Dual-Platform Ready

Blaze: Multi-Tenant
Agentic SDLC Platform

Enterprise governance for AI-assisted development — across every coding agent. One framework, any platform, complete audit trail.

Specialized Agents

SDLC Phases

Cloud Infra Phases

∞

Multi-Tenant Ready

CDD

Evidence Framework

100%

Audit-Driven

K8s

Cloud-Native

The Challenge

Why Teams Need Governed AI Development

As AI coding agents proliferate across engineering teams, organizations face compounding governance, compliance, and quality risks without a unified oversight framework.

⚠️

Ungoverned AI Coding

AI agents operate without guardrails, producing code that skips security reviews, ignores architectural standards, and bypasses compliance checkpoints. No visibility into what agents are doing or why.

No enforcement of coding standards
Security vulnerabilities introduced silently
Architectural drift goes undetected
No audit trail for regulatory review

📋

No Evidence Trail

Compliance auditors require proof that decisions were made deliberately. AI-generated code leaves no traceable chain from requirements to implementation to testing, creating significant compliance gaps.

SOC 2 / ISO 27001 audit failures
Cannot demonstrate due diligence
Requirements traceability broken
Decision rationale lost forever

🔒

Platform Lock-In

Teams investing in one AI coding platform face switching costs when better tools emerge. Custom agents, prompts, and workflows tied to a single vendor create long-term strategic risk.

Claude Code agents use different metadata formats than OpenCode agents
OpenCode plugins and permission models unavailable in Claude Code
Retraining cost when switching tools
No portability of institutional knowledge

⏱️

Manual Governance Doesn't Scale

As AI accelerates output, manual review processes become the bottleneck. Human reviewers cannot keep pace with AI-generated PRs, leading to rubber-stamping or dangerous backlogs.

Review queues block delivery
Quality assurance degraded under pressure
Inconsistent standards across teams
No systematic knowledge capture

Solution

Platform Vision

Blaze is a governance and orchestration layer that sits above all AI coding platforms, providing a unified agent framework, evidence collection, and compliance enforcement regardless of which tool your engineers use. Blaze is available as a local installation for existing environments and as a fully managed cloud platform — where developers connect to Kubernetes-hosted ephemeral containers with Claude Code and the full governance stack pre-installed.

Governance Layer

Blaze Platform

Agent orchestration · Evidence collection · CDD enforcement · Multi-tenant isolation · Compliance reporting

▼ publish-artifacts.sh · Canonical Artifact Registry

Full Platform

OpenCode

Plugins · MCP · Hooks · Commands · Modes · Real-time governance

Enhanced

Claude Code

MCP tools · Hooks · Agents · Slash commands

Key Differentiators

Dual-Platform

Define artifacts once in canonical format; publish to OpenCode and Claude Code automatically. All 78 agents available on both platforms today.

Evidence-First

Every agent action is captured as structured evidence, satisfying SOC 2, ISO 27001, and custom compliance frameworks.

Multi-Tenant Isolation

Schema-per-tenant PostgreSQL with row-level security. Each customer's data is cryptographically separated.

78 Specialized Agents

A complete SDLC agent portfolio covering design through deployment, pre-built and ready to customize.

CDD Framework

Compliance-Driven Development chains requirements through code to evidence automatically.

Cost-Optimized Routing

Intelligent model routing (Haiku/Sonnet/Opus) saves 60-70% on LLM costs without sacrificing quality.

How It Works

Developer Journey — From Terminal to Compliance

A developer starts a governed session from their terminal. From that point, Blaze handles governance, testing, review, and compliance evidence automatically. Here is the end-to-end flow:

Start Session

CLI command starts a governed K8s container. Artifacts pulled automatically.

Code + Build

AI agents assist with implementation. Tests written before code (TDD).

Test + Scan

Agents run unit tests, security scans, and coverage checks automatically.

Review + Gate

Multi-model consensus review. 3 of 4 AI models must approve to merge.

Merge + Ship

Governed merge with full audit trail. Branch cleanup automatic.

Evidence + Audit

Compliance evidence collected at every step. SOC 2 / GDPR ready.

Specialized Agents

SDLC Phases

100%

Compliance Evidence
on Every Commit

Zero manual overhead. Developers write code in their terminal. Everything else — testing, security scanning, multi-model review, evidence collection, compliance reporting — happens automatically in the background.

Impact

What Changes With Blaze

A side-by-side comparison of development before and after adopting Blaze:

Area	Without Blaze	With Blaze
Governance	Manual code reviews, tribal knowledge, inconsistent standards	78 AI agents enforce standards automatically on every commit
Compliance	Spreadsheets assembled after the fact for auditors	Evidence collected in real-time at every phase gate
Consistency	Every developer configures their own tools differently	Governed artifacts — same rules, hooks, and agents for everyone
Speed	Days from code complete to merge (manual reviews, back-and-forth)	Minutes — AI handles testing, review, and documentation
Audit Trail	“We think we checked that” — no verifiable proof	SHA-256 hashed evidence chain, every action traceable
Multi-Tenant	One-off setups per customer, no isolation guarantees	Deploy isolated instances in one command with full data separation

Blaze turns AI-assisted development from a wild west into a governed, auditable, repeatable process — without slowing developers down.

Technical Design

Architecture Overview

Blaze uses a hub-and-spoke architecture centered on a Governance MCP Server, with tenant isolation enforced at every layer from the API gateway through to storage.

Core

Governance MCP Server

Tool routing · Evidence capture · RBAC · Tenant context

↗

Platform

OpenCode (Full)

Claude Code (Enhanced)

↓

Isolation Layer

Tenant Namespace

JWT + RBAC Auth

Row-Level Security

↖

Data Layer

PostgreSQL + AGE

S3 Evidence Storage

TimescaleDB Metrics

GitHub App Integration

CI/CD Pipelines

PM Tools (Jira/ADO)

Compliance Reports

API Gateway

Tenant-aware routing with JWT validation. Every request carries tenant context through the full call chain.

