Chapter 03: Architecture Characteristics

Purpose

This appendix documents the formal architecture characteristics analysis for the Nexus POS Platform. It identifies the driving quality attributes that shape architectural decisions and provides justification for each characteristic’s priority.

Source: Architecture Characteristics Worksheet v2.0 (Expert Panel-Reviewed) System/Project: Nexus - Omnichannel Retail POS (Multi-Tenant Cloud) Architect/Team: Cloud AI Architecture Agents Domain/Quantum: Retail / Inventory Management / Multi-Platform Integration Date Modified: February 19, 2026 Panel Review Score: 6.50/10 → Updated per 4-member expert panel recommendations

K.1 Top 9 Driving Characteristics

These are the primary quality attributes that drive architectural decisions. They are listed in priority order.

Rank	Characteristic	Priority Level	Blueprint Reference
1	Availability	Critical	Ch 04: Architecture Styles, Section L.10A.1
2	Interoperability	Critical	Ch 05: BRD Module 6 (Integrations)
3	Data Consistency	Critical	Ch 04: Architecture Styles, Section L.4A
4	Security	Elevated	Ch 04: Architecture Styles, Section L.8 (Security)
5	Compliance (NEW)	Critical	Ch 05: BRD Module 6 (Integrations)
6	Modifiability	High	Ch 04: Architecture Styles, Section L.9A
7	Scalability	High	Ch 04: Architecture Styles, Section L.10A.4
8	Configurability (ELEVATED from implicit)	High	Ch 04: Architecture Styles Section L.10A.4, BRD Module 5
9	Performance	High	Ch 09: Indexes & Performance

K.2 Characteristics with Definitions and Justifications

K.2.1 Availability (Rank 1)

Attribute	Value
Definition	The amount of uptime of a system; usually measured in 9’s (e.g., 99.9%).
Priority	Critical
Blueprint Reference	Ch 04: Architecture Styles, Section L.10A.1

Justification:

Continuous POS operation is non-negotiable. Physical stores must be able to process transactions even during brief network outages. The system uses an online-first architecture with a thin offline fallback (ADR-048) — the API is the primary data source under normal conditions, with a minimal SQLite cache that activates only when connectivity is lost.

Architectural Implications:

API-primary data access via React Query (server state management)
3-state connection monitor (ONLINE / DEGRADED / OFFLINE)
2-table SQLite fallback (product_cache + sales_queue)
FIFO queue flush on reconnection
Flag-on-sync price discrepancy for manager review

Online-First Justification

The online-first design keeps POS terminals operational under all network conditions while avoiding the complexity of full local database replication:

Online-First with Offline Fallback
====================================

Normal Operation (ONLINE):
  All reads via React Query → Central API → PostgreSQL
  Real-time prices, inventory, customer data
  No local database sync overhead

Intermittent Connectivity (DEGRADED):
  Reads continue via React Query (stale-while-revalidate)
  Writes queue locally in sales_queue table
  Socket.io heartbeat detects degraded state

Network Outage (OFFLINE):
  Product lookups from product_cache (read-only SQLite)
  Sales written to sales_queue (FIFO)
  POS continues processing sales with cached prices

Reconnection:
  sales_queue entries flush to API in FIFO order
  Server applies current prices, flags discrepancies
  product_cache refreshes from API

The online-first design is governed by five core principles (from Ch 04, Section L.10A.1 / ADR-048):

Principle	Description
API-Primary Data Access	All reads go through React Query with server-side caching. React Query handles background refetching, stale-while-revalidate, and retry logic.
3-State Connection Monitor	ONLINE (full API access), DEGRADED (intermittent, queue writes), OFFLINE (local fallback only). Transitions based on Socket.io heartbeat + HTTP health check.
2-Table SQLite Fallback	`product_cache` (read-only product/price lookups) and `sales_queue` (FIFO write queue for completed sales). No full local database replication.
FIFO Queue Flush	When connection restores, `sales_queue` entries are submitted to the API in order. No conflict resolution needed — server applies current prices and flags discrepancies.
Flag-on-Sync Price Discrepancy	If a sale was completed offline with a cached price that differs from the current server price, the system flags it for manager review rather than auto-adjusting.

Event Sourcing Supports Offline Queue

Event sourcing (Ch 04 Section L.4A) supports availability by providing a natural model for the offline sales queue. When the POS client is offline, completed sales are captured as immutable events in the local sales_queue. When connectivity is restored, these events are submitted to the central API in FIFO order. Because each event has a unique ID and the server is the authority on current state, the queue flush is straightforward — no conflict resolution or event merging is required. The server accepts each sale, applies current pricing, and flags any discrepancies for review.

