Current Research Synthesis 2026
Purpose
This synthesis records the current external source signals used to deepen the guide. It is not a trend list. It explains which current platform and security facts should influence architecture guidance.
Source signals
| Source family | Current signal | Architecture implication |
|---|---|---|
| web.dev Web Vitals | Core Web Vitals continue to center user experience around loading, responsiveness, and visual stability: LCP, INP, and CLS. Field measurement remains essential. | Performance chapters should evaluate route and interaction quality with field data, not only lab audits or bundle guesses. |
| React official docs | React 19 stabilized Actions-related APIs, Server Components remain framework-mediated, and Server Functions move mutation ergonomics closer to UI code. | Rendering/data chapters must separate ergonomic colocation from authorization, validation, idempotency, and cache invalidation boundaries. |
| MDN web standards model | Open, interoperable, accessible, and backward-compatible web standards remain the stable base beneath framework churn. | Part 0 and Part II should teach browser/platform reasoning before framework-specific decisions. |
| MDN CSP guidance | CSP is a browser-enforced policy layer that reduces XSS and resource-loading risk when designed deliberately. | Security chapters should treat CSP/reporting/Trusted Types as architecture controls with rollout, triage, and ownership. |
| OWASP Client-Side Security Risks | Client-side risk includes broken client-side access control, DOM XSS, sensitive leakage, outdated components, third-party origin control, JavaScript drift, client-side logging gaps, and missing browser controls. | Review packets must cover browser-specific risks, third-party scripts, drift monitoring, and logging/alerting, not only backend OWASP concerns. |
| MDN cookies and privacy docs | Cookies are state mechanisms with explicit security and privacy implications; tracking and third-party behavior remain constrained by browser and regulatory pressure. | Auth/session/privacy chapters need cookie attributes, consent-aware loading, minimization, and third-party governance. |
| MDN Attribution Reporting docs | Some attribution reporting headers/APIs are deprecated, non-standard, or browser-limited. | Attribution guidance must avoid false stability; teams should design measurement around uncertainty, fallback, consent, and source verification. |
| W3C/WAI WCAG 2.2 | Accessibility is a standards-backed product quality requirement, not a final QA pass. | Design-system and review chapters should encode keyboard, focus, semantics, names, error help, target size, and cognitive load into component contracts. |
Guide changes implied
The guide should keep moving from "topic coverage" toward "decision capability." The deepest gaps are not missing definitions; they are missing examples of how architects actually run decisions through teams.
Add and maintain:
- maturity models that calibrate senior, staff, and architect evidence
- completed artifacts for route architecture, scorecards, threat models, readiness packets, and ADRs
- operating cadence for architecture reviews, platform governance, performance/accessibility/security budgets, and incident learning
- current-source refresh notes for unstable platform claims
- scenario drills that force tradeoff decisions under time, product, and risk pressure
Maintenance triggers
Re-check primary sources when:
- React or a major framework changes server function, compiler, caching, or streaming guidance
- Web Vitals metric definitions or thresholds change
- browser privacy APIs or attribution APIs change support status
- OWASP publishes a new client-side or web Top 10 update
- WCAG or browser/assistive technology guidance changes
- a new AI/GenUI protocol becomes a production dependency
Sources to keep pinned
- https://web.dev/articles/vitals
- https://react.dev/reference/rsc/server-components
- https://react.dev/reference/rsc/server-functions
- https://react.dev/blog/2024/12/05/react-19
- https://developer.mozilla.org/en-US/docs/Learn_web_development/Getting_started/Web_standards/The_web_standards_model
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Attribution-Reporting-Register-Source
- https://owasp.org/www-project-top-10-client-side-security-risks/
- https://www.w3.org/WAI/standards-guidelines/wcag/new-in-22/