ADR
Architecture decision record
version v7.2.
For up-to-date documentation, see the
latest version.
21 minute read
| Reference: | TASD – Software Factory as a Product |
| Type & Classification: | Product |
| Step: | Continuous Delivery |
| Bid/Project/Product Name & ID: | Software Factory as a Product (SWaaP) |
| Solution Level: | Digital product |
| Solution Name: | Software Factory as a product |
| Solution description: | As deployed, create and update a Software Factory |
| Key Products/Solution: |
The Technical Architecture and Security Document (TASD) is a High-Level view Document (HLD), referring to Thales IS standard components. The aim is to describe the entire product.
This document describes the architecture of the Software Factory as a Product (SWaaP).
The aim of this document is to provide a general high-level view of the design and security architecture of the product.
This TASD must be updated each time there is a change in the architecture of the product.
This document is an HLD, so the aim is not to describe in detail the different components, especially when these are standard and/or already installed inside the Thales ecosystem. Every component of the product has a low-level architecture design which is documented into specific LLDs. These designs are out of the scope of this document and are referenced in the section below called “Referenced Documentation ”.
| Document reference | Document Name |
|---|---|
| LLD-Artifactory | Low level design of Artifactory component |
| LLD-BlackDuck | Low level design of Black Duck component |
| LLD-BlackDuckAlert | Low level design of Black Duck Alert component |
| LLD-CodeCompanion | Low level design of Code Companion |
| LLD-Documentation | Low level design of SF Documentation |
| LLD-GitLab | Low level design of GitLab component |
| LLD-Kroki | Low level design of Kroki component |
| LLD-Orchestrator | Low level design of Orchestrator component |
| LLD-Runner | Low level design of GitLab Runner component |
| LLD-SonarQube | Low level design of SonarQube component |
| LLD-Xray | Low level design of Xray component |
| SCOM-Artifactory | Software Center Operation Manual of Artifactory |
| SCOM-BlackDuck | Software Center Operation Manual of Black Duck |
| SCOM-BlackDuckAlert | Software Center Operation Manual of Black Duck Alert |
| SCOM-CodeCompanion | Software Center Operation Manual of Code Companion |
| SCOM-Documentation | Software Center Operation Manual of SF Documentation |
| SCOM-GitLab | Software Center Operation Manual of GitLab |
| SCOM-Kroki | Software Center Operation Manual of Kroki |
| SCOM-Orchestrator | Software Center Operation Manual of Orchestrator |
| SCOM-Runner | Software Center Operation Manual of Runner |
| SCOM-SonarQube | Software Center Operation Manual of SonarQube |
| SCOM-Xray | Software Center Operation Manual of Xray |
Software Factory helps Software Engineer who want to develop high quality software applications by reducing the time to write the first line of code on secured environments and maximizing collaboration and autonomy unlike others public software workbenches.
The objective of the Software Factory as a Product is to design, develop, deploy, operate and support a set of tools inside a Software Factory, provided as a Service.
Once instantiated and deployed, these services will be provided to any Thales engineer:
Figure 1 - Overview of the product.
(*) Note: (dotted in the above figure)
The product also provides services to the team that deploys, updates and operates the instance:
All this documentation is either available online or within the SF Documentation component.
The product is based on a Kubernetes environment to be easily deployed and operated with minimized dependency with the platform (public, hybrid or on premise). The product is based on several COTS (GitLab, Artifactory, Xray, SonarQube, Coverity, Black Duck, Black Duck Alert, …) or OSS (Diagram as code).
The scalability of the infrastructure is ensured by the elasticity of the Kubernetes cluster (see Sizing chapter for cluster size ) in the product documentation.
Product needs are collected, managed and implemented by the Software Factory tribe.
The product is managed by the Software Factory tribe . Release note is available on this site .
Version 4 (end of Cycle 23) deliver major version 18 of GitLab. Other COTS also receive at least minor updates.
Version 4.1 deliver a minor version 18.2 GitLab
Cycle 24 deliver both SWaaP 4.2 and 5.0. Both versions deliver minor version 18.3 of GitLab, patch 2.2.4 of Code Companion, minor versions 0.5.0 & 0.6.0 of Software Factory Documentation, and finally version 2025.6.2 of Coverity.
The major difference for version 5.0 lies in a new deployment model described in paragraph 7.1 .
This cycle will target classical updates of existing COTS & TOTS. Major updates will be:
The product has no classical requirements. It is designed and developed based on business use cases.
