- All DR-xxx requirements mapped to entities?
- All entities traced back to DR-xxx requirements?
- Database schemas in DLD match data model entities?
- CRUD matrix aligns with component design in HLD?
I. UK Government Compliance
TCoP (Technology Code of Practice):
- Assessment exists?
- All 13 points assessed?
- Critical issues resolved?
AI Playbook:
- Assessment exists?
- Risk level determined?
- All 10 principles and 6 themes assessed?
- Mandatory assessments completed (DPIA, EqIA, Human Rights)?
ATRS:
- Record exists?
- Tier 1 and Tier 2 completed?
- Ready for GOV.UK publication?
J. MOD Secure by Design Compliance
7 SbD Principles Assessment:
- All 7 principles assessed?
- CAAT registered and updated?
- DTSL appointed?
- Identify, Protect, Detect, Respond, Recover functions covered?
- First Line (DTSL), Second Line (Technical Coherence), Third Line (Audit) implemented?
K. Consistency Across Artifacts
Terminology Drift:
- Same concept named differently across files
- Inconsistent capitalization/formatting
- Stack choices in HLD match principles
- Technology in DLD matches HLD
Severity Assignment
CRITICAL:
- Violates architecture principles (MUST)
- Missing core artifact (no ARC--REQ-.md)
- MUST requirement with zero design coverage
- Stakeholder: Orphan requirements not linked to goals
- Risk: High/Very High risks with no mitigation
- UK Gov: TCoP/AI Playbook blocking issues
- MOD: CAAT not registered, no DTSL appointed
- Duplicate or conflicting requirements
- Ambiguous security/performance attribute
- Missing NFR category (no security, no performance)
- Vendor design doesn’t address SOW requirements
- Terminology drift
- Missing optional NFR coverage
- Underspecified edge case
- Minor traceability gaps
- Style/wording improvements
- Minor redundancy
- Documentation formatting
Output
Generates ARC-{PROJECT_ID}-ANAL-v{VERSION}.md with:
- Executive summary with overall status and governance health score
- Findings summary table (ID, Category, Severity, Location, Summary, Recommendation)
- Requirements analysis with coverage matrix
- Architecture principles compliance
- Stakeholder traceability analysis
- Risk management analysis
- Business case analysis (if SOBC exists)
- Data model analysis (if DATA exists)
- UK Government compliance analysis (if applicable)
- MOD compliance analysis (if applicable)
- Security & compliance summary
- Recommendations (Critical/High/Medium/Low priorities)
- Metrics dashboard
- Detailed findings with examples
Governance Health Score
Grade Thresholds:
- A (90-100%): Excellent governance, ready to proceed
- B (80-89%): Good governance, minor issues
- C (70-79%): Adequate governance, address high-priority issues
- D (60-69%): Poor governance, major rework needed
- F (<60%): Insufficient governance, do not proceed
Prerequisites
Architecture Principles (MANDATORY):
- Check if projects/000-global/ARC-000-PRIN-*.md exists
- If NOT found: ERROR “Run /arckit:principles first”
- REQ (Requirements)
- STKE (Stakeholder Analysis)
- RISK (Risk Register)
- SOBC (Business Case)
- DATA (Data Model)
- Vendor HLD/DLD files
- Design review documents (HLDR, DLDR)
- Compliance assessments (TCOP, SECD, AIPB, ATRS)
Hook Pre-processing
If the Governance Scan Pre-processor Hook has run:
- All artifact metadata, requirements, principles, risks, cross-references extracted
- Vendor data and placeholder counts available
- Go directly to semantic analysis and detection passes
- Do NOT re-read artifacts listed in hook output
Related Commands
- arckit conformance - Architecture conformance (ADR implementation, drift)
- arckit traceability - Requirements traceability matrix
- arckit principles-compliance - Detailed RAG scoring of principles
- arckit health - Quick metadata health check
Remediation Guidance
After analysis, the command can suggest:
- Specific edits to fix requirements
- Design review guidance
- Command sequences to address gaps
- Templates for missing artifacts
- arckit principles - Create/update architecture principles
- arckit stakeholders - Analyze stakeholder drivers, goals, conflicts
- arckit risk - Create risk register
- arckit sobc - Create business case
- arckit data-model - Create data model
- arckit tcop - Technology Code of Practice assessment
- arckit ai-playbook - AI Playbook assessment
- arckit mod-secure - MOD Secure by Design assessment