K.2.2 Interoperability (Rank 2)

Attribute	Value
Definition	The ability of the system to interface and interact with other systems to complete a business request.
Priority	Critical
Blueprint Reference	Ch 05: BRD Module 6 (Integrations)

Justification:

BRD v18.0 Module 6 defines integration with 6 provider families across fundamentally different protocols:

Provider Family	Auth Model	Rate Limiting	Sync Cadence
Shopify	OAuth 2.0 / PKCE	50 points/second (GraphQL)	Real-time webhooks
Amazon SP-API	OAuth / Login with Amazon (LWA)	Burst + restore token bucket	2-minute polling
Google Merchant	API key + Service Account	Quota-based (daily limits)	2x/day batch + real-time local inventory
Payment Processor	API key / OAuth	Per-transaction	Real-time
Email (SMTP)	SMTP credentials	Provider-specific	Event-triggered
Carrier APIs	API key	Per-request	On-demand

The system must maintain an Anti-Corruption Layer (ACL) per provider to prevent external schema changes from propagating into the core POS domain. BRD Section 6.2 mandates:

Provider Abstraction: IntegrationProvider interface with 5 standard methods per provider: connect(), syncProducts(), syncInventory(), validateData(), healthCheck()
Circuit Breaker: 5 failures within 60 seconds triggers OPEN state; 30-second cooldown before HALF_OPEN
Idempotency Framework: 24-hour deduplication windows with SHA-256 keying (Section 6.2.5)
Transactional Outbox: Atomic inventory reservation + guaranteed event publication

Architectural Implications:

Anti-Corruption Layer (ACL) per provider preventing external schema leakage
Provider Abstraction pattern (IntegrationProvider) for uniform integration interface
Circuit breaker pattern (CLOSED → OPEN → HALF_OPEN state machine)
Idempotency framework with configurable dedup windows
Transactional Outbox for guaranteed event delivery
Rate limiter per provider with adaptive throttling

K.2.3 Data Consistency (Rank 3)

Attribute	Value
Definition	The data across the system is in sync and consistent across databases and tables.
Priority	Critical
Blueprint Reference	Ch 04: Architecture Styles, Section L.4A

Justification:

Critical for handling the “Inventory Sync” race conditions between physical shoppers and online orders to prevent overselling.

Architectural Implications:

Event Sourcing for Sales and Inventory domains
Eventual consistency model with conflict resolution
Optimistic concurrency control
Idempotent event handlers

Event Sourcing Justification

Traditional CRUD systems store only current state. Event sourcing stores every change as an immutable event, providing the full history needed for audit trails, temporal queries, and offline conflict resolution (from Ch 04 Section L.4A):

Traditional CRUD vs Event Sourcing
==================================

CRUD Approach:
+------------------+
| inventory_items  |
|------------------|
| sku: NXP001      |
| quantity: 45     |  <- Only current state
| updated_at: now  |
+------------------+

Event Sourcing Approach:
+------------------+
| events           |
|------------------|
| InventoryReceived: +100 @ 2025-01-01 09:00  |
| ItemSold: -2 @ 2025-01-01 10:15             |
| ItemSold: -1 @ 2025-01-01 11:30             |
| ItemSold: -3 @ 2025-01-01 14:22             |
| AdjustmentMade: -49 @ 2025-01-01 16:00      |  <- Caught discrepancy!
| ItemSold: -1 @ 2025-01-02 09:15             |
| Current State: 45 (sum of all events)       |
+------------------+

Benefits for Retail POS:

Benefit	Description
Complete Audit Trail	Every sale, void, refund, adjustment is recorded forever
Temporal Queries	“What was our inventory on December 15th at 3pm?”
Offline Sync	Events queue locally, merge when online
Conflict Resolution	Compare event streams, not states
Debugging	Replay events to reproduce issues
Compliance	PCI-DSS, SOX require transaction logs

K.2.4 Security (Rank 4 - Elevated)

Attribute	Value
Definition	The ability of the system to prevent malicious actions, protect credentials, and restrict access across all trust boundaries.
Priority	Elevated (due to multi-platform OAuth, GenAI code generation, PCI-DSS 4.0)
Blueprint Reference	Ch 04: Architecture Styles, Section L.8 (Security)

Justification:

BRD v18.0 elevates security from basic PCI-DSS to 5 concrete security sub-domains:

Security Sub-Domain	Scope	Key Requirements
1. Authentication & Authorization	Multi-provider OAuth lifecycle	3 OAuth providers (Shopify, Amazon LWA, Google), MFA for admin users (PCI-DSS 4.0 Req 8.4.2), role-based access control
2. Credential Lifecycle Management	Secrets vault and rotation	HashiCorp Vault for 6 credential types, automated 90-day rotation, tenant-specific encryption keys, emergency rotation procedures
3. Supply Chain Security	Dependency and package safety	Snyk/OWASP SCA with package firewall, SBOM generation (PCI-DSS 4.0 Req 6.3.2), real-time vulnerability scanning
4. GenAI Governance	AI-generated code safety	6-gate Security Test Pyramid: SAST + SCA + Secrets Detection + Architecture Conformance (dependency-cruiser) + Contract Tests (Pact) + Manual Security Review
5. PCI-DSS 4.0 Compliance	Payment card security	SAQ-A boundaries, FIM via Wazuh/OSSEC (Req 11.5.1), session management, audit trail retention (365 days), vulnerability scanning (Req 11.3.1)

