CONCEPT Cited by 1 source

RFC as codified engineering rule

A discipline where an engineering organisation distils RFCs (Requests For Comments) — long-form design documents written by domain experts to establish a best practice — into machine-consumable rules in a constrained format ("If you need X, use Y"), then enforces those rules automatically at code review or merge time, with a back-link to the RFC for human-readable rationale.

The discipline is canonicalised in the 2026-05-01 Code Orange: Fail Small is complete post by Cloudflare as the substrate of its internal Codex:

The Codex is … a living repository of engineering standards written by domain experts through our Request For Comments (RFC) process, then distilled into actionable rules. Best practices that previously lived in the heads of senior engineers, or were discovered only after an incident, now become shared knowledge accessible to everyone.

Each rule follows a simple format: "If you need X, use Y" with a link to the RFC that explains why.

Why this shape works

Engineering orgs accumulate standards in three forms:

1. Oral culture / senior-engineer heads — the rule is known by the people who have been around long enough. Review catches violations only when those people happen to review the MR. Single-point-of-failure on review staffing.
2. Wiki pages / docs / long-form RFCs — the rule exists in prose, but is never automatically checked. Relies on every developer reading every RFC and internalising it. Fails at scale.
3. Codified machine-enforceable rule linked back to the RFC — the rule is the invariant the system checks on every MR; the RFC is the rationale when a reviewer or developer wants context. This is the Codex shape.

The third shape is what makes institutional memory actually persistent — the rule's enforcement is independent of which humans happen to be on the MR. Cloudflare's framing: "build institutional memory that enforces itself."

The constrained format

"If you need X, use Y" has three load-bearing properties:

1. Precondition is machine-matchable. The "if you need X" half is expressed as a pattern in the diff, in the AST, in the module, in the language used. An AI code-review agent can match it with high recall over the whole codebase.
2. Resolution is specific. "Use Y" gives the reviewer a concrete suggestion — not "be careful" or "consider alternatives." The developer knows exactly what change would make the rule pass.
3. Rationale is cited. The RFC link is the escape hatch for the case the rule doesn't fit cleanly. A reviewer can read the RFC, decide the rule doesn't apply to this MR, and override with an explicit note.

Named instances (Cloudflare Codex)

From the 2026-05-01 post:

• "Do not use .unwrap() outside of tests and build.rs." — addresses concepts/unhandled-rust-panic; motivated by the 2025-11-18 FL2 Bot Management incident.
• "Services MUST validate that upstream dependencies are in an expected state before processing." — addresses concepts/internally-generated-untrusted-input; motivated by the 2025-11-18 and 2025-12-05 incidents.

Both rules are traceable to specific incidents; both would have rejected the MRs that caused the outages.

Flywheel

The RFC → rule → enforcement loop, from the 2026-05-01 post:

It's a flywheel: expertise becomes standards, standards become enforcement, enforcement raises the floor for everyone.

And:

Domain experts write RFCs to codify best practices. Incidents surface gaps that become new RFCs. Every approved RFC generates Codex rules. Those rules feed the agents that review the next merge request.

Incidents are a natural source of new RFCs — the post-mortem's "stated remediation" language becomes an RFC, which generates one or more Codex rules, which prevent the class of bug recurring.

Sibling industry shapes

• Golang go vet + custom analyzers. Static-analysis ecosystem for one language; rules are code.
• Conventional linter (ESLint, clippy, checkstyle). Rules are authored by a central team; usually no explicit link back to a per-rule rationale doc.
• Architecture Decision Records (ADR). Long-form organisational decisions with rationale; rarely paired with automated enforcement.

The Codex shape combines ADR's rationale-first discipline with machine enforcement across the entire codebase via AI code review.

What the concept does not imply

• It does not say rules must be written in natural language (the Cloudflare AI-review substrate happens to handle that well, but the concept applies to any machine-enforceable form).
• It does not say rules should cover every best practice — the Codex flywheel is explicitly "each approved RFC generates Codex rules", so rules-that-can't-be-automated stay RFC-only.
• It does not say AI code review is the only enforcement substrate — conventional linters, CI gates, pre-commit hooks, build-system checks can all enforce Codex-style rules. AI code review is what scales to rules that require semantic understanding.

Canonical wiki instance

sources/2026-05-01-cloudflare-code-orange-fail-small-complete — the Codex is the canonical wiki instance; Cloudflare articulates the "RFC → rule → enforce" flywheel explicitly; the "If you need X, use Y" format is named. systems/cloudflare-codex is the system the concept is realised in; systems/cloudflare-ai-code-review is the enforcement substrate.

Seen in

• sources/2026-05-01-cloudflare-code-orange-fail-small-complete — canonical wiki instance; RFC → rule → enforcement flywheel explicit; two named rules with incident-origin traceability.

Related

• systems/cloudflare-codex — the system that realises this concept.
• systems/cloudflare-ai-code-review — the enforcement substrate.
• patterns/codex-enforced-via-ai-code-review — the reusable pattern.
• concepts/institutional-memory — the organisational property this concept is a mechanism for.
• concepts/unhandled-rust-panic — addressed by the .unwrap() Codex rule.
• concepts/internally-generated-untrusted-input — addressed by the upstream-dependency-validation Codex rule.