Chapter 03: Architecture Characteristics
Purpose
This appendix documents the formal architecture characteristics analysis for the Nexus POS Platform. It identifies the driving quality attributes that shape architectural decisions and provides justification for each characteristic’s priority.
Source: Architecture Characteristics Worksheet v2.0 (Expert Panel-Reviewed) System/Project: Nexus - Omnichannel Retail POS (Multi-Tenant Cloud) Architect/Team: Cloud AI Architecture Agents Domain/Quantum: Retail / Inventory Management / Multi-Platform Integration Date Modified: February 19, 2026 Panel Review Score: 6.50/10 → Updated per 4-member expert panel recommendations
K.1 Top 9 Driving Characteristics
These are the primary quality attributes that drive architectural decisions. They are listed in priority order.
| Rank | Characteristic | Priority Level | Blueprint Reference |
|---|---|---|---|
| 1 | Availability | Critical | Ch 04: Architecture Styles, Section L.10A.1 |
| 2 | Interoperability | Critical | Ch 13: Integration Patterns |
| 3 | Data Consistency | Critical | Ch 04: Architecture Styles, Section L.4A |
| 4 | Security | Elevated | Ch 12: Security & Auth, Ch 26: Security Compliance |
| 5 | Compliance (NEW) | Critical | Ch 13: Integrations, Ch 26: Security Compliance |
| 6 | Modifiability | High | Ch 04: Architecture Styles, Section L.9A |
| 7 | Scalability | High | Ch 04: Architecture Styles, Section L.10A.4 |
| 8 | Configurability (ELEVATED from implicit) | High | Ch 04: Architecture Styles Section L.10A.4, BRD Module 5 |
| 9 | Performance | High | Ch 09: Indexes & Performance |
K.2 Characteristics with Definitions and Justifications
K.2.1 Availability (Rank 1)
| Attribute | Value |
|---|---|
| Definition | The amount of uptime of a system; usually measured in 9’s (e.g., 99.9%). |
| Priority | Critical |
| Blueprint Reference | Ch 04: Architecture Styles, Section L.10A.1 |
Justification:
“Offline First” capability is non-negotiable. Physical stores must be able to process transactions even if internet connectivity fails.
Architectural Implications:
- Local SQLite database on POS terminals
- Event queue for offline transaction storage
- Automatic sync when connectivity restored
- Graceful degradation patterns
Offline-First Justification
Retail network reality makes offline-first a non-negotiable design constraint:
Retail Network Reality
======================
Internet Outage at 2pm on Black Friday?
Traditional POS: "Network Error - Cannot Process Sale" (DISASTER)
Offline-First POS: Works normally, syncs when online (BUSINESS CONTINUES)
Slow WiFi during holiday rush?
Traditional POS: 5-second delay per sale (FRUSTRATED CUSTOMERS)
Offline-First POS: Instant response, sync in background (HAPPY CUSTOMERS)
Server maintenance window?
Traditional POS: Store closes or uses manual paper (LOST REVENUE)
Offline-First POS: No impact to operations (FULL REVENUE)
The offline-first design is governed by five core principles (from Ch 04, Section L.10A.1):
| Principle | Description |
|---|---|
| Local-First | All operations work against local database first |
| Async Sync | Sync happens in background, not blocking UI |
| Queue Everything | Changes queue when offline, sync when online |
| Conflict Resolution | Deterministic rules for conflicting changes |
| Eventual Consistency | Accept that data may be temporarily out of sync |
Event Sourcing Enables Offline Sync
Event sourcing (Ch 04 Section L.4A) directly supports availability by enabling offline event queues. When the POS client is offline, all business operations (sales, payments, inventory adjustments) are captured as immutable events stored locally. When connectivity is restored, these events are synced to the central server and merged deterministically. Because events are append-only and each has a unique ID, offline sales never conflict – they simply merge into the central event stream. This makes event sourcing a foundational enabler of the offline-first architecture.