Architectural Implications:

HashiCorp Vault (Docker container) for centralized credential management
6-gate Security Test Pyramid in CI/CD pipeline
Wazuh/OSSEC agents on all POS terminals for File Integrity Monitoring
Architecture conformance tests (dependency-cruiser) enforcing module boundaries
Pact contract tests against Shopify/Amazon/Google sandbox APIs
Audit trail with INTEGRATION category for OAuth operations and webhook verification

POS Security Layers

The system implements a 5-layer defense-in-depth security model (from Ch 04 Section L.9A):

Security Layers
===============

+------------------------------------------------------------------+
|                        INTERNET                                   |
+---------------------------+--------------------------------------+
                            |
                            v
+---------------------------+--------------------------------------+
|                    TLS TERMINATION                                |
|                    (Let's Encrypt)                                |
+---------------------------+--------------------------------------+
                            |
                            v
+------------------------------------------------------------------+
|                    API GATEWAY                                    |
|  +-----------------------+  +-----------------------+             |
|  | Rate Limiting         |  | IP Whitelisting       |             |
|  | 100 req/min/client    |  | (Nexus POS only)      |             |
|  +-----------------------+  +-----------------------+             |
+---------------------------+--------------------------------------+
                            |
                            v
+------------------------------------------------------------------+
|                    AUTHENTICATION                                 |
|  +-----------------------+  +-----------------------+             |
|  | JWT Validation        |  | PIN Verification      |             |
|  | - Signature check     |  | - Employee clock-in   |             |
|  | - Expiry check        |  | - Sensitive actions   |             |
|  | - Tenant claim        |  +-----------------------+             |
|  +-----------------------+                                        |
+---------------------------+--------------------------------------+
                            |
                            v
+------------------------------------------------------------------+
|                    AUTHORIZATION                                  |
|  +-----------------------+  +-----------------------+             |
|  | Role-Based (RBAC)     |  | Permission Policies   |             |
|  | - Admin               |  | - can:create_sale     |             |
|  | - Manager             |  | - can:void_sale       |             |
|  | - Cashier             |  | - can:view_reports    |             |
|  +-----------------------+  +-----------------------+             |
+------------------------------------------------------------------+

Each layer provides independent protection: TLS encrypts data in transit, the API gateway enforces rate limits and IP restrictions, JWT authentication validates identity and tenant context, PIN verification secures sensitive in-store actions, and RBAC authorization controls access to specific operations.

Tenant Data Isolation as Security Evidence

Row-Level Security (RLS) isolation (from Ch 04 Section L.10A.4) provides a strong security boundary enforced at the PostgreSQL database level. Every tenant table includes a tenant_id column and an RLS policy that automatically filters queries by the tenant context set in the connection session variable. Even if application code omits a WHERE tenant_id = ? clause, PostgreSQL’s RLS policies prevent cross-tenant data access:

-- RLS policy on every tenant table
CREATE POLICY tenant_isolation ON products
  USING (tenant_id = current_setting('app.current_tenant')::uuid);

-- Middleware sets tenant context from JWT claims
SET app.current_tenant = 'uuid-of-nexus-tenant';

-- Query automatically filtered by RLS — returns only Nexus products
SELECT * FROM products;

-- Even a query without WHERE clause is safe — RLS enforces isolation
SELECT * FROM orders;
-- Returns only orders for the current tenant

K.2.5 Compliance (Rank 5 - NEW)

Attribute	Value
Definition	Adherence to regulatory standards, platform marketplace policies, and legal requirements across all operating jurisdictions and external channels.
Priority	Critical
Blueprint Reference	Ch 05: BRD Module 6 (Integrations)

Justification:

BRD v18.0 introduces non-negotiable compliance requirements from 3 external platforms plus existing regulatory frameworks:

Compliance Domain	Requirements	Impact
PCI-DSS SAQ-A	No card data stored, tokenized payments, FIM on POS terminals	Payment architecture, audit trail, monitoring
Amazon SP-API	Product taxonomy compliance, FBA packaging rules, listing quality standards, content policy enforcement	Catalog validation, product data enrichment
Google Merchant	Product data specifications, disapproval prevention, local inventory accuracy, API v1 migration (Content API EOL August 2026)	Data quality engine, inventory sync accuracy
Shopify	@idempotent mutation mandate (required 2026-04), webhook verification, POS non-native compliance rules (Decision #99)	API client design, idempotency framework
State Regulations	Virginia 5-year gift card minimum expiry, consumer protection, data privacy	Configuration per jurisdiction

Architectural Implications:

Platform policy validation engine (“strictest-rule-wins” cross-platform validation per BRD Section 6.6)
Automated compliance checking on product data before channel publication
Credential rotation policies per platform requirement
Audit trail for all external interactions with INTEGRATION event category
Jurisdiction-aware configuration (geographic expansion design from ADR-BRD-006)

Tenant Isolation Compliance Benefits

Row-Level Security (RLS) isolation (from Ch 04 Section L.10A.4) directly supports SOC 2, GDPR, and HIPAA compliance requirements:

