{{feature/system name}} ADR

Problem:
Authorization logic is duplicated across services, causing drift and security risk.

Decision:
Introduce a centralized Policy Evaluation Service that evaluates CEL (Common Expression Language) policies against the request context forwarded by the API Gateway, returning an Allow/Deny verdict plus a trace.

Architecture (Mermaid flowchart):

flowchart LR
    Client --> APIGW[API Gateway]
    APIGW -->|Request Context| PolicySvc[Policy Evaluation Service]
    PolicySvc -->|Allow / Deny + Trace| APIGW
    APIGW --> Backend[Backend Service]

    PolicySvc --> PolicyStore[(Policy Registry)]
    PolicySvc --> AuditLog[(Audit Log)]

    subgraph Security Boundary
        PolicySvc
        PolicyStore
        AuditLog
    end
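
The decision loop such a service needs, as an added example that is not part of this ADR or any project code: deny by default, fail closed when a policy cannot be evaluated, a per-policy trace returned to the gateway and written to the audit log, and a shadow flag for the rollout period. CEL evaluation is assumed to be delegated to an engine such as cel-go; here each policy's predicate is a plain Python stand-in for its compiled CEL expression, and MAX_POLICY_BYTES, Policy, register, evaluate and the sample context are assumptions.

```python
# Added example (not from the ADR): the decision loop of the Policy Evaluation Service.
# Policies keep their CEL source for the trace; evaluation is delegated to a Python
# predicate standing in for a real CEL engine (e.g. cel-go), which is not embedded here.
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Callable

MAX_POLICY_BYTES = 4096  # assumed cap; the ADR leaves max policy size as an open question

@dataclass
class Policy:
    id: str
    expr: str                                   # CEL source, as stored in the Policy Registry
    evaluate: Callable[[dict[str, Any]], bool]  # compiled predicate (stand-in for CEL)

def register(policy: Policy) -> Policy:
    """Registry-side check: reject oversized policy sources before they can ever run."""
    if len(policy.expr.encode("utf-8")) > MAX_POLICY_BYTES:
        raise ValueError(f"policy {policy.id} exceeds {MAX_POLICY_BYTES} bytes")
    return policy

def evaluate(policies: list[Policy], ctx: dict[str, Any], audit: list[dict],
             shadow: bool = False) -> dict[str, Any]:
    """Deny by default: allow only if some policy matches and none fails to evaluate.
    An evaluator error (e.g. a context field the gateway omitted) denies: fail closed.
    The per-policy trace is returned to the gateway and audited; shadow mode logs only."""
    trace, matched_any, errored = [], False, False
    for p in policies:
        try:
            matched = bool(p.evaluate(ctx))
            trace.append({"policy": p.id, "expr": p.expr, "result": matched})
            matched_any = matched_any or matched
        except Exception as exc:
            trace.append({"policy": p.id, "expr": p.expr, "result": "error", "reason": repr(exc)})
            errored = True
    decision = {"allow": matched_any and not errored, "enforced": not shadow, "trace": trace}
    audit.append({"principal": ctx["principal"]["id"], "request": ctx["request"], **decision})
    return decision

# Constructed sample data: one request context and two policies from the registry.
CTX = {"request": {"method": "POST", "path": "/orders"},
       "principal": {"id": "u-123", "roles": ["editor"]}}
EDITORS_WRITE = register(Policy(
    "allow-editor-writes", 'request.method == "POST" && "editor" in principal.roles',
    lambda c: c["request"]["method"] == "POST" and "editor" in c["principal"]["roles"]))
TENANT_MATCH = register(Policy(  # references a field absent from CTX, so it raises
    "tenant-match", "principal.tenant == request.tenant",
    lambda c: c["principal"]["tenant"] == c["request"]["tenant"]))
```

Calling evaluate([EDITORS_WRITE, TENANT_MATCH], CTX, log) denies even though the first policy matches, because the second one could not be evaluated; the trace entry with result "error" is what the gateway and the audit log receive.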

Why:

  • Consistent enforcement
  • Auditable decisions
  • Policy updates without redeploys

Key Tradeoffs:

  • +25 ms latency (p95) added to each enforced request
  • Additional service to operate

Impact:
All write APIs will call this service at their enforcement points; no service keeps its own authorization logic.

References:

  • ADR-004 Auth Model
  • CEL Spec

Open Questions:

  • Shadow mode duration?
  • Max policy size?