K.2.2 Interoperability (Rank 2)
| Attribute | Value |
|---|---|
| Definition | The ability of the system to interface and interact with other systems to complete a business request. |
| Priority | Critical |
| Blueprint Reference | Ch 13: Integration Patterns |
Justification:
BRD v18.0 Module 6 defines integration with 6 provider families across fundamentally different protocols:
| Provider Family | Auth Model | Rate Limiting | Sync Cadence |
|---|---|---|---|
| Shopify | OAuth 2.0 / PKCE | 50 points/second (GraphQL) | Real-time webhooks |
| Amazon SP-API | OAuth / Login with Amazon (LWA) | Burst + restore token bucket | 2-minute polling |
| Google Merchant | API key + Service Account | Quota-based (daily limits) | 2x/day batch + real-time local inventory |
| Payment Processor | API key / OAuth | Per-transaction | Real-time |
| Email (SMTP) | SMTP credentials | Provider-specific | Event-triggered |
| Carrier APIs | API key | Per-request | On-demand |
The system must maintain an Anti-Corruption Layer (ACL) per provider to prevent external schema changes from propagating into the core POS domain. BRD Section 6.2 mandates:
- Provider Abstraction:
IIntegrationProviderinterface with 5 standard methods per provider - Circuit Breaker: 5 failures within 60 seconds triggers OPEN state; 30-second cooldown before HALF_OPEN
- Idempotency Framework: 24-hour deduplication windows with SHA-256 keying (Section 6.2.5)
- Transactional Outbox: Atomic inventory reservation + guaranteed event publication
Architectural Implications:
- Anti-Corruption Layer (ACL) per provider preventing external schema leakage
- Provider Abstraction pattern (
IIntegrationProvider) for uniform integration interface - Circuit breaker pattern (CLOSED → OPEN → HALF_OPEN state machine)
- Idempotency framework with configurable dedup windows
- Transactional Outbox for guaranteed event delivery
- Rate limiter per provider with adaptive throttling
K.2.3 Data Consistency (Rank 3)
| Attribute | Value |
|---|---|
| Definition | The data across the system is in sync and consistent across databases and tables. |
| Priority | Critical |
| Blueprint Reference | Ch 04: Architecture Styles, Section L.4A |
Justification:
Critical for handling the “Inventory Sync” race conditions between physical shoppers and online orders to prevent overselling.
Architectural Implications:
- Event Sourcing for Sales and Inventory domains
- Eventual consistency model with conflict resolution
- Optimistic concurrency control
- Idempotent event handlers
Event Sourcing Justification
Traditional CRUD systems store only current state. Event sourcing stores every change as an immutable event, providing the full history needed for audit trails, temporal queries, and offline conflict resolution (from Ch 04 Section L.4A):
Traditional CRUD vs Event Sourcing
==================================
CRUD Approach:
+------------------+
| inventory_items |
|------------------|
| sku: NXP001 |
| quantity: 45 | <- Only current state
| updated_at: now |
+------------------+
Event Sourcing Approach:
+------------------+
| events |
|------------------|
| InventoryReceived: +100 @ 2025-01-01 09:00 |
| ItemSold: -2 @ 2025-01-01 10:15 |
| ItemSold: -1 @ 2025-01-01 11:30 |
| ItemSold: -3 @ 2025-01-01 14:22 |
| AdjustmentMade: -49 @ 2025-01-01 16:00 | <- Caught discrepancy!
| ItemSold: -1 @ 2025-01-02 09:15 |
| Current State: 45 (sum of all events) |
+------------------+
Benefits for Retail POS:
| Benefit | Description |
|---|---|
| Complete Audit Trail | Every sale, void, refund, adjustment is recorded forever |
| Temporal Queries | “What was our inventory on December 15th at 3pm?” |
| Offline Sync | Events queue locally, merge when online |
| Conflict Resolution | Compare event streams, not states |
| Debugging | Replay events to reproduce issues |
| Compliance | PCI-DSS, SOX require transaction logs |
K.2.4 Security (Rank 4 - Elevated)
| Attribute | Value |
|---|---|
| Definition | The ability of the system to prevent malicious actions, protect credentials, and restrict access across all trust boundaries. |
| Priority | Elevated (due to multi-platform OAuth, GenAI code generation, PCI-DSS 4.0) |
| Blueprint Reference | Ch 12: Security & Auth, Ch 26: Security Compliance |
Justification:
BRD v18.0 elevates security from basic PCI-DSS to 5 concrete security sub-domains:
| Security Sub-Domain | Scope | Key Requirements |
|---|---|---|
| 1. Authentication & Authorization | Multi-provider OAuth lifecycle | 3 OAuth providers (Shopify, Amazon LWA, Google), MFA for admin users (PCI-DSS 4.0 Req 8.4.2), role-based access control |
| 2. Credential Lifecycle Management | Secrets vault and rotation | HashiCorp Vault for 6 credential types, automated 90-day rotation, tenant-specific encryption keys, emergency rotation procedures |
| 3. Supply Chain Security | Dependency and package safety | Snyk/OWASP SCA with package firewall, SBOM generation (PCI-DSS 4.0 Req 6.3.2), real-time vulnerability scanning |
| 4. GenAI Governance | AI-generated code safety | 6-gate Security Test Pyramid: SAST + SCA + Secrets Detection + Architecture Conformance (ArchUnit/NetArchTest) + Contract Tests (Pact) + Manual Security Review |
| 5. PCI-DSS 4.0 Compliance | Payment card security | SAQ-A boundaries, FIM via Wazuh/OSSEC (Req 11.5.1), session management, audit trail retention (365 days), vulnerability scanning (Req 11.3.1) |
Architectural Implications:
- HashiCorp Vault (Docker container) for centralized credential management
- 6-gate Security Test Pyramid in CI/CD pipeline