SOC 2 / GDPR Compliance
=======================

Requirement: "Customer data must be logically separated"

With Row-Level Security (RLS):
- Every table has tenant_id + RLS policy enforced at database level
- RLS policies automatically filter queries — no risk of missing WHERE clause
- Clear audit trail per tenant_id
- Data export for GDPR: SELECT * FROM customers WHERE tenant_id = :id
- Data deletion for "right to be forgotten": DELETE cascading on tenant_id
- Defense-in-depth: even buggy application code cannot leak cross-tenant data

Per-tenant data export is achieved via COPY (SELECT * FROM table WHERE tenant_id = :id) TO STDOUT, making data portability and right-to-erasure requests straightforward. RLS enforcement at the database level provides defense-in-depth isolation that does not depend on application-level query correctness.

K.2.6 Modifiability (Rank 6)

Attribute	Value
Definition	The ease with which a system can adapt to changes in environment and functionality.
Priority	High
Blueprint Reference	Ch 04: Architecture Styles, Section L.9A

Justification:

Plugin architecture is needed for frequent hardware/tax updates without full system rewrites.

Architectural Implications:

Microkernel (Plugin) architecture for Nexus POS
Hardware abstraction layer
Tax calculation plugins
Payment processor adapters

K.2.7 Scalability (Rank 7)

Attribute	Value
Definition	Degree to which a product can handle growing or shrinking workloads.
Priority	High
Blueprint Reference	Ch 04: Architecture Styles, Section L.10A.4

Justification:

At some point the system must be able to grow to accommodate the number of new tenants.

Architectural Implications:

Row-Level Isolation with PostgreSQL RLS (tenant_id + RLS policies)
Horizontal scaling of stateless API layer
Connection pooling per tenant
Resource quotas and throttling

K.2.8 Configurability (Rank 8 - ELEVATED from implicit)

Attribute	Value
Definition	The ability of the system to support multiple configurations and customize behavior on-demand per tenant, channel, and product level.
Priority	High
Blueprint Reference	Ch 04: Architecture Styles, Section L.10A.4, BRD Module 5 (Setup & Configuration)

Justification:

BRD Module 5 spans 3,000+ lines of setup and configuration requirements. The system must support hierarchical configuration at multiple levels:

Configuration Layer	Scope	Examples
Global	All tenants, all channels	System defaults, tax engine rules
Tenant	Per-tenant overrides	Feature toggles, branding, business rules
Channel	Per-channel per-tenant	Safety buffer modes, sync frequency, listing rules
Product	Per-product per-channel	Override safety buffer, pricing rules, visibility

Key configuration complexity drivers:

Safety Buffers: 4-level priority resolution (Product → Category → Channel → Global) with 3 calculation modes (FIXED, PERCENTAGE, MIN_RESERVE) per BRD Section 6.7.2
Integration YAML: Section 6.12 defines 400+ lines of declarative integration configuration
Feature Toggles: Per-tenant inventory sync strategy (Safe vs. Aggressive), channel enablement
Tax Jurisdictions: Modular jurisdiction support with geographic expansion (ADR-BRD-006)

Architectural Implications:

Hierarchical configuration resolution with 4-level priority
YAML-driven integration rules (machine-readable, version-controlled)
Per-tenant per-channel safety buffer settings
Runtime configuration hot-reload without service restart
Configuration validation engine preventing invalid combinations

K.2.9 Performance (Rank 9)

Attribute	Value
Definition	The amount of time it takes for the system to process a business request.
Priority	High
Blueprint Reference	Ch 09: Indexes & Performance

Justification:

Low latency scanning/checkout is required to prevent queues during high traffic. See also Ch 04 Section L.6 for TPS targets and latency budgets.

Architectural Implications:

Optimized database indexes
Read replicas for query-heavy operations
Caching strategies (Redis)
Async processing for non-critical operations

Multi-Tenant Performance Considerations

Row-Level Security isolation (from Ch 04 Section L.10A.4) has specific performance implications for connection pooling and query execution:

Connection Pooling:

Connection Pool Strategy (Row-Level Security)
==============================================

                    +------------------+
                    |  Connection Pool |
                    |  (PgBouncer)     |
                    +--------+---------+
                             |
        +--------------------+--------------------+
        |                    |                    |
        v                    v                    v
+-------+-------+   +--------+------+   +---------+-----+
| Connection 1  |   | Connection 2  |   | Connection 3  |
| Shared pool   |   | Shared pool   |   | Shared pool   |
| All tenants   |   | All tenants   |   | All tenants   |
+---------------+   +---------------+   +---------------+

Tenant context set per-transaction via middleware:
  SET LOCAL app.current_tenant_id = '<tenant-uuid>';

Use transaction pooling mode in PgBouncer.
Connections are shared across all tenants (no per-tenant pools).

