The Architecture Canontruth · evidence · projection

Back to site index

Law

Documentation Is Architecture

law-08-documentation-is-architecture · canon/laws/LAW-08-documentation-is-architecture/unit.md

Content source: Deepest Treatment · publications/books/building-systems-that-matter/volumes/I/08-Documentation-Is-Architecture.md · Canonical source: canon/laws/LAW-08-documentation-is-architecture/unit.md

Foundational Chapter 8

Documentation Is Architecture

"If the architecture lives only in people's heads, you do not have an architecture. You have a rumor."

— Rick Collette

Abstract

If your architecture lives only in people's heads, you don't have an architecture. You have a rumor.

It feels solid while everyone who built it is still around to answer questions. Then someone leaves, and a little of the system becomes unknowable. Then another. Eventually you are running code nobody fully understands, shaped by decisions nobody can reconstruct.

Seven laws have described how to build trustworthy systems. This final law concerns how a system is known — and it makes a claim that sounds like a category error until you look closely: the documentation of a system is not a description of its architecture. It is part of its architecture.

The conventional view treats documentation as downstream of design: you architect the system, then, if there is time, you write up what you built. In this view documentation is a record, perennially out of date, perennially deprioritized, a chore that describes the real thing from the outside. This chapter rejects that view. The act of writing a system down with enough precision is an act of architecture — it forces the clarity, exposes the gaps, and fixes the decisions that loose, in-the-head designs leave fatally vague. And a system whose architecture exists only as tribal knowledge does not, in any durable sense, have that architecture at all; it has a fragile consensus that decays with every departure, every reorg, and every month that passes.

This chapter grounds the claim in the most direct evidence available: the specifications of the systems used throughout this book — AISDR, SADIE, CapDB, CapBan — which are precise enough that the document is the architecture; in EDDA, whose RFCs and ADRs make decisions first-class artifacts; and, unavoidably, in this book itself, which is an attempt to make a body of architectural thinking exist as something more durable than its author's memory.

1. The idea

Architecture is the set of significant decisions about a system — its structure, its boundaries, its constraints, its trade-offs. Documentation is the externalization of those decisions into a form others can read, check, and build on. The law's claim is that these are not two separate things, the second describing the first, but two aspects of one thing: a decision that is not externalized is not yet fully made, and an architecture that is not written down does not durably exist.

Consider what happens when you try to document a design precisely. You discover, the moment you must write it down exactly, all the places where it was vague. The boundary you "knew" was clear turns out to have an undefined case. The constraint you "obviously" enforced turns out to have no enforcement. The decision everyone "agreed" on turns out to mean three different things to three people. The act of documentation does not merely record the architecture; it completes it, by forcing every loose place into a decision. This is why writing the spec is architectural work and not clerical work: the precision the document demands is precision the architecture lacked until the document demanded it.

Now consider the alternative — architecture that lives only in people's heads. It feels real because the people can answer questions about it. But it is a rumor: unverifiable (you cannot check a head against itself), inconsistent (different heads hold different versions), undiscoverable (newcomers cannot read a mind), and mortal (it leaves when the person does). An undocumented architecture is not a leaner version of a documented one; it is a different and far weaker thing — a temporary alignment of memories that is one resignation away from being lost. The system may keep running, but its architecture — the knowledge of why it is shaped as it is and what may not be violated — evaporates, and what remains is code no one fully understands and decisions no one can reconstruct.

So "documentation is architecture" is not a plea to write more. It is a recognition that the written architecture is the architecture in any sense that survives — and that the writing is where much of the architectural thinking actually happens.

2. The forces

Precision forces decisions. You can hold a vague design in your head indefinitely; ambiguity is comfortable until you must commit it to a form others will hold you to. Writing a system down precisely — its schemas, its lifecycles, its boundaries, its failure modes — forces every vague place into a decision, because the document cannot be vague the way a mental model can. This is the generative force: documentation is where loose architecture becomes definite, which is to say where it becomes architecture at all.

Shared understanding requires a shared artifact. A system built by more than one person over more than a moment needs a common, authoritative account of its architecture — one everyone can point to, build against, and be corrected by. Spoken agreement does not provide this; it fragments, drifts, and contradicts itself across people and time. Only a written artifact can be the single source of architectural truth, the same way Chapter 1 demanded a single source of business truth. Documentation is to architecture what the Truth Plane is to data: the one authoritative home that everything else must agree with.

