diff --git a/docs/architect_assessment.md b/docs/architect_assessment.md new file mode 100644 index 0000000..1d033e6 --- /dev/null +++ b/docs/architect_assessment.md @@ -0,0 +1,23 @@ +# Architect Assessment + +## Updated Remediation Order + +### Summary +- Fix API contract breaks first. +- Then close scraper/network security gaps. +- Then harden runtime architecture for scale/reliability. + +### Key Changes +- Align `/syntheses` and admin rate-limit contracts end-to-end (backend + frontend + tests). +- Wire dedicated hardened HTTP clients and enforce SSRF checks per hop with streaming body limits. +- Move job/rate-limit state to shared backing (Redis/DB) if multi-instance is in scope. +- Add contract tests so frontend mocks cannot drift from backend payloads. + +### Test Plan +- Backend integration tests for `/syntheses` list shape and `/admin/rate-limits/{provider_name}` update path. +- Security tests for scraper redirect/private-IP/rebinding cases and oversized responses. +- Frontend tests consuming real API fixtures (or generated schema fixtures), not hand-crafted mismatched types. + +### Assumptions +- Backend is the API source of truth. +- You want production-safe defaults even for self-hosted single-tenant deployments.
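Review bot: In Key Changes, the item "Wire dedicated hardened HTTP clients and enforce SSRF checks per hop with streaming body limits" is not testable as written. It names no maximum redirect count and no byte limit, and it does not say whether the check runs against the resolved address the client actually connects to, which is what the rebinding case in the Test Plan depends on. Suggest stating those three things in this bullet so the "redirect/private-IP/rebinding" and "oversized responses" tests have explicit pass criteria. Two smaller points in the same hunk: "if multi-instance is in scope" leaves a decision open that should be settled under Assumptions, and the Assumptions line "You want production-safe defaults even for self-hosted single-tenant deployments" addresses a reader in the second person, so it reads like a pasted reply rather than a project decision. Consider rewording it as a statement, for example "Defaults are production-safe even for self-hosted single-tenant deployments."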