Query Performance:

Row-Level Security uses composite indexes on (tenant_id, ...) so that the RLS policy filter and application query merge into a single efficient index scan:

-- Composite index ensures tenant_id filter is nearly free
CREATE INDEX idx_products_tenant_sku ON products(tenant_id, sku);
CREATE INDEX idx_sales_tenant_date ON sales(tenant_id, sale_date);

-- RLS policy automatically appends tenant filter
-- Application writes simple queries:
SELECT * FROM products WHERE sku = 'NXP0001';
-- PostgreSQL rewrites to:
SELECT * FROM products
 WHERE sku = 'NXP0001'
   AND tenant_id = current_setting('app.current_tenant_id')::uuid;

The composite index prefix on tenant_id ensures the RLS predicate adds negligible overhead — PostgreSQL’s query planner merges the policy filter with application predicates for a single index scan. Shared tables also improve cache utilization for common catalog data.

Tenant Performance Isolation

Row-Level Security provides logical performance isolation between tenants. Composite indexes on (tenant_id, ...) ensure each tenant’s queries scan only their own rows, so a tenant with a large product catalog does not degrade query performance for other tenants. Maintenance operations can target tenant-specific data using partial operations:

-- Analyze statistics for tenant-heavy tables
VACUUM ANALYZE products;
VACUUM ANALYZE sales;

-- Partial reindex targeting specific indexes
REINDEX INDEX CONCURRENTLY idx_products_tenant_sku;

-- Monitor per-tenant table bloat via pg_stat_user_tables
-- Alert when dead_tup_ratio exceeds threshold

K.3 Implicit Characteristics

These characteristics are inherently required but not explicitly driving architectural decisions.

Characteristic	Definition	Justification
Developer Experience (DevEx)	The ease with which developers can interact with the system’s tools, code, and processes.	Security Enabler: High “False Positive” rates from surface-level scanners cause developers to bypass security. We prioritize Deep SAST (accuracy) and AI-Remediation to ensure security does not degrade velocity.
Idempotency	The guarantee that repeating the same operation produces the same result without side effects.	BRD Section 6.2.5 mandates an idempotency framework with 24-hour deduplication windows and SHA-256 keying. Shopify @idempotent mutations become mandatory 2026-04. Critical for retry-safe integration operations.
Testability	The degree to which the system supports testing at all levels.	BRD v18.0 defines 36 user stories with Gherkin acceptance criteria. Three platform sandboxes (Shopify Dev Store, Amazon SP-API Sandbox, Google Merchant test account) require contract testing. Architecture must support isolation for unit, integration, and E2E tests.
Observability	The ability to understand system state from external outputs (logs, metrics, traces).	Multi-platform monitoring across 3 external channels requires first-class treatment. Integration-specific metrics: circuit breaker state, DLQ depth, sync latency, safety buffer violations, disapproval rate. LGTM stack (Loki, Grafana, Tempo, Prometheus).
Modularity	Degree to which a system is composed of discrete components.	Update tax logic without breaking inventory system. Module boundaries must be clean enough for independent Claude Code agent development.
Fault Tolerance	When fatal errors occur, other parts of the system continue to function.	Local client survival is required; POS must function if cloud crashes. Integration circuit breaker prevents external API failures from cascading to core POS operations.
Adaptability	Degree to which a product can be adapted for new environments.	Rapid adoption of new retail trends (social commerce). Module 6 designed as Extractable Integration Gateway for future independent deployment.

K.4 Others Considered

These characteristics were evaluated but not prioritized as driving characteristics:

Characteristic	Why Not Selected
Recoverability	Covered by Availability + Event Sourcing (replay capability)
Safety & Code Quality	Addressed through Security characteristic (6-gate Security Test Pyramid) and DevSecOps pipeline

K.5 Characteristic Trade-offs

Understanding trade-offs between characteristics is critical for making consistent architectural decisions.

Trade-off Matrix

+------------------+------------------+------------------+------------------+------------------+
|                  |   AVAILABILITY   |   CONSISTENCY    |    COMPLIANCE    |  CONFIGURABILITY |
+------------------+------------------+------------------+------------------+------------------+
| AVAILABILITY     |        -         |    TENSION       |   NEUTRAL        |   SUPPORTS       |
| (Online+Fallback)|                  | (Eventual Sync)  |                  | (Local config)   |
+------------------+------------------+------------------+------------------+------------------+
| CONSISTENCY      |    TENSION       |        -         |   SUPPORTS       |   TENSION        |
| (Data Sync)      | (Offline Mode)   |                  | (Audit Trail)    | (Config changes) |
+------------------+------------------+------------------+------------------+------------------+
| COMPLIANCE       |   NEUTRAL        |   SUPPORTS       |        -         |   SUPPORTS       |
| (Regulations)    |                  | (Audit Trail)    |                  | (Jurisdiction)   |
+------------------+------------------+------------------+------------------+------------------+
| CONFIGURABILITY  |   SUPPORTS       |    TENSION       |   SUPPORTS       |        -         |
| (Multi-level)    | (Local config)   | (Config changes) | (Jurisdiction)   |                  |
+------------------+------------------+------------------+------------------+------------------+
| PERFORMANCE      |   SUPPORTS       |    TENSION       |    TENSION       |    TENSION       |
| (Low Latency)    | (Local Cache)    | (Sync Overhead)  | (Validation)     | (Resolution)     |
+------------------+------------------+------------------+------------------+------------------+
| SECURITY         |    TENSION       |   SUPPORTS       |   SUPPORTS       |   NEUTRAL        |
| (Deep Scans)     | (Scan Time)      | (Audit Trail)    | (PCI-DSS)        |                  |
+------------------+------------------+------------------+------------------+------------------+

