2. Functional Requirements

2.1 Platform Capabilities

2.1.1 RulePack Execution

  • Purpose: Execute externalized validation rules and compliance policies
  • Format: JSON-based rule definitions with versioning
  • Features:
      • Safe operators (no eval/exec): ==, !=, <, >, in, matches, etc.
      • Severity levels: FATAL (blocking), WARNING (review required), INFO (logged)
      • Field-level validation with contextual error messages
      • Batch processing support (1M+ records)
      • Rule composition and chaining

Example RulePack Structure:

{
  "metadata": {
    "pack_id": "federal-gtas-v1",
    "version": "1.0.0",
    "compliance": ["OMB-A-136", "GTAS-2024"]
  },
  "rules": [
    {
      "rule_id": "GTAS-001",
      "type": "FATAL",
      "field": "TAS",
      "operator": "matches",
      "pattern": "^[0-9]{3}-[0-9]{4}$",
      "error_message": "Invalid TAS format. Expected: ###-####"
    }
  ]
}
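
One way to evaluate such a pack with an operator allowlist instead of eval/exec, failing closed on missing fields. This is an added example, not the platform's own code; the function names and the "value"/"values" rule keys are assumptions.

```python
import json
import re

# Operator allowlist: a rule can only select one of these callables by name.
# The "value"/"values" keys are assumed; the page shows only "pattern".
SAFE_OPERATORS = {
    "==": lambda v, r: v == r["value"],
    "!=": lambda v, r: v != r["value"],
    "<": lambda v, r: v < r["value"],
    ">": lambda v, r: v > r["value"],
    "in": lambda v, r: v in r["values"],
    # fullmatch: "$" alone would still accept a trailing newline
    "matches": lambda v, r: isinstance(v, str)
    and re.fullmatch(r["pattern"], v) is not None,
}
SEVERITIES = {"FATAL", "WARNING", "INFO"}

# Constructed sample: the rule from the RulePack example above.
SAMPLE_PACK = json.dumps({"rules": [{
    "rule_id": "GTAS-001", "type": "FATAL", "field": "TAS",
    "operator": "matches", "pattern": "^[0-9]{3}-[0-9]{4}$",
    "error_message": "Invalid TAS format. Expected: ###-####"}]})

def load_rulepack(text):
    """Parse a pack and reject unknown operators or severities at load time."""
    pack = json.loads(text)
    for rule in pack["rules"]:
        if rule["operator"] not in SAFE_OPERATORS:
            raise ValueError(f"{rule['rule_id']}: operator not allowed")
        if rule["type"] not in SEVERITIES:
            raise ValueError(f"{rule['rule_id']}: unknown severity")
        if rule["operator"] == "matches":
            re.compile(rule["pattern"])  # bad regex fails here, not mid-batch
    return pack

def evaluate(pack, record):
    """Return (findings, blocked); a missing field or type error fails the rule."""
    findings = []
    for rule in pack["rules"]:
        value = record.get(rule["field"])
        try:
            ok = value is not None and SAFE_OPERATORS[rule["operator"]](value, rule)
        except (TypeError, KeyError):
            ok = False
        if not ok:
            findings.append((rule["rule_id"], rule["type"], rule["error_message"]))
    return findings, any(sev == "FATAL" for _, sev, _ in findings)
```

Python's `re` has no match timeout, so patterns in a pack still need review for catastrophic backtracking before deployment.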

2.1.2 WorkflowPack Orchestration

  • Purpose: Define and execute multi-step business processes
  • Format: YAML-based workflow definitions
  • Features:
      • Node types: Data source, validation, AI inference, decision, approval, data sink
      • Human-in-the-loop approval gates
      • Saga pattern for distributed transactions
      • Automatic compensation on failures
      • Parallel execution support

Example WorkflowPack Structure:

workflow_id: gtas-monthly-submission
version: 1.0.0
steps:
  - id: ingest
    type: data-source
    config:
      format: csv
      schema: trial-balance-v1

  - id: validate
    type: validation
    config:
      rulepack: federal-gtas-v1
      on_failure: halt

  - id: reconcile
    type: calculation
    config:
      formula: sum(debits) - sum(credits)

  - id: approve
    type: approval
    config:
      role: certifying_official
      timeout_hours: 48

  - id: submit
    type: data-sink
    config:
      endpoint: https://gtas.treasury.gov/api/submit
      method: POST

2.1.3 AI Orchestration

  • Purpose: Provide intelligent assistance and automation
  • Capabilities:
      • Model Router: Select optimal model (cost, speed, compliance)
      • RAG (Retrieval-Augmented Generation): Vector store with compliance knowledge
      • PII Redaction: Automatic sensitive data scrubbing before LLM calls
      • Explainability: Generate plain-language explanations for rule failures
      • Smart Recommendations: Suggest corrections for compliance violations

Supported AI Models:

  • Production: Google Gemini 1.5 Pro/Flash (via Vertex AI)
  • Roadmap: Claude 3.5 Sonnet, GPT-4 Turbo, AWS Bedrock, Hugging Face local models

2.1.4 Multi-Tenant Architecture

  • Tenant Isolation:
      • PostgreSQL: Schema-per-tenant with Row-Level Security (RLS)
      • Kubernetes: Namespace-per-tenant (enterprise tier)
      • Redis: Key prefixing by tenant ID
      • Storage: GCS buckets with tenant-scoped access
  • Deployment Modes:
      • SaaS Multi-Tenant: Shared platform, schema isolation ($10k/mo base)
      • SaaS Dedicated: Dedicated cluster per tenant ($50k/mo+)
      • On-Prem/Private: Customer infrastructure ($200k/yr license)

2.1.5 RAG (Retrieval-Augmented Generation)

  • Purpose: Provide contextual, compliance-aware knowledge retrieval for AI and UI workflows
  • Architecture: 4-level hierarchy (Platform → Suite → Module → Entity) with scope-based retrieval
  • Features:
      • Scoped search: Retrieve knowledge at desired specificity (e.g., suite, module, entity)
      • Boosting: Relevance scoring based on context, recency, and compliance tags
      • Real-time ingestion: New docs, policies, and evidence can be indexed on demand
      • Admin UI: Upload, manage, and visualize knowledge graph
      • Integration: RAG available via API and UI hooks (Designer, AI Assistant)
  • Sample Use Cases:
      • Explain compliance rules with traceable source references
      • Retrieve agency-specific guidance for workflow steps
      • Power AI Assistant with up-to-date, certified knowledge

2.1.6 OCR (Optical Character Recognition)

  • Purpose: Extract structured data and text from scanned documents and images
  • Features:
      • Multi-engine support: Tesseract (open source), Google DocAI (cloud)
      • Field extraction: Map document zones to schema fields (template-based)
      • Batch processing: Handle large volumes (1000+ docs per batch)
      • Confidence scoring: Per-field and per-page extraction quality
      • Redaction: Mask PII/PHI on output if enabled
  • Supported Formats: PDF, TIFF, PNG, JPEG
  • Sample Use Cases:
      • Ingest scanned financial reports for validation
      • Extract fields from government forms (e.g., SF-133)
      • Pre-process documents for RAG indexing

2.1.7 Ledger (Immutable Audit Ledger)

  • Purpose: Provide tamper-evident, append-only event logging for compliance and audit
  • Features:
      • SHA-256 hash-chain: Each event links to the previous one for immutability
      • Append-only API: No updates or deletes permitted
      • Periodic verification: Automated detection of drift or tampering
      • Integration: Compliance service logs all critical events to the ledger
      • Export: Downloadable for third-party audits
  • Sample Use Cases:
      • Store evidence of workflow execution and approvals
      • Provide audit trail for regulatory certification
      • Detect unauthorized event modification attempts
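
A sketch of the SHA-256 hash chain and the periodic verification pass described above, added here as an example and not taken from the platform's code. The entry layout (seq, prev_hash, event, hash), the all-zero genesis value, and the sample event types are assumptions.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry

# Constructed sample events in the page's audit-log shape (trimmed).
SAMPLE_EVENTS = [
    {"event_type": "workflow_executed", "tenant_id": "agency-dod-001",
     "details": {"workflow_id": "gtas-monthly-submission", "status": "completed"}},
    {"event_type": "approval_granted", "tenant_id": "agency-dod-001",
     "details": {"role": "certifying_official"}},
    {"event_type": "pack_deployed", "tenant_id": "agency-dod-001",
     "details": {"pack_id": "federal-gtas-v1"}},
]

def digest(prev_hash, event):
    # Canonical JSON so the same event always serializes to the same bytes
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

class Ledger:
    """Append-only: the class exposes no update or delete operation."""
    def __init__(self):
        self._entries = []

    def append(self, event):
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        self._entries.append({"seq": len(self._entries), "prev_hash": prev,
                              "event": copy.deepcopy(event),
                              "hash": digest(prev, event)})
        return self._entries[-1]["hash"]

    def export(self):
        return copy.deepcopy(self._entries)  # detached copy for auditors

def verify(entries, expected_head=None):
    """Return the index of the first bad entry, or None if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if (e["seq"] != i or e["prev_hash"] != prev
                or digest(prev, e["event"]) != e["hash"]):
            return i
        prev = e["hash"]
    # Truncation leaves a valid shorter chain; only a stored head hash reveals it
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None
```

The chain by itself detects edits and removals in the middle; detecting a truncated or fully recomputed chain requires comparing against a head hash kept outside the ledger store.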

2.2 User Roles & RBAC

| Role | Permissions | UI Access |
|------|-------------|-----------|
| PLATFORM_VIEWER | Read-only platform status | Dashboards, logs |
| PACK_AUTHOR | Create/edit RulePacks & WorkflowPacks | Designer, testing |
| PACK_REVIEWER | Approve packs for deployment | Review queue, annotations |
| COMPLIANCE_OFFICER | Certify compliance, audit access | Audit logs, reports |
| SUITE_OPERATOR | Execute workflows, upload data | Suite dashboards, data entry |
| SUITE_ADMIN | Manage suite configuration | Suite settings, integrations |
| PLATFORM_ADMIN | Full platform administration | All features, tenant management |

2.3 Audit & Compliance Logging

Required Events (NIST 800-53 AU-2, AU-3):

  • User authentication (login, logout, failures)
  • Pack creation, modification, deployment
  • Workflow execution (start, steps, end, errors)
  • Data access (read, write, delete)
  • Permission changes (role grants, revocations)
  • AI inference calls (model, prompt hash, response)
  • Configuration changes (platform, tenant, suite)

Log Format (JSON):

{
  "timestamp": "2025-09-30T14:23:45Z",
  "event_type": "workflow_executed",
  "tenant_id": "agency-dod-001",
  "user_id": "jane.doe@dod.gov",
  "session_id": "sess_abc123",
  "correlation_id": "wf_xyz789",
  "details": {
    "workflow_id": "gtas-monthly-submission",
    "status": "completed",
    "duration_ms": 3542
  },
  "compliance_tags": ["FISMA", "GTAS", "OMB-A-136"]
}

Retention:

  • Audit logs: 7 years (regulatory requirement)
  • Workflow execution logs: 3 years
  • Access logs: 1 year
  • Performance logs: 90 days