MCP Protocol

Model Context Protocol enables bidirectional tool communication between agents and the governance server.

Event Sourcing

All agent actions are persisted as immutable events, enabling full audit replay and compliance reporting.

Cloud Platform Architecture

Blaze runs as a managed Kubernetes platform where developers connect to ephemeral containers pre-loaded with Claude Code and the full SDLC governance stack.

Control Plane

Platform API

Config Sync

State Manager

Env Controller

↓

Data Plane

Org

→

Tenant

→

Project

→

Developer Pod

Security

PSS Restricted
Falco Runtime
OPA/Gatekeeper
Network Policies

↓

Observability

Prometheus

Grafana

Loki

OTel

Ephemeral Dev Environments

Developers connect via web terminal or SSH to pods with Claude Code and Blaze pre-installed. Environments spin up in under 60 seconds, fully configured for the project.

State Persistence

Memory bank, evidence, and session state are stored in GCS/S3 and automatically restored on container start. No work is lost between sessions.

BlazeEnvironment CRD

Declarative environment lifecycle managed by a Kubernetes operator. OpenAPI-validated custom resource definition controls provisioning, scaling, and teardown.

Platform Governance

Canonical Artifact Registry

All platform artifacts are defined once in blaze/canonical/ and automatically published to OpenCode and Claude Code via publish-artifacts.sh. Frontmatter transformations adapt each artifact to its target platform format. A PostToolUse hook auto-publishes on edit; a pre-commit hook auto-stages generated files — zero manual steps.

78 Agents

24 Commands

18 Skills

40 Rules

Canonical Format (Markdown + YAML Frontmatter)

# blaze/canonical/agents/security-reviewer.md
---
description: "Comprehensive security analysis
  using OWASP Top 10 and CWE standards"
mode: subagent
model: anthropic/claude-opus-4-20250514
hidden: true
tools:
  bash: true
  read: true
  grep: true
permission:
  edit: "allow"
  bash: "allow"
targets: [opencode, claude-code]
---

You are the security reviewer agent...
(instruction body — identical across platforms)

Transformation Rules

Artifact	To OpenCode	To Claude Code
Agent	Full frontmatter (strip `targets:`)	Description-only frontmatter
Command	Keep `agent:`, `subtask:`	Keep `description:` only
Skill	`skill-name/skill.md`	`skill-name/index.md`
Rule	`blaze/rules/`	`.claude/rules/`
Mode/Schema/Plugin	Direct copy	N/A

Publisher Flow

blaze/canonical/ (source of truth)

↓ publish-artifacts.sh --generate

.opencode/
Full frontmatter + body

.claude/
Minimal frontmatter + body

Zero-Touch Automation

PostToolUse Auto-publish on edit

Write or Edit to blaze/canonical/* triggers publish-artifacts.sh --generate automatically via Claude Code hook (~2s).

Pre-commit Auto-stage generated files

Git pre-commit hook detects canonical changes, auto-runs generation, and re-stages all target files. Commit includes both source and output.

Drift Guard Block direct target edits

Direct edits to .opencode/ or .claude/ without canonical changes are blocked. Emergency bypass via SKIP_CANONICAL_CHECK=1.

Agent Catalog

Agent Portfolio — 78 Agents

A complete SDLC coverage across four phases plus cross-cutting concerns. All 78 agents run on both OpenCode and Claude Code. Artifacts are defined in blaze/canonical/ and auto-published to both .opencode/ and .claude/ via the canonical artifact registry.

sdlc-orchestrator

Coordinates SDLC phase transitions, triggers appropriate agents, and enforces phase gates across the full development lifecycle.

Cross-Cutting

bpmn-specialist

Creates and validates BPMN 2.0 process diagrams for workflow documentation and compliance evidence.

Cross-Cutting

ado-manager

Full Azure DevOps integration: work items, boards, pipelines, and sprint management via ADO REST API.

Cross-Cutting

cdd-methodology

Enforces Compliance-Driven Development practices: requirement tagging, evidence linking, and traceability matrix generation.

Cross-Cutting

critical-thinking

Adversarial review agent that challenges assumptions, identifies logical gaps, and stress-tests architectural decisions.

Cross-Cutting

github-issues-manager

Manages GitHub Issues lifecycle: creation, labeling, milestone tracking, and automated closure with evidence references.

Cross-Cutting

jira-manager

Jira integration for issue tracking, epic management, sprint planning, and bi-directional sync with development artifacts.

Cross-Cutting

agent-creator

Meta-agent that generates new canonical agent definitions, bootstraps agent scaffolding, and validates against the canonical format.

Cross-Cutting

ai-governance-advisor

Assesses AI usage risks, recommends governance controls, and maps requirements to emerging AI regulation frameworks.

Phase 1

architecture-reviewer

Evaluates system architecture against patterns, identifies anti-patterns, and generates ADR-format decision records with evidence.

Phase 1

design-review

Reviews UI/UX designs against accessibility (WCAG 2.1), brand standards, and UX heuristics. Generates structured review reports.

Phase 1

prd-generator

Generates structured Product Requirements Documents from conversations, user stories, and feature briefs with acceptance criteria.

Phase 1

regulatory-analysis

Analyzes code and processes against regulatory requirements (GDPR, HIPAA, SOX, PCI-DSS) and flags compliance gaps.

Phase 1

risk-assessment

Performs structured risk analysis using STRIDE methodology, generates risk registers with likelihood/impact scoring.