Decisions outlive their deciders. The most valuable architectural knowledge is why — why truth has one home here, why this constraint, why this trade-off and not its opposite. That knowledge is exactly what is lost first when it lives only in memory, because the reasoning fades even before the people leave. A decision recorded with its rationale — an ADR, an RFC — outlives the person who made it and protects the system from having its hard-won choices casually undone by someone who never knew why they were made. Undocumented rationale is undocumented architecture; the system keeps the decision and loses the reason, which means it keeps the constraint and loses the ability to know when the constraint may safely change.

The pull-back force: documentation must be true and live. Documentation is architecture only when it is accurate and maintained. A document that has drifted from the system is worse than none, because it actively misleads — it asserts an architecture the system no longer has. So the law carries an obligation: the architectural documentation must be kept true as the system evolves, treated as a living part of the system rather than a one-time artifact, and ideally bound closely enough to the system (schemas that are enforced, specs that generate or validate code) that drift is structurally hard. Documentation that is allowed to rot does not stay weak architecture; it becomes anti-architecture, a confident description of a system that no longer exists.

3. The law

Documentation is not a description of architecture; it is a constituent part of it. The act of writing a system down with precision is an act of architecture, and an architecture that exists only as tribal knowledge does not durably exist. The written, accurate, maintained account is the architecture in the only form that survives.

Two corollaries follow:

If it is not written, it is not decided. A design held only in memory is incomplete; precision in documentation is where loose architecture becomes definite.
Documentation must be living and true, or it is anti-architecture. Accurate and maintained, it is the single source of architectural truth; drifted and stale, it actively misleads and is worse than nothing.

The systems in this book are, conveniently, their own proof — because the way they are documented is what made them buildable and knowable.

4. Implementation: the specifications that are the systems

The clearest evidence for this law is sitting in the source material for this very book. The systems used as proof points throughout — AISDR, SADIE, CapDB, CapBan — are documented to a level where the document does not describe the architecture; it is the architecture.

Look at what those specifications actually contain. They are not prose summaries written after the fact. They define data schemas down to the field, with types and constraints. They define lifecycles as explicit state machines — the states a workflow or a ban or a decision moves through, and the legal transitions between them. They define the boundaries between components and the contracts across those boundaries. They define threat models, failure modes, and recovery procedures. They define, in several cases, the build order itself — the sequence in which the system is to be constructed. A specification at this level of precision is not a view of the architecture from outside; it is the architecture, expressed in the medium where architecture can be exact.

The SADIE specification is the most striking example. It is precise enough that one could build the system from the document — it gives the module definition, the permission model, the domain model, the table schemas, the event subjects, the package layout, the worker behaviors, the API surface, the approval rules, and the build order. The architecture of SADIE is not something that exists separately and is summarized by the spec; for any practical purpose, the spec is SADIE's architecture, and SADIE's code is one realization of it. This is the first corollary made vivid: every architectural decision about SADIE was made by being written into the spec with enough precision to build from. The places the spec is exact are the places the architecture is decided; had the spec been vague, the architecture would have been vague in exactly those places.

AISDR demonstrates the same principle in a security domain where precision is not a nicety but a requirement. Its specification defines the six control domains, the decision-record schema with its twenty-plus fields, the policy-gate algorithm, the tier model, the evidence-bundle format, the governed request lifecycle step by step. The reason AISDR can make its strong guarantees — that every action has identity, evidence, policy, and a record — is that those guarantees are specified, exactly, in a document precise enough to be the contract the system is held to. An AISDR documented only in people's heads could not make those guarantees, because there would be no authoritative, checkable statement of what the guarantees are. The documentation is not describing AISDR's trustworthiness; it is constituting it.

CapDB and CapBan round out the evidence from the systems-engineering end. CapDB's documentation specifies its layered architecture, its feature-flag implication rules, its volume format, its replication protocol, and its security model — the document is the design that the C code implements, and the design's coherence (the implication rules, the protocol message types) lives in the spec before it lives in the binary. CapBan's specifies its three-layer architecture, its trait contracts, its policy model, its threat model, and its failure-and-recovery behavior. In both, the architecture is the documented design, and the implementation is a faithful rendering of it. Take the documents away and you would not have a leaner system; you would have a body of code whose architecture would have to be reverse-engineered and would, over time, be lost.

