Focus area

Handoff architecture

Systems designed for the person who operates them next.

An operating ethic, not a patent. Every non-trivial system should be designed for the moment its original builder is unreachable. The discipline shows up in API design, in access control, in documentation, in failure modes, and — most importantly — in who the system serves when nothing is going wrong.

This is the ethic, not an invention. Every system worth building is eventually going to be operated by someone who didn't build it. That person might be a new engineer, a successor vendor, a spouse, a regulator, or a court-appointed trustee. A system designed for its original builder's convenience fails that person by default. A system designed for handoff passes the test.

Handoff discipline shows up in specific places. Credentials stored somewhere the next operator can actually find and rotate. APIs whose surface is described by the code, not by a senior engineer's memory. Failure modes that produce intelligible error messages instead of a silent collapse. Access controls that distinguish "can read the data" from "can act on the account." Documentation that reflects the current state of the system, not the state it had when the original builder was still paying attention.
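As an added illustration (not code from the page or its author), the following Python sketch shows two of the practices above in working form: an access model in which "can read the data" and "can act on the account" are separate scopes, an API surface that is recorded by the code itself at decoration time rather than in anyone's memory, and a denial that fails loudly with a message the next operator can act on. The scope names, principals and account figures are constructed for the example.

```python
import functools
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    """Distinct scopes so that reading never implies acting (hypothetical names)."""
    READ = "account:read"
    ACT = "account:act"


class AccessDenied(PermissionError):
    """Raised with a message that tells the next operator what happened and why."""


@dataclass(frozen=True)
class Principal:
    name: str
    scopes: frozenset = field(default_factory=frozenset)


@dataclass
class Account:
    balance_cents: int


# The API surface is recorded by the code itself, at decoration time.
SURFACE: dict[str, Scope] = {}


def requires(scope: Scope):
    """Register the scope an operation needs and enforce it on every call."""
    def decorate(fn):
        SURFACE[fn.__name__] = scope

        @functools.wraps(fn)
        def wrapper(principal: Principal, *args, **kwargs):
            if scope not in principal.scopes:
                held = sorted(s.value for s in principal.scopes) or ["none"]
                raise AccessDenied(
                    f"{principal.name} called {fn.__name__}, which needs "
                    f"{scope.value}; held scopes: {', '.join(held)}. "
                    f"Grant {scope.value} deliberately if this is intended."
                )
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorate


@requires(Scope.READ)
def read_balance(principal: Principal, account: Account) -> int:
    return account.balance_cents


@requires(Scope.ACT)
def transfer(principal: Principal, account: Account, amount_cents: int) -> int:
    # Reject bad amounts with a reason, never by silently doing nothing.
    if amount_cents <= 0 or amount_cents > account.balance_cents:
        raise ValueError(f"transfer of {amount_cents} cents rejected: "
                         f"balance is {account.balance_cents} cents")
    account.balance_cents -= amount_cents
    return account.balance_cents


def describe_surface() -> dict[str, str]:
    """What a successor can call and what each call needs, derived from the code."""
    return {name: scope.value for name, scope in sorted(SURFACE.items())}


def demo() -> dict:
    """Constructed scenario: an auditor (read only) and a successor (read and act)."""
    auditor = Principal("auditor", frozenset({Scope.READ}))
    successor = Principal("successor", frozenset({Scope.READ, Scope.ACT}))
    account = Account(balance_cents=10_000)
    result = {"auditor_reads": read_balance(auditor, account)}
    try:
        transfer(auditor, account, 500)
        result["auditor_transfer"] = "allowed"
    except AccessDenied as exc:
        result["auditor_transfer"] = str(exc)
    # The denied call must leave state untouched: no partial action.
    result["balance_after_denial"] = account.balance_cents
    result["successor_transfer"] = transfer(successor, account, 500)
    result["surface"] = describe_surface()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `describe_surface()` is that it cannot drift from the implementation: adding an operation means decorating it, which both enforces its scope and publishes it. The denial message names the caller, the operation, the missing scope and the scopes actually held, which is what a successor or auditor needs to decide whether the grant is legitimate.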

The counter-pattern is the hero-operator: a system that only works because one specific person knows where the sharp edges are. It ships faster in year one and becomes a liability by year three. Nothing I build is designed that way, and I've spent a meaningful fraction of my career repairing systems other people built that way.

Where it shows up

Three applications.

  01  Family-operable personal infrastructure
      The home network, the calendars, the passwords, the finances — all accessible to the spouse or adult child who inherits them, in a failure mode that doesn't require the original owner.

  02  Successor-operable business systems
      When the founder steps out, the day-to-day doesn't stall. Credentials, vendor relationships, and decision logs survive the transition.

  03  Regulator-legible records
      Systems whose audit trail a reasonable outsider can reconstruct without insider knowledge — required by most compliance regimes, done well by almost none.