Phase 1

acceptance-criteria-tester

Transforms acceptance criteria into executable BDD/Gherkin test scenarios. Validates every criterion maps to Given/When/Then before Phase 2 begins.

Phase 1

code-quality-reviewer

Static analysis beyond linting: detects complexity hotspots, naming inconsistencies, dead code, and anti-patterns with fix suggestions.

Phase 2

dependency-checker

Scans package manifests for known CVEs, license conflicts, outdated versions, and supply chain risks. Integrates with Snyk and OSV.

Phase 2

gemini-judge

Uses Google Gemini as a second-opinion judge for AI-generated code quality, providing multi-model consensus scoring.

Phase 2

performance-analyzer

Identifies algorithmic complexity issues, N+1 queries, memory leaks, and bundle size regressions with profiling evidence.

Phase 2

playwright-e2e-tester

Generates and executes Playwright end-to-end test suites, captures screenshots as evidence, and reports coverage gaps.

Phase 2

security-reviewer

OWASP Top 10 and CWE-based security analysis of code changes, with finding severity scoring and remediation guidance.

Phase 2

test-coverage-analyzer

Analyzes test suite coverage, identifies untested code paths, and generates targeted test cases for critical gaps.

Phase 2

aws-cost-reporter

Analyzes AWS cost anomalies, identifies optimization opportunities, and generates cost attribution reports per service and team.

Phase 3

pipeline-orchestrator

Manages CI/CD pipeline execution, handles deployment gates, triggers rollbacks, and captures deployment evidence.

Phase 3

trust-enforcer

Runtime policy enforcement agent that validates deployment artifacts against trust policies before production promotion.

Phase 3

compliance-manager

Generates compliance reports for auditors, maps evidence to control frameworks, and tracks remediation of findings.

Phase 4

documentation-reviewer

Reviews technical documentation for accuracy, completeness, and consistency with implementation. Identifies stale docs.

Phase 4

evidence-collection

Orchestrates evidence gathering across all agents, normalizes formats, and stores structured evidence in the data layer.

Phase 4

pr-orchestrator

Manages the full PR lifecycle: review assignment, governance checks, merge criteria enforcement, and post-merge evidence.

Phase 4

multi-ai-reviewer

Coordinates multi-model code review using Claude, Gemini, and GPT-4 for consensus scoring and reduced AI bias.

Phase 4

bpmn-validator

Validates BPMN 2.0 and DMN process models for Camunda Platform 7 compatibility and best practices.

Domain

bpmn8-validator

Validates BPMN 2.0 models against Camunda Platform 8 Zeebe engine constraints and migration readiness.

Domain

bpmn-commit-agent

Automates BPMN file commits with proper validation, visual checks, and changelog generation.

Domain

bpmn-tester

Tests BPMN process definitions with preview mode and automated validation against expected behavior.

Domain

dmn-decision-architect

Designs and validates DMN decision tables, ensuring correctness of hit policies and input/output mappings.

Domain

acceptance-criteria-tester

Validates that implementation satisfies BDD acceptance criteria by mapping Gherkin scenarios to test results.

Domain

e2e-testing-expert

Designs comprehensive end-to-end test strategies covering critical user paths and integration boundaries.

Domain

test-validator

Validates test results against quality gates and generates compliance reports for evidence collection.

Domain

presentation-qa

Reviews HTML presentations for accessibility, brand compliance, visual consistency, and responsive layout.

Domain

cicd-pipeline

Designs and maintains CI/CD pipeline configurations across GitHub Actions, GitLab CI, and Azure DevOps.

Domain

cloudflare-publisher

Deploys static assets and presentations to Cloudflare Pages with OTP-protected access control.

Domain

github-pages-deployer

Automates deployment of documentation and presentations to GitHub Pages with custom domain support.

Domain

npm-publisher

Manages npm package publishing with version validation, changelog generation, and registry authentication.

Domain

preview-deployer

Creates ephemeral preview environments for PR branches with automatic teardown on merge or close.

Domain

gmail-manager

Integrates with Gmail API for automated notifications, report delivery, and stakeholder communication.

Domain

google-calendar-manager

Manages calendar events for sprint ceremonies, deployment windows, and review deadlines.

Domain

google-drive-release-manager

Organizes release artifacts, evidence packages, and documentation in Google Drive with proper access controls.

Domain

master-cost-reporter

Generates comprehensive cost reports across AWS, Cloudflare, and AI API usage for budget tracking.

Domain

agent-health-check

Monitors agent availability, response times, and error rates across the platform agent fleet.

Domain

context-optimizer

Analyzes and optimizes context window usage across agents to reduce token consumption and improve response quality.

Domain

model-router

Routes requests to optimal AI models based on task complexity, cost targets, and latency requirements.

Domain

plan-checker

Validates implementation plans against architectural constraints, dependency graphs, and risk assessments.

Domain

platform-installer

Installs and configures the Blaze platform with declarative PM tool selection and environment setup.

Domain

prompt-enhancer

Optimizes prompts per-model (Claude, GPT-4o, o3, Gemini) using 28 anti-patterns, 7 templates, and 9-dimension intent extraction via a 4-phase pipeline.

Domain

subagent-creator

Creates, validates, and optimizes sub-agent definitions with proper format and best practices enforcement.

Domain

codebase-mapper

Generates comprehensive codebase maps for brownfield project onboarding with dependency and architecture analysis.

Domain

dev-summary-reporter

Generates daily and weekly development summary reports from git activity, PR metrics, and agent usage data.

Domain

hypothesis-reasoning

Executes hypothesis-driven reasoning with ADI cycle for rigorous architectural and technical decision-making.

Domain

predictive-monitor

Predicts potential issues from development patterns, alerting teams before problems materialize in production.