- Wazuh/OSSEC agents on all POS terminals for File Integrity Monitoring
- Architecture conformance tests (ArchUnit/NetArchTest) enforcing module boundaries
- Pact contract tests against Shopify/Amazon/Google sandbox APIs
- Audit trail with INTEGRATION category for OAuth operations and webhook verification
POS Security Layers
The system implements a 5-layer defense-in-depth security model (from Ch 04 Section L.9A):
Security Layers
===============
+------------------------------------------------------------------+
| INTERNET |
+---------------------------+--------------------------------------+
|
v
+---------------------------+--------------------------------------+
| TLS TERMINATION |
| (Let's Encrypt) |
+---------------------------+--------------------------------------+
|
v
+------------------------------------------------------------------+
| API GATEWAY |
| +-----------------------+ +-----------------------+ |
| | Rate Limiting | | IP Whitelisting | |
| | 100 req/min/client | | (Admin Portal only) | |
| +-----------------------+ +-----------------------+ |
+---------------------------+--------------------------------------+
|
v
+------------------------------------------------------------------+
| AUTHENTICATION |
| +-----------------------+ +-----------------------+ |
| | JWT Validation | | PIN Verification | |
| | - Signature check | | - Employee clock-in | |
| | - Expiry check | | - Sensitive actions | |
| | - Tenant claim | +-----------------------+ |
| +-----------------------+ |
+---------------------------+--------------------------------------+
|
v
+------------------------------------------------------------------+
| AUTHORIZATION |
| +-----------------------+ +-----------------------+ |
| | Role-Based (RBAC) | | Permission Policies | |
| | - Admin | | - can:create_sale | |
| | - Manager | | - can:void_sale | |
| | - Cashier | | - can:view_reports | |
| +-----------------------+ +-----------------------+ |
+------------------------------------------------------------------+
Each layer provides independent protection: TLS encrypts data in transit, the API gateway enforces rate limits and IP restrictions, JWT authentication validates identity and tenant context, PIN verification secures sensitive in-store actions, and RBAC authorization controls access to specific operations.
Tenant Data Isolation as Security Evidence
Schema-per-tenant isolation (from Ch 04 Section L.10A.4) provides a strong security boundary. Unlike row-level tenancy where a missing WHERE tenant_id = ? clause could leak data across tenants, schema-per-tenant ensures that tenant data is physically separated at the PostgreSQL schema level. Even if application code has a bug, PostgreSQL’s search_path mechanism prevents cross-tenant data access:
-- Query from Tenant A's context (search_path = tenant_nexus)
SELECT * FROM products;
-- Returns only Nexus products
-- Even if someone tries:
SELECT * FROM tenant_acme.products;
-- ERROR: permission denied for schema tenant_acme
K.2.5 Compliance (Rank 5 - NEW)
| Attribute | Value |
|---|---|
| Definition | Adherence to regulatory standards, platform marketplace policies, and legal requirements across all operating jurisdictions and external channels. |
| Priority | Critical |
| Blueprint Reference | Ch 13: Integrations, Ch 26: Security Compliance |
Justification:
BRD v18.0 introduces non-negotiable compliance requirements from 3 external platforms plus existing regulatory frameworks:
| Compliance Domain | Requirements | Impact |
|---|---|---|
| PCI-DSS SAQ-A | No card data stored, tokenized payments, FIM on POS terminals | Payment architecture, audit trail, monitoring |
| Amazon SP-API | Product taxonomy compliance, FBA packaging rules, listing quality standards, content policy enforcement | Catalog validation, product data enrichment |
| Google Merchant | Product data specifications, disapproval prevention, local inventory accuracy, API v1 migration (Content API EOL August 2026) | Data quality engine, inventory sync accuracy |
| Shopify | @idempotent mutation mandate (required 2026-04), webhook verification, POS non-native compliance rules (Decision #99) | API client design, idempotency framework |
| State Regulations | Virginia 5-year gift card minimum expiry, consumer protection, data privacy | Configuration per jurisdiction |
Architectural Implications:
- Platform policy validation engine (“strictest-rule-wins” cross-platform validation per BRD Section 6.6)
- Automated compliance checking on product data before channel publication
- Credential rotation policies per platform requirement
- Audit trail for all external interactions with INTEGRATION event category
- Jurisdiction-aware configuration (geographic expansion design from ADR-BRD-006)
Tenant Isolation Compliance Benefits
Schema-per-tenant isolation (from Ch 04 Section L.10A.4) directly supports SOC 2, GDPR, and HIPAA compliance requirements:
SOC 2 / GDPR Compliance
=======================
Requirement: "Customer data must be logically separated"
With schema-per-tenant:
- Each customer's data in isolated schema
- No risk of WHERE clause forgetting tenant_id
- Clear audit trail per schema
- Easy data export for GDPR requests
- Simple data deletion for "right to be forgotten"
Per-tenant backup and restore is trivially achieved (pg_dump -n tenant_nexus), making data portability and right-to-erasure requests straightforward to fulfill. This isolation model ensures compliance without relying on application-level WHERE clause correctness.
