CONCEPT Cited by 1 source
Design-to-code traceability
Definition
Design-to-code traceability is the architectural property of maintaining a visible, verifiable link between the decisions made during design review (threat models, API contracts, privacy requirements, compliance constraints) and the code that implements them. Without it, a reviewer at code-review time has no reliable way to know which design-time requirements apply to a change, let alone to verify that they were actually implemented.
Why it matters
The gap between design decisions and implementation is structural, not incidental:
- Temporal disconnect. Design reviews happen weeks or months before implementation. At Dropbox, 54% of implementing PRs are not opened until more than a month after the design review, and the median delay is about 5 weeks (Source: sources/2026-06-12-dropbox-mcp-dash-design-to-code-security).
- Reference decay. Only 12% of implementing PRs explicitly link back to their design review or threat model (Source: sources/2026-06-12-dropbox-mcp-dash-design-to-code-security).
- Invisible connections. 69% of design-to-code connections are recoverable only through semantic search: the relationship exists, but no explicit reference exposes it (Source: sources/2026-06-12-dropbox-mcp-dash-design-to-code-security).
Approaches to closing the gap
| Approach | Assessment |
|---|---|
| Manual linking (engineers add a reference to the design doc in the PR) | Compliance decays over time; depends on the author remembering a document reviewed weeks earlier |
| Bot reminders | Adds noise; nudges the author to add a link but verifies nothing about content alignment |
| Static analysis | Detects that a control is present, not that it matches the intent recorded at design time |
| Semantic retrieval + LLM reasoning | Recovers links that carry no explicit reference and compares the implementation against the requirement text automatically |
The Dropbox implementation
Dropbox's system uses the Dash MCP server to semantically retrieve the relevant threat models at code-review time, then has a foundation LLM reason over both the requirement document and the code change to identify gaps. This raised the linkage rate to 80%, against 12% from explicit references alone.
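As an added example (not Dropbox's code; Dash, its MCP server and the production embedding search are not reproduced here), the following script runs the pipeline the table's last row and the paragraph above describe over a constructed corpus: three made-up threat models and four made-up PRs with small made-up diffs. TF-IDF cosine similarity stands in for embedding retrieval, and a vocabulary-overlap check stands in for the LLM's requirement-versus-diff comparison. The `TM-nnn` reference convention, the 0.2 cosine threshold and the 25% overlap cut-off are assumptions. The point is to show the three classes of PR (explicitly linked, linkable only by content, unlinked), how the explicit-only and total linkage rates are computed, and what "candidate gap" output looks like.

```python
# Constructed example: docs, PRs and diffs are made up. TF-IDF is a lexical stand-in for
# embedding search; the overlap check stands in for the LLM requirement-vs-diff comparison.
import math
import re
from collections import Counter
from datetime import date

STOPWORDS = {"a", "an", "and", "after", "at", "be", "before", "for", "is", "must", "no", "of", "the", "to", "with"}
REF_RE = re.compile(r"\bTM-\d+\b")  # assumed explicit-reference convention
LINK_THRESHOLD = 0.2                # assumed cosine cut-off for a semantic link

DESIGN_DOCS = {  # constructed design-review corpus, not real threat models
    "TM-101": {"title": "Threat model: file sharing links", "reviewed": date(2026, 1, 10),
               "text": "Shared link tokens must be unguessable (at least 128 bits) and expire after "
                       "30 days. Access to a shared link must be logged with the requester IP."},
    "TM-102": {"title": "Threat model: webhook delivery", "reviewed": date(2026, 1, 24),
               "text": "Webhook payloads must be signed with HMAC-SHA256; receivers must verify "
                       "the signature before processing. Retries must be capped."},
    "TM-103": {"title": "Threat model: admin console sessions", "reviewed": date(2026, 2, 2),
               "text": "Admin sessions must be bound to the originating device and must time out "
                       "after 15 minutes of inactivity. Privileged actions must require re-authentication."},
}
PULL_REQUESTS = [  # constructed: one explicit reference, two linkable only by content, one unrelated
    {"id": 4410, "opened": date(2026, 2, 20), "title": "Add expiry to share links",
     "body": "Implements TM-101: tokens expire after 30 days.",
     "diff": "+EXPIRY_DAYS = 30\n+def is_expired(token): return token.age_days() > EXPIRY_DAYS"},
    {"id": 4521, "opened": date(2026, 3, 2), "title": "Sign outgoing webhooks",
     "body": "Add HMAC signing for webhook payloads.",
     "diff": "+import hmac, hashlib\n+def sign_payload(secret: bytes, body: bytes) -> str:\n"
             "+    return hmac.new(secret, body, hashlib.sha256).hexdigest()"},
    {"id": 4600, "opened": date(2026, 3, 5), "title": "Log share link access",
     "body": "Record requester IP whenever a shared link is accessed.",
     "diff": "+log.info('share_link_access', requester_ip=request.remote_addr)"},
    {"id": 4702, "opened": date(2026, 3, 9), "title": "Bump dependency versions",
     "body": "Routine bumps of third-party packages; no behaviour change.",
     "diff": "-requests==2.31.0\n+requests==2.32.3"},
]

def tokens(text):
    """Lowercase word tokens minus stopwords, with crude suffix stripping (ing/ed/s)."""
    out = []
    for tok in re.findall(r"[a-z0-9]+", text.lower()):
        if tok in STOPWORDS:
            continue
        for suf in ("ing", "ed", "s"):
            if tok.endswith(suf) and not tok.endswith("ss") and len(tok) - len(suf) >= 3:
                tok = tok[:-len(suf)]
                break
        out.append(tok)
    return out

def cosine(a, b):
    dot = sum(v * b.get(t, 0.0) for t, v in a.items())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def build_index(docs):
    """TF-IDF vectors over title + text of each design doc; IDF is fitted on the docs."""
    doc_tokens = {k: tokens(d["title"] + " " + d["text"]) for k, d in docs.items()}
    df = Counter(t for toks in doc_tokens.values() for t in set(toks))
    idf = lambda t: math.log((1 + len(doc_tokens)) / (1 + df[t])) + 1
    vectorize = lambda toks: {t: c * idf(t) for t, c in Counter(toks).items()}
    return vectorize, {k: vectorize(toks) for k, toks in doc_tokens.items()}

def link_pr(pr, docs, vectorize, vectors):
    """(kind, doc_id): kind is 'explicit', 'semantic' or None. Explicit refs must resolve to a doc."""
    refs = [r for r in REF_RE.findall(pr["title"] + " " + pr["body"]) if r in docs]
    if refs:
        return "explicit", refs[0]
    q = vectorize(tokens(pr["title"] + " " + pr["body"]))
    best = max(vectors, key=lambda k: cosine(q, vectors[k]))
    return ("semantic", best) if cosine(q, vectors[best]) >= LINK_THRESHOLD else (None, None)

def link_all(prs=PULL_REQUESTS, docs=DESIGN_DOCS):
    vectorize, vectors = build_index(docs)
    return {pr["id"]: link_pr(pr, docs, vectorize, vectors) for pr in prs}

def linkage_rates(links):
    """(explicit-only rate, any-link rate): the two numbers the page contrasts."""
    kinds = [kind for kind, _ in links.values()]
    return kinds.count("explicit") / len(kinds), sum(1 for k in kinds if k) / len(kinds)

def untouched_requirements(pr, doc, min_overlap=0.25):
    """Heuristic stand-in for the LLM step: each 'must' sentence of the design doc is a requirement;
    one whose vocabulary is nearly absent from the diff (the description is deliberately ignored)
    is reported as a candidate gap for the reviewer."""
    diff_terms = set(tokens(pr["diff"]))
    reqs = [s.strip() for s in re.split(r"(?<=[.!?])\s+", doc["text"]) if "must" in s.lower()]
    return [r for r in reqs
            if (terms := set(tokens(r))) and len(terms & diff_terms) / len(terms) < min_overlap]

def review(pr_id, prs=PULL_REQUESTS, docs=DESIGN_DOCS):
    """Whole pipeline for one PR: recover the design doc, list candidate gaps, report the delay."""
    pr = next(p for p in prs if p["id"] == pr_id)
    kind, doc_id = link_all(prs, docs)[pr_id]
    if kind is None:
        return {"link": None, "gaps": [], "delay_days": None}
    return {"link": (kind, doc_id), "gaps": untouched_requirements(pr, docs[doc_id]),
            "delay_days": (pr["opened"] - docs[doc_id]["reviewed"]).days}
```

`link_all()` classifies PR 4410 as explicitly linked, 4521 and 4600 as linked only by content and 4702 as unlinked, so `linkage_rates` reports 25% explicit and 75% total linkage, the same shape as the 12% and 80% figures above. `review(4521)` recovers TM-102 and flags "Retries must be capped." as untouched by the diff, with a 37-day gap between review and PR. The heuristic also shows why the page reaches for an LLM: lexical overlap scores "signed" and "verified" the same, so it cannot see that PR 4521 signs payloads but implements nothing on the receiver side, a distinction a model reasoning over the requirement text and the diff can make. Two practical points carry over to a real deployment: accept an explicit reference only if it resolves to a real document, and treat the gap list as reviewer prompts rather than a pass/fail gate, since one PR rarely implements every requirement in a threat model.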
Generalization
The concept applies beyond security to any domain where documented requirements must be verified against implementation:
- Privacy: data classification requirements vs code handling user data
- Platform: API contracts vs interface changes
- Compliance: regulatory requirements vs data handling in regulated jurisdictions
Seen in
- sources/2026-06-12-dropbox-mcp-dash-design-to-code-security — quantifies the gap (12% explicit linkage, ~5-week median delay) and presents the MCP + semantic search + LLM solution.