Domain

process-simulator

Simulates BPMN process execution to identify bottlenecks, deadlocks, and optimization opportunities.

Domain

root-cause-analyzer

Performs systematic root cause analysis on failures using 5-Whys, fishbone diagrams, and fault tree analysis.

Domain

bundle-analyzer

Analyzes JavaScript bundle sizes, identifies optimization opportunities, and enforces bundle budgets.

Domain

lighthouse-auditor

Conducts comprehensive Lighthouse performance audits with metric tracking and CI/CD enforcement.

Domain

web-performance-optimizer

Optimizes web performance metrics, bundle sizes, and loading speeds with automated analysis and monitoring.

Domain

git-workflow-guardian

Enforces git workflow rules including branch naming, commit message standards, and merge protections.

Domain

goal-verifier

Verifies that implementation outcomes match stated goals by cross-referencing deliverables against requirements.

Domain

project-showcase-generator

Generates comprehensive HTML showcase presentations from project data with live demos and architecture diagrams.

Domain

service-orchestrator

Coordinates multi-service deployments, manages dependencies, and ensures proper deployment sequencing.

Domain

OpenCode — full metadata: model, tools, permissions in frontmatter

Claude Code — minimal metadata: runtime manages model routing and permissions

Infrastructure

Platform Components

Beyond agents, Blaze comprises skills, rules, hooks, and scripts that form the backbone of governed AI development. Click any card for full details.

