Peer review and certification

Professional development is not complete until your work has been tested by someone other than yourself. Peer review trains two skills simultaneously: the ability to give structured, evidence-based feedback, and the ability to receive critique without defensiveness. Both are essential in professional engineering environments.

CPD (Continuing Professional Development) is the structured process by which professionals maintain and develop their competence after initial qualification. The CPD Standards Office, which sets the benchmark for CPD programmes in the UK, requires that learning outcomes be evidenced through demonstrable outputs, not just participation. In this course, the capstone project is the output, and the peer review process is the evidence of quality.

The review process in this course mirrors professional practice. You submit your project, two reviewers evaluate it independently against a rubric, you respond to their feedback, and the course coordinator marks the module complete. You also review at least one peer project. Both roles are required for certification.

The peer review cycle proceeds through these stages:

1. Submit your project as a GitHub repository with accompanying documentation.
2. Two reviewers are assigned and evaluate your submission independently against the five review categories.
3. Each reviewer provides written feedback within three working days.
4. You read the feedback and either revise your submission or write a considered response explaining why you disagree.
5. The course coordinator reviews the feedback and your response and marks the module complete.

You are also required to review at least one peer project using the same rubric. This is not a lighter obligation. Giving good review feedback requires you to read a submission carefully, apply criteria rigorously, and communicate findings clearly. The review you give is itself evidence of your competence.

Reviewers evaluate submissions against five categories. Each category is rated Strong, Adequate, or Needs Work. The required minimum rating for each category is noted below. A submission that receives "Needs Work" in a required category must be revised before certification.

Functionality (required: Adequate or Strong). Does the agent run end-to-end on five test inputs without crashing? Do unit tests pass? Do tools handle errors gracefully, returning structured error objects rather than raw exceptions? Is there a step limit that prevents the agent loop from running indefinitely?

Architecture (required: Adequate or Strong). Does the chosen pattern match the stated requirements, with a justification rather than a default choice? Is the tool inventory complete, with schemas and permission levels documented? Is there an ADR (Architecture Decision Record)? Are security controls implemented, not just mentioned?

Code quality (required: Adequate). Are there no secrets in the code? Are tool descriptions specific, with examples of when to use and when not to use each tool? Are inputs validated using Pydantic or an equivalent? Is there structured logging for every tool call? Is code execution sandboxed where applicable?

Documentation (required: Adequate or Strong). Does the README cover setup with step-by-step instructions that have been verified? Does it state at least one known limitation honestly? Does the runbook cover at least two failure scenarios? Does the architecture documentation match the implemented system?

Ethics and safety (required: Adequate or Strong). Is least privilege applied, with tools scoped to minimum required permissions? Is there a human approval gate for high-risk actions, implemented and tested rather than just planned? Is at least one bias or edge case test documented? Is data handling compliant, with GDPR (General Data Protection Regulation) and data retention considerations noted?

Good peer feedback follows three rules that distinguish professional review from general comment. First, reference the code or documentation directly. Cite the specific file and line number rather than describing the issue in general terms. This makes the feedback immediately actionable. Second, separate observations from recommendations. State what you observed, then state what could be improved and why. Third, acknowledge what is working. Begin with two or three things that are done well. This demonstrates that you read the whole submission and makes critique easier to receive.

The contrast between weak and strong feedback is significant. A weak comment says "the security is not good." A strong comment says: "Thesearch_web tool description says 'searches the web for information' with no guidance on when to use or avoid it. This is likely to cause the agent to call it unnecessarily. Suggested revision: include explicit 'use when' and 'do not use when' guidance." Both comments describe the same issue. Only the second gives the author something to do.

For security observations, state the specific vulnerability pattern, reference the module where the correct approach was taught, and describe the fix with a test to verify it. For documentation gaps, quote the section that is missing or unclear, and describe what information a new engineer would need to find there.

Complete this self-assessment before submitting your capstone project for peer review. Self-assessment catches the issues that you are able to catch. Peer review catches the rest. Both are necessary.

Technical competencies. Can you explain what a context window is and why it limits agent memory? Can you write a tool schema description that makes the agent select the tool correctly in a test? Can you trace a bug through the agent loop using log output? Can you implement exponential backoff for a rate-limited API? Can you explain the difference between prompt injection and jailbreaking? Can you describe the OWASP (Open Web Application Security Project) Agentic AI Top 10 and apply three of them to your project?

Architecture competencies. Can you justify your pattern choice with reference to the specific requirements you documented? Can you draw a C4 Level 1 context diagram for your system without looking at a template? Can you name two trade-offs you accepted in your chosen architecture? Can you write an ADR for your most significant architectural decision?

Professional competencies. Could another engineer at your level set up your project from the README alone, without asking you questions? Have you documented at least two failure modes and the steps to recover from each? Have you tested your agent on at least one input that you expected it to handle badly, and documented what happened?

Based on review cycles from this course, three gaps appear most frequently. Knowing them in advance lets you fix them before your reviewer finds them.

Gap 1: Vague tool descriptions. This is the most common reason agent behaviour is difficult to control. A description that says "searches the database" gives the model no basis for deciding when to use the tool versus an alternative. Fix: rewrite every tool description to include "use when," "do not use when," and at least one example trigger phrase. Test each description by asking yourself: if another engineer read only this description, would they route requests to this tool the same way you do?

Gap 2: No structured error handling in tools. Tools that raise raw exceptions cause the agent loop to crash rather than recover. Fix: wrap every tool function in a try/except block and return a structured error dictionary on failure, with at minimum an error message and an error type field. The agent loop can then handle the error gracefully and either retry, escalate, or stop cleanly.

Gap 3: Missing limitations section. Nearly every project has limitations. Submissions that do not document them are likely unaware of them, which is more concerning than the limitations themselves. Fix: deliberately test five adversarial or unusual inputs before writing your README, document which ones produce incorrect or incomplete results, and state what an operator should do in each case.

To receive CPD (Continuing Professional Development) credit for this course, your evidence package must contain six items. Your capstone project as a GitHub repository (public or shared with your reviewer). Architecture documents in Markdown within the repository, including a context diagram, a tool inventory, and at least one ADR. Test results showing all unit tests passing, either as CI (Continuous Integration) output or verified screenshots. Written peer review feedback that you received, covering at least two review categories. Written peer review feedback that you gave on at least one peer project. A signed self-assessment checklist with all items answered.

The CPD Standards Office requires that evidence be structured and documented rather than claimed. Each item in this package serves as verifiable evidence of a specific learning outcome. The peer review you gave is evidence of evaluation skill. The peer review you received and responded to is evidence of professional receptivity to feedback. Both matter.