5. Implementation: EDDA, decisions as first-class artifacts

EDDA makes the most explicit commitment to this law by treating architectural decisions themselves as first-class, documented artifacts — through RFCs and Architecture Decision Records (ADRs, the lightweight practice Michael Nygard popularized for capturing a decision with its rationale).

This is the third force institutionalized. An ADR records not just what was decided but why — the context, the options considered, the decision, and its consequences. An RFC proposes and deliberates a significant change in the open, as a written artifact others can review and reference. Together they make EDDA's architectural reasoning durable: the rationale behind each significant decision is captured at the moment it is freshest and preserved for everyone who comes after, including those who will one day consider changing it.

The value of this is precisely the value the pull-back force in Chapter 2 and the rationale force above identify. An architecture whose decisions are recorded with their reasoning can be evolved responsibly — a future engineer can read why truth was given one home, why a constraint was imposed, why a trade-off was made, and decide on an informed basis whether the reasoning still holds. An architecture whose decisions live only in memory can only be evolved blindly — the reasoning is gone, so changes are made without knowing what they might violate, and hard-won constraints are casually undone by people who never knew why they existed. EDDA's RFCs and ADRs are how an architecture keeps not just its decisions but its judgment, which is the part that matters most and is lost first.

6. Implementation: this book

It would be incomplete to argue this law without acknowledging the artifact you are reading. This book — and the project documents that govern it, the proof-point map that ties its claims to real systems, the editorial notes that track its state, the plan that sequences its construction — is itself an instance of the law.

The eight laws existed, before this book, as something closer to tribal knowledge: a coherent way of thinking about systems, held in one person's head and scattered across the specifications of the systems that embodied it. That is exactly the fragile, undocumented state the law warns against — real to the person who holds it, a rumor to everyone else, and mortal. The act of writing it down with precision — defining the laws, grounding each in a real system, working through the forces and failure modes and trade-offs — is the act of turning that body of thinking into architecture in the durable sense: externalized, checkable, buildable-upon, and able to survive its author. The places this book is forced to be precise are the places the thinking is forced to become definite, which is the first corollary applied to a book about architecture rather than to a system.

And the book is governed by the second corollary as deliberately as anything it describes. It is built to be living — a plan sequences its construction, editorial notes track its state, a handoff prompt lets work continue across sessions, and a ruleset keeps its voice and claims consistent. The documentation of the book's own construction is treated as part of the book's architecture, because a book about "documentation is architecture" that was itself an undocumented, unmaintained heap would refute its own thesis. The medium is, unavoidably, the message.

7. The failure modes

The architecture in people's heads. The default and most dangerous failure: a system whose real architecture — its boundaries, constraints, and rationale — exists only as shared memory among the people who built it. It feels solid while those people are present and answering questions, and it evaporates the moment they leave, reorganize, or simply forget. What remains is code no one fully understands and decisions no one can reconstruct. The system runs; its architecture is gone. The fix is the first corollary: write it down with enough precision that the architecture exists outside any skull.

Documentation drift. The failure that gives documentation its bad name: a document written once and never maintained, now describing a system that has moved on. This is worse than no documentation, because it misleads with confidence — it asserts boundaries that no longer hold and constraints that were removed, and the reader trusts it. Drifted documentation is anti-architecture, and the second corollary is the guard: keep it living and true, or do not pretend it is the architecture. Binding documentation tightly to the system — enforced schemas, specs that validate code, generated references — is how the strongest systems make drift structurally hard.

Documentation as afterthought. Treating documentation as downstream of design — something to do after the architecture is "done," if time permits — which guarantees both that it is deprioritized into nonexistence and that the architectural clarity the act of documentation would have forced is never forced. The vague places stay vague, because nothing ever demanded they be made definite. The law inverts the order: documentation is not after architecture, it is where architecture happens.

Decisions without rationale. Recording what was decided but not why — schemas and structures without the reasoning behind them. The system keeps its decisions and loses its judgment, so future engineers can see the constraints but not learn whether they still apply, and either ossify around rules they do not understand or casually break rules they should have kept. EDDA's ADRs are the antidote: capture the why, not just the what.

8. The tradeoffs

The cost of this law is effort spent on writing and on keeping the writing true — effort that is real, ongoing, and easy to begrudge because its payoff is deferred and diffuse. Specifying a system to the level where the document is the architecture is substantial work; keeping that document accurate as the system evolves is more work, indefinitely. A team under deadline will always be tempted to skip it, ship the code, and carry the architecture in their heads, because that is faster today. The law's cost is paid now; its benefit — an architecture that survives, that newcomers can learn, that can be evolved responsibly — is collected later, by people who may not be the ones who paid.