Key Trade-off Decisions

Trade-off	Decision	Rationale
Availability vs. Consistency	Accept Eventual Consistency	Online-first with offline fallback (ADR-048); inventory sync can tolerate short delays during brief outages
Performance vs. Security	6-gate Security Pyramid with CI/CD gates	Security gates run in CI/CD pipeline, not at runtime; only contract tests add deployment time
Performance vs. Compliance	Async platform validation	Cross-platform validation runs asynchronously before channel publication; does not block POS checkout
Scalability vs. Simplicity	Row-Level Isolation with RLS in Modular Monolith	Full tenant isolation via PostgreSQL RLS without schema-per-tenant or microservices complexity
Compliance vs. Performance	Strictest-rule-wins cached validation	Validation rules cached and applied at publish-time, not checkout-time

K.6 Characteristic-to-Chapter Mapping

Quick reference for finding characteristic implementations in the blueprint:

Characteristic	Primary Chapters	Key Sections
Availability	Ch 04(L.10A.1)	Online-First with Offline Fallback (ADR-048)
Interoperability	Ch 05 Module 6	Integration Patterns, ACL, Provider Abstraction
Data Consistency	Ch 04(L.4A), Ch 07	Event Sourcing, Schema Design
Security	Ch 04(L.8)	6-Gate Security Pyramid, PCI-DSS Compliance
Compliance	Ch 05 Module 6	Platform Policy Validation, Regulatory Compliance
Modifiability	Ch 04(L.9A)	Plugin Architecture, Hardware Layer
Scalability	Ch 04(L.10A.4)	Multi-Tenancy (RLS)
Configurability	Ch 04(L.10A.4), Ch 05 Module 5	Feature Toggles, Safety Buffers, YAML Config
Performance	Ch 09, Ch 04(L.6)	Indexes, TPS targets and latency budgets
DevEx	Ch 04(L.6)	QA & Testing Strategy
Idempotency	Ch 05 Module 6	Idempotency Framework, Dedup Windows
Testability	Ch 04(L.6)	Contract Testing, Platform Sandboxes
Observability	Ch 04(L.7)	LGTM Stack, Integration Metrics
Modularity	Ch 04(L.9A), Ch 04(L.9C)	Domain Model, Module Boundaries
Fault Tolerance	Ch 04(L.10A.1)	Online-First with Offline Fallback, Circuit Breaker
Adaptability	Ch 05 Module 6	Integration Adapters, Extractable Gateway

K.7 Review Schedule

Review Type	Frequency	Trigger Events
Scheduled Review	Quarterly	-
Event-Driven Review	As needed	New integration requirements, Security incidents, Performance degradation, New tenant requirements

K.8 Non-Functional Requirements (NFRs)

This section defines measurable targets that validate the architecture characteristics. All NFRs are traceable to BRD requirements.

K.8.1 Performance Requirements

Requirement ID	Category	Target	Source	Validation Method
NFR-PERF-001	Checkout Latency	< 500ms p99	BRD-v20 (implied)	Load testing
NFR-PERF-002	RFID Bulk Lookup	< 200ms for 50 tags	BRD-v20 §1.1	E2E testing
NFR-PERF-003	Price Calculation	< 100ms	BRD-v20 §1.2	Unit testing
NFR-PERF-004	Tax Calculation	< 50ms	BRD-v20 §1.17	Unit testing
NFR-PERF-005	Product Search	< 300ms	Implicit	Load testing
NFR-PERF-006	Receipt Generation	< 200ms	Implicit	E2E testing

Performance Budget:

Total Checkout Time Budget: 500ms
├── Item Lookup:        100ms
├── Price Calculation:  100ms
├── Tax Calculation:     50ms
├── Payment Processing: 150ms (excluding terminal wait)
└── Receipt/Finalize:   100ms

K.8.2 Availability Requirements

Requirement ID	Category	Target	Source	Validation Method
NFR-AVAIL-001	Cloud API Uptime	99.9% (8.76 hrs/year downtime)	Implicit	Monitoring
NFR-AVAIL-002	Offline Queue Size	Max 100 transactions	BRD-v20 §1.16.2	Configuration
NFR-AVAIL-003	Sync Interval	30 seconds	BRD-v20 §1.16.2	Configuration
NFR-AVAIL-004	Parked Sale TTL	4 hours	BRD-v20 §1.1.1	Configuration
NFR-AVAIL-005	Parked Sales per Terminal	Max 5	BRD-v20 §1.1.1	Configuration
NFR-AVAIL-006	Payment Terminal Timeout	60 seconds	BRD-v20 §1.18.2	Configuration
NFR-AVAIL-007	Connection Timeout	10 seconds	BRD-v20 §1.18.2	Configuration