K.2.6 Modifiability (Rank 6)
| Attribute | Value |
|---|---|
| Definition | The ease with which a system can adapt to changes in environment and functionality. |
| Priority | High |
| Blueprint Reference | Ch 04: Architecture Styles, Section L.9A |
Justification:
Plugin architecture is needed for frequent hardware/tax updates without full system rewrites.
Architectural Implications:
- Microkernel (Plugin) architecture for POS Client
- Hardware abstraction layer
- Tax calculation plugins
- Payment processor adapters
K.2.7 Scalability (Rank 7)
| Attribute | Value |
|---|---|
| Definition | Degree to which a product can handle growing or shrinking workloads. |
| Priority | High |
| Blueprint Reference | Ch 04: Architecture Styles, Section L.10A.4 |
Justification:
At some point the system must be able to grow to accommodate the number of new tenants.
Architectural Implications:
- Row-Level Isolation with PostgreSQL RLS (tenant_id + RLS policies)
- Horizontal scaling of stateless API layer
- Connection pooling per tenant
- Resource quotas and throttling
K.2.8 Configurability (Rank 8 - ELEVATED from implicit)
| Attribute | Value |
|---|---|
| Definition | The ability of the system to support multiple configurations and customize behavior on-demand per tenant, channel, and product level. |
| Priority | High |
| Blueprint Reference | Ch 04: Architecture Styles, Section L.10A.4, BRD Module 5 (Setup & Configuration) |
Justification:
BRD Module 5 spans 3,000+ lines of setup and configuration requirements. The system must support hierarchical configuration at multiple levels:
| Configuration Layer | Scope | Examples |
|---|---|---|
| Global | All tenants, all channels | System defaults, tax engine rules |
| Tenant | Per-tenant overrides | Feature toggles, branding, business rules |
| Channel | Per-channel per-tenant | Safety buffer modes, sync frequency, listing rules |
| Product | Per-product per-channel | Override safety buffer, pricing rules, visibility |
Key configuration complexity drivers:
- Safety Buffers: 4-level priority resolution (Product → Category → Channel → Global) with 3 calculation modes (FIXED, PERCENTAGE, MIN_RESERVE) per BRD Section 6.7.2
- Integration YAML: Section 6.12 defines 400+ lines of declarative integration configuration
- Feature Toggles: Per-tenant inventory sync strategy (Safe vs. Aggressive), channel enablement
- Tax Jurisdictions: Modular jurisdiction support with geographic expansion (ADR-BRD-006)
Architectural Implications:
- Hierarchical configuration resolution with 4-level priority
- YAML-driven integration rules (machine-readable, version-controlled)
- Per-tenant per-channel safety buffer settings
- Runtime configuration hot-reload without service restart
- Configuration validation engine preventing invalid combinations
K.2.9 Performance (Rank 9)
| Attribute | Value |
|---|---|
| Definition | The amount of time it takes for the system to process a business request. |
| Priority | High |
| Blueprint Reference | Ch 09: Indexes & Performance |
Justification:
Low latency scanning/checkout is required to prevent queues during high traffic.
Architectural Implications:
- Optimized database indexes
- Read replicas for query-heavy operations
- Caching strategies (Redis)
- Async processing for non-critical operations
Multi-Tenant Performance Considerations
Schema-per-tenant isolation (from Ch 04 Section L.10A.4) has specific performance implications for connection pooling and query execution:
Connection Pooling:
Connection Pool Strategy
========================
+------------------+
| Connection Pool |
| (PgBouncer) |
+--------+---------+
|
+--------------------+--------------------+
| | |
v v v
+-------+-------+ +--------+------+ +---------+-----+
| Connection 1 | | Connection 2 | | Connection 3 |
| search_path: | | search_path: | | search_path: |
| tenant_nexus | | tenant_acme | | tenant_nexus |
+---------------+ +---------------+ +---------------+
Note: search_path is set per-connection, not per-query.
Use transaction pooling mode in PgBouncer.
Query Performance:
Schema-per-tenant eliminates the need for a tenant_id column in every query, resulting in simpler and faster queries:
-- Index per schema (automatically namespaced)
CREATE INDEX idx_products_sku ON tenant_nexus.products(sku);
CREATE INDEX idx_products_sku ON tenant_acme.products(sku);
-- No tenant_id in WHERE clause needed
-- Simpler, faster queries:
SELECT * FROM products WHERE sku = 'NXP0001';
-- vs (row-level tenancy):
SELECT * FROM products WHERE tenant_id = ? AND sku = 'NXP0001';
This eliminates per-query tenant filtering overhead and allows PostgreSQL’s query planner to work with smaller, tenant-scoped indexes for better cache efficiency.
