Implementation Plan — Phased Milestones & Vertical Slices

Validated against PRD v1.0


1. Build Philosophy

Vertical slices, not horizontal layers. Each phase delivers a working, testable increment. No "build all database tables first, then all services, then all UI."

Critical path: Configuration Engine → Workflow Engine → Decision Modules → Case Management → Analyst UI.

Estimated timeline: Each phase = 2-4 weeks for a team of 4-6 engineers.


2. Phase 0: Foundation (Weeks 1-2)

Goal: Project scaffold, CI/CD, authentication, core infrastructure. Nothing user-facing yet.

Deliverables

| Item | Description | Acceptance Criteria |
|---|---|---|
| Project Scaffold | Kotlin/Spring Boot 3 project with Gradle multi-module structure (10 bounded context modules + shared + infra). React/TypeScript frontend project. | ./gradlew build passes. npm run build passes. |
| PostgreSQL | Docker Compose with PostgreSQL. Flyway migrations directory structure per bounded context. | docker compose up → PostgreSQL running. Flyway migrations apply cleanly. |
| Authentication | Spring Security with JWT. User registration/login. RBAC with 8 predefined roles (RM, KYC Analyst, Sanctions Analyst, EDD Analyst, FCC Reviewer, Supervisor, Auditor, Admin). | Login returns JWT. Protected endpoints reject unauthenticated requests. RBAC denies wrong-role access. |
| Architecture Fitness Tests | ArchUnit tests enforcing bounded context boundaries. CI gate. | ./gradlew test includes ArchUnit checks. Import violations fail the build. |
| Temporal Dev Setup | Temporal server in Docker Compose. Hello World workflow. | Temporal UI accessible at localhost:8080. Sample workflow runs end-to-end. |

Phase 0 Exit Criteria

  • Developer can check out, docker compose up, ./gradlew bootRun, and hit GET /api/v1/health
  • JWT authentication works
  • RBAC roles enforced
  • ArchUnit tests pass in CI

3. Phase 1: Configuration Engine (Weeks 3-4)

Goal: The config engine must be built first — every other module depends on it.

Critical path dependency: YES — blocks all subsequent phases.

Vertical Slice

flowchart TB
    subgraph P1[Phase 1: Configuration Engine]
        A[Config Admin UI] --> B[Create version DRAFT]
        B --> C[Edit workflows, thresholds<br/>approval matrices, document rules]
        C --> D[Promote<br/>DRAFT → TEST → ACTIVE]
        D --> E[Rollback]
        E --> F[Config version history]
    end

Deliverables

| ID | Deliverable | Dependencies | AC |
|---|---|---|---|
| CF-1 | ConfigVersion CRUD + promotion pipeline | None | Create, promote, rollback tested |
| CF-2 | WorkflowTemplate definition (JSONB) | CF-1 | Save/load workflow template |
| CF-3 | ThresholdConfig (risk score boundaries) | CF-1 | Save/load threshold rules |
| CF-4 | ApprovalMatrix configuration | CF-1 | Save/load approval matrices |
| CF-5 | DocumentRequirement rules | CF-1 | Save/load doc rules per archetype |
| CF-6 | Config Admin UI | CF-2 to CF-5 | CRUD all config types in browser |

Testable Outcome

  • Admin creates a workflow template, thresholds, and document rules in the UI
  • Promotes config to ACTIVE
  • GET /api/v1/config/active returns the correct version
  • Rollback reverts to previous version

4. Phase 2: Workflow Engine + Onboarding Core (Weeks 5-8)

Goal: The orchestration backbone. Onboarding state machine works end-to-end with manual steps (no intelligence modules yet — those come in Phase 3).

Vertical Slice

flowchart TB
    subgraph P2[Phase 2: Workflow + Onboarding Core]
        A[Submit application] --> B[Classify]
        B --> C[Capture data]
        C --> D[Upload documents]
        D --> E[State machine transitions]
        E --> F[Human tasks: review, approve, reject]
        F --> G[SLA timers + breach escalation]
        G --> H[Case auto-creation]
    end

Deliverables

| ID | Deliverable | Dependencies | AC |
|---|---|---|---|
| WF-1 | Temporal onboarding workflow (Corporate NL template) | CF-2, Phase 0 | Workflow starts, follows state transitions |
| WF-2 | Parallel task execution (dummy tasks — modules not built yet) | WF-1 | 3 parallel dummy tasks complete, workflow proceeds |
| WF-3 | Human task: Analyst Review (approve/reject/request info) | WF-1, Phase 0 (auth) | Analyst sees task in queue, makes decision, workflow resumes |
| WF-4 | SLA timers with breach escalation | WF-1 | SLA breached → supervisor notified |
| WF-5 | Onboarding data model + APIs (customer, individual, legal entity, ownership, document) | Phase 0 | CRUD customer data via API |
| WF-6 | Case auto-creation on workflow start | WF-1, Phase 0 | Workflow start → case appears in case list |

Testable Outcome

  • RM submits corporate application
  • Onboarding Specialist classifies
  • Documents uploaded
  • Workflow progresses to ANALYST_REVIEW
  • Analyst approves → case moves to DECIDED
  • SLA timer fires if analyst doesn't act

5. Phase 3: Intelligence Modules (Weeks 9-12)

Goal: Three pluggable decision modules. Each is independently testable.

Phase 3a: Name Screening (Week 9)

| ID | Deliverable | Dependencies | AC |
|---|---|---|---|
| NS-1 | Name normalization + exact/fuzzy matching | CF-3 | Screen 10 names → correct matches |
| NS-2 | WatchlistProvider interface + mock provider | NS-1 | Screen against mock sanctions list |
| NS-3 | Analyst adjudication API + UI | NS-1, Phase 0 (auth) | Adjudicate potential match → CLEAR/CONFIRM |
| NS-4 | Integrate into workflow (replace dummy task) | WF-2, NS-1 | Screening invoked automatically in workflow |

Phase 3b: Risk Rating (Week 10)

| ID | Deliverable | Dependencies | AC |
|---|---|---|---|
| RR-1 | Rules engine: 6 factors, weighted scoring | CF-3 | Score customer → correct band |
| RR-2 | Factor traceability (rationale per factor) | RR-1 | UI shows why each factor scored as it did |
| RR-3 | Integrate into workflow (replace dummy task) | WF-2, RR-1 | Risk rating invoked automatically |
| RR-4 | Risk-based branching (HIGH → EDD, LOW → fast-track) | WF-2, RR-1 | HIGH customer → workflow branches to EDD_REVIEW |

Phase 3c: Network Analysis (Weeks 11-12)

| ID | Deliverable | Dependencies | AC |
|---|---|---|---|
| NA-1 | Ownership graph traversal (recursive CTE) | Phase 2 (ownership data) | Build graph → correct nodes/edges |
| NA-2 | Linked entity discovery | NA-1 | Shared directors → discovered links |
| NA-3 | Graph visualization UI | NA-1 | Ownership structure rendered as interactive graph |
| NA-4 | Integrate into workflow | WF-2, NA-1 | Network analysis invoked for corporate customers |

Testable Outcome (End of Phase 3)

  • Corporate onboarding runs end-to-end with ALL three intelligence modules invoked
  • Screening detects PEP → adjudication required
  • Risk rating = HIGH → workflow branches to EDD
  • Network analysis shows ownership graph with discovered links

6. Phase 4: Case Management & Analyst Workspace (Weeks 13-15)

Goal: The full analyst experience. Queue, workspace, escalation, decisions.

Deliverables

| ID | Deliverable | Dependencies | AC |
|---|---|---|---|
| CM-1 | Case queue with filters (status, type, priority, age) | Phase 2 (cases exist) | Analyst sees assigned cases |
| CM-2 | Analyst workspace (single pane: customer + risk + screening + graph + docs + notes) | Phase 3 (all modules produce data) | All panels populated from real data |
| CM-3 | Append-only case notes | CM-2 | Write note → appears in timeline |
| CM-4 | Escalation routing (L1→L5) | Phase 0 (roles) | HIGH risk → auto-escalates to EDD |
| CM-5 | Supervisor dashboard (team workload, SLA risk) | Phase 2 (tasks exist) | Supervisor sees team metrics, reassigns cases |
| CM-6 | Decision logging with SoD enforcement | Phase 0 (RBAC) | Approve own case blocked → 403 |

Testable Outcome

  • Analyst opens workspace → sees customer profile, risk rating, screening results, ownership graph, documents, notes
  • Analyst adds note, escalates case
  • Supervisor views dashboard, reassigns overloaded case
  • Segregation of duties enforced on all decisions
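
One way to implement the CM-6 check in Kotlin, added here as an example and not taken from the project's code. It assumes "own case" means the decider is the user who submitted the case; the class names, the band-to-role map and the user ids are hypothetical. It shows why RBAC alone is not enough: a user holding both RM and EDD Analyst passes the role check but is still denied on a case they submitted, and the denial is logged.

```kotlin
// Added example, not project code. Roles are the 8 predefined ones from Phase 0.
enum class Role { RM, KYC_ANALYST, SANCTIONS_ANALYST, EDD_ANALYST, FCC_REVIEWER, SUPERVISOR, AUDITOR, ADMIN }
enum class Outcome { APPROVE, REJECT }

data class User(val id: String, val roles: Set<Role>)
data class Case(val id: String, val submittedBy: String, val riskBand: String)
data class DecisionRecord(
    val caseId: String, val decidedBy: String, val outcome: Outcome,
    val httpStatus: Int, val reason: String,
)

class DecisionService {
    // Append-only: entries are only ever added, and callers get a read-only copy.
    private val log = mutableListOf<DecisionRecord>()
    val auditLog: List<DecisionRecord> get() = log.toList()

    // Assumption: which roles may decide a case of a given risk band (hypothetical values).
    private val deciders = mapOf(
        "LOW" to setOf(Role.KYC_ANALYST, Role.SUPERVISOR),
        "HIGH" to setOf(Role.EDD_ANALYST, Role.FCC_REVIEWER),
    )

    fun decide(user: User, case: Case, outcome: Outcome): DecisionRecord {
        val allowed = deciders[case.riskBand].orEmpty()
        val (status, reason) = when {
            // RBAC: the user must hold a role permitted for this band.
            user.roles.none { it in allowed } -> 403 to "role not permitted for ${case.riskBand} case"
            // SoD: a permitted role does not help if the user submitted the case.
            user.id == case.submittedBy -> 403 to "segregation of duties: decider submitted this case"
            else -> 200 to "decision recorded"
        }
        // Denied attempts are recorded as well, so the audit trail shows them.
        return DecisionRecord(case.id, user.id, outcome, status, reason).also { log += it }
    }
}

fun main() {
    val svc = DecisionService()
    val case = Case("CASE-1", submittedBy = "u-rm-1", riskBand = "HIGH") // constructed sample data
    val dualRole = User("u-rm-1", setOf(Role.RM, Role.EDD_ANALYST))      // submitter who is also EDD
    val kyc = User("u-kyc-3", setOf(Role.KYC_ANALYST))                   // wrong role for HIGH
    val edd = User("u-edd-2", setOf(Role.EDD_ANALYST))                   // independent reviewer
    listOf(dualRole, kyc, edd).forEach { println(svc.decide(it, case, Outcome.APPROVE)) }
    println("audit entries: ${svc.auditLog.size}")
}
```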

7. Phase 5: Audit Hardening (Weeks 16-17)

Goal: Immutable audit trail complete. Replay works. Retention configured.

Deliverables

| ID | Deliverable | Dependencies | AC |
|---|---|---|---|
| AU-1 | AuditEvent recording from all bounded contexts | All previous phases | Every state transition, decision, module invocation logged |
| AU-2 | Audit replay UI (timeline view) | AU-1 | Auditor searches case → sees full event timeline |
| AU-3 | Export audit package (PDF/JSON) | AU-2 | Export → valid PDF with complete reconstruction |
| AU-4 | Monthly partitioning + retention policy | AU-1 | Oldest partition = current month; 7-year retention tested |

Testable Outcome

  • Auditor picks any case from any point → reconstructs within 5 minutes
  • All decision rationale, config versions, module outputs verified
  • Export package passes mock regulatory review

8. Phase 6: Polish & Hardening (Weeks 18-20)

| ID | Deliverable | AC |
|---|---|---|
| PL-1 | Notification bell (in-platform alerts) | Notifications appear for assigned tasks, SLA warnings, escalations |
| PL-2 | Error handling sweep (all edge cases from domain specs) | Every edge case has defined behavior — no raw stack traces |
| PL-3 | Performance testing (100 concurrent workflows, 50 analysts) | Meets NFR-P01 through NFR-P04 |
| PL-4 | Security review (TLS, encryption, pen test) | Meets NFR-S01 through NFR-S06 |
| PL-5 | Documentation finalization | All API docs, architecture docs, runbooks complete |
| PL-6 | External integration with real providers (sanctions, PEP, registry) | Real screening returns real results |

9. Dependency Graph

flowchart TB
    P0[Phase 0: Foundation] --> P1[Phase 1: Config Engine]
    P1 --> P2[Phase 2: Workflow + Onboarding]
    P2 --> P3A[Phase 3a: Name Screening]
    P2 --> P3B[Phase 3b: Risk Rating]
    P2 --> P3C[Phase 3c: Network Analysis]
    P2 --> P4[Phase 4: Case Management]
    P3A --> P4
    P3B --> P4
    P3C --> P4
    P4 --> P5[Phase 5: Audit Hardening]
    P2 --> P5
    P5 --> P6[Phase 6: Polish]

10. Summary Timeline

| Phase | Weeks | What's Delivered |
|---|---|---|
| 0: Foundation | 1-2 | Project, auth, CI, DB, ArchUnit |
| 1: Config Engine | 3-4 | Versioned config, admin UI |
| 2: Workflow + Onboarding | 5-8 | State machine, human tasks, SLA, data model |
| 3: Intelligence Modules | 9-12 | Screening, Risk Rating, Network Analysis |
| 4: Case Management | 13-15 | Analyst workspace, escalation, supervisor dashboard |
| 5: Audit Hardening | 16-17 | Immutable log, replay, export, retention |
| 6: Polish | 18-20 | Notifications, error handling, performance, security, docs |
| Total | 20 weeks | MVP complete |

Plan validated against PRD v1.0 and all domain specs. Critical path: Config → Workflow → Modules → Case Mgmt → Audit.