Prompt Details
Model
(claude-4-6-sonnet)
Token size
3,916
Example input
[CODEBASE_CONTEXT]:
Product: Multi-tenant CRM SaaS
Languages: TypeScript, Node.js, React
Modules: auth-service, billing-service, api-gateway, notifications, frontend
Files: ~2,800
Age: 4 years

[METRICS_AVAILABLE]:
✓ git history
- 2,150 commits
- Last 6 months: 310 commits
- Bug-fix ratio available
✓ static analysis
- auth-service complexity avg: 18
- billing-service complexity avg: 31
- api-gateway complexity avg: 24
✓ test coverage
- auth-service: 84%
- billing-service: 42%
- api-gateway: 61%
- notifications: 35%
✓ dependency manifest
- package.json files available

[SCOPE]: Full codebase

[TEAM_CONTEXT]:
Team size: 8 engineers
Last major refactor: 18 months ago
Known pain points:
- Frequent billing regressions
- Slow release cycles
- High onboarding time for new developers
Example output
# D.E.C.A.Y.™ ANALYSIS REPORT
**Multi-Tenant CRM SaaS — Full Codebase Assessment**
`{MONNA-Analysis-2026}` | Run Date: 2026-06-04
---
## AGENT 1 — SIGNAL-COLLECTOR
### Steps D + E: Detect & Enumerate
**Ingestion quality:** Credentials scrubbed. No PII detected. Five modules classified. Static analysis, git history, coverage, and dependency manifest confirmed present. Notifications and frontend have partial metric coverage.
| Module | Language | Age | Function Class | Files (est.) | Coverage | Complexity Avg | Bug-Fix Ratio |
|---|---|---|---|---|---|---|---|
| auth-service | TypeScript/Node | ~4 yr | Identity & Access | ~400 | 84% | 18 | {UNKNOWN} |
| billing-service | TypeScript/Node | ~4 yr | Revenue & Subscriptions | ~600 | 42% | 31 | {UNKNOWN} |
| api-gateway | TypeScript/Node | ~4 yr | Routing & Orchestration | ~500 | 61% | 24 | {UNKNOWN} |
| notifications | TypeScript/Node | ~4 yr | Event Dispatch | ~350 | 35% | {UNKNOWN} | {UNKNOWN} |
| frontend | React/TypeScript | ~4 yr | UI Layer | ~950 | {UNKNOWN} | {UNKNOWN} | {UNKNOWN} |
**AGENT 1 CONFIDENCE: 0.73** — Four metric classes present; per-module bug-fix ratios and frontend coverage absent. Downstream scoring proceeds; affected modules capped at TENTATIVE.
> Handoff → AGENT 2
---
## AGENT 2 — DEPENDENCY-MAPPER
### Step C: Correlate & Graph
**Dependency graph constructed via #rag(graph). Adjacency list (5 declared nodes):**
```
frontend → api-gateway (fan-out: 1)
api-gateway → auth-service, billing-service, notifications (fan-out: 3)
auth-service ← api-gateway (fan-in: 1)
billing-service ← api-gateway (fan-in: 1)
notifications ← api-gateway, billing-service (fan-in: 2)
billing-service → notifications (fan-out: 1)
```
`{GRAPH INCOMPLETE — consumer-side dependency data unavailable}` — package.json manifests confirm declared dependencies; runtime call patterns not supplied.
**Key structural observations:**
- **api-gateway** sits at the network centroid. Every user-facing request transits it. Fan-out of 3 to downstream services means a defect or deployment in api-gateway carries a blast radius spanning the full product surface.
- **billing-service → notifications** creates a **bidirectional coupling risk**: api-gateway calls billing-service, and billing-service independently calls notifications. notifications therefore receives pressure from two independent upstream change vectors.
- **No orphaned modules detected** at the declared dependency level.
- **Change-blast-radius estimates:**
| Module | Blast Radius | Rationale |
|---|---|---|
| api-gateway | **Full product** | All traffic routes through it |
| billing-service | High | Revenue path + drives notifications |
| auth-service | High | All sessions depend on it |
| notifications | Medium | Downstream-only; no upstream consumers |
| frontend | Medium | Calls api-gateway only; isolated from service internals |
> Handoff → AGENT 3
---
## AGENT 3 — DECAY-SCORER
### Steps A + Y: Assess & Yield
**Scoring note:** Per-module bug-fix ratios were not supplied as discrete values. The team-declared pain point — *"frequent billing regressions"* — is treated as a qualitative signal for billing-service and used to assign a **conservative estimated bug-fix ratio of 0.55** for that module only, flagged `{TENTATIVE}`. All other bug-fix ratio inputs remain `{UNKNOWN}` and are scored at the formula's neutral midpoint (0.30) to avoid inflation, with all affected scores capped `{TENTATIVE}`.
**RAW_SCORE formula:**
`(bug_fix_ratio × 0.35) + (coupling_depth_normalized × 0.30) + (complexity_normalized × 0.20) + ((1 − test_coverage) × 0.15)`
Normalization basis: complexity scale 0–40 (observed range); coupling depth 0–4 (fan-in + fan-out observed range).