Tenant Performance Isolation
Schema-per-tenant provides natural performance isolation between tenants. A tenant with a large product catalog or high transaction volume does not degrade query performance for other tenants because each schema has its own table statistics, indexes, and can be independently vacuumed and reindexed:
-- Vacuum single tenant without affecting others
VACUUM ANALYZE tenant_nexus.products;
VACUUM ANALYZE tenant_nexus.sales;
-- Reindex single tenant
REINDEX SCHEMA tenant_nexus;
K.3 Implicit Characteristics
These characteristics are inherently required but not explicitly driving architectural decisions.
| Characteristic | Definition | Justification |
|---|---|---|
| Developer Experience (DevEx) | The ease with which developers can interact with the system’s tools, code, and processes. | Security Enabler: High “False Positive” rates from surface-level scanners cause developers to bypass security. We prioritize Deep SAST (accuracy) and AI-Remediation to ensure security does not degrade velocity. |
| Idempotency | The guarantee that repeating the same operation produces the same result without side effects. | BRD Section 6.2.5 mandates an idempotency framework with 24-hour deduplication windows and SHA-256 keying. Shopify @idempotent mutations become mandatory 2026-04. Critical for retry-safe integration operations. |
| Testability | The degree to which the system supports testing at all levels. | BRD v18.0 defines 36 user stories with Gherkin acceptance criteria. Three platform sandboxes (Shopify Dev Store, Amazon SP-API Sandbox, Google Merchant test account) require contract testing. Architecture must support isolation for unit, integration, and E2E tests. |
| Observability | The ability to understand system state from external outputs (logs, metrics, traces). | Multi-platform monitoring across 3 external channels requires first-class treatment. Integration-specific metrics: circuit breaker state, DLQ depth, sync latency, safety buffer violations, disapproval rate. LGTM stack (Loki, Grafana, Tempo, Prometheus). |
| Modularity | Degree to which a system is composed of discrete components. | Update tax logic without breaking inventory system. Module boundaries must be clean enough for independent Claude Code agent development. |
| Fault Tolerance | When fatal errors occur, other parts of the system continue to function. | Local client survival is required; POS must function if cloud crashes. Integration circuit breaker prevents external API failures from cascading to core POS operations. |
| Adaptability | Degree to which a product can be adapted for new environments. | Rapid adoption of new retail trends (social commerce). Module 6 designed as Extractable Integration Gateway for future independent deployment. |
K.4 Others Considered
These characteristics were evaluated but not prioritized as driving characteristics:
| Characteristic | Why Not Selected |
|---|---|
| Recoverability | Covered by Availability + Event Sourcing (replay capability) |
| Safety & Code Quality | Addressed through Security characteristic (6-gate Security Test Pyramid) and DevSecOps pipeline |
K.5 Characteristic Trade-offs
Understanding trade-offs between characteristics is critical for making consistent architectural decisions.
Trade-off Matrix
+------------------+------------------+------------------+------------------+------------------+
| | AVAILABILITY | CONSISTENCY | COMPLIANCE | CONFIGURABILITY |
+------------------+------------------+------------------+------------------+------------------+
| AVAILABILITY | - | TENSION | NEUTRAL | SUPPORTS |
| (Offline-First) | | (Eventual Sync) | | (Local config) |
+------------------+------------------+------------------+------------------+------------------+
| CONSISTENCY | TENSION | - | SUPPORTS | TENSION |
| (Data Sync) | (Offline Mode) | | (Audit Trail) | (Config changes) |
+------------------+------------------+------------------+------------------+------------------+
| COMPLIANCE | NEUTRAL | SUPPORTS | - | SUPPORTS |
| (Regulations) | | (Audit Trail) | | (Jurisdiction) |
+------------------+------------------+------------------+------------------+------------------+
| CONFIGURABILITY | SUPPORTS | TENSION | SUPPORTS | - |
