Service Architecture audit library · free to read · ADR examples · UK studio

The architecture audit library we run. against every codebase.

Self-audit your codebase against the same ten patterns we run on every paid engagement — no email gate, no paywall — or have an independent senior voice write the brief in five days.

10audit patterns, published free
47audits run since 2019
0paywall, ever
(Why we publish it free)

The checklist was never the moat. The senior attention on your specific codebase is.

These ten patterns are the same ten we run on every paid audit. Nothing held back. Run them against your own code, tick what you have, note what’s missing.

0

0

5days

The founder this library is fordiligence call in 6 weeks · vibe-coded MVP · passed

Nadia inherited the codebase. The product worked. The diligence call was in six weeks.

01

Her seed lead’s CTO had sent a one-line email: “send us the architecture brief and the ADRs before the call.” There were no ADRs. There was no diagram. The MVP had been built in Cursor and Lovable over a frantic eight weeks, and nobody had written down a single load-bearing decision.

02

She didn’t need a rebuild. She needed to know what an acquirer’s CTO would ask, in advance, in plain words. So she ran her code against this library. Ten patterns. Tenant isolation, idempotent payments, an audit log on every mutation, a threat model on the top eight abuse paths.

03

She found six gaps, fixed four herself, and booked us for the two that needed a senior pair. The brief shipped on the Friday. The diligence call lasted forty minutes instead of two days. This page is for founders walking into a room they can’t bluff.

Same ten patterns since early 2025
The architecture patterns library · ten patterns, same shape every Monday

Ten patterns.
Run them against your own codebase.

They surface in eight of every ten audits we’ve done across 47 engagements. Open any row. Tick what you have. Note what’s missing.

Row-level security in Postgres or per-tenant collection in Mongo. Tested with the IDOR playbook. One URL parameter change cannot return another tenant’s data.

Token expiry, refresh rotation, no anon-key fallback, MFA path stubbed. Session invalidation on password change. CSRF on every mutation.

Stripe or GoCardless webhook handlers idempotent. Idempotency keys on every POST that touches money. Reconciler runs nightly. Double-charge architecturally impossible.

Who changed what, when, before-value, after-value. Exportable per workspace. SOC-2 and ISO 27001 audits become paperwork, not panic.

STRIDE + MITRE ATT&CK applied. Spoofing, tampering, repudiation, info disclosure, DoS, elevation. What we tested. What passed. What needs work.

k6 simulation at 5 to 10× expected peak. What breaks first. Where the connection pool maxes out. Where the queue backs up. The capacity number in the runbook.

Trace ID per request. Sentry catches errors with user + tenant context. Datadog or CloudWatch metrics. Runbook for the top 10 alerts. On-call answers within an hour, not a day.

Every paid event (LLM call, email, SMS, storage, Stripe fee) logged with tenant ID. Cost dashboard live. Two customers being 60% of the LLM bill becomes a known fact, not a mystery.

RTO + RPO defined. Multi-AZ on the DB. Backup tested by restoring to staging in the last 90 days. Single-region failure plan documented.

Architecture decision records covering the load-bearing calls. A one-page system diagram in the repo. An onboarding video. Your next senior hire reads it on day one and ships on day two.

The five-day cadence

How the audit week runs

Fixed scope, fixed price, brief on the Friday. The same shape on every engagement since 2019. Self-audit with the library first, then book us for the gaps that need a senior pair.

Step-01

Read-only access

NDA signed inside 30 minutes, read-only access granted, the clock starts. We map the system before we touch a single decision.

Step-02

Run the ten patterns

Tenant isolation, idempotent payments, an audit log on every mutation, a threat model on the top eight abuse paths. The same ten we publish free.

Step-03

Reproduce in staging

Every critical finding is confirmed in staging, not asserted. A finding leads with the risk in plain words, then the observed behaviour.

Step-04

Rank by severity

The fix-list comes ordered by severity with an effort estimate against each line. You fix the cheap criticals; we take the senior pairs.

Step-05

Brief on the Friday

A 30-page written brief, a one-page system diagram, six ADRs drafted. It survives Series A and acquirer review, not a Notion page.

A sample architecture audit finding, redacted

What a real finding looks like in the brief.

Finding 04 of 14. Severity: critical. This is the exact shape of every line in the written audit, not a Notion page.

  1. 01
    The titleOne line, plain words

    “Tenant isolation bypassable with URL parameter modification.”

    A finding leads with the risk, not the jargon. Anyone on the diligence call can read the title and know what’s at stake before the detail.

  2. 02
    ObservedReproduced in staging

    “A trailing slash on another workspace ID returned that tenant’s invoices.”

    The membership check used string-equality that treated a trailing slash as equivalent. We confirmed it in staging: customer A’s token listed customer B’s invoices.

  3. 03
    RiskWhy it matters

    “Direct PII + financial data disclosure across tenants.”

    Material in any SOC-2 audit, GDPR breach assessment, or acquirer technical diligence. The brief states the consequence in the terms your acquirer’s lawyers use.

  4. 04
    RemediationEffort estimated

    “Enforce row-level security at Postgres. Replace string-equality with a strict UUID match.”

    Sample RLS policy in the appendix. Add an integration test for the trailing-slash case. Effort: one senior engineer, three working days.

  5. 05
    Verification pathHow you prove it’s fixed

    “Re-run the staging IDOR test post-remediation.”