Software Factory as a Product is a product that permits to deploy and operate Software Factory instances. These Software Factories are provided as a service to build software-based solutions and enhance engineering efficiency through:
The services provided by the Software Factory are:
The product provides assets to deploy and operate the following services:
The product is cross-platform and seamless deployment designed. Requirements are also limited by the least mandatory dependencies:
| Number | Requirement | Capability |
|---|---|---|
| PRE_001 | Mandatory | Access to Software Factory package |
| PRE_002 | Mandatory | Flux CD operator |
| PRE_003 | Mandatory | Kubernetes cluster with: |
| PRE_004 | Mandatory | - Persistent Storage |
| PRE_005 | Product standard | - Ingress controller (nginx) |
| PRE_006 | Product standard | DNS Entry |
| PRE_007 | Product standard | TLS / SSL Certificates |
| PRE_008 | Mandatory for production | Object storage |
| PRE_009 | Highly recommended | IAM - SAML SSO |
| PRE_010 | Highly recommended | Backup / restore at platform level |
| PRE_011 | Highly recommended | Security measures at platform level |
| PRE_012 | Highly recommended | Monitor / Supervision (Prometheus - Grafana) |
| PRE_013 | Highly recommended | Log management |
| PRE_014 | Highly recommended | End user notification (SMTP) |
| PRE_015 | Mandatory for production | Managed Databases (PostgreSQL) |
| PRE_016 | Highly recommended | SLM/LLM |
| PRE_017 | Highly recommended | APIM |
| PRE_018 | Highly recommended | Guardrails |
| PRE_019 | Mandatory* | Have access to a Software Factory for deployment |
| PRE_020 | Mandatory* | Access to Oras and have a local artifact repository for deployment |
(*) alternative for mandatory (one or other).
Table 1 - SWaaP prerequisites.
Product is designed with least privilege principle. In that way, a namespace admin privilege is required for Flux operator.
The product is also integrated in ECOL (reference ) and we defined a link between ECOL and our product requirements annex 1 .
Product is supporting:
High-level variability model and high-level product plan is described in Table 2 :
| Variability Tree | Feature Name | End Q1-2026 | End Q2-2026 |
|---|---|---|---|
![]() | Code management, CI (GitLab) | ![]() | ![]() |
![]() | Web IDE (GitLab) | ![]() | ![]() |
![]() | GitLab Runner | ![]() | ![]() |
![]() | Runner(s) in K8S (as a Service) | ![]() | ![]() |
![]() | Documentation for dedicated runner | ![]() | ![]() |
![]() | Artefact management (Artifactory) | ![]() | ![]() |
![]() | Artefact vulnerability scan (Xray) | ![]() | ![]() |
![]() | Code quality management (SonarQube) | ![]() | ![]() |
![]() | SAST (Coverity) | ![]() | ![]() |
![]() | SCA (Black Duck) | ![]() | ![]() |
![]() | SCA alert (Black Duck Alert) | ![]() | ![]() |
![]() | Golden CI/CD template (NextGen-CICD) | ![]() | ![]() |
![]() | Orchestrator | ![]() | ![]() |
![]() | SF Documentation | ![]() | ![]() |
![]() | Best practices / process / training catalogue | ![]() | ![]() |
![]() | Diagram as code | ![]() | ![]() |
Table 2 - Variability Model.

Figure 2 - Variability Model Legend.
Code management and CI with GitLab and Artifactory are identified as critical items.
Software Factory product contributes to those basic security stories that have to be applied on TDP.
The product data has C2 – THALES GROUP INTERNAL classification. Instances of the product can have their own classification level.
The product has no defense / government classification. But instances can have their own independently.
Some components of the product have Export Administration Regulations. Example:
TODO Personal data.
The product has its own environments for tests purpose. Instances can have their own independently (classically at least staging & production).
TODO check if we declare this here or in a testing section.
The product shall be tested on several reference platforms that reflect the target environments (for example KaaS over AKS cluster and Tanzu cluster). Non-regression tests are designed to ensure stability of functions and integration of the product updates. Performance tests are also designed to ensure usability of the product. Those tests may be also executed on dev instances of the platforms.