| (Multi-level) | (Local config) | (Config changes) | (Jurisdiction) | |
+------------------+------------------+------------------+------------------+------------------+
| PERFORMANCE | SUPPORTS | TENSION | TENSION | TENSION |
| (Low Latency) | (Local Cache) | (Sync Overhead) | (Validation) | (Resolution) |
+------------------+------------------+------------------+------------------+------------------+
| SECURITY | TENSION | SUPPORTS | SUPPORTS | NEUTRAL |
| (Deep Scans) | (Scan Time) | (Audit Trail) | (PCI-DSS) | |
+------------------+------------------+------------------+------------------+------------------+
Key Trade-off Decisions
| Trade-off | Decision | Rationale |
|---|---|---|
| Availability vs. Consistency | Accept Eventual Consistency | Offline-First is non-negotiable; inventory sync can tolerate short delays |
| Performance vs. Security | 6-gate Security Pyramid with CI/CD gates | Security gates run in CI/CD pipeline, not at runtime; only contract tests add deployment time |
| Performance vs. Compliance | Async platform validation | Cross-platform validation runs asynchronously before channel publication; does not block POS checkout |
| Scalability vs. Simplicity | Row-Level Isolation with RLS in Modular Monolith | Full tenant isolation via PostgreSQL RLS without schema-per-tenant or microservices complexity |
| Compliance vs. Performance | Strictest-rule-wins cached validation | Validation rules cached and applied at publish-time, not checkout-time |
K.6 Characteristic-to-Chapter Mapping
Quick reference for finding characteristic implementations in the blueprint:
| Characteristic | Primary Chapters | Key Sections |
|---|---|---|
| Availability | Ch 04(L.10A.1), Ch 27 | Offline-First Design, Disaster Recovery |
| Interoperability | Ch 13 | Integration Patterns, ACL, Provider Abstraction |
| Data Consistency | Ch 04(L.4A), Ch 07 | Event Sourcing, Schema Design |
| Security | Ch 12, Ch 26 | Authentication, PCI-DSS Compliance, Credential Vault |
| Compliance | Ch 13, Ch 26 | Platform Policy Validation, Regulatory Compliance |
| Modifiability | Ch 04(L.9A), Ch 14 | Plugin Architecture, Hardware Layer |
| Scalability | Ch 04(L.10A.4), Ch 28 | Multi-Tenancy (RLS), Tenant Lifecycle |
| Configurability | Ch 04(L.10A.4), Module 5 | Feature Toggles, Safety Buffers, YAML Config |
| Performance | Ch 09, Ch 25 | Indexes, Monitoring |
| DevEx | Ch 18 | Development Environment |
| Idempotency | Ch 13 | Idempotency Framework, Dedup Windows |
| Testability | Ch 18, Ch 13 | Contract Testing, Platform Sandboxes |
| Observability | Ch 25 | LGTM Stack, Integration Metrics |
| Modularity | Ch 04(L.9A), Ch 04(L.9C) | Domain Model, Module Boundaries |
| Fault Tolerance | Ch 04(L.10A.1), Ch 27 | Offline-First, Circuit Breaker, Disaster Recovery |
| Adaptability | Ch 13 | Integration Adapters, Extractable Gateway |
K.7 Review Schedule
| Review Type | Frequency | Trigger Events |
|---|---|---|
| Scheduled Review | Quarterly | - |
| Event-Driven Review | As needed | New integration requirements, Security incidents, Performance degradation, New tenant requirements |
K.8 Non-Functional Requirements (NFRs)
This section defines measurable targets that validate the architecture characteristics. All NFRs are traceable to BRD requirements.
K.8.1 Performance Requirements
| Requirement ID | Category | Target | Source | Validation Method |
|---|---|---|---|---|
| NFR-PERF-001 | Checkout Latency | < 500ms p99 | BRD-v12 (implied) | Load testing |
| NFR-PERF-002 | RFID Bulk Lookup | < 200ms for 50 tags | BRD-v12 §1.1 | E2E testing |
| NFR-PERF-003 | Price Calculation | < 100ms | BRD-v12 §1.2 | Unit testing |
| NFR-PERF-004 | Tax Calculation | < 50ms | BRD-v12 §1.17 | Unit testing |
| NFR-PERF-005 | Product Search | < 300ms | Implicit | Load testing |
| NFR-PERF-006 | Receipt Generation | < 200ms | Implicit | E2E testing |
Performance Budget:
Total Checkout Time Budget: 500ms
├── Item Lookup: 100ms
├── Price Calculation: 100ms
├── Tax Calculation: 50ms
├── Payment Processing: 150ms (excluding terminal wait)
└── Receipt/Finalize: 100ms
K.8.2 Availability Requirements
| Requirement ID | Category | Target | Source | Validation Method |
|---|---|---|---|---|