Availability Tiers:

Cloud Services:     99.9% (allows ~8.76 hrs downtime/year)
POS Terminal:       99.99% (via online-first architecture with thin offline fallback per ADR-048 — brief network outages handled by 2-table SQLite cache and FIFO sales queue)
Database (Primary): 99.95% (with automatic failover)

K.8.3 Scalability Requirements

Requirement ID	Category	Target	Source	Validation Method
NFR-SCALE-001	Concurrent Users	500 (Black Friday peak)	BRD-v20 (implied)	Load testing
NFR-SCALE-002	Transactions per Second	1,000 TPS	Chapter 04 L.6	Load testing
NFR-SCALE-003	Tenant Count	100+ tenants	Chapter 03	Architecture
NFR-SCALE-004	Export Row Limit	1,000 rows max	BRD-v20 §2.5	Configuration
NFR-SCALE-005	Date Range for Reports	365 days max	BRD-v20 YAML	Configuration
NFR-SCALE-006	RFID Tags per Request	50 max	BRD-v20 §1.1	Configuration

Scaling Strategy:

Stateless API Layer:  Horizontal scaling (Kubernetes HPA)
Database:            Vertical scaling + Read replicas + RLS per tenant
Event Stream:        PostgreSQL event tables (v1.0), Kafka partitioning (v2.0)
File Storage:        Object storage (S3-compatible)

K.8.4 Integration & Timeout Requirements

Requirement ID	Category	Target	Source	Validation Method
NFR-INT-001	Payment Timeout	60 seconds	BRD-v20 §1.18.2	Configuration
NFR-INT-002	Connection Timeout	10 seconds	BRD-v20 §1.18.2	Configuration
NFR-INT-003	Multi-Store Data Staleness	Max 5 minutes	BRD-v20 §1.7	Monitoring
NFR-INT-004	Batch Close Time	23:00 daily	BRD-v20 §1.18.2	Configuration
NFR-INT-005	External API Retry	3 attempts with backoff	Implicit	Configuration
NFR-INT-006	Webhook Delivery	At-least-once	Implicit	Architecture

Integration Patterns:

Synchronous:   REST APIs with circuit breaker
Asynchronous:  Event-driven via PostgreSQL Events + LISTEN/NOTIFY (v1.0)
Webhooks:      Inbound (Shopify/Amazon) + Outbound with Transactional Outbox
File Transfer: SFTP/S3 for bulk imports

K.8.5 Data & Compliance Requirements

Requirement ID	Category	Target	Source	Validation Method
NFR-DATA-001	Consent Audit Retention	7 years	BRD-v20 YAML	Policy
NFR-DATA-002	Privacy Request Response	30 days	BRD-v20 §2.5	Process
NFR-DATA-003	Transaction Data Retention	7 years (tax compliance)	Implicit	Policy
NFR-DATA-004	Gift Card Minimum Expiry	5 years (Virginia)	BRD-v20 §1.5.2	Configuration
NFR-DATA-005	Auto-Anonymize Inactive	Configurable (0 = never)	BRD-v20 YAML	Configuration

Data Classification:

Level 1 (Restricted):  Card data (prohibited storage)
Level 2 (Sensitive):   Customer PII, credentials
Level 3 (Internal):    Transaction data, inventory
Level 4 (Public):      Product catalog, store hours

K.8.6 Security Requirements

Requirement ID	Category	Target	Source	Validation Method
NFR-SEC-001	PCI Scope	SAQ-A (no card data stored)	BRD-v20 §1.18	PCI Audit
NFR-SEC-002	Payment Data Storage	Token only, no PAN	BRD-v20 §1.18.1	Code review
NFR-SEC-003	Manager Auth for Overrides	PIN required	BRD-v20 §1.2	E2E testing
NFR-SEC-004	Blind Count	Expected not shown	BRD-v20 §1.12	UI testing
NFR-SEC-005	Variance Tolerance	Configurable ($5 default)	BRD-v20 §1.12	Configuration
NFR-SEC-006	Session Timeout	15 minutes inactivity	Implicit	Configuration
NFR-SEC-007	Password Policy	Min 12 chars, complexity	Implicit	Configuration

SAQ-A Compliance - Data Storage Rules:

STORED (Allowed):
   - Payment tokens
   - Approval codes
   - Masked card number (****1234)
   - Card brand (Visa, MC, etc.)
   - Terminal ID

PROHIBITED (Never store):
   - Full card number (PAN)
   - CVV/CVC
   - Track data
   - PIN block
   - EMV cryptogram (raw)

K.8.7 Integration Requirements (BRD v18.0)

