Stop when the evidence fails
If a node or edge cannot trace to the allowed source, remove it, mark it uncertain, or expand the source scope explicitly. Visual plausibility is not a substitute for provenance.
AI diagram review workflow · two failure modes
A plausible canvas can still hide a broken trust boundary or send traffic to the wrong workload. Bound the source, name the critical path, make one correction that changes the model, and verify that the next agent update preserves it before the diagram reaches a teammate.
01
Scope
Named evidence
02
Path
One decision
03
Human
Model correction
04
Agent
Preserved update
05
Team
Owned questions
Second failure mode
OAuth review asks whether state, verifier, token exchange, and failure handling cross the right trust boundaries. Kubernetes review asks whether readiness, liveness, Service selection, and rollback have the right operational meaning. A reusable review process must expose both kinds of error without pretending they are the same system.
Human review rubric
SOURCE BOUNDARY
[ ] Every node and edge traces to named source or an explicitly standard relationship.
[ ] Unsupported services, vendors, and data flows are removed or labelled uncertain.
CRITICAL PATH
[ ] The diagram answers one named engineering decision.
[ ] Trust, traffic, readiness, failure, and recovery transitions are explicit where relevant.
HUMAN CORRECTION
[ ] A reviewer changes the system model, not only layout or color.
[ ] The correction and its reason are recorded beside the canvas.
PRESERVED UPDATE
[ ] The follow-up targets the same diagram and names what must survive.
[ ] Stable element ids and the reviewed critical path are checked after the update.
TEAM HANDOFF
[ ] Unresolved questions have an owner or a pinned comment.
[ ] Invite editors for changes; use a public link only for read-only review.Human review is valuable when it changes an engineering conclusion. In the OAuth proof, the reviewer protects state and PKCE boundaries. In the Kubernetes proof, the reviewer connects readiness to Service eligibility. The domain changes; the review discipline does not.
Product boundary: Both diagrams are internally produced source fixtures, not participant results, customer screenshots, or testimonials. They demonstrate a review method but do not prove that the method improves team outcomes. Any participant-derived source, quote, image, or result requires written publication permission.
Failure comparison
The table does not score the diagrams against each other. It shows what each review question means in two domains so a technical lead can reuse the method without flattening domain expertise.
Swipe to compare
| Job | OAuth PKCE review | Kubernetes rollout review |
|---|---|---|
| Source boundary | Use only the supplied PKCE flow note; do not invent provider endpoints, token contents, or implementation behavior. | Use only Deployment, Service, and Ingress YAML plus standard controller ownership; do not invent cloud or mesh services. |
| Critical path | State must be created and validated before code exchange; the verifier stays server-side and failure creates no session. | Readiness controls Service endpoint eligibility; Ingress reaches only Ready pods; liveness has a separate restart role. |
| Human correction | Move state validation to the trust boundary and annotate verifier and token exposure constraints. | Add the missing readiness-to-Service dependency and separate pod-template inputs from live traffic. |
| Preserved update | Add explicit state-mismatch rejection without moving the reviewed trust boundary or removing its note. | Add the rollback decision without moving the reviewed input stage or deleting the readiness edge. |
| Team handoff | Assign unresolved security questions in pinned comments and invite the reviewer who can change the flow. | Assign rollout ownership, invite the application or platform editor, and use a public link only for read-only review. |
If a node or edge cannot trace to the allowed source, remove it, mark it uncertain, or expand the source scope explicitly. Visual plausibility is not a substitute for provenance.
Run the targeted follow-up on the same diagram, re-check the named critical path, then hand unresolved questions to a person through comments or an invite.
Reproduce it
01
Write the engineering question the diagram must answer, list the only source the agent may use, and forbid unsupported services or behavior. A diagram without a bounded decision is difficult to review honestly.
02
Mint a read + write Personal Access Token and connect @excaliwow/mcp. Keep publish and delete disabled while the diagram is still under review.
MCP client config
{
"mcpServers": {
"excaliwow": {
"command": "npx",
"args": ["-y", "@excaliwow/mcp"],
"env": {
"EXCALIWOW_TOKEN": "excw_pat_…"
}
}
}
}03
Apply the rubric above in order. Make a model-changing correction in the browser, request a targeted update to the same diagram, re-check the correction, and only then invite an editor or attach a read-only share link.
Human review
Same-canvas follow-up
Update the same diagram in place: add the explicit state-mismatch rejection and secure cookie flags without moving the human-highlighted trust boundary.
Start free—no credit card. First 10,000 verified accounts keep the core workspace free; 3 diagrams to start and earn more capacity.