| NFR-AVAIL-001 | Cloud API Uptime | 99.9% (8.76 hrs/year downtime) | Implicit | Monitoring |
| NFR-AVAIL-002 | Offline Queue Size | Max 100 transactions | BRD-v12 §1.16.2 | Configuration |
| NFR-AVAIL-003 | Sync Interval | 30 seconds | BRD-v12 §1.16.2 | Configuration |
| NFR-AVAIL-004 | Parked Sale TTL | 4 hours | BRD-v12 §1.1.1 | Configuration |
| NFR-AVAIL-005 | Parked Sales per Terminal | Max 5 | BRD-v12 §1.1.1 | Configuration |
| NFR-AVAIL-006 | Payment Terminal Timeout | 60 seconds | BRD-v12 §1.18.2 | Configuration |
| NFR-AVAIL-007 | Connection Timeout | 10 seconds | BRD-v12 §1.18.2 | Configuration |
Availability Tiers:
Cloud Services: 99.9% (allows ~8.76 hrs downtime/year)
POS Terminal: 99.99% (via offline-first design)
Database (Primary): 99.95% (with automatic failover)
K.8.3 Scalability Requirements
| Requirement ID | Category | Target | Source | Validation Method |
|---|---|---|---|---|
| NFR-SCALE-001 | Concurrent Users | 500 (Black Friday peak) | BRD-v12 (implied) | Load testing |
| NFR-SCALE-002 | Transactions per Second | 1,000 TPS | Chapter 04 L.6 | Load testing |
| NFR-SCALE-003 | Tenant Count | 100+ tenants | Chapter 03 | Architecture |
| NFR-SCALE-004 | Export Row Limit | 1,000 rows max | BRD-v12 §2.5 | Configuration |
| NFR-SCALE-005 | Date Range for Reports | 365 days max | BRD-v12 YAML | Configuration |
| NFR-SCALE-006 | RFID Tags per Request | 50 max | BRD-v12 §1.1 | Configuration |
Scaling Strategy:
Stateless API Layer: Horizontal scaling (Kubernetes HPA)
Database: Vertical scaling + Read replicas + RLS per tenant
Event Stream: PostgreSQL event tables (v1.0), Kafka partitioning (v2.0)
File Storage: Object storage (S3-compatible)
K.8.4 Integration & Timeout Requirements
| Requirement ID | Category | Target | Source | Validation Method |
|---|---|---|---|---|
| NFR-INT-001 | Payment Timeout | 60 seconds | BRD-v12 §1.18.2 | Configuration |
| NFR-INT-002 | Connection Timeout | 10 seconds | BRD-v12 §1.18.2 | Configuration |
| NFR-INT-003 | Multi-Store Data Staleness | Max 5 minutes | BRD-v12 §1.7 | Monitoring |
| NFR-INT-004 | Batch Close Time | 23:00 daily | BRD-v12 §1.18.2 | Configuration |
| NFR-INT-005 | External API Retry | 3 attempts with backoff | Implicit | Configuration |
| NFR-INT-006 | Webhook Delivery | At-least-once | Implicit | Architecture |
Integration Patterns:
Synchronous: REST APIs with circuit breaker
Asynchronous: Event-driven via PostgreSQL Events + LISTEN/NOTIFY (v1.0)
Webhooks: Inbound (Shopify/Amazon) + Outbound with Transactional Outbox
File Transfer: SFTP/S3 for bulk imports
K.8.5 Data & Compliance Requirements
| Requirement ID | Category | Target | Source | Validation Method |
|---|---|---|---|---|
| NFR-DATA-001 | Consent Audit Retention | 7 years | BRD-v12 YAML | Policy |
| NFR-DATA-002 | Privacy Request Response | 30 days | BRD-v12 §2.5 | Process |
| NFR-DATA-003 | Transaction Data Retention | 7 years (tax compliance) | Implicit | Policy |
| NFR-DATA-004 | Gift Card Minimum Expiry | 5 years (Virginia) | BRD-v12 §1.5.2 | Configuration |
| NFR-DATA-005 | Auto-Anonymize Inactive | Configurable (0 = never) | BRD-v12 YAML | Configuration |
Data Classification:
Level 1 (Restricted): Card data (prohibited storage)
Level 2 (Sensitive): Customer PII, credentials
Level 3 (Internal): Transaction data, inventory
Level 4 (Public): Product catalog, store hours
K.8.6 Security Requirements
| Requirement ID | Category | Target | Source | Validation Method |
|---|---|---|---|---|
| NFR-SEC-001 | PCI Scope | SAQ-A (no card data stored) | BRD-v12 §1.18 | PCI Audit |
| NFR-SEC-002 | Payment Data Storage | Token only, no PAN | BRD-v12 §1.18.1 | Code review |
| NFR-SEC-003 | Manager Auth for Overrides | PIN required | BRD-v12 §1.2 | E2E testing |
| NFR-SEC-004 | Blind Count | Expected not shown | BRD-v12 §1.12 | UI testing |
| NFR-SEC-005 | Variance Tolerance | Configurable ($5 default) | BRD-v12 §1.12 | Configuration |
| NFR-SEC-006 | Session Timeout | 15 minutes inactivity | Implicit | Configuration |
| NFR-SEC-007 | Password Policy | Min 12 chars, complexity | Implicit | Configuration |
SAQ-A Compliance - Data Storage Rules:
STORED (Allowed):
- Payment tokens
- Approval codes
- Masked card number (****1234)
- Card brand (Visa, MC, etc.)
