192 Repos. 19 Sessions.
One Clear Path Forward.

Config-Only Multi-Brand

All 3 production brands use identical Docker images, Helm charts, and code. Differentiation is purely through environment config. Confirmed through infrastructure analysis.

Clean Service Boundaries

No shared database backdoors across 7 analyzed domains. All inter-service communication uses GraphQL, REST, or RabbitMQ. Validated across all 7 domains.

Modern Tech Stack

Java 21, Spring Boot 3.5.4, Angular 18.2, PostgreSQL 16. Core tech is current — the stack isn't the problem.

Near-Zero Test Coverage

2-3 test files per service across all Gen 2 services. Expected coverage not found. Major regression risk during migration.

CIB Seven EOL

Camunda 7 CE support ended Oct 2025. Two BPM services + Keycloak plugin affected. Replacement is mandatory.

Zonal Infrastructure

GKE clusters and Cloud SQL are zonal (us-central1-a). Zone failure = complete tenant outage. No automatic HA.

Evidence-First

Every claim traced to source code, config files, or infrastructure artifacts. No assumptions without verification.

Hypothesis-Driven

14 hypotheses formulated and tested. Each assigned an assurance level (L0–L2) with falsifiability criteria.

Iterative Discovery

Findings from each session reshaped priorities for the next. The analysis plan evolved as evidence accumulated.

Monolithic Tangle

Assumed shared databases, tight coupling between services, outdated frameworks. Expected to recommend a ground-up rebuild.

Clean Service Boundaries

No shared database backdoors. Modern stack (Java 21, Spring Boot 3.5). Config-only multi-brand. The code was better than the infrastructure around it.

ADR-002 through ADR-008

The first seven decisions built incrementally: each new session's findings refined or challenged earlier choices. ADR-005 (Database Consolidation) was rewritten twice as we discovered the true scope of 35 databases per tenant.

ADR-010 Restructured

Passwordless-First Auth started as a simple Keycloak-to-X migration. Session 14 revealed 5 custom Keycloak themes per user type, forcing a complete rethink of the auth transition strategy.

ADR-011 Video Platform

Initially assumed Mux could handle everything. Discovery of Jitsi for interactive sessions and live-commerce requirements added a second video tier to the strategy.

ADR-012 Email Delivery

The lutung discovery in Session 5 directly spawned this ADR. What started as a footnote became a standalone decision requiring its own migration path.

ADR-013 BPM Engine

Initial analysis recommended Spring SM, but two inputs flipped the decision: Meet & Greet SM was retired (no in-house precedent), and strategic intent to expand BPM usage made the engine an investment, not overhead. Operaton recommended.

ADR-014 through ADR-024

Eleven more ADRs covering observability, testing, CI/CD security, financial ledger, API strategy, search, network security, messaging, data pipeline, file storage, and feature flags — completing the full architectural decision set.

Claude Code

Codebase traversal across 192 repos. Pattern recognition in service boundaries, dependency mapping, config analysis. Consistent application of hypothesis framework across all 14 hypotheses across 19 sessions. Draft generation for all 20 knowledge base documents.

Human Architect

Domain context and stakeholder priorities. Strategic direction on what to investigate next. Business judgment on trade-offs (cost vs. risk vs. speed). Final validation of every recommendation and decision.

GKE Standard

Zonal cluster with Spot VMs. Avoids $74/month Autopilot fee. 60-91% compute savings.

Cloudflare Tunnel

Zero-trust ingress with no public IPs. Free tier. Routes to *.agentic-innovations.com.

In-Cluster Databases

PostgreSQL and Redis run in-cluster. No managed service costs. PVC for persistence.

GKE Cluster

Standard mode, Spot VMs, Workload Identity

VPC Network

Cloud NAT, firewall rules, private subnets

IAM

Service accounts, Workload Identity bindings

Tenant

Namespace, quotas, NetworkPolicy, RBAC

Cloudflare

Tunnel config, DNS records, routes

Secrets

Secret Manager, External Secrets Operator

Storage

Terraform state, backups, assets

Registry

Container images with cleanup policies

Helix Platform

helix.agentic-innovations.com
AI agent orchestration platform

NIL GamePlan

nilgameplan.agentic-innovations.com
NIL compliance and management

The Agile Network

agile.agentic-innovations.com
Fan-athlete connection platform

ArgoCD Features

• Continuous deployment from Git
• ApplicationSet for all tenants
• Automated sync with self-heal
• Rollback via Git revert

Knative Serving

• Scale-to-zero for cost savings
• Automatic scaling on demand
• Traffic splitting for canary
• Revision management

Its main advantage — "preserving working code" — assumes code is expensive to write. With agentic coding, writing code is cheap. What's expensive is dealing with messy code: implicit coupling, undocumented behavior, Gen 1 patterns mixed with Gen 2, and retrofitting tests onto zero-coverage legacy.

Its main advantage — incremental risk mitigation — relies on CDC pipelines, Istio routing, and dual-write sync. These are all infrastructure tasks, the hardest category for agentic coding. The agent ends up context-switching between "build new code" and "maintain sync infrastructure" constantly.

CIB Seven: No Patches

Community support ended Oct 2025. Every month without migration increases exposure to unpatched CVEs across 2 BPM services and the Keycloak plugin.

lutung: Dead Library in Production

Every transactional email runs through an unmaintained library (deprecated 2016). No security updates, no bug fixes, no migration path until replaced.

Zonal GKE: Single Point of Failure

Current zonal clusters mean a single zone outage takes down all production traffic for that tenant. Regional migration eliminates this risk.

3 Clusters × 35 DBs: Compounding Spend

Running separate infrastructure per tenant with 35 databases each means cloud costs scale linearly with every new brand. Consolidation breaks this pattern.