Here is a list of approved decisions:
| Ref. | Date | Description |
|---|---|---|
| ADR001 | 2022/09 | From Software Factory services (TDP C2, C3) to Software Factory as a Product |
| ADR002 | 2023/01 | Deploy using Flux |
| ADR003 | 2024/06 | Add SonarQube, Coverity, Black Duck and Synopsys Alert |
| ADR004 | 2024/09 | Add Xray, Orchestrator, Code companion and SF Documentation as bundle; add Boarding & Offer Management as add-on |
| ADR005 | 2025/04 | Remove Boarding & Offer Management; Add Coverity |
| ADR006 | 2025/09 | Switch to a fork to build containers with Kaniko |
| ADR007 | 2025/09 | Add Diagram as code with Kroki component as bundle |
| ADR008 | 2026/04 | Move from nginx Ingress to Gateway API |
Table 3 - List of architecture decision record.
Details are in ADR
You will find in Figure 3 business architecture for software code and CI/CD engineering allocated to services:
Figure 3 - Business architecture allocated to services.
Note: in dash, external items.
Physical architecture of the product is described in Figure 4 :
Figure 4 - Physical architecture.
Note: in dash, external items not managed by the product.
The product has some generic roles. Currently there is no correlation between these roles and roles that can be defined at component level.
| User role | Description user role | Comment |
|---|---|---|
| UC1 | End user / Software engineer | Person that can write in a solution/product/project tenant |
| UC2 | Reader | Person that can read content of a solution/product/project tenant |
| UC3 | Tenant owner | Person that can administrate a solution/product/project tenant |
| UC4 | Software Factory application admin | Person that can administrate Software Factory instance components |
| UC5 | Software Factory system admin | Person that can administrate the deployment/upgrade of the Software Factory instance |
| UC6 | Software Factory tribe | Person that are delivering asset to deploy/upgrade a Software Factory instance |
Here is the RACI (Responsible, Accountable, Consulted, Informed) of SWaaP:
| Action | SWF tribe and his CPO | Platform Service Owner |
|---|---|---|
| Benchmark & Design | R&A | I |
| Provide Low level documentation | R&A | I |
| Provide High level documentation | R&A | I |
| Release updates & new versions of SWaaP | R&A | I |
| Communicate Release plan with Ops & platform | R&A | I |
| Communicate Release Plan with end-users | R&A | |
| Maintain system and data security on platform | R&A | |
| Deploy and operate SWaaP on staging & prod | R&A | |
| Monitor system performance | R&A | |
| Report bugs & issues to SWF tribe | R&A | |
| Infrastructure troubleshooting | R&A | |
| SWaaP Engineering troubleshooting | R&A | C |
SWaaP delivery is composed of OCI artifacts see diagram below
, that are located under
oci://artifactory.thalesdigital.io/docker-virtual-softwarefactory/sf/swaap/releases
:
charts: helm charts of SWaaPgitrepos: Git repositories in oci format of customer-template and swaap.images: container images of SWaaPmetadata: artifacts from editors to manage Air Gap SWaaPAn extra repository is also required to manage SonarQube plugins in https://artifactory.thalesdigtal.io/artifactory/generic-virtual-softwarefactory
These data are variables of SWaaP configuration of customer Git repository in:
cfg-swaap-version.yaml (see template
)cfg-swaap-variables.yaml (helmRepositoryUrl, imageRepositoryUrl
and sonarPluginRepositoryUrl see template
)Figure 5 - Delivery.
A mirrored version is available on TDP C3-CA:
oci://artifactory.tdp.infra.thales/proxy-docker-softwarefactory/sf/swaap/releases
:https://artifactory.tdp.infra.thales/artifactory/proxy-generic-softwarefactoryA mirrored version is available on Carma:
oci://carma.corp.thales/softwarefactory-c3-docker/sf/swaap/releases
:https://carma.corp.thales/artifactory/softwarefactory-c2-genericFor first delivery to a new team that is going to use the product, a customer Git repository has to be created copying, forking, or inspired from the customer template of SWaaP. To be consumed by Flux CD (see [#71-deployment]), this Git repository has to be hosted either in a Git server, or as an OCI aside others SWaaP deliveries.
Cadence of version is describe in the Product Lifecycle , and future versions are announced in releases .
SWaaP is also delivered as a standalone package in order to be deployed without having access to our deliverables. This delivery & deployment mode is currently in exploration.
This mode requires an artifact repository alongside the targeted deployment (see PRE_020 in Prerequisites ).
oras command to pull the SWaaP Air Gap delivery.oras command to push the SWaaP package
to the local registry as a standard SWaaP delivery.Once done, a platform can deploy a SWaaP instance as described in Deployment
You will see further documentation in delivery .