That asymmetry is the honest tension, and the resolution is proportionality, as with every law in this book. Not everything warrants a spec from which the system could be rebuilt; a throwaway script needs a sentence, not an RFC, and over-documenting the trivial is its own waste that also breeds drift (the more documentation you carry, the more there is to keep true). The judgment is to invest documentation effort in proportion to architectural significance and longevity: the decisions that are hard, constraining, consequential, and long-lived — truth ownership, security boundaries, governance models, the things the other seven laws are about — deserve to be written with the precision that makes them real and maintained with the discipline that keeps them true. The incidental and short-lived do not. Documentation, like every other property in this book, is matched to the stakes.

There is also a tension between precision and adaptability that mirrors Chapter 2's. A heavily specified architecture is, like a heavily constrained one, harder to change casually — which is partly the point (it prevents casual erosion of hard-won decisions) and partly a cost (it raises the friction of legitimate change). The same answer applies: bind tightly where stability is worth the friction, keep lighter where change is expected, and use living artifacts — ADRs that record changes, specs maintained alongside code — so that the architecture can evolve and stay documented, rather than being forced to choose.

9. The future

The case for this law strengthens in every direction systems are heading, and one direction in particular makes it newly urgent.

As systems grow more complex and more distributed, the architecture that must be held becomes too large for any head — there is simply too much structure, too many boundaries, too many decisions for shared memory to carry. The only architecture that scales with the system is the written one. The larger and more distributed systems become, the more completely "the architecture in people's heads" fails, and the more the documented architecture becomes the only architecture there is.

AI sharpens the point dramatically, in two ways. First, AI systems are consumers of documentation at a scale humans never were: an AI assistant building on or operating a system reads its specifications, and the precision and accuracy of those specifications directly bound what the AI can do correctly. A system documented to the level of AISDR's or SADIE's specs is one an AI can reason about, extend, and operate; a system whose architecture is tribal knowledge is opaque to it. Documentation is becoming the interface through which intelligence — human and artificial — engages an architecture at all. Second, AI is increasingly a producer of systems, and a body of work like this book's — laws, grounded examples, precise specs — is exactly the kind of durable, externalized architecture that can guide generation toward trustworthy systems rather than plausible ones. The discipline of writing architecture down well is, increasingly, the discipline of making architecture legible to machines as well as to people.

The forms will keep evolving — ADRs, RFCs, executable specifications, schemas that enforce themselves, specifications that generate and validate code, documentation bound so tightly to the system that drift becomes impossible. The direction of all of them is the same: toward closing the gap between the written architecture and the running one, until they are unmistakably the same thing. That convergence is the law reaching its conclusion. The architecture and its documentation were never two things. The writing is where the architecture becomes definite, the written account is the architecture in the form that survives, and a system whose architecture is not written down does not, in the end, have one.

Closing Volume I

Eight laws, one argument.

Truth has one home, and everything else derives from it. Architecture is the management of the constraints that make a system trustworthy. Security is a property of the structure, not a feature bolted to it. Relationships are first-class data, not the gaps between entities. Evidence comes before intelligence, because a conclusion is worth what its grounding is worth. Platforms exist to remove decisions, because good practice is reliable only when it stops being a choice. Systems degrade better than the organizations that run them, when they are built to hold the line as they fail. And the documentation of a system is not a description of its architecture but a part of it.

These are not eight separate techniques. They are eight angles on a single discipline — the discipline of building systems that can be trusted: trusted to know what is true, to honor their constraints, to be safe, to model their world honestly, to ground their conclusions, to make the right thing the default, to fail gracefully, and to be knowable. Each law was argued from first principles and proved against systems that were actually built — Ampriot, EDDA, AISDR, CapBan, CapDB — because a law of architecture that cannot survive contact with a running system is not a law; it is an opinion.

The volumes that follow take these systems and examine them whole. Where Volume I used them as proof points — a glimpse of CapDB here, a piece of AISDR there — the case-study volumes follow each system end to end, showing the eight laws not as separate chapters but as they actually appear in a real architecture: tangled together, in tension, traded off against one another, and resolved into something that works. The laws are the lens. The systems are what the lens was built to see.

Truth has one home. Everything else — including this book — is honestly derived from it.

Incoming References

Pattern 2
Projection 4
Reference Architecture 1