    Production deploy behind a feature flag. An audit-log query confirms zero cross-tenant access in the 30 days following. The fix is closed with evidence, not a hope.

Six ways founders use the library, four moments to book the audit

How the library earns its place

CTOs, founders, and engineering leads run this checklist differently. Pick yours, then book us for the gaps that need a senior pair.

10

Patterns published, free

5day

Brief on the Friday

“The diligence call lasted forty minutes instead of two days. This page is for founders walking into a room they can’t bluff.”

A founder who self-audited first

Seed-stage, vibe-coded MVP

001

As a self-audit checklist

Walk your codebase against the ten patterns. Mark the misses. You now have a prioritised list. Most teams find six gaps, some find three, a few find none.

002

As diligence preparation

Your seed lead or acquirer’s CTO will ask about exactly these ten things. Run the library first. Walk into the call with the answers ready. The questions get shorter.

003

As a hiring filter

Sending it to an external developer or agency before they quote? The ones who don’t recognise eight of the ten patterns are the ones who’ll miss them in your code.

004

When an acquirer review is imminent

A diligence call under six weeks out and no time to self-audit, write the brief, and produce the diagram. We ship a 30-page brief and a one-page diagram by Friday.

005

When a new CTO is inheriting

They walk into the brief and ADRs, not a wiki from 2022. An onboarding video recorded. First architectural call by week three, not month three.

006

When a vibe-coded MVP scaled

It was built in Cursor, Lovable, or Claude Code, it broke under load, and you don’t know what to fix first. The audit ranks the fix-list by severity, with effort against each.

Sample architecture audit findings · the receipts

The audit,
in the numbers that survive diligence

Studio-wide aggregate across seven years and 47 audits. Auditable, verified at every M&A diligence we’ve been part of. Numbers, not adjectives.

The library

10
Patterns published, free
0
Email gates, ever

The audit

47
Audits run since 2019
5 days
Brief on the Friday

The outcome

100%
Series A + acquirer reviews passed in 2025
0
Cross-tenant breaches post-remediation
In the founders’ own words

What founders say after the brief ships

Role-anonymised lines from teams who self-audited first, then booked the five-day audit.

100% would refer us
Seed-stage founder Vibe-coded MVP
The diligence call lasted forty minutes instead of two days. We walked in with the brief, the diagram, and the ADRs ready.
01 / 06
Architecture audit library · honest answers

What founders actually ask about the library and the audit

Pain-first, soft-second.

Yes. The ten patterns above are the same ten we run on every paid audit. Nothing held back, no email gate, no PDF download for “exclusive content”. The paid audit ships the senior engineering attention applied to your codebase, the written brief, the diagram, the ADRs, the walkthrough. That’s what you’re paying for. The architecture patterns library itself was never the moat.

Because senior engineers reading your specific codebase for five days find things a checklist can’t predict. The library tells you what to look for. The audit tells you what we found. The written brief tells your acquirer’s CTO what passed. About a third of our paid-audit clients run the architecture audit checklist first, then book the audit anyway. It pays back inside the first quarter.

Yes. We’d genuinely like more UK engineering studios to publish their audit patterns. Architectural transparency raises the floor for every founder. Credit Empyreal if it’s a straight fork. Adapt freely if you’re reshaping it for your stack.

Roughly quarterly, or when a new pattern surfaces in three or more audits in a row. The current ten have been stable since early 2025. We’re tracking two emerging patterns, LLM cost attribution per tenant and MCP tool-use audit logs, that are likely to be added in late 2026.

For tactical questions (“is this RLS policy correct?”, “should we move to Aurora Serverless?”), the senior architect retainer at £5K to £10K a month, cancellable any month, is the right shape. The full 5-day audit is the right shape when you need a written brief defendable at diligence.

Yes. A good third of our audits are on codebases built in Cursor, Lovable, v0, or Claude Code. We don’t care how the code arrived, we care what it does under load and what an acquirer’s CTO will find. The fix-list comes ranked by severity with an effort estimate against each line, so you can fix the cheap criticals yourself and book us for the senior pairs.

Every audit has two senior engineers paired, not one. Every decision goes into an ADR the same day. Mohit reviews the brief before it ships. Two handovers in seven years, both inside 48 hours.

For paid audits, yes, signed inside 30 minutes via DocuSign before any code access. For the free library itself there’s nothing to NDA, it’s public. UK VAT registered, listed on Companies House, shipping since 2019.

Architecture audit library — workflow / interface
In context

See it in context.

A look at the kind of architecture audit library surface we hand over — real screens, real data, documented and yours from day one.

Run the library against your codebase. Or book the audit and we’ll run it for you.

One paragraph. Brief on Friday.

Tell us where the codebase lives, what the diligence timeline looks like, and which patterns you’ve already self-audited. Mohit replies inside 24 hours: a clear yes, a clear no, or the one question that decides it.

Write to mohit@empyrealinfotech.com Replies in 24hNDA in 30 minBrief on Friday
What happens after the email lands
  1. < 24h

    A personal reply.

    Yes, no, or the deciding question. Straight to your inbox.

  2. Day 1

    NDA + code access.

    Signed inside 30 minutes. Read-only access. The audit starts.

  3. Fri

    Brief in your inbox.

    30 pages, a one-page diagram, six ADRs, a ranked fix-list.