| name | create-adrs |
| description | Create Architecture Decision Records (ADRs) documenting strategic technical decisions while acknowledging ecosystem E(t) constraints. Use when choosing cloud providers, languages, frameworks, databases, or architectural patterns. |
| allowed-tools | ["Read","Write","Edit"] |
create-adrs
Skill Type: Actuator (Design Documentation)
Purpose: Document architecture decisions acknowledging ecosystem E(t)
Prerequisites: Strategic technical decision needed
Agent Instructions
You are creating Architecture Decision Records (ADRs) that acknowledge ecosystem E(t) constraints.
Critical: ADRs document GIVEN constraints (E(t)), not just CHOSEN solutions.
Format: "Given E(t), we chose X" (not "we chose X")
ADR Structure
Template
# ADR-{ID}: {Decision Title}
**Date**: {YYYY-MM-DD}
**Status**: Accepted | Rejected | Superseded | Deprecated
**Deciders**: {Who made this decision}
---
## Context
**Requirements**:
- <REQ-ID>: User authentication
- REQ-NFR-SEC-001: Secure password storage
**Problem**:
We need to choose a password hashing algorithm that is secure
against brute force attacks while maintaining acceptable performance.
**Ecosystem E(t) Constraints**:
- Team Experience: Team familiar with bcrypt
- Infrastructure: Running on AWS (bcrypt supported)
- Compliance: PCI-DSS recommends strong hashing
- Performance: Login response must be < 500ms (REQ-NFR-PERF-001)
- Libraries Available: bcrypt, argon2, scrypt available
---
## Decision
**Selected**: bcrypt with cost factor 12
**Rejected Alternatives**:
- SHA256: โ Too fast (vulnerable to brute force)
- MD5: โ Cryptographically broken
- Argon2: โ ๏ธ Better security but team unfamiliar, migration risk
- scrypt: โ ๏ธ Good security but less widely supported
**Rationale**:
1. bcrypt is industry standard (acknowledged E(t))
2. Team has experience with bcrypt (acknowledge E(t) - team capabilities)
3. Cost factor 12 balances security and performance
4. Meets PCI-DSS requirements (acknowledge E(t) - compliance)
5. Login tests show 200ms average (well within 500ms SLA)
---
## Ecosystem Constraints Acknowledged
**Team** (E(t)):
- Team knows: bcrypt, SHA256
- Team doesn't know: Argon2 implementation
- Risk: Learning curve with Argon2
**Infrastructure** (E(t)):
- Platform: AWS Lambda + RDS PostgreSQL
- bcrypt: Native support, no additional dependencies
- Argon2: Would need custom layer
**Compliance** (E(t)):
- PCI-DSS: Requires strong, salted hashing
- bcrypt: Explicitly mentioned in PCI guidelines
- Audit: External auditors familiar with bcrypt
**Performance** (E(t)):
- Requirement: Login < 500ms (REQ-NFR-PERF-001)
- bcrypt (cost 12): ~200ms (acceptable)
- Argon2: ~250ms (acceptable but no experience)
**Timeline** (E(t)):
- Sprint: 2 weeks
- bcrypt: No learning curve (immediate)
- Argon2: 2-3 days research + testing
---
## Constraints Imposed Downstream
**Code Stage** (constraints for implementation):
- MUST use bcrypt library (not custom hashing)
- MUST use cost factor 12 (not lower)
- MUST salt passwords (bcrypt does this automatically)
**Runtime Stage** (constraints for deployment):
- Infrastructure: bcrypt library must be available
- Performance monitoring: Track hash time (should be ~200ms)
**Testing Stage**:
- Test hash time (ensure < 500ms)
- Test bcrypt version (security updates)
---
## Consequences
**Positive**:
- โ
Team productive immediately (no learning curve)
- โ
Proven security (industry standard)
- โ
PCI-DSS compliant (audit-friendly)
- โ
Performance acceptable (< 500ms)
**Negative**:
- โ ๏ธ Not latest algorithm (Argon2 is newer)
- โ ๏ธ Vendor lock-in to bcrypt (migration costly)
**Neutral**:
- Cost factor 12 is balance (could be 10 for faster, 14 for stronger)
---
## Related Decisions
- ADR-001: Database selection (PostgreSQL)
- ADR-003: Session management (JWT)
**Supersedes**: None
**Superseded By**: None
---
## References
- PCI-DSS Password Requirements: https://www.pcisecuritystandards.org/
- bcrypt Documentation: https://en.wikipedia.org/wiki/Bcrypt
- OWASP Password Storage: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
ADR Numbering
Sequential: ADR-001, ADR-002, ADR-003, ...
Categories:
- Infrastructure: Cloud provider, hosting, databases
- Security: Authentication, encryption, authorization
- Architecture: Patterns, frameworks, languages
- Integration: APIs, external services
- Data: Storage, schemas, migration
When to Create ADRs
Create ADR for:
- โ
Cloud provider choice (AWS vs GCP vs Azure)
- โ
Language/framework choice (Python vs Node vs Java)
- โ
Database choice (PostgreSQL vs MySQL vs MongoDB)
- โ
Authentication approach (JWT vs sessions vs OAuth)
- โ
API style (REST vs GraphQL vs gRPC)
- โ
Architectural pattern (monolith vs microservices)
Don't create ADR for:
- โ Implementation details (already covered by code)
- โ Tactical decisions (variable names, file structure)
- โ Obvious choices (using standard library)
Output Format
[CREATE ADR - bcrypt Password Hashing]
Decision: Use bcrypt for password hashing
Context:
Requirements: <REQ-ID>, REQ-NFR-SEC-001
Problem: Need secure password hashing
Ecosystem E(t): Team knows bcrypt, PCI-DSS compliant, AWS supported
Decision:
Selected: bcrypt (cost factor 12)
Rejected: SHA256 (too fast), Argon2 (team unfamiliar)
Ecosystem Constraints Acknowledged:
- Team capabilities: knows bcrypt โ
- Compliance: PCI-DSS requires strong hashing โ
- Performance: Must be < 500ms โ
- Infrastructure: AWS supports bcrypt โ
Constraints Imposed:
- Code must use bcrypt library
- Code must use cost factor 12
- Runtime must have bcrypt available
Created: docs/adrs/ADR-002-password-hashing.md
โ
ADR Created!
Architecture decision documented
Ecosystem E(t) acknowledged
Downstream constraints clear
Notes
Why ADRs?
- Document "why": Explains reasoning behind decisions
- Acknowledge E(t): Shows we understand ecosystem constraints
- Prevent re-litigation: Decision made, recorded, done
- Onboarding: New team members understand past decisions
ADRs vs Constraints (C-*):
- C-*: Given constraints we MUST work within
- ADR: Chosen solutions GIVEN those constraints
Example:
C-001: PCI-DSS requires strong password hashing (GIVEN)
ADR-002: We chose bcrypt (GIVEN C-001 and team skills)
Homeostasis Goal:
desired_state:
all_strategic_decisions_documented: true
ecosystem_constraints_acknowledged: true
rationale_clear: true
"Excellence or nothing" ๐ฅ
