Implementation Plan — Overview¶
Validated against PRD v1.0
Executive Summary¶
The FEC Platform MVP is built in 7 phases over 20 weeks by a team of 4-6 engineers. The build follows the critical path: Configuration Engine → Workflow Engine → Intelligence Modules → Case Management → Audit Hardening → Polish.
Each phase delivers a working, testable vertical slice. No phase begins before its predecessor's exit criteria are met.
1. Team Composition¶
| Role | Count | Required Skills |
|---|---|---|
| Backend Engineer (Kotlin/Spring) | 2-3 | Kotlin, Spring Boot 3, JPA/Hibernate, PostgreSQL. Temporal experience preferred. |
| Frontend Engineer (React/TypeScript) | 1-2 | React, TypeScript, MUI, state management, API integration. Graph visualization experience preferred (cytoscape.js, vis.js). |
| Tech Lead / Architect | 1 | Kotlin/Spring, Temporal, PostgreSQL, DDD. Architecture decision-making. Code review authority. |
| DevOps Engineer | 0.5 (shared) | Docker, CI/CD (GitHub Actions), cloud deployment (AWS/Azure). Part-time across phases. |
| Compliance Domain Expert | 0.25 (advisory) | KYC/CDD, AML/CTF regulations. Reviews domain correctness at phase exits. Part-time. |
Total: 4-6 FTE engineering + advisory compliance.
Skill Gaps to Address¶
| Skill | Ramp-Up | When Needed |
|---|---|---|
| Kotlin (from Java) | 2 weeks | Phase 0 (immediate) |
| Temporal | 2-3 weeks | Phase 2 (week 5) |
| PostgreSQL recursive CTEs | 1 week | Phase 3c (week 11) |
2. Infrastructure Requirements¶
| Environment | Purpose | Provisioned |
|---|---|---|
| Local Dev | Docker Compose (PostgreSQL + Temporal + App). Engineer laptops. | Phase 0 |
| CI | GitHub Actions runners. Unit + integration + ArchUnit tests. | Phase 0 |
| Test/Staging | Cloud VM or container service. Used for integration testing and config validation. | Phase 2 |
| Production | Cloud VM or container service (AWS ECS / Azure Container Apps). Single deployment for MVP. | Phase 5 |
Cloud Resources (Production MVP)¶
| Resource | Spec | Estimated Monthly Cost |
|---|---|---|
| App server | 2 vCPU, 4 GB RAM | ~$50-100 |
| PostgreSQL (managed) | 2 vCPU, 8 GB RAM, 50 GB storage | ~$100-150 |
| Temporal Cloud (or self-hosted) | 1 namespace, dev tier | ~$25-50 (free tier) |
| Load Balancer / TLS | Managed by cloud provider | ~$20 |
Estimated: ~$200-350/month for MVP production.
3. Testing Strategy¶
| Layer | Tool | Coverage Target | When |
|---|---|---|---|
| Unit Tests | JUnit 5 + MockK | ≥ 80% line (business logic) | Every phase |
| Integration Tests | TestContainers (real PostgreSQL) | All repository + service layers | Every phase |
| Architecture Tests | ArchUnit | Boundary violations = 0 | Phase 0+ (CI gate) |
| Workflow Tests | Temporal Test framework | All workflow paths (happy + sad) | Phase 2+ |
| API Contract Tests | Spring MockMvc + REST Assured | All endpoints have contract test | Every phase |
| E2E Tests | Playwright | Critical journeys (corporate onboarding, retail fast-track, sanctions escalation) | Phase 4+ |
| Performance Tests | k6 or Gatling | NFR-P01 through PFR-P04 targets | Phase 6 |
| Security Tests | OWASP ZAP | No critical/high findings | Phase 6 |
Test Pyramid¶
╱ E2E (Playwright) ╲ ~10 tests — critical journeys only
╱ Workflow Tests ╲ ~20 tests — all workflow paths
╱ Integration Tests ╲ ~100 tests — service + repository layers
╱ Unit Tests ╲ ~500+ tests — business logic coverage
╱ Architecture Tests (CI) ╲ ~10 rules — boundary enforcement
4. Go-Live Criteria¶
The platform is ready for production when ALL of the following are true:
Functional Completeness¶
- FR-ON-01 through FR-ON-06: Onboarding workflow runs end-to-end
- FR-NS-01 through FR-NS-03: Screening detects matches, adjudication works
- FR-RR-01 through FR-RR-03: Risk rating scores correctly, routes correctly
- FR-CM-01 through FR-CM-05: Case management lifecycle works
- FR-NA-01 through FR-NA-02: Ownership graph + linked discovery
- FR-CF-01 through FR-CF-03: Config engine versioning, promote, rollback
- FR-AU-01 through FR-AU-03: Audit log, replay, SoD enforcement
- FR-SC-01 through FR-SC-02: RBAC, authentication
- FR-NT-01: In-platform notifications
Non-Functional Targets¶
- NFR-P01: UI renders ≤ 2s (p95)
- NFR-P02: Screening ≤ 5s (p95)
- NFR-P03: 100 concurrent workflows without degradation
- NFR-P04: Audit log sustain 1K events/sec
- NFR-R02: Graceful degradation when external service unavailable
- NFR-U01: ≤ 5 clicks for common analyst tasks
- NFR-C02: Decision reconstruction ≤ 5 minutes
- NFR-M04: Business logic ≥ 80% line coverage
Security¶
- NFR-S01: TLS 1.2+ everywhere
- NFR-S02: Encryption at rest verified
- Penetration test: no critical/high findings
- Dependency scan: zero critical CVEs
Operational Readiness¶
- Runbook for common incidents (external service down, DB failover, Temporal recovery)
- Monitoring dashboard: active workflows, case counts, error rate, SLA breaches
- Backup/restore tested for PostgreSQL
- Rollback tested: config version rollback, application version rollback
Compliance¶
- Audit replay tested with mock regulatory review
- SoD enforcement verified for all decision paths
- Document retention policy configured
- Compliance domain expert sign-off
5. Post-MVP Roadmap (Directional)¶
| v2 Target | Capabilities |
|---|---|
| Transaction Monitoring | Event ingestion pipeline, scenario definitions, alert generation |
| Periodic Review | Scheduled review triggers, KYC refresh, risk reassessment |
| Event-Driven Review | Sanctions changes, ownership changes, adverse media triggers |
| SAR Filing Prep | Suspicion confirmation, narrative drafting, filing workflow |
| Keycloak SSO/MFA | Enterprise identity integration |
Implementation plan validated against PRD v1.0, all domain specs, phased milestones, and risk register.