Requirement ID	Category	Target	Source	Validation Method
NFR-INTG-001	Shopify Sync Latency	< 5 seconds (webhook processing)	BRD-v18 §6.3	Integration testing
NFR-INTG-002	Amazon Sync Latency	< 2 minutes (polling interval)	BRD-v18 §6.4	Integration testing
NFR-INTG-003	Google Batch Sync	2x/day + real-time local inventory	BRD-v18 §6.5	Integration testing
NFR-INTG-004	Circuit Breaker Threshold	5 failures / 60 seconds → OPEN	BRD-v18 §6.2.4	Unit testing
NFR-INTG-005	DLQ Retry Policy	3 attempts, exponential backoff	BRD-v18 §6.2.3	Integration testing
NFR-INTG-006	Safety Buffer Calculation	< 100ms per product per channel	BRD-v18 §6.7.2	Performance testing
NFR-INTG-007	Integration Health Check	Every 60 seconds per provider	BRD-v18 §6.11	Monitoring
NFR-INTG-008	Idempotency Window	24-hour dedup with SHA-256 key	BRD-v18 §6.2.5	Unit testing
NFR-INTG-009	Credential Rotation	Automated every 90 days	BRD-v18 §6.2.2	Operations

Integration Performance Budget:

Shopify Webhook Processing: < 5s
├── Receive + Validate Signature:  100ms
├── Deserialize + Map to Domain:   200ms
├── Business Logic Processing:     2,000ms
├── Database Persistence:          500ms
└── Outbox Event Publication:      200ms
     (Buffer):                     2,000ms

Amazon SP-API Polling Cycle: < 2min
├── OAuth Token Refresh (if needed): 500ms
├── API Call (paginated):            5,000ms
├── Response Mapping:                1,000ms
├── Inventory Delta Calculation:     2,000ms
└── Database + Outbox:               1,500ms
     (Buffer):                       110,000ms

K.8.8 NFR Traceability Matrix

This matrix links NFRs to Architecture Characteristics:

Characteristic	Related NFRs
Availability	NFR-AVAIL-001 through NFR-AVAIL-007
Performance	NFR-PERF-001 through NFR-PERF-006
Scalability	NFR-SCALE-001 through NFR-SCALE-006
Security	NFR-SEC-001 through NFR-SEC-007
Interoperability	NFR-INT-001 through NFR-INT-006
Data Consistency	NFR-DATA-001 through NFR-DATA-005
Compliance	NFR-DATA-001 through NFR-DATA-005, NFR-INTG-001 through NFR-INTG-009
Configurability	NFR-INTG-006 (Safety Buffer), platform-specific targets

NFR Validation Schedule

NFR Category	Validation Frequency	Responsible Team
Performance	Every release + quarterly load test	QA + DevOps
Availability	Continuous monitoring	DevOps
Scalability	Quarterly load test	DevOps
Security	Annual PCI audit + continuous scans	Security
Integration	Every release + monthly provider sync	QA + Integration Team
Compliance	Annual audit	Compliance

Document Information

Attribute	Value
Version	7.0.0
Created	2026-01-24
Updated	2026-03-02
Source	Architecture Characteristics Worksheet v2.0, BRD-v18.0, Chapters 02/03/05/06
Author	Claude Code
Reviewer	Expert Panel (Marcus Chen, Sarah Rodriguez, James O’Brien, Priya Patel)
Status	Active
Part	II - Architecture
Chapter	03 of 9
Previous	Chapter 11 v1.1.0 (pre-restructure numbering; backup at Chapter-11-Architecture-Characteristics.md.backup-v18.0)

Change Log

Version	Date	Changes
1.0.0	2026-01-24	Initial document
1.1.0	2026-01-26	Added Section K.8 (Non-Functional Requirements) with 37 NFRs from BRD-v20
2.0.0	2026-02-19	Expert panel review (6.50/10): Expanded to Top 9 driving characteristics (added Compliance, elevated Configurability); rewrote Interoperability with 6 provider families, 3 auth models, 3 rate-limiting paradigms; rewrote Security with 5 concrete sub-domains and 6-gate Security Test Pyramid; added Idempotency, Testability, Observability as implicit; added K.8.7 Integration Requirements (9 NFRs from BRD v18.0 Module 6); updated multi-tenancy from Schema-Per-Tenant to Row-Level with RLS; updated event infrastructure from Kafka to PostgreSQL Events (v1.0)
3.0.0	2026-02-22	Enriched with cross-chapter evidence from former Ch 05/06/08/09; all chapter references renumbered for v3.0.0 (39-chapter to 34-chapter consolidation)
5.2.0	2026-02-27	Fixed 6 schema-per-tenant references → Row-Level Security (RLS) with `tenant_id` + `current_setting('app.current_tenant_id')`. Updated connection pooling diagram, query performance, tenant isolation, security evidence, and compliance sections
7.0.0	2026-03-02	Unified web app pivot: Nexus Admin → Nexus POS in API gateway IP whitelisting diagram. All footers to 7.0.0

Next Chapter: Chapter 04: Architecture Styles Analysis

This chapter is part of the POS Blueprint Book. All content is self-contained.

The POS Platform Blueprint