🧩 Skills 16 Reusable capability modules that extend agent functionality

docx

Word document creation, editing, and tracked changes with OOXML

pptx

PowerPoint creation with html2pptx, templates, and rearrangement

xlsx

Spreadsheet generation with formula support and financial standards

pdf

PDF manipulation: merge, split, extract, create, OCR, and forms

bpmn-editing

BPMN 2.0 layout standards and Camunda visual best practices

coding-standards

TypeScript, React, Python/FastAPI, and SQLAlchemy code quality

accessibility

WCAG 2.1 AA/AAA compliance checking and automated testing

cloudflare-safety

Deployment safety: versioned workflow, binding preservation

context-full

Load complete project context in one session

context-infrastructure

GKE, Docker, Terraform, and Kubernetes context loading

context-services

Microservices architecture and dependency mapping

memory-search

Cross-session memory retrieval from memory bank files

mermaid-to-word

Mermaid diagrams to high-res PNGs embedded in Word docs

review-opus

Deep Opus-grade review: architecture, edge cases, subtle bugs

review-sonnet

Fast Sonnet-grade review: syntax, security basics, style

review-external

Gemini + GPT-4o dual-provider cross-validation reviews

📏 Rules 22 Declarative constraints that govern agent behavior

color-contrast

Dark background text visibility enforcement

Visual

accessibility

WCAG 2.1 AA frontend compliance requirements

Visual

react

Functional components, hooks, and React best practices

Frontend

spot-only-mandatory

All GKE node pools must use Spot VMs, zero exceptions

Infra

memory-operations

Auto-update triggers for memory bank files

Memory

session-handoff

Session continuity protocol via activeContext.md

Memory

dependency-security

Exact versions, license compliance, supply chain security

Security

unit-testing

TDD, Jest framework, 80% coverage threshold

Testing

code-integrity

No stubs, fake returns, TODOs, or mock implementations

Workflow

deviation-rules

AUTO-FIX / ASK FIRST / STOP deviation protocol

Workflow

git-worktree

All feature dev must use isolated git worktrees

Workflow

mandatory-testing

TDD + BDD + CDD enforcement with hard blocking

Testing

no-github-actions

OpenCode agents replace all CI/CD pipelines

Workflow

pm-tool-operations

Never use PM CLI directly; always use agents

Workflow

post-merge-updates

Mandatory cleanup sequence after PR merge

Workflow

unified-sdlc

4-phase SDLC with TDD/BDD/CDD and quality gates

Workflow

brand-compliance

Blaze brand colors, typography, logo, and spacing

Visual

language-compliance

Tone of voice, prohibited phrases, active voice

Visual

slide-design

6x6 content density, animation, and CTA standards

Visual

hypothesis-evaluation

Hypothesis-driven decisions with assurance levels

Reasoning

agent-dev

Agent creation standards, naming, and documentation

Agents

platform-identity

Core identity rules and prohibited patterns

Workflow

🪝 Hooks 16 Event-driven automation enforcing governance at every checkpoint

pre-commit

Branch protection and naming convention enforcement

BlockingGit

commit-msg

Conventional commits format and issue reference

Git

post-checkout

Merged branch cleanup on branch switch

Git

sdlc-auto-trigger

Keyword detection to auto-invoke SDLC orchestrator

SDLC

sdlc-phase1-validator

Phase 1 agent tracking and execution order validation

BlockingSDLC

mandatory-sdlc-check

Feature branch name and work item validation

BlockingSDLC

gsd-context-monitor

Context window usage tracking and threshold warnings

Advisory

pre-edit-validation

Blocks edits on main/master or merged branches

Blocking

pre-release-evidence

CDD evidence required before any release

Blocking

post-pr-creation

PR review reminder and evidence capture prompt

Advisory

pm-tool-enforcement

Validates PM tool usage matches project config

Blocking

validate-cdd-evidence

CDD phase evidence required before PR merge

Blocking

load-memory-bank

Session-start memory and context loading

Advisory

session-end

Auto-capture session summary to activeContext.md

Advisory

post-merge-hook

Post-merge cleanup checklist reminder

Advisory

check-no-ci-pipelines

Prevents CI pipeline file creation

Blocking

⚙️ Scripts 15+ Automation for PM integration, review gates, and compliance

jira-client.js

Jira REST API integration library for issue management

create-story-with-epic.js

Story + epic creation with priority and story points

pr-review-gate.js

PR governance gate via GitHub Checks API

pr-review-gate.sh

Shell wrapper with exemptions and colored output

Bash

openai-review.sh

GPT-4o code review with token/cost tracking

Bash

git-cleanup.sh

Branch, worktree, and stale ref cleanup

Bash

onboard-tenant.sh

Multi-tenant provisioning and configuration

Bash

purge-evidence.py

Evidence lifecycle management with GDPR compliance

Python

compliance-monitor.py

Real-time compliance monitoring with framework scoring

Python

evidence-generator.py

Merkle tree evidence with integrity verification

Python

workflow-validator.py

Work item, branch, commit, and file validation

Python

agent-helpers.js

Auto-generated helpers for 24+ agent types

markdown-to-jira.js

Bidirectional Markdown to Jira wiki conversion

otp-auth.ts

Shared OTP auth with Descope JWT and rate limiting

init.js

Platform initialization and environment verification

Process Modeling

BPMN Capabilities

Enterprise-grade BPMN 2.0 process modeling with validation for both Camunda 7 and Camunda 8 platforms, plus battle-tested best practices for visual clarity and maintainability.

Compatibility Validation

Ensures BPMN diagrams are fully compatible with Camunda 7 engine requirements.

historyTimeToLive attribute enforcement on all process definitions
candidateGroups / candidateUsers assignment validation
formData and embedded form reference checking
Execution listener and task listener syntax validation
Timer definition expression format verification

External Task Pattern

Validates proper use of the external task pattern for distributed work processing.

Topic name uniqueness across process definitions
Error handling boundary events on external tasks
Retry configuration (retries, retryTimeCycle)
Input/output variable mapping completeness

DMN Decision Tables

Validates decision tables for completeness and engine compatibility.

Hit policy validation (UNIQUE, FIRST, COLLECT, etc.)
Input/output column type consistency
Missing rule detection and gap analysis
Business rule task ↔ decision table linkage

Error Detection

Flags common pitfalls and incompatible configurations.

Zeebe namespace detection (flags zeebe: elements as Camunda 8-only)
Deprecated API usage warnings
Missing end events and dangling sequence flows
Overlapping boundary events on the same activity
Invalid expression language references

# Camunda 7 Validation Commands
blaze validate --engine camunda7 process.bpmn
blaze validate --engine camunda7 --strict decision.dmn
blaze validate --engine camunda7 --fix process.bpmn  # auto-fix common issues

Zeebe-Native Validation

Full validation against Camunda 8's Zeebe workflow engine requirements.

Zeebe task definition type validation
Message correlation key expression checking
Signal event reference validation
Multi-instance configuration completeness
Process instance variable scope validation

Cloud Connector Support

Validates Camunda 8 connector configurations for cloud service integrations.

REST connector URL and method validation
SendGrid / Slack connector parameter checking
Custom connector template compatibility
Secret reference resolution (secrets.*)

Job Worker Patterns

Best practices for job worker implementation and error handling.

Worker type naming convention enforcement
Timeout configuration validation
Error code mapping between process and workers
Variable fetching optimization (fetchVariables)

Operate & Tasklist Integration

Validates configurations that affect Operate monitoring and Tasklist user experience.

User task form key / form ID validation
Task assignment expression completeness
Process annotation for Operate dashboards
Incident resolution path verification

# Camunda 8 Validation Commands
blaze validate --engine camunda8 process.bpmn
blaze validate --engine camunda8 --connectors process.bpmn
blaze validate --engine camunda8 --migrate-from-c7 legacy.bpmn  # migration analysis

1 Task Dimensions

Standard task elements should be 151×76 pixels. Consistent sizing ensures visual harmony and prevents crowded diagrams.

Correct

<bpmndi:BPMNShape id="Task_1_di" bpmnElement="Task_1">
  <dc:Bounds x="280" y="200" width="151" height="76" />
</bpmndi:BPMNShape>

2 Pool & Lane Sizing

Pools should be wide enough for the full flow. Lanes need minimum 150px height per element row. Expand containers rather than cramming elements.

Correct

<dc:Bounds x="120" y="80" width="1200" height="500" />
<!-- Lane height = elements × 150px minimum -->

3 Escalation Pattern

Use timer boundary events for escalation. Escalation targets must be in the same lane or an adjacent lane — never skip lanes.

Correct

<!-- Timer boundary → escalation task in same lane -->
<boundaryEvent id="timer1" attachedToRef="Task_Review">
  <timerEventDefinition>
    <timeDuration>PT48H</timeDuration>
  </timerEventDefinition>
</boundaryEvent>

4 Text Annotations

Keep subprocess names clean and descriptive. Use text annotations for supplementary context rather than cluttering element labels.

Avoid

name="Review document and check for compliance issues
and send notification to the manager if needed"

Prefer

name="Review Document"
<!-- Use textAnnotation for details -->

5 Convergence Gateway

Always place a converging gateway before a subprocess to ensure all incoming flows are properly synchronized.

Pattern

Gateway (converge) → Subprocess → Continue
Not: Multiple flows → Subprocess (creates race conditions)

6 Multiple BPMNDiagram Support

Use multiple BPMNDiagram elements for drill-down views. Main diagram shows collapsed subprocesses; secondary diagrams show expanded detail.

Structure

<bpmndi:BPMNDiagram id="MainDiagram">
  <!-- Top-level process with collapsed subprocesses -->
</bpmndi:BPMNDiagram>
<bpmndi:BPMNDiagram id="SubProcess_Detail">
  <!-- Expanded subprocess drill-down -->
</bpmndi:BPMNDiagram>

7 Parallel Agent Orchestration

Use parallel gateways for concurrent agent execution. Always pair split gateways with join gateways for clean synchronization.