- Terminal ID
PROHIBITED (Never store):
- Full card number (PAN)
- CVV/CVC
- Track data
- PIN block
- EMV cryptogram (raw)
K.8.7 Integration Requirements (BRD v18.0)
| Requirement ID | Category | Target | Source | Validation Method |
|---|---|---|---|---|
| NFR-INTG-001 | Shopify Sync Latency | < 5 seconds (webhook processing) | BRD-v18 §6.3 | Integration testing |
| NFR-INTG-002 | Amazon Sync Latency | < 2 minutes (polling interval) | BRD-v18 §6.4 | Integration testing |
| NFR-INTG-003 | Google Batch Sync | 2x/day + real-time local inventory | BRD-v18 §6.5 | Integration testing |
| NFR-INTG-004 | Circuit Breaker Threshold | 5 failures / 60 seconds → OPEN | BRD-v18 §6.2.4 | Unit testing |
| NFR-INTG-005 | DLQ Retry Policy | 3 attempts, exponential backoff | BRD-v18 §6.2.3 | Integration testing |
| NFR-INTG-006 | Safety Buffer Calculation | < 100ms per product per channel | BRD-v18 §6.7.2 | Performance testing |
| NFR-INTG-007 | Integration Health Check | Every 60 seconds per provider | BRD-v18 §6.11 | Monitoring |
| NFR-INTG-008 | Idempotency Window | 24-hour dedup with SHA-256 key | BRD-v18 §6.2.5 | Unit testing |
| NFR-INTG-009 | Credential Rotation | Automated every 90 days | BRD-v18 §6.2.2 | Operations |
Integration Performance Budget:
Shopify Webhook Processing: < 5s
├── Receive + Validate Signature: 100ms
├── Deserialize + Map to Domain: 200ms
├── Business Logic Processing: 2,000ms
├── Database Persistence: 500ms
└── Outbox Event Publication: 200ms
(Buffer): 2,000ms
Amazon SP-API Polling Cycle: < 2min
├── OAuth Token Refresh (if needed): 500ms
├── API Call (paginated): 5,000ms
├── Response Mapping: 1,000ms
├── Inventory Delta Calculation: 2,000ms
└── Database + Outbox: 1,500ms
(Buffer): 110,000ms
K.8.8 NFR Traceability Matrix
This matrix links NFRs to Architecture Characteristics:
| Characteristic | Related NFRs |
|---|---|
| Availability | NFR-AVAIL-001 through NFR-AVAIL-007 |
| Performance | NFR-PERF-001 through NFR-PERF-006 |
| Scalability | NFR-SCALE-001 through NFR-SCALE-006 |
| Security | NFR-SEC-001 through NFR-SEC-007 |
| Interoperability | NFR-INT-001 through NFR-INT-006 |
| Data Consistency | NFR-DATA-001 through NFR-DATA-005 |
| Compliance | NFR-DATA-001 through NFR-DATA-005, NFR-INTG-001 through NFR-INTG-009 |
| Configurability | NFR-INTG-006 (Safety Buffer), platform-specific targets |
NFR Validation Schedule
| NFR Category | Validation Frequency | Responsible Team |
|---|---|---|
| Performance | Every release + quarterly load test | QA + DevOps |
| Availability | Continuous monitoring | DevOps |
| Scalability | Quarterly load test | DevOps |
| Security | Annual PCI audit + continuous scans | Security |
| Integration | Every release + monthly provider sync | QA + Integration Team |
| Compliance | Annual audit | Compliance |
Document Information
| Attribute | Value |
|---|---|
| Version | 5.0.0 |
| Created | 2026-01-24 |
| Updated | 2026-02-25 |
| Source | Architecture Characteristics Worksheet v2.0, BRD-v18.0, Chapters 02/03/05/06 |
| Author | Claude Code |
| Reviewer | Expert Panel (Marcus Chen, Sarah Rodriguez, James O’Brien, Priya Patel) |
| Status | Active |
| Part | II - Architecture |
| Chapter | 03 of 32 |
| Previous | Chapter 11 v1.1.0 (backup at Chapter-11-Architecture-Characteristics.md.backup-v18.0) |
Change Log
| Version | Date | Changes |
|---|---|---|
| 1.0.0 | 2026-01-24 | Initial document |
| 1.1.0 | 2026-01-26 | Added Section K.8 (Non-Functional Requirements) with 37 NFRs from BRD-v12 |
| 2.0.0 | 2026-02-19 | Expert panel review (6.50/10): Expanded to Top 9 driving characteristics (added Compliance, elevated Configurability); rewrote Interoperability with 6 provider families, 3 auth models, 3 rate-limiting paradigms; rewrote Security with 5 concrete sub-domains and 6-gate Security Test Pyramid; added Idempotency, Testability, Observability as implicit; added K.8.7 Integration Requirements (9 NFRs from BRD v18.0 Module 6); updated multi-tenancy from Schema-Per-Tenant to Row-Level with RLS; updated event infrastructure from Kafka to PostgreSQL Events (v1.0) |
| 3.0.0 | 2026-02-22 | Enriched with cross-chapter evidence from former Ch 05/06/08/09; all chapter references renumbered for v3.0.0 (39-chapter to 34-chapter consolidation) |
Next Chapter: Chapter 04: Architecture Styles Analysis
This chapter is part of the POS Blueprint Book. All content is self-contained.