gh-rknall-claude-skills-python-architecture-review/architecture-checklist.md

Python Backend Architecture Review Checklist

This checklist serves as a quick reference for conducting comprehensive architecture reviews.

System Architecture

• Architecture style matches scale and complexity
• Service boundaries are well-defined
• Communication patterns are appropriate
• No unnecessary over-engineering
• Single points of failure identified and addressed
• Dependency management is clear
• Framework choice is justified (FastAPI/Django/Flask/etc.)
• Async patterns are properly utilized where needed

Database Architecture

• Database type selection is appropriate
• Schema is properly normalized/denormalized
• Indexes are strategically placed
• Sharding/partitioning strategy exists if needed
• Read replicas planned for scale
• Caching layer is implemented
• Connection pooling is configured
• N+1 query issues are prevented
• ORM choice is appropriate
• Migration strategy is defined
• Backup and DR plans exist

API Design

• API design pattern is consistent (REST/GraphQL/gRPC)
• Endpoints follow naming conventions
• Versioning strategy is defined
• Authentication/authorization is implemented
• Rate limiting exists
• API documentation is auto-generated
• Error handling is consistent
• Pagination is implemented
• Input validation uses Pydantic or similar
• OpenAPI/Swagger documentation exists

Security

• Authentication mechanism is secure (JWT/OAuth2)
• Authorization model is well-defined (RBAC/ABAC)
• CORS is properly configured
• CSRF protection is enabled where needed
• Data is encrypted in transit (HTTPS/TLS)
• Data is encrypted at rest where needed
• Secrets management solution exists
• SQL injection is prevented (parameterized queries)
• XSS protections are in place
• Security headers are configured
• Dependency scanning is automated
• Password hashing uses bcrypt/argon2
• Audit logging is implemented
• Rate limiting prevents abuse
• Input sanitization is thorough

Scalability & Performance

• Scaling strategy is defined (horizontal/vertical)
• Load balancer is configured
• Auto-scaling rules exist
• Caching strategy is multi-layered
• Background jobs use queue system (Celery/RQ)
• Long-running tasks are async
• Database connection pooling is optimized
• ASGI server is production-ready
• GIL limitations are addressed
• Performance monitoring is in place
• Load testing has been conducted

Observability

• Structured logging is implemented
• Log aggregation is configured
• Metrics are collected (Prometheus/StatsD)
• Distributed tracing exists (OpenTelemetry)
• Error tracking is configured (Sentry)
• Health check endpoints exist
• Alerting rules are defined
• Performance baselines are established
• Business metrics are tracked
• Dashboards are created

Deployment & Infrastructure

• Dockerfile is optimized (multi-stage)
• Container orchestration is configured
• CI/CD pipeline is automated
• Environment parity exists (dev/staging/prod)
• Infrastructure as Code is used
• Deployment strategy is safe (blue-green/canary)
• Rollback procedure is defined
• Configuration is externalized
• Secrets are managed securely
• Dependencies are pinned and managed (Poetry/PDM)

Code Organization

• Project structure is clear and logical
• Module boundaries are well-defined
• No circular dependencies exist
• Dependency injection is used appropriately
• Configuration management is centralized
• Type hints are used throughout
• Tests are well-organized (pytest)
• Code follows PEP 8 standards
• Linting/formatting is automated (Ruff/Black)

Resilience

• Retry logic exists for external calls
• Circuit breakers protect external services
• Timeouts are configured appropriately
• Graceful degradation is implemented
• Error handling is consistent
• Dead letter queues exist
• Bulkhead patterns separate concerns
• Rate limiting protects resources

Testing

• Unit tests exist (>80% coverage)
• Integration tests cover critical paths
• API tests validate contracts
• Load tests verify performance
• Security tests check vulnerabilities
• Test fixtures are reusable
• Mocking is used appropriately
• CI runs tests automatically

Documentation

• API documentation is complete
• Architecture diagrams exist
• Setup instructions are clear
• Configuration is documented
• Deployment process is documented
• Code has docstrings
• README is comprehensive
• Contributing guidelines exist

Compliance & Standards

• GDPR compliance addressed if applicable
• HIPAA compliance addressed if applicable
• SOC 2 requirements met if applicable
• Data retention policies defined
• Privacy policies implemented
• Audit trails exist
• 12-Factor App principles followed