Pattern

Parallel Split → [Security Review]
              → [Code Quality]    → Parallel Join
              → [Test Coverage]

8 Camunda Modeler Metadata

Preserve Camunda Modeler export metadata. The exporterVersion ensures compatibility when re-opening in the modeler.

Required Attributes

<definitions
  exporter="Camunda Modeler"
  exporterVersion="5.x.x"
  targetNamespace="http://bpmn.io/schema/bpmn">

9 Layout Rules

Flow direction is left-to-right. Minimum lane height is 150px. Maintain 40px minimum spacing between elements. Align elements to grid.

Guidelines

Flow direction:  Left → Right (primary)
Lane height:     ≥ 150px per element row
Element spacing: ≥ 40px between shapes
Gateway size:    50×50 (standard)
Event size:      36×36 (standard)

10 Validation Tooling

Use Blaze's built-in BPMN validation tools before committing diagrams. Supports both CLI and CI/CD pipeline integration.

Commands

blaze validate *.bpmn              # validate all diagrams
blaze validate --visual process.bpmn # check layout rules
blaze validate --overlap process.bpmn # detect overlapping elements
blaze lint process.bpmn               # lint naming conventions

Compatibility

Platform Support Matrix

Blaze supports two platform tiers based on API surface. Each tier provides real-time governance and evidence collection through different mechanisms.

Capability	OpenCode (Full Platform)	Claude Code (Enhanced)
Agent Execution	✓ Full subagent support	✓ Full subagent support
Real-time Governance	✓ Plugins + hooks	✓ Hooks
Evidence Collection	✓ Real-time via plugin	✓ Via MCP tools
MCP Support	✓ Full MCP server	✓ MCP client
Plugin System	✓ TypeScript plugins	✗ No plugin API
Slash Commands	✓ Custom commands	✓ /commands
Memory Bank	✓ Cross-session	✓ CLAUDE.md + auto memory
CI/CD Integration	✓ Native + hooks	✓ Via GitHub Actions
Modes/Personas	✓ Named modes	◐ Prompt-based

OpenCode — Full Platform

Maximum Governance Coverage

Real-time enforcement via TypeScript plugins, MCP server integration, event-driven evidence capture, custom commands, and named modes.

Claude Code — Enhanced

Strong Governance Coverage

Governance via MCP tools, hooks, and agents. Covers all SDLC phases effectively with subagent orchestration and slash commands.

Enterprise

Multi-Tenant Architecture

Blaze isolates every tenant at every layer of the stack. No data leakage between customers is possible by design, not by policy.

5-Level Isolation Hierarchy

Platform Operator (K8s Cluster)
└── Organization A (Dedicated cluster OR namespace)
    ├── Tenant 1 (K8s namespace)
    │   ├── Project: payments-api (K8s namespace)
    │   │   ├── Dev: alice → ephemeral pod
    │   │   └── Dev: bob   → ephemeral pod
    │   └── Project: mobile-app
    └── Tenant 2
        └── Project: analytics

Shared Control Plane (Governance MCP)

Level	K8s Primitive	Isolation Type
Platform Operator	`Cluster`	Infrastructure ownership
Organization	`Cluster or ns`	Hard network/resource isolation
Tenant	`Namespace`	RBAC, network policies, resource quotas
Project	`Namespace`	Full namespace isolation
Developer	`Pod(s)`	Ephemeral; state stored externally

Schema-per-tenant PostgreSQL with RLS policies
Namespace-per-tenant Kubernetes workloads
Tenant-scoped S3 prefixes with IAM isolation
JWT claims carry tenant_id through all services
Audit logs are tenant-isolated and immutable

Tenant Onboarding Flow

Provision Org

Create organization record, allocate dedicated cluster or namespace, configure billing

Create Tenant Namespace

Generate tenant_id, allocate K8s namespace with RBAC, network policies, and resource quotas

Configure Project

Create project namespace, link to git repo, configure feature flags and agent set

Spin Up Dev Environment

Apply BlazeEnvironment CRD, run init containers, connect developer via web terminal or SSH

Activate Governance

Enable enforcement rules, configure compliance framework, begin evidence collection

Tenant Data Model

CREATE SCHEMA tenant_{id};
SET search_path = tenant_{id};

CREATE TABLE tenants (
  id          UUID PRIMARY KEY,
  slug        TEXT UNIQUE NOT NULL,
  plan        'starter'|'pro'|'enterprise',
  created_at  TIMESTAMPTZ,
  settings    JSONB
);

-- RLS enforced on all tables
ALTER TABLE evidence ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON evidence
  USING (tenant_id = current_setting('app.tenant_id')::UUID);

Enterprise

Solution Registry & Multi-Tenant Deployment

Blaze is a platform for building and deploying AI-powered solutions. Solutions like KM Flow and SLA are registered in the catalog, then deployed as fully isolated instances per organization and customer.

Solution Catalog

Registered solutions are versioned products that can be instantiated per customer engagement.