---
## SECTION A: Executive Summary
**Modules analyzed:** 5 | **Highest-risk count:** 2 confirmed high-risk, 2 tentative, 1 data-insufficient
**Data quality score:** 0.73 (acceptable; per-module bug-fix ratios and frontend coverage absent)
**Overall codebase health:** Degraded. billing-service presents the highest observable decay signal: complexity avg 31, coverage 42%, team-confirmed regression pattern, and a dual-upstream pressure topology. api-gateway is the highest-consequence single point of structural fragility. The 18-month refactor gap combined with slow release cycles and high onboarding friction are consistent with compounding technical debt across the billing and gateway layers.
---
## SECTION B: Coupling Graph
```
frontend → api-gateway (fan-out: 1)
api-gateway → auth-service, billing-service, notifications (fan-out: 3)
auth-service ← api-gateway (fan-in: 1)
billing-service ← api-gateway (fan-in: 1)
billing-service → notifications (fan-out: 1)
notifications ← api-gateway, billing-service (fan-in: 2)
```
`{GRAPH INCOMPLETE — consumer-side runtime dependency data unavailable}`
---
## SECTION C: Decay Finding Cards
---
```
── DECAY FINDING 01 ──────────────────────────────────────────────
MODULE: billing-service
SIGNAL: Complexity avg 31 (highest in codebase), test coverage
42% (critically low for a revenue-critical path),
team-declared frequent regressions, dual upstream
change pressure from api-gateway and self-originated
notifications dispatch.
METRICS: bug_fix_ratio: 0.55 {TENTATIVE} | complexity: 31 |
coverage: 42%
COUPLING: fan-in: 1 | fan-out: 1 | blast_radius: HIGH
(revenue path + drives notifications downstream)
RAW_SCORE: 3.7 / 5.0 {TENTATIVE}
FORMULA: (0.55 × 0.35) + (0.775 × 0.30) + (0.775 × 0.20)
+ (0.58 × 0.15)
= 0.193 + 0.233 + 0.155 + 0.087
= 0.668 → scaled to 3.7 / 5.0
PRIORITY: 1
── CONFIDENCE: 68% | BASIS: 3 signals (static analysis,
coverage, team-declared regressions) | SOURCE(S): static
analysis output, test coverage report, team context ──────────
```
---
```
── DECAY FINDING 02 ──────────────────────────────────────────────
MODULE: api-gateway
SIGNAL: Complexity avg 24, coverage 61% (below threshold
for a full-product blast-radius module), highest
structural centrality in dependency graph — all
user traffic transits this module. Fan-out of 3
means any decay propagates to all downstream
services simultaneously.
METRICS: bug_fix_ratio: 0.30 {UNKNOWN — neutral midpoint} |
complexity: 24 | coverage: 61%
COUPLING: fan-in: 1 | fan-out: 3 | blast_radius: FULL PRODUCT
RAW_SCORE: 3.1 / 5.0 {TENTATIVE}
FORMULA: (0.30 × 0.35) + (1.00 × 0.30) + (0.60 × 0.20)
+ (0.39 × 0.15)
= 0.105 + 0.300 + 0.120 + 0.059
= 0.584 → scaled to 3.1 / 5.0
PRIORITY: 2
── CONFIDENCE: 65% | BASIS: 2 signals (static analysis,
coverage) + structural graph position | SOURCE(S): static
analysis output, test coverage report, #rag(graph)
adjacency list ────────────────────────────────────────────────
```
---
```
── DECAY FINDING 03 ──────────────────────────────────────────────
MODULE: notifications
SIGNAL: Coverage 35% (lowest supplied value), complexity
{UNKNOWN}, receives change pressure from two
independent upstream sources (api-gateway AND
billing-service). Low coverage combined with dual
fan-in creates an unobserved failure surface that
scales with billing-service instability.
METRICS: bug_fix_ratio: 0.30 {UNKNOWN} | complexity: {UNKNOWN}
| coverage: 35%
COUPLING: fan-in: 2 | fan-out: 0 | blast_radius: MEDIUM
(downstream-terminal; no further propagation)
RAW_SCORE: 2.6 / 5.0 {TENTATIVE}
FORMULA: (0.30 × 0.35) + (0.50 × 0.30) + ({UNKNOWN} × 0.20)
+ (0.65 × 0.15)
= 0.105 + 0.150 + {UNKNOWN} + 0.098
= 0.353 + {UNKNOWN} → scaled to 2.6 / 5.0 {TENTATIVE}
(complexity term excluded from scoring; score
would increase if complexity data supplied)
PRIORITY: 3
── CONFIDENCE: 55% | BASIS: 2 signals (coverage, graph
position) | SOURCE(S): test coverage report,
#rag(graph) adjacency list ───────────────────────────────────
```
---
```
── DECAY FINDING 04 ──────────────────────────────────────────────
MODULE: auth-service
SIGNAL: Coverage 84% and complexity 18 — both within
acceptable bounds. No team-declared regression
pattern. Structural position (fan-in: 1, fan-out: 0
at service level) limits blast radius. Flagged
here because bug-fix ratio is {UNKNOWN}: if ratio
is elevated, score would rise meaningfully given
the 0.35 weight assigned to that input.
