ArchUnit

Java architecture testing library that validates architectural constraints as unit tests. ArchUnit imports Java bytecode and applies rule checks: no cycles between packages, layered architecture rules (controllers don't import repositories), naming conventions, annotation requirements, dependency restrictions, and custom rules. Rules run as standard JUnit 5 or JUnit 4 tests — architecture violations appear as test failures with detailed violation messages. Catches architecture drift before it becomes technical debt. Rules expressed in fluent DSL: classes().that().resideInPackage('..controller..').should().onlyDependOnClassesThat()...

Evaluated Mar 06, 2026 (0d ago) v1.x
Homepage ↗ Repo ↗ Developer Tools java kotlin architecture testing static-analysis layered-architecture dependency junit
⚙ Agent Friendliness
71
/ 100
Can an agent use this?
🔒 Security
97
/ 100
Is it safe for agents?
⚡ Reliability
91
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
--
Documentation
90
Error Messages
92
Auth Simplicity
100
Rate Limits
100

🔒 Security

TLS Enforcement
100
Auth Strength
100
Scope Granularity
95
Dep. Hygiene
92
Secret Handling
95

No network exposure — purely local bytecode analysis. Can enforce security-related architectural rules: @Secured annotations required on agent REST endpoints, no direct crypto calls outside security package, sensitive data classes must not be logged.

⚡ Reliability

Uptime/SLA
92
Version Stability
90
Breaking Changes
88
Error Recovery
95
AF Security Reliability

Best When

You're building a Java/Kotlin agent service with intentional architecture (layers, modules, clean architecture) and want to prevent gradual architecture erosion as the codebase grows.

Avoid When

Your codebase has no architectural conventions yet (define them first), you need runtime or behavioral testing, or you're enforcing code formatting (use Checkstyle/PMD).

Use Cases

  • Enforce layered architecture in Java agent services — ArchUnit test verifies agent controllers only depend on services, services only depend on repositories, preventing layer skipping
  • Validate agent module boundaries — ensure agent domain classes don't import infrastructure details; inner circle classes must not depend on outer ring classes (clean architecture enforcement)
  • Enforce naming conventions for agent code — all classes implementing AgentHandler must end in 'Handler', all Spring @Service classes must reside in 'service' package
  • Detect dependency cycles in agent codebase — ArchUnit cycle detection finds package cycles that indicate tangled design before they become impossible to untangle
  • Validate annotation usage patterns — ensure agent @RestController classes are annotated with @Validated, all agent event handlers use @TransactionalEventListener not @EventListener

Not For

  • Runtime behavior testing — ArchUnit analyzes bytecode statically; use integration tests for runtime behavior, security testing, or performance validation
  • Non-Java/Kotlin JVM languages — ArchUnit works on JVM bytecode but rules are expressed in Java; Kotlin users can write rules in Kotlin but some DSL expressions are awkward
  • Enforcing code style/formatting — use Checkstyle or ktlint for formatting; ArchUnit is for structural and architectural rules, not code style

Interface

REST API
No
GraphQL
No
gRPC
No
MCP Server
No
SDK
Yes
Webhooks
No

Authentication

Methods: none
OAuth: No Scopes: No

Testing library — no auth concepts. Tests run locally or in CI without external service dependencies.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

ArchUnit is Apache 2.0 licensed, maintained by TNG Technology Consulting. Free for all use.

Agent Metadata

Pagination
none
Idempotent
Full
Retry Guidance
Not documented

Known Gotchas

  • @AnalyzeClasses caching is critical for test suite performance — without @AnalyzeClasses at the test class level, ArchUnit re-imports all bytecode for each test method; large codebases can take 30+ seconds per test without caching
  • Package matching uses regex, not glob — 'com.agent..' means 'com.agent and all subpackages' (double dot); 'com.agent.' (single dot) means only the exact package; this differs from Gradle/Maven wildcards and causes silent rule mismatches
  • Inner classes require separate rule handling — ArchUnit's package rules apply to inner/anonymous classes separately; agent inner classes in 'wrong' packages fail layer rules unless explicitly excluded with .ignoreDependency()
  • Freeze architecture for gradual enforcement — ArchUnit FreezingArchRule stores current violations as 'allowed violations' and only fails on new ones; use this to enforce rules on new code without fixing all legacy violations at once
  • Third-party library classes are excluded by default — ArchUnit only analyzes YOUR classes by default; rules about dependencies on external libraries require explicit ClassFileImporter with EXCLUDE_JARS not set
  • Rule naming matters for CI visibility — unnamed rules show 'ArchRule' in test reports; always name rules with .as('Agent controllers should only...') to make CI failure messages actionable without reading rule code

Alternatives

spotbugs-api pmd-api checkstyle-api

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for ArchUnit.

$99
API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.

5208
Packages Evaluated
26151
Need Evaluation
173
Need Re-evaluation
Community Powered