PRD-BLAZE-3.0 · Version 1.0.0 · Draft

Blaze 3.0
NexGen

The agentic product development lifecycle platform powered by knowledge. Complete infrastructure for building, deploying, operating, and continuously improving AI-powered solutions at enterprise scale.

23 Epics · 62 Agents · 7 Enforcement Layers · 101 AI Controls · 4 AI Models · 6 Testing Gates · 40 Rules
Tags: P0 Foundation · P1 High · P2 Medium · ISO 42001 · EU AI Act · NIST AI RMF · 62 Agents + 27 Skills
Source Document: PRD-BLAZE-3.0 — Full Product Requirements Document (Markdown source with complete user stories, Gherkin acceptance criteria, and cross-repo extraction analysis)

Vision & Strategy

Blaze is the agentic product development lifecycle platform powered by knowledge. It provides the complete infrastructure — cloud operations, knowledge management, process orchestration, AI governance, and developer tooling — that enables organizations to build, deploy, operate, and continuously improve AI-powered solutions at enterprise scale.

Every solution built on Blaze inherits the full platform: a 4-store knowledge base, Camunda BPMN process execution, compliance-driven development, governance-as-code controls, contextual micro-learning, and continuous feedback loops. Developers don't build these capabilities — they consume them. The platform gets smarter with every solution built on it.

Blaze solutions serve highly regulated industries — financial services, healthcare, government, insurance — where compliance is not optional. The platform's evidence-first architecture collects machine-verifiable evidence at every step for the full spectrum of regulatory obligations: SOC 2, SOX, PCI-DSS, HIPAA, GDPR, DORA, SR 11-7, and AI-specific frameworks (ISO 42001, EU AI Act, NIST AI RMF). AI governance is one critical dimension of a comprehensive governance-as-code capability that applies to every regulation each customer is required to operate by.

Strategic Differentiators

🧠 Knowledge-First

The KB is not a feature — it is the foundation. Every solution starts with knowledge ingestion, and every interaction enriches the KB.

⚖️ Governance-as-Code

Regulatory compliance is enforced by executable BPMN processes and DMN decision tables, not documentation. Every control — from AI governance to industry-specific regulations — produces machine-verifiable evidence.

🤖 Agentic Development

78 specialized AI agents perform every specialist role — from requirements through deployment. See SDLC vs PDLC below for what makes this fundamentally different.

♻️ Platform Inheritance

Build once in Blaze, inherit everywhere. A capability added to the platform is immediately available to all solutions.

🔄 Full Lifecycle

From solution conception through production operation through retirement, every phase is governed, instrumented, and knowledge-captured.

📊 Evidence-First Compliance

Compliance evidence is a first-class output of every workflow. Blaze solutions serve highly regulated industries — financial services, healthcare, government, insurance — where SOC 2, SOX, PCI-DSS, HIPAA, GDPR, DORA, SR 11-7, and AI-specific regulations (ISO 42001, EU AI Act, NIST AI RMF) all require auditable, machine-verifiable evidence at every step. The platform collects it automatically.

A System That Improves Itself

Every development platform on the market automates the Software Development Lifecycle — the cycle of writing requirements, coding, testing, reviewing, and deploying. AI code assistants make developers faster inside this loop. CI/CD pipelines make deployments more reliable. These are valuable — but they are static. The pipeline that shipped your code today is identical to the one that shipped it six months ago.

Blaze introduces something fundamentally different: the Product Development Lifecycle — a second, outer loop that continuously measures, analyzes, tunes, and improves the development process itself. 78 agents execute your SDLC. The PDLC watches how they perform, identifies where they're weak, and improves them. Agent effectiveness is tracked. Context is refined by the Context Engineer. Domain IP is encoded into prompts and rules. Feedback from users corrects the knowledge base. The micro-learning system adapts to developer growth.

The result: the system that builds your software today is measurably better than the one that built it last month. That's not a tool. That's a platform that learns.

SDLC vs PDLC — The Two Loops

Inner Loop — SDLC (what the agents do on every feature): Requirements → Code → Test → Review. 78 agents execute. Days to hours; ships features.
Outer Loop — PDLC (how the system improves itself): Measure → Analyze → Tune → Deploy. The Context Engineer curates and improves. Weeks to months; improves the system.
The inner loop feeds the outer loop; the outer loop improves the inner loop.
What happens in the SDLC (inner loop):
• prd-generator writes requirements from PRDs
• Developer writes code assisted by Claude
• test-coverage-analyzer enforces TDD
• pr-orchestrator runs 9+ review agents
• pipeline-orchestrator deploys
• cdd-methodology collects evidence
• Every interaction produces OTel traces

What happens in the PDLC (outer loop):
• Measure — Agent Analytics Dashboard tracks effectiveness by SDLC role
• Analyze — Which agents produce findings that lead to changes? Which don't?
• Tune — Context Engineer refines prompts, rules, ontologies, domain IP
• Deploy — Improved context ships to all agents across all solutions
• Feedback from users corrects KB and promotes knowledge
• Micro-learning adapts to developer skill growth
• The platform that built today's feature is better than yesterday's

Traditional CI/CD

Static YAML pipelines. Run the same checks every time. Never learn. Never improve. A tool, not a system.

No inner loop intelligence. No outer loop at all.

AI Code Assistants

Copilot, Cursor, etc. Help one developer write code faster. No governance. No evidence. No lifecycle beyond the editor.

Partial inner loop. No outer loop. No compliance.

Blaze PDLC

78 agents execute the full SDLC with governance and evidence. The PDLC continuously measures and improves the agents, the context, and the methodology.

Complete inner loop + self-improving outer loop.

7-Layer Enforcement Architecture

Blaze enforcement is not advisory — it is non-bypassable, multi-layered, and evidence-producing. Seven layers ensure that governance is structural, not aspirational.

Layer 7 — Industry Verticals
7 industry rule sets: HIPAA, SOC 2, PCI-DSS, SOX, GDPR, DORA, SR 11-7 — auto-selected by customer industry at onboarding
Layer 6 — Trust Enforcer
trust-enforcer agent enforces trust boundaries across the pipeline — prevents unauthorized cross-service operations
Layer 5 — Code Integrity
6 blocking patterns: no stubs, no TODO/FIXME, no mocks outside tests, no hardcoded test data, no empty bodies, no commented-out code
Layer 4 — Deviation Protocol
4-category response: Auto-Fix (minor, in-scope) → Ask First (scope expansion) → Stop & Report (security/data) → Never Do (delete data, skip tests, force-push)
Layer 3 — Git Hooks
pre-commit (branch protection, canonical sync, AWS ID detection), commit-msg (conventional commits), pre-push (main branch protection)
Layer 2 — 40 Rules, 11 Categories
Always-active behavioral constraints: workflow (14), security (3), reasoning (3), BPMN (2), presentations (6), infrastructure (2), memory (2), frontend (2), agents (2), identity (1), testing (1)
Layer 1 — Python Enforcement Engines
compliance-monitor.py (4-framework evaluator), workflow-validator.py (phase gates), evidence-generator.py (Merkle hash), industry_rule_engine.py
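Below is an added example of how the six Layer 5 blocking patterns can be checked mechanically on a single Python file; it is not Blaze's own enforcement engine. The test-file naming convention, the fixture-name heuristic for "hardcoded test data" and the "reads like a statement" heuristic for commented-out code are this example's assumptions.

```python
import ast
import re
from dataclasses import dataclass

TODO_RE = re.compile(r"\b(TODO|FIXME)\b")
# Assumed heuristics: fixture-style names (sample_customer, fake_token, ...) outside a
# test file count as hardcoded test data; a comment that reads like a statement is code.
FIXTURE_NAME_RE = re.compile(r"(test|fake|dummy|sample)_", re.IGNORECASE)
CODE_LIKE_COMMENT_RE = re.compile(
    r"^\s*#\s*(?:(?:if|elif|for|while|def|class|with|try|else)\b.*:\s*$"  # block opener
    r"|import\s+[\w.]+\s*$|from\s+[\w.]+\s+import\b"  # import forms
    r"|[\w.]+\(.*\)\s*$|\w+\s*=[^=].*$)"  # bare call or assignment
)


@dataclass(frozen=True)
class Finding:
    line: int
    pattern: str
    detail: str


def _is_test_file(path: str) -> bool:
    """Assumed convention: tests live under tests/ or are named test_*.py / *_test.py."""
    parts = path.split("/")
    return "tests" in parts or parts[-1].startswith("test_") or parts[-1].endswith("_test.py")


def _body_without_docstring(node):
    body = list(node.body)
    if body and isinstance(body[0], ast.Expr):
        value = body[0].value
        if isinstance(value, ast.Constant) and isinstance(value.value, str):
            body = body[1:]
    return body


def _is_empty_body(node) -> bool:
    """True when a def/class holds nothing but a docstring, `pass` or `...`."""
    return all(
        isinstance(s, ast.Pass)
        or (isinstance(s, ast.Expr) and isinstance(s.value, ast.Constant) and s.value.value is Ellipsis)
        for s in _body_without_docstring(node)
    )


def _is_stub(node) -> bool:
    """True when the only statement is `raise NotImplementedError(...)`."""
    body = _body_without_docstring(node)
    if len(body) != 1 or not isinstance(body[0], ast.Raise) or body[0].exc is None:
        return False
    exc = body[0].exc
    name = exc.func if isinstance(exc, ast.Call) else exc
    return isinstance(name, ast.Name) and name.id == "NotImplementedError"


def scan_source(path: str, source: str) -> list[Finding]:
    """Return every blocking finding for one file, sorted by line; [] means the file passes."""
    findings: list[Finding] = []
    in_tests = _is_test_file(path)
    # Text-level patterns: TODO/FIXME markers and commented-out code.
    for lineno, line in enumerate(source.splitlines(), start=1):
        if TODO_RE.search(line):
            findings.append(Finding(lineno, "todo-fixme", line.strip()))
        elif CODE_LIKE_COMMENT_RE.match(line):
            findings.append(Finding(lineno, "commented-out-code", line.strip()))
    # Structural patterns: empty bodies, stubs, and mocks or fixtures outside tests.
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            if _is_empty_body(node):
                findings.append(Finding(node.lineno, "empty-body", node.name))
            elif _is_stub(node):
                findings.append(Finding(node.lineno, "stub", node.name))
        elif isinstance(node, (ast.Import, ast.ImportFrom)) and not in_tests:
            module = getattr(node, "module", None) or ""
            if "mock" in module or any("mock" in a.name for a in node.names):
                findings.append(Finding(node.lineno, "mock-outside-tests", ast.unparse(node)))
        elif isinstance(node, ast.Assign) and not in_tests:
            for target in node.targets:
                if isinstance(target, ast.Name) and FIXTURE_NAME_RE.search(target.id):
                    findings.append(Finding(node.lineno, "hardcoded-test-data", target.id))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: a non-test module that trips each of the six patterns once.
SAMPLE_SOURCE = '''\
from unittest import mock
sample_customer = {"id": 1}

def charge(account, amount):
    # TODO: validate amount
    return account.debit(amount)

def refund(account, amount):
    """Reverse a charge."""
    pass

class LedgerClient:
    def sync(self):
        raise NotImplementedError

# result = charge(acct, 10)
'''
```

Running scan_source("src/billing/ledger.py", SAMPLE_SOURCE) yields one finding per pattern; the same imports and fixture names under tests/ produce none.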

6 Testing Gates

Every PR must pass all 6 gates. These are blocking — not advisory, not warnings.

Gate 1: File Coverage

Every new source file has a corresponding test file. No exceptions.

Gate 2: Threshold

Overall coverage ≥50% floor. New modules ≥80%. Both must pass.

Gate 3: Integration

External dependencies (APIs, databases, queues) have integration tests or documented contract tests.

Gate 4: No Skips

Skipped tests require: (1) documented reason, (2) linked work item, (3) re-enable condition.

Gate 5: Real Assertions

Tests must assert observable outcomes. Tests that only verify "runs without exception" are rejected.

Gate 6: Edge Cases

Every function with conditional logic must test happy path AND at least one error/edge case.

Phase Gate Enforcement Thresholds

Transition | Gate Condition | Enforcement
--- | --- | ---
Phase 1 → 2 | BDD Gherkin scenarios exist in PRD; scenarios block transition | BLOCKING
Phase 2 → 3 | All tests pass; coverage ≥80% on new code; TDD commit order verified via git history | BLOCKING
Phase 3 → 4 | Pipeline green; trust boundaries verified; deployment evidence collected | BLOCKING
Phase 4 → Merge | Compliance score ≥90% AND 0 critical findings; 100% BDD scenario coverage; final CDD attestation | BLOCKING
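An added example (not Blaze's workflow-validator.py) of a blocking Phase 2 → 3 gate that combines the tests-green check, the Gate 2 coverage floors and the TDD commit-order check over a constructed git history. The src/ to tests/ path mapping and the commit representation are assumptions.

```python
from dataclasses import dataclass

OVERALL_FLOOR = 0.50   # Gate 2: overall coverage floor
NEW_CODE_FLOOR = 0.80  # Gate 2 new modules / Phase 2 → 3 new code


@dataclass(frozen=True)
class Commit:
    sha: str
    files: tuple[str, ...]  # paths added or changed in this commit


@dataclass(frozen=True)
class GateResult:
    ok: bool
    reasons: tuple[str, ...]  # empty when the transition is allowed; every entry blocks


def expected_test_path(source_path: str):
    """Assumed layout: src/pkg/mod.py is covered by tests/pkg/test_mod.py; __init__.py needs none."""
    parts = source_path.split("/")
    if parts[0] != "src" or not parts[-1].endswith(".py") or parts[-1] == "__init__.py":
        return None
    return "/".join(["tests", *parts[1:-1], "test_" + parts[-1]])


def _first_commit(history, path):
    """Index of the oldest commit touching `path`, or None if it never appears."""
    for i, commit in enumerate(history):
        if path in commit.files:
            return i
    return None


def check_tdd_order(history) -> list[str]:
    """Gate 1 plus TDD order: each new source file's test must enter history no later than the file."""
    violations = []
    seen = set()
    for i, commit in enumerate(history):  # history is oldest-first
        for path in commit.files:
            if path in seen:
                continue
            seen.add(path)
            test_path = expected_test_path(path)
            if test_path is None:
                continue
            t = _first_commit(history, test_path)
            if t is None:
                violations.append(f"{path}: no test file {test_path} (Gate 1)")
            elif t > i:
                violations.append(f"{path}: test committed after implementation ({history[t].sha} follows {commit.sha})")
    return violations


def evaluate_phase2_to_3(history, tests_passed: bool, overall_coverage: float, new_code_coverage: dict) -> GateResult:
    """Blocking Phase 2 → 3 gate: suite green, coverage floors, TDD commit order."""
    reasons = []
    if not tests_passed:
        reasons.append("test suite is not green")
    if overall_coverage < OVERALL_FLOOR:
        reasons.append(f"overall coverage {overall_coverage:.0%} < {OVERALL_FLOOR:.0%}")
    for module, cov in sorted(new_code_coverage.items()):
        if cov < NEW_CODE_FLOOR:
            reasons.append(f"{module}: new-code coverage {cov:.0%} < {NEW_CODE_FLOOR:.0%}")
    reasons.extend(check_tdd_order(history))
    return GateResult(ok=not reasons, reasons=tuple(reasons))


# Constructed git history, oldest first: ledger follows TDD, charge does not, refund has no test.
HISTORY = (
    Commit("a1f0", ("tests/billing/test_ledger.py",)),
    Commit("b2c1", ("src/billing/__init__.py", "src/billing/ledger.py")),
    Commit("c3d2", ("src/billing/charge.py",)),
    Commit("d4e3", ("tests/billing/test_charge.py",)),
    Commit("e5f4", ("src/billing/refund.py",)),
)
```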

Multi-AI Consensus Pipeline

PR review is not single-model. Four stages using different AI models eliminate single-model blind spots through independent validation and cross-model debate.

Stage 1 · Fast Triage (Claude Sonnet): rapid bug detection · security basics · code style
Stage 2 · Deep Analysis (Claude Opus): architecture review · edge cases · subtle logic bugs
Stage 3 · External Validation (Gemini + GPT-4o, run in parallel): independent review from external providers
Stage 4 · Discourse Synthesis (Consensus Engine): cross-model debate · resolve contradictions · elevate consensus
Each stage produces a Context Capsule — a compressed evidence artifact linking findings to source code, review agent, and model used.

Competitive Landscape

Detailed capability comparison against the primary market alternatives.

Capability | EY + 8090 Partnership | 8090 Standalone | Blaze PDLC
--- | --- | --- | ---
AI Models | Single model | Single model | 4-model consensus (Sonnet + Opus + Gemini + GPT-4o)
Governance Model | Consulting overlay | ~20 built-in modules | 101 controls, 13 BPMN processes, 5 DMN tables — governance-as-code
Enforcement | Manual checkpoints | Recommended practices | 7-layer non-bypassable enforcement with evidence at every gate
Testing | Consulting-led | 4 modules | 6-gate blocking protocol, TDD commit-order verified
Compliance Evidence | Consulting deliverable | Basic reports | SHA-256 hash chain, WORM storage, automated CDD collection
Process Execution | None | None | Camunda BPMN engine (C7 + C8), DMN decision tables
Knowledge Base | None | None | 4-store KB (pgvector + Neo4j + Redis + MinIO)
Self-Improvement | None | None | PDLC outer loop — continuous measurement + Context Engineer
Hypothesis-Driven ADRs | None | None | L0/L1/L2 evidence classification, WLNK assessment, bounded validity
Deployment | Cloud SaaS only | Cloud SaaS only | Self-hosted EKS + Cloudflare edge, air-gapped/on-prem capable
Pricing | $200/seat + Big 4 rates | $200/seat/month | Platform-native — no consulting dependency

Core Architecture

Blaze 3.0 is organized into five layers, each building on the one below. Applications sit at the top and consume everything beneath them.

Layer 5 — Applications
Built ON Blaze, BY Blaze
Consulting delivery platform · AI change management · Software lifecycle automation · Mainframe modernization · [future applications]
Layer 4 — Compliance & Governance Framework
Regulatory Compliance · AI Governance · Industry Standards
101-control catalog · 13 BPMN governance processes · 5 DMN decision tables · evidence infrastructure · OTel + Prometheus + Grafana + Phoenix AI · AI risk management · Industry-specific regulations (SOC 2, SOX, PCI-DSS, HIPAA, GDPR, DORA, SR 11-7) · AI-specific frameworks (ISO 42001, EU AI Act, NIST AI RMF)
Layer 3 — PDLC
Agentic Product Development Lifecycle
Agentic SDLC orchestration · solution creation wizard · TDD/BDD/CDD · code generation pipeline · PR orchestration · agent analytics · micro-learning · continuous PDLC improvement
Layer 2 — Platform Services
Shared Infrastructure Services
Knowledge Base (4-store) · Camunda BPMN engine · evidence ingestion · RAG copilot · feedback service · auth framework · task queue · connector framework · data governance · GDPR · MCP · audit · encryption · WebSocket · notification service · LLM gateway
Layer 1 — Cloud Operating Platform
Multi-Tenant Cloud Infrastructure
Multi-tenant provisioning · EKS cluster management · Cloudflare edge · DNS & auth · cost management & billing

Platform vs. Application Separation

Clear ownership boundaries ensure platform capabilities are not duplicated across solutions. Each row below describes where the capability lives and what the application contributes.

Concern | Platform | Application
--- | --- | ---
Knowledge Base | 4-store stack + KB service + embedding + RAG | Domain ontology, domain parsers, domain seed data
Process Execution | Camunda BPMN engine, deployment, task management | Domain BPMN processes, domain DMN tables
Auth & Tenancy | JWT, RBAC, RLS, OTP/SSO, multi-tenant isolation | Role definitions, persona configurations
Compliance & Governance | 101 AI controls + industry regulatory frameworks (SOC 2, SOX, PCI-DSS, HIPAA, GDPR, DORA, SR 11-7), 13 BPMN governance processes, 5 DMN decision tables, evidence infrastructure with SHA-256 hash chain | Customer-specific regulatory requirements, industry-specific controls, domain risk scenarios
Ingestion | Pipeline framework, generic parsers (PDF, Excel, CSV, images) | Domain parsers (COBOL, ARIS, BPMN, contracts)
Feedback | Feedback service, correction promotion, KB growth | Domain-specific feedback categories
UI | Design system, layout shell, chart library, LMS engine | Domain pages, domain dashboards, domain components
Observability | OTel, Prometheus, Grafana, Phoenix AI | Domain-specific KRIs, domain dashboards
Connectors | Connector framework, WAL, sync checkpointing | Domain field mappings, domain-specific API calls
Development | Agentic SDLC, code generation framework, PR review | Domain fixtures, domain test scenarios

Personas & Journeys

Six personas interact with the platform across its full lifecycle. Each persona has distinct touchpoints, needs, and journeys.

🏗️ Platform Operator
Provisions tenants, manages infrastructure, monitors cost, responds to alerts, performs upgrades.
Key Touchpoints: Admin UI · K8s Console · Ops Dashboard · Cost Report
Needs:
  • One-click tenant provisioning
  • Real-time infrastructure visibility
  • Cost attribution by solution/tenant
  • Automated alerting with runbooks

📐 Solution Architect
Designs new solutions via the wizard, defines processes, selects capabilities, reviews architecture.
Key Touchpoints: Solution Wizard · BPMN Modeler · Capability Catalog · KB Explorer
Needs:
  • Guided wizard experience
  • Deterministic code generation
  • Visual process design
  • Architecture review feedback

💻 Developer
Builds solutions in the PDLC tenant using agentic development with Claude Code in Docker containers.
Key Touchpoints: Terminal UI · CI/CD Command Center · Agent Analytics · Micro-Learning
Needs:
  • Seamless workspace access
  • Agentic assistance at every step
  • Transparent agent activity
  • Fast feedback loops

👤 End User
Uses deployed solutions. Role varies by app: consultant (KMFlow), change practitioner (Change), governance analyst (SLA).
Key Touchpoints: Solution UI · RAG Copilot · Feedback Widget · Learning Hub
Needs:
  • Intuitive domain-specific UI
  • AI-powered assistance
  • Contextual help and learning
  • Ability to improve the system via feedback

🛡️ Compliance Officer
Reviews AI governance controls, evidence, and compliance posture across all solutions.
Key Touchpoints: AI Governance Dashboard · Evidence Inventory · Control Status · Audit Trail
Needs:
  • Single-pane compliance visibility
  • Evidence integrity verification
  • Regulatory mapping drill-down
  • Automated board reporting

⚙️ Customer Admin
Manages their organization's tenant. Configures users, integrations, SSO, and compliance frameworks.
Key Touchpoints: Onboarding Wizard · SSO Config · User Management · Integrations
Needs:
  • Self-service onboarding
  • SSO configuration
  • Integration setup
  • Usage and cost visibility

SDLC Personas — Agent-Embodied Roles

In the traditional SDLC, a team of 12-15 specialists collaborates across phases. In the Blaze PDLC, three human roles remain essential — stakeholders who set direction, a developer who drives the lifecycle, and a context engineer who ensures every agent carries battle-tested, differentiated domain IP. The remaining specialist roles are performed by 63 specialized agents that execute with enterprise-grade rigor, measured effectiveness, and continuous improvement.

TRADITIONAL SDLC (15 people)
Product Owner · Business Analyst · UX Designer · Architect · Developer · QA Engineer · Security Eng · DevOps / SRE · Tech Writer · Compliance · Code Reviewer · Release Mgr · Perf Engineer · Data Engineer · Risk Analyst
Weeks to coordinate · Communication overhead · Bottlenecks at handoffs

→ Agentic PDLC →

BLAZE PDLC
👥 Stakeholders & Domain Experts: Product owner · Business stakeholders · Subject matter experts. Set direction · Define requirements · Validate outcomes
👤 1 Developer: Drives the lifecycle · Writes code · Makes implementation decisions
🤖 63 Specialized Agents: Perform every specialist role · Measured · Continuously improving
CROSS-CUTTING
🧬 Context Engineer: Curates agent context · Battle-tests prompts & rules · Encodes domain IP. Ensures every agent carries the right knowledge at the right time. This is where differentiation lives.
Enterprise-grade rigor · Zero coordination overhead · Every interaction instrumented

Persona → Agent Mapping

Each traditional SDLC role maps to one or more Blaze agents. The agent analytics dashboard (E14) tracks effectiveness by role, not just by agent name.

Traditional Role | What They Do | Blaze Agent(s) | Phase
--- | --- | --- | ---
Stakeholder / Product Owner ★ | Sets direction, defines requirements, validates outcomes, domain authority | Human — assisted by prd-generator · critical-thinking | All
Context Engineer ★★ | Curates agent context, encodes domain IP into prompts/rules/ontologies, battle-tests reliability | Human — the role that creates differentiated competitive advantage | All
Business Analyst | User stories, BDD scenarios, process models | prd-generator · bpmn-specialist · dmn-decision-architect | Phase 1
UX/UI Designer | Interface design, user flows, accessibility | design-review · frontend-design skill · check-accessibility skill | Phase 1-2
Software Architect | System design, API contracts, technology selection | architecture-reviewer · codebase-mapper · plan-checker | Phase 1-2
Developer ★ | Drives the lifecycle, writes code, makes implementation decisions — may also embody the product owner role | Human + Claude Code — orchestrates all agents below | Phase 2
QA Engineer | Test strategy, execution, coverage analysis | test-coverage-analyzer · playwright-e2e-tester · acceptance-criteria-tester · test-validator | Phase 2-3
Security Engineer | Vulnerability assessment, security architecture | security-reviewer · dependency-checker · trust-enforcer · red-team skill | Phase 2-4
DevOps / SRE | CI/CD, deployment, monitoring, incident response | pipeline-orchestrator · cloud-ops-engineer · platform-installer · service-detector | Phase 3
Technical Writer | Documentation, API docs, user guides | documentation-reviewer · presentation-reviewer | Phase 2-4
Compliance Officer | Regulatory compliance, evidence, controls | compliance-manager · cdd-methodology · regulatory-analysis · ai-governance-advisor | All
Code Reviewer | Code quality, standards, best practices | code-quality-reviewer · pr-orchestrator (coordinates 9+ agents) | Phase 4
Release Manager | Release planning, versioning, deployment approval | sdlc-orchestrator · pipeline-orchestrator · goal-verifier | Phase 3-4
Performance Engineer | Load testing, optimization, benchmarking | performance-analyzer · bundle-analyzer | Phase 2-3
Data Engineer | Data pipelines, schema management, ETL | data-pipeline-orchestrator | Phase 2-3
Risk Analyst | Risk identification, assessment, mitigation | risk-assessment · critical-thinking · root-cause-analyzer | Phase 1, 4

The Context Engineer — Where Differentiation Lives

The Context Engineer is the most strategically important new role in the agentic SDLC. They curate every agent's context — prompts, rules, ontologies, domain knowledge — ensuring it represents battle-tested, reliable, trustworthy intellectual property. This is where market differentiation is created: domain-specific expertise, encoded at the right place, at the right time, for the right solutions. The quality of the agents is only as good as the context they carry. The Context Engineer makes it exceptional.

Stakeholders Still Drive Direction

Agents don't set strategy. Stakeholders, product owners, and domain experts define requirements, validate outcomes, and make business decisions. The developer may embody the product owner in smaller teams, but the role exists. Agents amplify human judgment — they don't replace it.

Agent Analytics by SDLC Role (E14)

The dashboard tracks effectiveness by SDLC role, not just by agent name. "How effective is our QA function?" aggregates across test-coverage-analyzer, playwright-e2e-tester, acceptance-criteria-tester, and test-validator. The Context Engineer uses these metrics to improve agent context.

Value Proposition

Enterprise-grade SDLC rigor without enterprise-grade team size. Every role is performed, every check is executed, every piece of evidence is collected. One developer drives the lifecycle. 63 agents perform the specialist work. The Context Engineer ensures the agents carry differentiated domain IP. Stakeholders validate the outcomes.

Knowledge Base — 4-Store Architecture

Every solution inherits the full 4-store knowledge base. The KB FastAPI service provides unified access to graph queries, semantic search, caching, and object storage.

KB FastAPI Service: Unified Access Layer (/health, /graph, /search, /objects)
🔍 pgvector (PostgreSQL 17): 768-dim embeddings · Semantic search · Relational data · Alembic migrations
🕸️ Neo4j 5 (Community + APOC): Knowledge graph · Entity relationships · Ontology schema · Evidence nodes
Redis 7 (Alpine): Query caching · Pub/Sub events · Task queue · Rate limiting
📦 MinIO (S3-compatible): Raw source files · Evidence artifacts · Generated reports · Document storage

Platform Service Dependencies

15+ platform services interconnect to deliver the full Blaze experience. Every service is observable via OpenTelemetry.

FOUNDATION
Auth Framework: JWT · RBAC · RLS · OTP/SSO
Audit + Security Middleware: CSRF · Rate Limit · Headers · Request ID
Encryption at Rest: Fernet · AES-256 · Key Rotation
WebSocket Real-Time: Pub/Sub · Tenant-Scoped Broadcast
Notification Service: SMTP · Slack · In-App

INTELLIGENCE
Knowledge Base (4-Store): pgvector · Neo4j · Redis · MinIO
Evidence Ingestion Pipeline: 25+ Parsers · Chunk · Embed · Store
RAG Copilot: Hybrid Retrieval · LLM · Streaming
LLM Gateway: Multi-Provider · Local-First · Data Residency
Feedback & Continuous Learning: Corrections → KB · Growth Metrics

EXECUTION
Camunda Engine (C7 + C8): BPMN · DMN · External Tasks
Connector Framework: WAL · Retry · Schema Drift · Sync
Task Queue: Redis Streams · Progress Tracking
Data Governance: Catalog · Policies · Lineage · GDPR
MCP Server: AI Agent Integration Protocol

OpenTelemetry instrumentation spans every service invocation — traces, metrics, and evidence collection.

Solution Lifecycle Flow

Every Blaze solution follows a BPMN-orchestrated lifecycle through four phases. Evidence is collected at every transition.

📝 DEFINE (Steps 1–4)
• Solution definition
• Environment & tenancy
• Personas & roles
• Triggers & capabilities
→ Phase-1 Evidence

🔨 BUILD (Steps 5–9)
• Code generation pipeline
• BPMN/DMN design
• KB-integrated development
• TDD/BDD/CDD enforcement
→ Phase-2 Evidence

🚀 DEPLOY (Steps 10–12)
• Sandbox testing
• Infrastructure provisioning
• Helm deploy + KB seed
• DNS + auth + alerting
→ Phase-3 Evidence

📊 OPERATE (Continuous)
• Feedback collection
• KB growth tracking
• AI governance monitoring
• Continuous improvement
→ Phase-4 Evidence

BPMN-Orchestrated: Single master process with collapsed subprocesses · Timer boundaries for SLA enforcement · CDD evidence at every gate

Platform Extraction — Before & After

35 platform capabilities are currently maintained independently across 3 repos. Blaze 3.0 extracts them into one platform layer.

BEFORE — 3x Duplication
KMFlow: Auth middleware · KB · 25 parsers · RAG · Feedback · RLS · GDPR · Connectors · WebSocket · Task queue · Monitoring
Change / ACMOS: Auth module · KB · LMS · Chat · OPA · GraphRAG ML · Notifications · Prometheus · Voice agent · shadcn/ui
SLA: 5x Auth workers · BPMN validators · BDD testing · Connectors (5x) · WAL · Graph ingest · AI governance · Camunda tooling

↓ Extract & Unify ↓

AFTER — One Platform
Blaze Platform: Unified auth · KB (4-store) · Camunda (C7+C8) · LMS engine · RAG copilot · Feedback · Connectors · OPA governance · BPMN toolkit · BDD testing · Evidence infrastructure · OTel · Prometheus · Notifications · GDPR · Design system
KMFlow: Domain only
Change: Domain only
SLA: Domain only

AI Governance Control Flow

Every AI interaction is classified by risk, routed to proportional governance, and produces machine-verifiable evidence.

AI Use Case Detected: Developer builds an AI-powered feature
↓
DMN-9 Risk Classification: 5 dimensions × 1-10 scale → Risk Tier + EU AI Act Category
↓
Tier 1 — High Risk: 13 governance phases · Full committee review · Independent validation
Tier 2 — Limited Risk: 9 governance phases · Working group review · Standard validation
Tier 3 — Minimal Risk: 5 governance phases · Automated checks · Self-attestation
↓
Governance subprocesses: SP1 Risk → SP2 Data → SP3 Ethics → SP4 Review → SP5 Model → SP6 Validation → SP7 Testing → SP8 Deploy → SP9 Recert
↓
Evidence Collection: SHA-256 hash chain · S3 WORM storage
5-Dimension Monitoring: Performance · Drift · PSI · Bias · SLA compliance
Board Reporting: Quarterly SR 11-7 · KRI trend analysis
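An added example, not evidence-generator.py or any Blaze component, of the evidence hash chain and WORM storage the flow ends in: records chain through SHA-256, the write-once store refuses overwrites, and verification pinpoints the first altered or truncated record. The record layout, the canonical-JSON hashing and the in-memory WormStore standing in for S3 WORM are assumptions.

```python
import hashlib
import json
from dataclasses import asdict, dataclass

GENESIS_HASH = "0" * 64  # prev_hash of the first record in a chain


def _canonical(obj) -> bytes:
    """Deterministic JSON so identical evidence always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_hash(seq: int, gate: str, payload: dict, prev_hash: str) -> str:
    """Assumed record layout: the hash commits to seq, gate, payload and the previous hash."""
    return hashlib.sha256(_canonical({"seq": seq, "gate": gate, "payload": payload, "prev_hash": prev_hash})).hexdigest()


@dataclass(frozen=True)
class EvidenceRecord:
    seq: int
    gate: str
    payload: dict
    prev_hash: str
    hash: str


class WormStore:
    """Constructed stand-in for S3 WORM (Object Lock): a key is written once and never overwritten."""

    def __init__(self):
        self._objects: dict[str, bytes] = {}

    def put(self, key: str, data: bytes) -> None:
        if key in self._objects:
            raise PermissionError(f"{key} is immutable under WORM retention")
        self._objects[key] = bytes(data)

    def get(self, key: str) -> bytes:
        return self._objects[key]

    def keys(self) -> list[str]:
        return sorted(self._objects)


class EvidenceChain:
    """Append-only chain: every record commits to the hash of the record before it."""

    def __init__(self, store: WormStore):
        self.store = store
        self.records: list[EvidenceRecord] = []

    def append(self, gate: str, payload: dict) -> EvidenceRecord:
        seq = len(self.records)
        prev = self.records[-1].hash if self.records else GENESIS_HASH
        rec = EvidenceRecord(seq, gate, dict(payload), prev, record_hash(seq, gate, payload, prev))
        self.store.put(f"evidence/{seq:08d}.json", _canonical(asdict(rec)))  # write-once copy
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """Hash to anchor outside the store (e.g. in the CDD attestation) so truncation is detectable."""
        return self.records[-1].hash if self.records else GENESIS_HASH


def load_chain(store: WormStore) -> list[EvidenceRecord]:
    return [EvidenceRecord(**json.loads(store.get(key))) for key in store.keys()]


def verify_chain(records, expected_head=None):
    """Return (ok, first_bad_seq): checks numbering, linkage, each record's hash and, if given, the head."""
    prev = GENESIS_HASH
    for i, rec in enumerate(records):
        if rec.seq != i or rec.prev_hash != prev:
            return False, rec.seq
        if record_hash(rec.seq, rec.gate, rec.payload, rec.prev_hash) != rec.hash:
            return False, rec.seq
        prev = rec.hash
    if expected_head is not None and prev != expected_head:
        return False, len(records)  # chain was cut short (or head never anchored)
    return True, None


def demo() -> dict:
    """Build a three-gate chain, then show what each tamper attempt looks like to the verifier."""
    store = WormStore()
    chain = EvidenceChain(store)
    chain.append("phase-1-to-2", {"bdd_scenarios": 12, "source": "PRD"})  # constructed payloads
    chain.append("phase-2-to-3", {"tests_passed": True, "new_code_coverage": 0.86})
    chain.append("phase-4-to-merge", {"compliance_score": 0.93, "critical_findings": 0})
    head = chain.head()
    stored = load_chain(store)
    chain.records[1].payload["new_code_coverage"] = 0.95  # in-memory edit after the fact
    try:
        store.put("evidence/00000001.json", b"{}")  # attempt to overwrite the stored copy
        overwrite_rejected = False
    except PermissionError:
        overwrite_rejected = True
    return {
        "stored_ok": verify_chain(stored, head),
        "tampered": verify_chain(chain.records, head),
        "truncated": verify_chain(stored[:2], head),
        "overwrite_rejected": overwrite_rejected,
    }
```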

Multi-Tenant Isolation Model

Four layers of isolation ensure complete data separation across the Org → Tenant → Project hierarchy.

Organization: Acme Financial
  Tenant: acme-dev
    Project: onboarding
    Project: compliance
  Tenant: acme-prod
    Project: live

Isolation Mechanisms

Database Layer
PostgreSQL Row-Level Security (RLS) on 60+ tables. Session variable app.current_engagement_id enforced per transaction.
Application Layer
RBAC with engagement membership. Permission check triggers RLS automatically. PEP/PDP field-level masking.
Network Layer
K8s NetworkPolicy per namespace. Cloudflare Tunnel per-route isolation. Separate DNS per tenant.
Storage Layer
Separate PVCs per namespace. MinIO bucket isolation. S3 WORM for evidence (per retention tier).

Complete Agent, Skill & Rule Inventory

The Blaze platform operates through 62 agents, 27 skills, and 40 rules across 11 categories. Every capability is visible, instrumented, and mapped to personas — even when orchestrated behind larger workflows.

62 Agents · 27 Skills · 40 Rules · 11 Rule Categories

Agents by SDLC Role

PRIMARY = directly invocable. HIDDEN = behind orchestrators but fully instrumented and tracked in Agent Analytics.

SDLC Role | Agent | Vis | Description
--- | --- | --- | ---
Product Owner | prd-generator | PRI | PRD generation with CDD + BDD Gherkin
 | critical-thinking | PRI | 7-phase rigorous decision analysis
 | hypothesis-reasoning | PRI | ADI hypothesis testing cycle
Business Analyst | bpmn-specialist | PRI | BPMN 2.0 creation, validation, optimization
 | dmn-decision-architect | HID | DMN 1.3 decision tables, FEEL expressions
UX/UI Designer | design-review | HID | Live browser testing via Playwright
 | presentation-qa | HID | Viewport testing, CSS fixes
Architect | architecture-reviewer | HID | Architecture, patterns, structural integrity
 | codebase-mapper | PRI | Brownfield project analysis
 | plan-checker | HID | Validates plans against goals
QA Engineer | test-coverage-analyzer | PRI | Coverage, quality, completeness
 | playwright-e2e-tester | PRI | Full UI path coverage, MCP browser
 | acceptance-criteria-tester | HID | BDD test generation from work items
 | test-validator | HID | Results validation + evidence
Security Eng | security-reviewer | HID | Vulnerability analysis, risk assessment
 | dependency-checker | HID | Supply chain security
 | trust-enforcer | HID | Trust boundary enforcement
DevOps / SRE | cloud-ops-engineer | PRI | Autonomous monitoring, cost, ops
 | pipeline-orchestrator | HID | CI/CD, multi-service deployment
 | platform-installer | HID | Declarative platform install
 | service-detector | HID | Auto-detect affected services
Compliance | compliance-manager | PRI | Multi-framework compliance
 | cdd-methodology | PRI | CDD implementation + evidence
 | regulatory-analysis | HID | Regulatory gap identification
 | ai-governance-advisor | HID | ISO 42001, EU AI Act guidance
Code Reviewer | pr-orchestrator | PRI | 9+ agent consensus review
 | code-quality-reviewer | HID | Standards, patterns, practices
Release Mgr | sdlc-orchestrator | PRI | Master 4-phase SDLC workflow
 | goal-verifier | HID | Trust-nothing verification
Work Items | ado-manager | HID | ADO: PRD-driven epics/stories/BDD
 | jira-manager | PRI | Jira: PRD-driven work items
 | github-issues-manager | PRI | GitHub Issues: stories + tasks

Skills (27) & Rules (40)

Skills — User-Invocable Commands

BPMN: bpmn-editing · test-bpmn · review-model
Dev: sdlc · full-sdlc · specify · simplify · coding-standards
Governance: review · gate · red-team · security-scan · governance-bridge · risk-assessment
Ops: platform-ops · cloud-ops-check · onboard-solution · deploy-production · deploy-preview · rollback · pipeline-status
Analysis: critical · hypothesize · rigorous · code-audit · check-drift
Context: context-full · context-infrastructure · context-services · context-budget · memory · review-presentation

Rules — Always-Active Behavioral Constraints

Workflow (14): unified-sdlc · testing-gates · code-integrity · coding-standards · deterministic-output · deviation-rules · git-worktree · no-github-actions · pm-tool-ops · post-merge · pr-auto-review · self-sufficiency · test-evidence · solution-standards
Security (3): dependencies · deployment-security · security-hooks
Reasoning (3): hypothesis-evaluation · prompt-anti-patterns (28 catalogued)
BPMN (2): modeling-standards · visual-clarity
Presentations (6): accessibility · brand · color-contrast · deployment · language · responsive
Infra (2) · Memory (2) · Frontend (2) · Agents (2) · Identity (1) · Testing (1)

Transparency Principle

Every agent invocation — whether triggered by a developer or orchestrated behind a workflow — produces an OpenTelemetry trace. The Agent Analytics Dashboard (E14) surfaces all 62 agents grouped by SDLC role. Nothing is invisible. Nothing runs unmeasured. The Context Engineer curates the context that makes each agent effective.

Epic E1: Multi-Tenant Cloud Platform

P0 Foundation · Cloud Ops
Source: Existing admin UI onboarding wizard + KMFlow RLS + Change Prisma Org/Tenant models
US-E1-01: Organization Onboarding
As a Platform Operator, I want to provision a new organization via a guided wizard, so that new customers can onboard in minutes.
Feature: Organization Onboarding Wizard
  Scenario: Complete 4-step organization onboarding
    Given the admin is on the onboarding wizard
    When they select industry "Banking"
    And enter organization name "Acme Financial"
    And select plan tier "Enterprise"
    And configure PM tool "Jira" and Git provider "GitHub"
    Then an organization "acme-financial" is created
    And compliance frameworks auto-selected based on industry
    And a default tenant is provisioned
US-E1-02: Tenant Data Isolation
As a Platform Operator, I want tenant namespaces with full data isolation at database, network, and storage layers.
Feature: Tenant Data Isolation
  Scenario: PostgreSQL RLS enforces isolation
    Given tenant "acme-dev" with engagement_id "uuid-123"
    When a user in "acme-dev" queries the evidence table
    Then only records with engagement_id "uuid-123" are returned
    And RLS is enforced at the database level, not application level

Epic E2: Knowledge Base Foundation

P0 Foundation · Intelligence
Source: KMFlow KB service + Change DocumentIngestionService + SLA pgvector schema
US-E2-01: Automatic KB Stack Deployment
As a Developer, I want every solution to automatically deploy the 4-store KB stack via Helm chart.
Feature: Automatic KB Stack Deployment
  Scenario: New solution gets full KB stack
    Given the blaze-solution Helm chart is configured
    When the solution is deployed
    Then PostgreSQL/pgvector, Neo4j, Redis, MinIO, and KB service are running
    And /health reports all stores as "ok"
US-E2-02: Semantic Search
As a Developer, I want to query the knowledge graph and perform semantic search across embedded fragments.
Feature: Knowledge Graph Queries
  Scenario: Semantic search returns relevant fragments
    Given the KB contains 50 embedded knowledge fragments
    When I search for "account validation rules"
    Then results ranked by cosine similarity are returned
    And each includes source node ID, score, and text

Epic E3: BPMN Process Engine

P0 Foundation Execution
Source: KMFlow cib7 + Change cib7 + SLA Camunda 8 Zeebe + deploy-and-migrate.sh
US-E3-01: BPMN/DMN Deployment
As a Solution Architect, I want to deploy BPMN/DMN files via REST API with duplicate filtering.
US-E3-02: Dual Engine Support
As a Platform Operator, I want Camunda to support both C7 (cib7) and C8 (Zeebe).

Epic E4: Evidence Ingestion Pipeline

P0 Foundation Intelligence
Source: KMFlow 25+ parsers + Change DocumentIngestionService + SLA contract analysis pipeline
US-E4-01: Automatic Parser Selection
As a Developer, I want a parser factory that selects the right parser based on file type.
US-E4-02: Domain Parser Registration
As a Solution Architect, I want to register domain-specific parsers without modifying the platform.

Epic E5: RAG Copilot

P1 High Intelligence
Source: KMFlow HybridRetriever + Copilot + Change ChatService
US-E5-01: Evidence-Based Answers with Citations
As an End User, I want to ask questions and receive evidence-based answers with citations I can trust.
US-E5-02: Multi-Provider LLM Gateway
As a Developer, I want LLM routing with local-first fallback for air-gapped environments.

Epic E6: Feedback & Continuous Learning

P1 High Growth
Source: KMFlow suggestion_feedback.py + SLA feedback-widget.js
US-E6-01: Feedback Collection
As an End User, I want to provide thumbs up/down feedback on any API response, and my corrections improve the system.

Epic E7: Connector Framework

P1 High Execution
Source: KMFlow BaseConnector + SLA task-sync-base + WAL + 5 connectors
US-E7-01: Base Connector with Retry and WAL
As a Developer, I want a base connector class with retry logic, credential management, and write-ahead log for reliable delivery.

Epic E8: Data Governance

P1 High Compliance
Source: KMFlow data governance framework + SLA evidence infrastructure
US-E8-01: Evidence Integrity with SHA-256
As a Compliance Officer, I want every evidence artifact to have a SHA-256 hash and retention tier.
US-E8-02: GDPR Right of Erasure
As a Compliance Officer, I want GDPR erasure to be enforceable across all solutions.
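A worked sketch of the SHA-256 evidence chain behind US-E8-01 (and the evidence-infrastructure extraction item below), added here as an example rather than Blaze platform code; the record layout, tier names and retention periods are assumptions:

```python
# Evidence integrity ledger: SHA-256 hash chain with retention tiers.
# Added illustration for US-E8-01, not Blaze platform code; tier names,
# retention periods and the record layout are assumptions.
import hashlib
import json
from dataclasses import dataclass, field

RETENTION_DAYS = {"short": 90, "standard": 365 * 7, "permanent": None}  # assumed
GENESIS = "0" * 64  # prev_hash of the first record

@dataclass
class EvidenceRecord:
    seq: int
    engagement_id: str
    artifact_sha256: str  # SHA-256 of the stored artifact bytes
    retention_tier: str
    prev_hash: str        # record_hash of the previous entry
    record_hash: str = field(init=False)

    def __post_init__(self):
        if self.retention_tier not in RETENTION_DAYS:
            raise ValueError("unknown retention tier %r" % self.retention_tier)
        self.record_hash = self.compute_hash()

    def compute_hash(self):
        # Canonical JSON (sorted keys) so equal content always hashes equally.
        body = {k: getattr(self, k) for k in
                ("seq", "engagement_id", "artifact_sha256", "retention_tier", "prev_hash")}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class EvidenceLedger:  # append-only chain; each record commits to its predecessor
    def __init__(self):
        self.records = []

    def append(self, engagement_id, artifact, tier):
        prev = self.records[-1].record_hash if self.records else GENESIS
        rec = EvidenceRecord(len(self.records), engagement_id,
                             hashlib.sha256(artifact).hexdigest(), tier, prev)
        self.records.append(rec)
        return rec

    def verify(self):
        """Return (ok, first_bad_seq); catches edited, dropped or reordered records."""
        expected_prev = GENESIS
        for i, rec in enumerate(self.records):
            if (rec.seq != i or rec.prev_hash != expected_prev
                    or rec.record_hash != rec.compute_hash()):
                return False, rec.seq
            expected_prev = rec.record_hash
        return True, None
```

Verification re-derives every record hash from its stored fields, so a changed retention tier, a swapped artifact hash or a deleted record all surface as the first sequence number that no longer chains.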

Epic E9: Auth & Security

P0 Foundation Foundation
Source: KMFlow auth middleware + Change auth module + SLA 5x CF Workers (duplicated!)
US-E9-01: Unified Auth Worker
As a Platform Operator, I want a single auth worker template that protects any solution, eliminating 5+ copies of the same code.
US-E9-02: Platform Security Middleware
As a Developer, I want middleware that automatically enforces security headers, CSRF, rate limiting, and audit logging on every request.
US-E9-03: Prompt Injection Guard
As a Security Engineer, I want a 6-category prompt injection scanner on all text-accepting API endpoints, with advisory mode for development and blocking mode for production (rejects CRITICAL patterns).
US-E9-04: Security Implementation Specifics
As a Platform Operator, I want RS256 asymmetric JWT signing, 7-role RBAC with require_permission() dependency injection, Redis-backed rate limiting (120/min GET, 10/min write), tenacity circuit breakers on 4 external dependencies (kubectl, S3, KMS, K8s TokenReview), nonce-based CSP on all CF Workers, and ECR tag immutability across all repositories.
US-E9-05: Full GDPR Compliance (Articles 15, 17, 20)
As a Compliance Officer, I want GDPR Right of Access (Art. 15 data export), Right to Erasure (Art. 17 anonymization), and Right to Portability (Art. 20 machine-readable export), with ConsentRecord tracking under Articles 6/7 and PII redaction in all logs.
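An added example (not platform code) of the advisory versus blocking behaviour US-E9-03 describes; the six category names, their severities and the regex signatures are assumptions made for the illustration:

```python
# Prompt-injection guard with advisory and blocking modes.
# Added illustration for US-E9-03, not Blaze platform code; the six category
# names, their severities and the signature regexes are assumptions.
import re
from dataclasses import dataclass
from typing import List

# Assumed category -> (severity, detection signatures); tune per deployment.
CATEGORIES = {
    "instruction_override": ("CRITICAL", [r"ignore (all |any )?(previous|prior|above) instructions"]),
    "role_hijack": ("CRITICAL", [r"\byou are now\b", r"\bact as (an? )?unrestricted\b"]),
    "system_prompt_leak": ("HIGH", [r"(reveal|print|show)\b.{0,20}system prompt"]),
    "encoding_evasion": ("HIGH", [r"\b(decode|base64)\b.{0,30}\b(then|and) (run|execute|follow)\b"]),
    "tool_abuse": ("HIGH", [r"\b(call|invoke)\b.{0,20}\b(tool|function)\b.{0,30}\bwithout (asking|confirm)"]),
    "delimiter_injection": ("MEDIUM", [r"<\|?(system|assistant)\|?>", r"^\s*###\s*system\b"]),
}

@dataclass
class Finding:
    category: str
    severity: str
    matched: str  # the text span that triggered the signature

@dataclass
class GuardResult:
    mode: str
    allowed: bool
    findings: List[Finding]

def scan(text):
    """One finding per category; the first matching signature wins."""
    findings = []
    for category, (severity, patterns) in CATEGORIES.items():
        for pattern in patterns:
            match = re.search(pattern, text, flags=re.IGNORECASE | re.MULTILINE)
            if match:
                findings.append(Finding(category, severity, match.group(0)))
                break
    return findings

def guard(text, mode="advisory"):
    """advisory (dev): report findings, always allow; blocking (prod): reject any CRITICAL hit."""
    if mode not in ("advisory", "blocking"):
        raise ValueError("unknown guard mode %r" % mode)
    findings = scan(text)
    blocked = mode == "blocking" and any(f.severity == "CRITICAL" for f in findings)
    return GuardResult(mode, not blocked, findings)
```

In blocking mode only CRITICAL categories reject the request; HIGH and MEDIUM findings are still returned so they can be audit-logged by the middleware of US-E9-02 without breaking legitimate traffic.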

Epic E10: Solution Creation Wizard

P0 Critical PDLC
Source: Prior platform 12-step wizard + Blaze admin onboarding + BPMN orchestration requirement
US-E10-01: Guided Define Phase
As a Solution Architect, I want a guided wizard for the Define phase (definition, environment, personas, triggers).
US-E10-02: Platform Capability Catalog
As a Solution Architect, I want to browse and select platform capabilities from a catalog to compose my solution.
US-E10-03: Code Generation in Build Phase
As a Solution Architect, I want the Build phase to generate React components, FastAPI stubs, OpenAPI specs, and database schemas deterministically from source fixtures.

Epic E11: Agentic SDLC Orchestration

P0 Critical PDLC
Source: Existing 78-agent architecture + OTel instrumentation
US-E11-01: Automatic Agent Invocation per Phase
As a Developer, I want the SDLC orchestrator to automatically invoke the right agents at each phase (code-quality, security, coverage, architecture) with full OTel tracing.

Epic E12: Code Generation Pipeline

P1 High PDLC
Source: Blaze governance parsers + generators (BMS React, CICS FastAPI, OpenAPI, DDL, BPMN)
US-E12-01: Deterministic Pipeline Output
As a Solution Architect, I want code generation to be deterministic: same fixtures produce same output every time, tracked by pipeline-manifest.json.

Epic E13: PR Orchestration

P1 High PDLC
Source: Existing pr-orchestrator (9+ review agents, multi-AI consensus)
US-E13-01: Multi-Agent PR Review
As a Developer, I want 9+ specialized agents to review my PR in parallel with consensus scoring before merge.

Epic E14: Agent Analytics Dashboard

P1 High PDLC
Source: New — dedicated admin UI view showcasing agentic PDLC as a product capability
US-E14-01: Agent Usage and Effectiveness Metrics
As a Platform Operator, I want to see invocation counts, duration, success rate, findings produced, and cost for each of the 78 agents, grouped by tier with trend charts.

Epic E15: Micro-Learning & Education

P1 High Experience
Source: Change LMS (full backend + frontend) — extracted as platform learning engine
US-E15-01: Just-in-Time Learning Prompts
As a Developer, I want contextual learning prompts when I'm working on a task, suppressed after I've mastered the topic.
US-E15-02: Persona-Based Learning Paths with Certifications
As a Platform Operator, I want structured learning paths (Foundation → Advanced) with certifications and maturity levels (1-5).
US-E15-03: Embedded Learning Modal
As an End User, I want an in-context learning modal with interactive scenarios and quizzes that doesn't require leaving my workflow.

Epic E16: AI Management System (ISO 42001)

Blaze solutions serve highly regulated industries — financial services (SOC 2, SOX, PCI-DSS, SR 11-7, DORA), healthcare (HIPAA), government, and insurance. AI governance is one critical dimension, but the platform's evidence-first compliance and governance-as-code capabilities extend to every regulation each customer in each industry is required to operate by. The BPMN-orchestrated control framework, DMN-driven routing, and SHA-256 evidence chain apply uniformly — whether the regulation is EU AI Act Article 14 or SOX Section 404.

E16: AI Management System (AIMS)
P0 Critical Governance
Source: SLA AI governance program (101 controls, 13 BPMN, 5 DMN) + Blaze governance docs (33 documents)
US-E16-01: Risk Classification via DMN-9
As a Compliance Officer, I want every AI interaction classified by risk tier via DMN-9 (5 dimensions, 16 rules), routing to proportional governance (13/9/5 phases).
US-E16-02: Governance-as-Code
As a Compliance Officer, I want the 101-control catalog enforced as executable BPMN processes producing machine-verifiable evidence.

Epic E17: EU AI Act & NIST Compliance

E17: EU AI Act / NIST AI RMF Compliance
P0 Critical Governance
Source: Blaze EU AI Act mapping + SLA regulatory mapping (13 frameworks, article-level)
US-E17-01: Article-Level Compliance Mapping
As a Compliance Officer, I want article-level mapping to EU AI Act, NIST AI RMF, ISO 42001, and 10+ additional frameworks.

Epic E18: AI Observability

P0 Critical Governance
Source: Blaze OTel instrumentation + SLA Prometheus KRIs + Change Prometheus metrics
US-E18-01: Agent Invocation Tracing
As a Compliance Officer, I want every agent invocation to produce an OTel trace with type, duration, findings, tokens, and model used.

Epic E19: AI Risk Register

E19: AI Risk Management
P1 High Governance
Source: SLA 15-category risk taxonomy + 63-item risk register + DMN decision tables
US-E19-01: 15-Category Risk Taxonomy
As a Compliance Officer, I want risks classified across 15 categories (Fairness, Transparency, Privacy, Security, Reliability, Human Oversight, Accountability, Content Safety, Environmental, Third-Party, Regulatory, Operational, Financial, Societal, Alignment).

Epic E20: AI Governance Dashboard

P1 High Governance
Source: New admin UI view + SLA Grafana dashboards + KRI alert rules
US-E20-01: Single-Pane Compliance Visibility
As a Compliance Officer, I want a dashboard showing: compliance score (overall + per-framework), 101 control statuses, evidence inventory with SHA-256 verification, 7 KRI trends, active AI systems by tier, and recent incidents.

Epic E21: Parser Extension Interface

P2 Medium SDK
Source: KMFlow 25+ parsers + SLA contract parsers
US-E21-01: Custom Parser Registration
As a Developer, I want to register domain-specific parsers that extend the platform's ingestion pipeline without modifying platform code.

Epic E22: Ontology Extension Interface

P2 Medium SDK
Source: KMFlow ontology + SLA governance ontology
US-E22-01: YAML Ontology Definition
As a Solution Architect, I want to define my domain's node types and relationships as YAML, with Neo4j constraints auto-created.

Epic E23: UI Component SDK

P2 Medium SDK
Source: KMFlow shadcn/ui components + Change full shadcn library + chart components + layout system
US-E23-01: Shared Design System
As a Developer, I want a platform design system (shadcn/ui primitives, chart library, layout shell) that every solution inherits for visual consistency.

Reference Applications

Four applications demonstrate the platform's capabilities. Each is Tier 1 (Full Knowledge Solution) consuming all 5 platform layers.

KMFlow

Consulting Delivery Platform

8-step PoV consensus algorithm (BRIGHT/DIM/DARK), TOM analysis, shelf data requests, client portal, assessment matrix, pattern library, survey bot, simulation & financial modeling

Consumes: All Layer 2 + Layer 3 + Layer 4

Change / ACMOS

AI-Orchestrated Change Management

SCML 7-phase methodology, stakeholder analysis, sentiment sensing, capacity modeling, content generation with governance, conversational assessments, adoption drift, wisdom harvesting

Consumes: All layers + LMS engine + Voice agent

SLA

Software Lifecycle Automation

8-phase governance lifecycle, contract analysis NLP, vendor management, 5 ITSM connectors, 21 DMN decision tables, committee voting, regulatory ingest (17 frameworks in Neo4j)

Origin of AI Governance program (adopted as platform)

COBOL Migration

Mainframe Modernization

COBOL parser, BMS screen map transformer, CICS stub generator, JCL-to-BPMN generator, DB2-to-PostgreSQL migration, CardDemo knowledge graph (11 programs, 4 stores, 5 rules)

Showcase for deterministic code generation pipeline

Platform Extraction Priority

35 capabilities currently duplicated across repos, prioritized for extraction into the Blaze platform.

Immediate — P0

| Priority | Capability | Current State | Action |
|---|---|---|---|
| P0 | Auth framework | 3 implementations (middleware + NestJS + 5x CF Workers) | Single platform auth library |
| P0 | 4-store KB standardization | 3 independent configurations | Standardize via Helm data-layer subchart |
| P0 | Security middleware stack | 3 implementations (CSRF, rate limit, headers, audit) | Unified middleware package |
| P0 | Camunda BPMN engine support | cib7 in 2 repos + C8 in 1 | Platform supports C7 + C8 via adapters |
| P0 | BPMN validator + security scanner | SLA only (7-file suite) | Extract as platform BPMN toolkit |
| P0 | BDD BPMN testing framework | SLA only (Cucumber + BpmnParser) | Extract as platform test toolkit |

Near-Term — P1

| Priority | Capability | Source |
|---|---|---|
| P1 | LMS engine | Change worktree (full backend + 26 frontend components) |
| P1 | Notification service (SMTP) | Change (only app with email sending) |
| P1 | Hallucination detector + reranker | Change graphrag-ml (gRPC) |
| P1 | Connector framework merger | KMFlow BaseConnector + SLA task-sync-base + WAL |
| P1 | AI governance OPA policies | Change (6-domain framework) |
| P1 | Regulatory ingest pipeline | SLA (17 frameworks → Neo4j) |
| P1 | Evidence infrastructure | SLA (SHA-256 hash chain, S3 WORM, retention tiers) |

Medium-Term — P2

| Priority | Capability | Source |
|---|---|---|
| P2 | PEP/PDP field-level access control | KMFlow |
| P2 | Voice agent framework | Change (LiveKit) |
| P2 | Camunda Modeler sync + Optimize export | SLA |
| P2 | Schema library unification | KMFlow + SLA (YAML templates) |
| P2 | Demo persona system | SLA (persona → candidateGroup mapping) |