ADR-001: Use ARC as Assessment Framework Foundation
| Attribute | Value |
|---|---|
| Status | Accepted |
| Date | March 2026 |
| Deciders | CYC Product Team |
Context
CYC Assess requires a comprehensive, structured set of Azure best practice checks to assess client environments. The options were: build a proprietary checklist from scratch, use the Microsoft Azure Review Checklists (ARC), or use AI to generate and maintain checklists dynamically.
Decision
Use ARC as the foundational assessment layer. Extend it with CYC-proprietary items in future where gaps exist.
Options Considered
| Option | Pros | Cons |
|---|---|---|
| ARC (chosen) | 805 GA items, 102 pre-built graph queries, MIT licensed, actively maintained by Microsoft FastTrack, institutional credibility | Dependency on external repo, quarterly sync required |
| Custom proprietary checklist | Full IP ownership, no external dependency | High build cost, no pre-built graph queries, no institutional credibility |
| AI-generated checklists | Flexible, current | Graph queries require precise API schema knowledge — AI cannot maintain correctness reliably; accuracy risk for compliance product |
Rationale
The 102 pre-built Resource Graph queries are the decisive factor. These queries require Microsoft's internal API schema knowledge to maintain correctly. A wrong query returns silently incorrect compliance results — a product liability problem for a compliance-oriented tool. Building and maintaining equivalent queries independently would be a significant engineering investment with no customer-facing benefit.
The ARC institutional credibility ("same framework used by Microsoft FastTrack engineers") is also a trust asset with enterprise buyers that no internally-built checklist can replicate.
AI-generated checklists were evaluated specifically for the graph query layer and rejected on accuracy grounds.
Consequences
- CYC must maintain a
THIRD_PARTY_NOTICES.txtfile in the codebase - Quarterly checklist review and update process required (see Checklist Updates)
- CYC IDs are designed to remain stable even when ARC content changes (see ADR-002)