This chapter describes classical integration an instance of the product can have.
Here is a list of services that can be integrated with the Software Factory.
| Ref. | Name | Required | In/ex ternal | Example of protocol & ports (1) | Description |
|---|---|---|---|---|---|
| SFE01 | Flux → Git in Software Factory for deployment | Mandatory | External | HTTPS/443 - Defined by external Git server | Code in a Git server for deployment of the product |
| SFE02 | Flux → Registry in Software Factory for deployment | Mandatory | External | HTTPS/443 - Defined by external Registry server | Registries with helm charts and containers for deployment of the product |
| SFE03 | Object Storage | Highly recommended | External | HTTPS/443 - Defined by external Object storage provider | Components store data on Object Storage (S3/Azure blob storage) |
| SFE04 | IAM - SAML SSO | Highly recommended | External | HTTPS/443 - Defined by external IAM provider | Users should be authenticated using SAML SSO |
| SFE05 | End user notification (SMTP) | Highly recommended | External | SMTPS/465 - Defined by external SMTP provider | Notification should be sent via mail using SMTP |
| SFE06 | Managed Databases (PostgreSQL) | Mandatory for production | External | SSL over POSTGRES/5432 - Defined by external PosgreSQL provider | Components store data in a PostgreSQL data base - Alternative is to use deploy embedded data base with the product |
| SFB01 | Runner, CLI or Orchestrator → GitLab | Mandatory | Both | HTTPS/443 - 3 Ingress entrypoint of SWaaS (ui/registry/pages) | GitLab Runner, CLI or Orchestrator should connect to GitLab using GitLab public API |
| SFB02 | Runner, CLI or Orchestrator → Artifactory | Mandatory | Both | HTTPS/443 - Ingress entrypoint of SWaaS | GitLab Runner, CLI or Orchestrator should connect to Artifactory using Artifactory public API |
| SFB03 | Runner or CLI → Artifactory (for Xray) | Mandatory | Both | HTTPS/443 - Ingress entrypoint of SWaaS | GitLab Runner or CLI should connect to Xray using Artifactory public API |
| SFB05 | Runner, CLI or Orchestrator → SonarQube | Mandatory | Both | HTTPS/443 - Ingress entrypoint of SWaaS | GitLab Runner, CLI or Orchestrator should connect to SonarQube using SonarQube public API |
| SFB06 | Runner or CLI → Coverity | Mandatory | Both | HTTPS/443 - Ingress entrypoint of SWaaS | GitLab Runner or CLI should connect to Coverity using Coverity public API |
| SFB07 | Runner or CLI → Black Duck (And Black Duck Alert) | Mandatory | Both | HTTPS/443 - Ingress entrypoint of SWaaS | GitLab Runner or CLI should connect to Black Duck using Black Duck public API |
| SFB04 | Runner → External service | Highly recommended | External | HTTPS/443 - Ingress entrypoint of SWaaS | GitLab Runner should connect to any service required by projects |
| SFE07 | User applicative admin → GitLab | Mandatory | External | HTTPS/443 - Ingress entrypoint of SWaaS | User and applicative admin should use GitLab UI or public API to access to GitLab |
| SFE08 | User applicative admin → Artifactory (and Xray) | Mandatory | External | HTTPS/443 - Ingress entrypoint of SWaaS | User and applicative admin should use Artifactory UI or public API to access to Artifactory or Xray |
| SFE11 | User applicative admin → SonarQube | Mandatory | External | HTTPS/443 - Ingress entrypoint of SWaaS | User and applicative admin should use SonarQube UI or public API to access to SonarQube |
| SFE12 | User applicative admin → Coverity | Mandatory | External | HTTPS/443 - Ingress entrypoint of SWaaS | User and applicative admin should use Coverity UI or public API to access to Coverity |
| SFE13 | User applicative admin → Black Duck (And Black Duck Alert) | Mandatory | External | HTTPS/443 - Ingress entrypoint of SWaaS | User and applicative admin should use Black Duck UI or public API to access to Black Duck |
| SFE20 | User applicative admin → SF Documentation | Mandatory | External | HTTPS/443 - Ingress entrypoint of SWaaS | User and applicative admin should use SF Documentation UI |
| SFI08 | GitLab → Kroki | Mandatory | Internal | HTTPS/443 - Direct access Kubernetes service to service | GitLab proxy users request and forward to Kroki |
| SFI04 | Xray → Artifactory | Mandatory | Internal | HTTPS/443 - Ingress entrypoint of SWaaS | Xray is integrated in Artifactory (it is accessible through Artifactory UI) |
| SFI05 | Black Duck Alert → Black Duck | Mandatory | Internal | HTTPS/443 - Ingress entrypoint of SWaaS | Black Duck Alert is integrated in Black Duck (it is accessible through Black Duck UI) |