Solution	Description	Status
KM Flow	AI-powered knowledge management workflow	active
SLA	Software Lifecycle Automation	active

Instance Hierarchy

Platform (Blaze)
└── Organization: blazeco
    ├── Instance: sol-blazeco--kmflow--acme
    │   ├── Namespace: sol-blazeco--kmflow--acme
    │   ├── Subdomain: acme-kmflow.accelerator-demo.com
    │   ├── Solution: kmflow @ v1.1
    │   └── Infra: PostgreSQL, PV, Claude Code pods
    ├── Instance: sol-blazeco--kmflow--globex
    │   └── Subdomain: globex-kmflow.accelerator-demo.com
    └── Instance: sol-blazeco--sla--acme
        └── Subdomain: acme-sla.accelerator-demo.com

Deployment Flow

1. Register Solution

blaze-solution.sh register --name kmflow --repo /repos/kmflow

2. Deploy Instance

blaze-deploy.sh kmflow --org blazeco --customer acme --version v1.0

3. Provision Infrastructure

K8s namespace + RBAC + NetworkPolicy + ResourceQuota + Deployment with init container

4. Configure Access

Cloudflare subdomain + OTP auth scoped to org email domains

5. Manage Lifecycle

blaze-instance.sh upgrade | snapshot | teardown | rollback | cost

Per-Instance Isolation

Layer	Isolation
K8s Namespace	`sol-{org}--{solution}--{customer}`
Network	Default-deny + explicit allow (CF tunnel, governance, DNS)
RBAC	Org-scoped ServiceAccount + RoleBinding
Database	Dedicated PostgreSQL per instance
Storage	Dedicated PersistentVolume
Subdomain	`{customer}-{solution}.accelerator-demo.com`
AI Artifacts	Governed via Governance Service cascade
Cost	K8s labels for per-instance attribution

Cloud Platform

Managed Developer Environments

Blaze Cloud provides Kubernetes-hosted ephemeral developer environments with Claude Code and the full SDLC governance stack pre-installed. Developers connect via web terminal or SSH — no local setup required.

Init Container Pipeline

Every developer pod is assembled by a sequence of three init containers that run before the main Claude Code container starts.

init-config

Assembles .claude/ directory with feature-flag-filtered agents, rules, and skills for this project

init-repo

Clones the project repository with scoped credentials and configures git identity for the developer

init-state

Restores memory bank and CDD evidence from cloud storage (GCS/S3) so context is available from the first prompt

Control Plane Services

Platform API

REST API for Org, Tenant, Project, and User CRUD operations. Manages the full environment lifecycle: create, suspend, resume, and delete environments. All mutations are JWT-authenticated and tenant-scoped.

Config Sync

Push-based configuration update queue. When platform-level agent definitions change, Config Sync notifies running pods and triggers a reload. Emergency sentinel mechanism enables immediate policy enforcement across all active sessions.

State Manager

Handles save, restore, and cleanup of ephemeral container state. On pod termination, the state manager snapshots the memory bank and evidence directory to cloud storage. On pod start, it restores from the latest snapshot.

Environment Controller

Kubernetes operator that watches BlazeEnvironment custom resources and reconciles the desired state. Manages pod lifecycle, resource quotas, and CRD validation against the OpenAPI schema.

Access Gateway

Web Terminal

Browser-based terminal via ttyd exposed through Kubernetes ingress over WebSocket. No local client installation required. Works in any modern browser with full PTY support.

WebSocket tunnel through ingress controller
SSO-authenticated via tenant IdP (OAuth/SAML)
Session recording for compliance audit trail
Clipboard integration and custom font rendering

SSH Access

Native SSH access via a bastion proxy with SSO certificate authentication. Developers use their existing SSH client and their normal workflow tools against the governed environment.

SSO certificate authority issues short-lived certs
Bastion proxy enforces tenant isolation
Port forwarding enabled for local tool access
Audit log for every SSH session

Security Stack

Defense-in-depth across five security layers, from pod admission through runtime monitoring.

🛡️

Pod Security Standards

All developer pods run under the Restricted Pod Security Standard profile — the most locked-down Kubernetes security posture. No privilege escalation, read-only root filesystem, dropped all capabilities.

🔍

Falco Runtime Monitoring

7 custom Falco rules monitor for anomalous behavior inside developer pods: unexpected outbound connections, credential file access, shell spawning in unexpected contexts, and container escape attempts.

⚖️

OPA/Gatekeeper Admission Control

Open Policy Agent constraints validate every Kubernetes object at admission time. Three constraint sets: namespace labels (required org/tenant/project labels), pod constraints (no privileged, image registry allowlist), and secret constraints (Sealed Secrets only).

🔒

Network Policies & Sealed Secrets

Default-deny network policies with explicit allow rules for required egress (git, registry, LLM API). Secrets are managed as Sealed Secrets — encrypted with a cluster-specific key, safe to commit to git, decrypted only inside the cluster.

Observability Stack

Prometheus

6 scrape jobs covering the API server, environment controller, node exporter, Falco, and Claude Code metrics endpoints. Blaze label relabeling adds org, tenant, project, and user dimensions to every metric.

Grafana Dashboards

4 pre-built dashboards: Platform Overview (cluster health, pod counts, API latency), Session Activity (active sessions, token usage, costs), Compliance Score Trends, and Resource Utilization by tenant.

Loki Log Aggregation

Structured log collection from all containers via the Loki Kubernetes operator. Logs are indexed by org, tenant, project, and user labels enabling fast cross-tenant log queries without data leakage.

OpenTelemetry

Distributed traces, metrics, and logs with org/tenant/project/user resource attributes on every span. The OTel collector fans out to Prometheus (metrics), Loki (logs), and Jaeger (traces).

Alerting Rules

9 alerting rules covering: compliance score drop below threshold, security policy violations, API latency spikes, pod OOM events, Falco rule triggers, certificate expiry, and storage quota approaching 80%.