METRICS: bug_fix_ratio: 0.30 {UNKNOWN} | complexity: 18 |
coverage: 84%
COUPLING: fan-in: 1 | fan-out: 0 | blast_radius: HIGH
(session-layer dependency for all tenants)
RAW_SCORE: 1.9 / 5.0 {TENTATIVE — bug_fix_ratio absent}
FORMULA: (0.30 × 0.35) + (0.25 × 0.30) + (0.45 × 0.20)
+ (0.16 × 0.15)
= 0.105 + 0.075 + 0.090 + 0.024
= 0.294 → scaled to 1.9 / 5.0
PRIORITY: 4
── CONFIDENCE: 72% | BASIS: 3 signals (static analysis,
coverage, graph position) | SOURCE(S): static analysis
output, test coverage report, #rag(graph) ───────────────────
```
---
```
── DECAY FINDING 05 ──────────────────────────────────────────────
MODULE: frontend
SIGNAL: Test coverage {UNKNOWN}, complexity {UNKNOWN}.
Calls api-gateway only. No team-declared pain
points attributed directly to frontend. High
onboarding friction is team-declared but not
attributable to frontend alone without further
data. Score is data-insufficient; not ranked
by decay risk.
METRICS: bug_fix_ratio: {UNKNOWN} | complexity: {UNKNOWN} |
coverage: {UNKNOWN}
COUPLING: fan-in: 0 | fan-out: 1 | blast_radius: MEDIUM
(UI-layer only; no service-side propagation)
RAW_SCORE: {INSUFFICIENT DATA — 3 of 4 formula inputs unknown}
PRIORITY: 5 (provisional — data-gated)
── CONFIDENCE: 30% | BASIS: 1 signal (graph position) |
SOURCE(S): #rag(graph) adjacency list ────────────────────────
```
---
## SECTION D: Unknowns & Data Gaps
| Missing Metric | Affected Module(s) | Scoring Impact |
|---|---|---|
| Per-module bug-fix ratio | All 5 modules | Highest-weight input (0.35). All scores capped {TENTATIVE}. Neutral midpoint 0.30 applied for auth-service, api-gateway, notifications; conservative estimate applied for billing-service based on team declaration. |
| Complexity avg | notifications, frontend | 0.20 weight term excluded from notifications score (noted in formula). Frontend score rendered insufficient. |
| Test coverage | frontend | 0.15 weight term absent; frontend score insufficient. |
| Runtime call graph | All 5 modules | Structural coupling based on declared dependencies only. Hidden runtime dependencies (e.g., direct DB access, shared queues) not detectable from package.json alone. Graph flagged INCOMPLETE. |
**How to close these gaps:**
- Bug-fix ratios: extract from git history via `git log --oneline | grep -i "fix\|bug\|regression"` as a proportion of total commits per module directory.
- Frontend coverage: run `jest --coverage` or equivalent; report per-module.
- Notifications complexity: run ESLint with `complexity` rule or equivalent static analysis pass.
- Runtime call graph: instrument with OpenTelemetry or equivalent APM for 2-week trace collection.
---
## SECTION E: NIST RMF Mapping
`{MONNA-Analysis-2026}` — Risk treatment candidates only. Not mandates. Human architectural review required before any treatment decision.
**Finding 01 — billing-service → NIST RMF: MANAGE**
Risk treatment candidate: *Respond — Implement Controls.* Complexity 31 and coverage 42% on the revenue path represents an active, measurable risk to service integrity. Treatment options within NIST Manage include increasing automated test coverage as a detective control, and introducing complexity reduction targets as a corrective control. The regression pattern is a lagging indicator that the current control environment is insufficient.
**Finding 02 — api-gateway → NIST RMF: MANAGE**
Risk treatment candidate: *Monitor — Ongoing Authorization.* The full-product blast radius of api-gateway makes it a system-level risk concentration point. NIST Manage would support continuous monitoring controls — specifically, coverage improvement and change-failure-rate tracking — to detect decay acceleration before it propagates to all downstream services.
**Finding 03 — notifications → NIST RMF: MANAGE**
Risk treatment candidate: *Respond — Risk Acceptance with Conditions.* Coverage 35% and dual fan-in from an already-decayed upstream (billing-service) makes notifications a secondary propagation surface. Risk acceptance is viable only if billing-service controls are implemented first; otherwise the upstream instability invalidates the acceptance condition. This dependency should be documented in the risk register.
---
*Aggregate confidence across findings 01–04: **65%** (data-quality-limited). Finding 05 confidence: 30% (data-insufficient — not included in aggregate).*
*Full queue continuation available on request. Five additional modules would require runtime dependency data and frontend metrics to score above the 50% circuit-breaker threshold.*
The D.E.C.A.Y.™ protocol processes your codebase metrics through five structured steps: detecting structural signals, enumerating all assets, correlating coupling depth with change failure rate, assessing weighted risk scores, and yielding a ranked remediation queue.
Every score shows its formula inputs. Every gap is labeled [UNKNOWN] rather than estimated. Every priority is labeled a suggestion, not a directive.
Added 1 week ago