| SFI06 | GitLab → Orchestrator | Mandatory | Internal | HTTPS/443 - Ingress entrypoint of SWaaS | GitLab should connect to Orchestrator |
| SFI07 | Artifactory → Orchestrator | Mandatory | Internal | HTTPS/443 - Ingress entrypoint of SWaaS | Artifactory should connect to Orchestrator |
| SFE09 | GitLab ← GitLab | Highly recommended | External | HTTPS/443 - Defined by external GitLab server | GitLab mirroring on an upper sensitive data domain pulling GitLab on a lower sensitive data domain to upper |
| SFE10 | Artifactory ← Other Artifactory | Highly recommended | External | HTTPS/443 - Defined by external Artifactory server | Artifactory remote on an upper sensitive data domain pulling Artifactory repository on a lower sensitive data domain to upper |
| SFE14 | Black Duck ← Black Duck vulnerability database | Mandatory | External | HTTPS/443 - Defined by external Vulnerability database provider | Black Duck is pulling vulnerability database |
| SFE15 | Black Duck ← Black Duck registering | Mandatory | External | HTTPS/443 - Defined by external Black Duck registering server | Black Duck is registering online |
| SFE16 | LLM Backend | Mandatory | External | HTTPS/443 - Defined by external LLM | Users require a LLM Backend to create their prompts. |
| SFE17 | API Management | Highly recommended | External | HTTPS/443 - Defined by external APIM | LLM Backend should be served by an APIM and handles logging, authentication and usage statistics. |
| SFE18 | Orchestrator ← User or ITSM | Highly recommended | External | HTTPS/443 - Ingress entrypoint of SWaaS | Orchestrator exposes an API to manage SF workspace that can be consumed by ITSM, user, … |
| SFE19 | Orchestrator → Export Control Register | Recommended for EC | External | HTTPS/443 - Defined by external EC register | Check related project in Platform Register. |
(1) Protocol and ports are example that may be set for production.
Currently data are located in each LLD.
Except next chapter deployment, this chapter is not applicable to the product itself. It describes what can we recommend doing for Software Factory instances.
SWaaP product has to be deployed and updated using Flux
,
which has to be installed in the Kubernetes cluster (see prerequisites
).
Conf as code has to be managed with a Git repository dedicated to Software Factory instance,
called customer repository.
This repository can be initialized with the [Customer template] and is own by the platform team.
For updates, the platform team will change the swaap-version in the customer repository,
and also check the potential updates of the [Customer template] in the release note.
Several instances (such as staging, pre-production, production, or any other name) in several clusters can be managed with the same Git repository. See customer template documentation for further details
Application admin can deploy or upgrade doing, as you will see in figure 6 :
Therefore, a GitRepository object is created and will be reconciled by Flux, using a specific service account.
(x) Numbers are related to link label in figure 6
(*) For more details, see the full documentation
Figure 6 - Setup.
Flux tries to reconcile the content of the Git repository with the resources in Kubernetes namespace (1) executing:
For local changes (5) instance Admin can edit the instance source code. For upgrade from the product (MR) the instance Admin validates the merge request.
Flux will perform the reconcile each time there is a change in the source code.
(x) Numbers are related to link label in figure 7
Figure 7 - Flux.
Failover is ensured by Kubernetes mechanism. If a process crash or a service does not respond, the associated pod restarts.
Observability plays a large part in monitoring the health of services.
Currently no high availability is provided by the product, even if some tools are able to support it.
Not applicable at product level.
When a vulnerability is discovered is published by a software editor, it is essential to have a well-defined response plan to ensure the prompt and effective implementation of the patch. Our process permits to ensure an SLA regarding vulnerabilities. For further details, see Security_patch_management .
We recommend to manage point in time restore at platform level. Like that it is possible to restore synchronously:
Alternative backup procedure is indicated in every component LLD.
There is no transverse capacity of monitoring. The product support Prometheus/Grafana. Monitoring of component is detail in every LLD and SCOM.
