PK
Back to archive

Engineering

Architecture Is Mostly Deciding What Must Not Change

A practical way to separate durable constraints from implementation details before design hardens.

Architecture Is Mostly Deciding What Must Not Change

Architecture discussions often spend too much time on what we are going to build and not enough time on what must remain stable while everything else changes. The result is design that looks complete but gives no guidance when reality moves.

The most useful architecture work I have seen starts with immovable constraints, not component boxes.

The thesis

Architecture is mostly the act of deciding what must not change.

That sounds conservative, but it is the opposite. Good constraints create room for local change. Bad constraints freeze the wrong things and force every future improvement into negotiation.

The principal engineering question is not "What is the ideal design?" It is "Which promises are we willing to make expensive to break?"

The production pattern

A system usually begins with implementation flexibility. Teams can rename concepts, change storage, move logic, alter protocols, and revise workflows quickly. Then usage grows. Other systems integrate. Operational assumptions form. People build dashboards, runbooks, scripts, and mental models around current behavior.

At that point, some choices become load-bearing.

The mistake is pretending all parts of the system have equal weight. They do not. An internal helper can be replaced. A public contract cannot. A batch job can be rescheduled. A user-visible state transition may be much harder to reinterpret. A database index can be rebuilt. A semantic guarantee in an API can haunt every caller.

Architecture hardens whether we admit it or not. The only choice is whether it hardens around the right things.

The model

I separate design choices into four categories.

First are durable invariants. These are the promises the system depends on: identity rules, ownership boundaries, ordering semantics, authorization assumptions, data retention expectations, and user-visible state meanings.

Second are replaceable mechanisms. These include libraries, storage engines, queue technologies, deployment shapes, and framework choices. They matter, but they should not be confused with the architecture itself.

Third are transitional compromises. These are deliberate shortcuts with an owner and an exit condition. They are acceptable only when they are named.

Fourth are accidental constraints. These are implementation details that become painful because another system, process, or team quietly starts depending on them.

My architecture review checklist is:

  • Invariants: What must remain true across versions?
  • Contracts: Who depends on this behavior outside the immediate code?
  • Escape hatches: What can we replace without permission from every consumer?
  • Accidents: Which details might callers mistake for promises?
  • Transitions: Which compromises need an expiration date?
  • Tests: Which checks protect the durable promises?

I also ask for an explicit negative space statement: what are we not promising? This is often where architecture becomes useful. "Events are ordered per account, not globally." "The export format is stable, but the internal job schedule is not." "This API owns authorization decisions, but it does not guarantee presentation order."

Those statements lower future conflict. They give implementers room to improve mechanisms without renegotiating the entire system, and they warn integrators not to build on behavior that was never meant to be a contract.

Where this goes wrong

The danger is over-declaring invariants. If everything is sacred, nothing can move. Teams end up preserving historical accidents because nobody wants to pay the social cost of questioning them.

There is also a startup-stage counterpoint. Early in a product's life, pretending to know durable boundaries can be theater. If the domain is still moving, the right architecture may be one that keeps options open rather than one that optimizes for elegance.

The test is cost of change. If breaking a choice would require coordinated changes across many owners, user-visible migration, or subtle data repair, it deserves architectural attention. If changing it would require a focused pull request and a deployment, it probably does not.

What I do now

When reviewing a design, I ask the author to highlight the promises first. Not the stack. Not the diagram. The promises.

For example: "This identifier is stable across merges." "This event may be delivered more than once." "This state transition is monotonic." "This service owns policy decisions; callers own presentation." Those statements are more architectural than a box labeled "API layer."

Then I look for mismatches. If the design claims a behavior is replaceable but every consumer will observe it, we are underpricing it. If the design treats a tool choice as permanent but no one outside the component cares, we are over-weighting it.

Principal engineers create leverage by making future change cheaper. That does not happen by making every part flexible. It happens by being precise about which parts are stable and which parts are allowed to evolve aggressively.

Closing takeaway

Before you approve an architecture, ask what it makes expensive to change. If the answer is accidental, the design is not ready.