TODO Capacity planning
There is currently no transverse capacity of managing users. On/off boarding has to be performed at component level.
There is no administration at product level. See component LLD.
List of ECOL requirement is described in Table 4 . And traceability from SWaaP prerequisites to ECOL requirement is described in Table 5 .
| Number | Type | Capability |
|---|---|---|
| ECOL_NET_31 | Network | Ingress Controller |
| ECOL_NET_40 | Network | WAN (Thales) Connectivity |
| ECOL_COMP_30 | Compute (Containers) | Container Orchestration |
| ECOL_COMP_40 | Compute (Containers) | Container Orchestration Capacity |
| ECOL_COMP_50 | Compute (Containers) | Container Orchestration RBAC |
| ECOL_COMP_60 | Compute (Containers) | Container Orchestration Namespaces |
| ECOL_STOR_10 | Storage | Persistent Storage |
| ECOL_STOR_20 | Storage | Object Storage |
| ECOL_DATA_10 | Data | Backup / Restore |
| ECOL_DATA_20 | Data | Managed Databases (PostgreSQL) |
| ECOL_OPE_10 | Operation | Monitoring / Supervision (Prometheus – Grafana) |
| ECOL_OPE_30 | Operation | Log Management |
| ECOL_OPE_60 | Operation | Operational Dashboard (Grafana) |
| ECOL_OPE_70 | Operation | Flux |
| ECOL_INFSRV_10 | Infrastructure Services | Mail Exchange |
| ECOL_INFSRV_30 | Infrastructure Services | Infrastructure Automation |
| ECOL_INFSRV_40 | Infrastructure Services | DNS |
| ECOL_INFSRV_70 | Infrastructure Services | Artefact Repository (can be Carma or local) |
| ECOL_SEC_40 | Security | IAM & SSO |
| ECOL_SEC_50 | Security | Encryption |
| ECOL_SEC_60 | Security | Vault |
| ECOL_SEC_80 | Security | Security Operation Center |
| ECOL_XAAS_20 | XaaS | KaaS |
| ECOL_PLAT_10 | Hosting Platform | Subscription and Cost Management |
| ECOL_PLAT_20 | Hosting Platform | Cloud Product & Service Lifecycle Management |
| ECOL_PLAT_40 | Hosting Platform | Capacity Management & Scalability |
| ECOL_PLAT_50 | Hosting Platform | High Availability and Resiliency |
| ECOL_PLAT_60 | Hosting Platform | Continuity |
Table 4 - ECOL requirement needs for Software Factory.
| Number | Capability | Traceability |
|---|---|---|
| PRE_001 | Access to Software Factory package | ECOL_INFSRV_70 |
| PRE_002 | Flux CD operator | ECOL_OPE_70, ECOL_COMP_50 |
| PRE_003 | Kubernetes cluster | ECOL_COMP_30, ECOL_COMP_40, ECOL_COMP_60, ECOL_XAAS_20 |
| PRE_004 | - Persistent Storage | ECOL_STOR_10 |
| PRE_005 | - Ingress controller (nginx) | ECOL_NET_31, ECOL_NET_40 |
| PRE_006 | - DNS Entry | ECOL_INFSRV_40 |
| PRE_007 | - TLS / SSL Certificates | |
| PRE_008 | Object storage | ECOL_STOR_20 |
| PRE_009 | IAM - SAML SSO | ECOL_SEC_40 |
| PRE_010 | Backup / restore at platform level | ECOL_DATA_10 |
| PRE_011 | Security measures at platform level | ECOL_SEC_50, ECOL_SEC_60, ECOL_SEC_80 |
| PRE_012 | Monitor / Supervision (Prometheus - Grafana) | ECOL_OPE_10 |
| PRE_013 | Log management | ECOL_OPE_30 |
| PRE_014 | End user notification (SMTP) | ECOL_INFSRV_10 |
| PRE_015 | Managed Databases (PostgreSQL) | ECOL_DATA_20 |
| PRE_016 | SLM/LLM | |
| PRE_017 | APIM | |
| PRE_018 | Guardrails | |
| PRE_019 | GitLab and Artifactory for deployment | ECOL_INFSRV_70 |
| PRE_020 | Oras and local artifact manager for deployment | ECOL_INFSRV_70 |
Table 5 - SWaaP prerequisites to ECOL requirement traceability.
Architecture decision record