8-Phase Cloud Infrastructure Rollout

Phase 1

Base Container Image

Claude Code runtime base image
Blaze platform pre-installed
Non-root user, read-only filesystem
OCI-compliant image scanning

Phase 2

Init Container System

init-config: agent assembly
init-repo: repo cloning
init-state: state restoration
Parallel init with readiness gates

Phase 3

K8s Manifests

BlazeEnvironment CRD with OpenAPI validation
RBAC roles and bindings
Network policies (default deny)
Resource quotas per project

Phase 4

Access Gateway

ttyd web terminal deployment
SSH bastion proxy
SSO certificate authority
Ingress rules and TLS

Phase 5

Control Plane Services

Platform API (Go/FastAPI)
Config Sync service
State Manager
Environment Controller operator

Phase 6

Observability Stack

Prometheus + 6 scrape jobs
Grafana + 4 dashboards
Loki log aggregation
OTel collector pipeline

Phase 7

State Management

GCS/S3 snapshot integration
Save/restore lifecycle hooks
Evidence directory sync
Memory bank persistence

Phase 8

Security & Compliance

Falco with 7 custom rules
OPA/Gatekeeper constraints
Sealed Secrets integration
9 alerting rules activated

Trust & Safety

Security & Compliance

Enterprise-grade security architecture designed for SOC 2 Type II certification, with defense-in-depth across authentication, authorization, encryption, and audit.

🔐

Authentication & Identity

JWT-based authentication with short-lived tokens (15min access, 7-day refresh). Supports OIDC federation with enterprise IdPs (Okta, Azure AD, Google Workspace).

PKCE OAuth 2.0 flow
MFA enforcement per tenant policy
API key rotation with zero-downtime
Service account scoping

🛡️

Authorization & RBAC

Role-based access control with hierarchical permissions. Roles are tenant-scoped and cannot cross tenant boundaries even for platform administrators.

Owner / Admin / Developer / Viewer roles
Resource-level permissions (agent, evidence, report)
Attribute-based access for sensitive data
Audit log for all permission changes

🔒

Encryption

Data encrypted at rest with AES-256-GCM. Transit encryption via TLS 1.3 minimum. Customer-managed encryption key (CMEK) support for Enterprise tier.

PostgreSQL transparent data encryption
S3 SSE-S3 / SSE-KMS per bucket
Secrets managed via HashiCorp Vault
Key rotation on 90-day schedule

📊

Audit & Compliance

Immutable audit trail for every action across the platform. Audit records cannot be deleted or modified, satisfying SOC 2 CC7 and ISO 27001 A.12.4 controls.

SOC 2 Type II path (12-month audit window)
ISO 27001 control mapping available
GDPR data residency options (EU deployment)
PCI-DSS cardholder data exclusion by design

MCP Security Scanner

60+ regex patterns from 6 open-source scanners (Cisco YARA, AgentSeal, mcp-shield, Pipelock, AgentShield, guard-scanner) scan MCP tool descriptions for prompt injection, tool poisoning, credential harvesting, and data exfiltration.

9-layer deobfuscation (zero-width chars, base64, leetspeak, bidi controls, Unicode normalization)
17 prompt injection patterns (instruction override, role assignment, jailbreak commands)
Tool poisoning & shadowing detection (hidden actions, concealment directives)
Credential harvesting (API keys, JWTs, private keys, env var secrets)
Suspicious parameter name scanning (exfiltration channels, hidden instructions)

Context Budget Estimator

Token-level visibility into what Claude Code loads at session start. Estimates context window consumption from CLAUDE.md files, rules, skills, MCP schemas, and system overhead.

Classifies items as always-loaded vs deferred (ToolSearch)
Detects on-demand rules via paths: frontmatter analysis
MCP server token estimation (~3,100 tokens per unique server)
MEMORY.md truncation modeling (200 lines / 25KB cap)
System overhead constants calibrated to Claude Code v2.1.84

Data Layer

Data Architecture

A purpose-built polyglot persistence layer combining relational integrity, graph relationships, time-series analytics, and cost-tiered object storage.

PostgreSQL + Apache AGE

Primary data store with graph extension for relationship traversal. AGE enables Cypher queries over requirement→evidence→artifact graphs without a separate graph database.

Apache AGE graph extension
Cypher query support
Full ACID transactions
JSON/JSONB for flexible schemas

S3 Evidence Storage

Three-tier intelligent tiering for cost-optimized evidence retention. Evidence moves automatically based on age and access frequency.

Standard: 0-30 days ($0.023/GB)
Standard-IA: 31-90 days ($0.0125/GB)
Glacier: 90+ days ($0.004/GB)
Lifecycle policies automated per tenant

TimescaleDB Metrics

Time-series extension for agent performance metrics, compliance score trends, and cost analytics. Continuous aggregates for dashboard performance.

Hypertable auto-partitioning
Continuous aggregate views
Data retention policies
Grafana integration

Immutable S3 artifact with full chain of custody

Test-Driven Development

TDD ensures executable specifications precede implementation. Blaze's test-coverage-analyzer and playwright-e2e-tester capture test results as structured evidence linked to requirements.

Behavior-Driven Development

BDD scenarios written in Gherkin provide human-readable specifications that double as compliance evidence. Scenario outcomes are captured with screenshots and execution logs.

Compliance-Driven Development

CDD extends TDD/BDD with explicit control mapping. Every requirement is tagged to a control framework, and evidence collection is mandatory before phase transitions are permitted.

Evidence Lifecycle

Collection

Agents invoke mcp_evidence_capture with typed payloads. Evidence schema version is recorded for forward compatibility. All metadata (agent, phase, tenant, timestamp) is automatically attached.

Storage

Evidence written atomically to PostgreSQL (metadata + searchable fields) and S3 (full payload). Checksums verified on write. Intelligent tiering moves cold evidence to Glacier automatically.

Querying

Compliance managers can query evidence by requirement ID, control framework, date range, agent, or phase. Apache AGE enables graph traversal: "show all evidence linked to SOC2-CC6.1".

Reporting

The compliance-manager agent generates formatted audit packages: evidence index, control mapping matrix, coverage percentages, and gap analysis. Exportable as PDF or structured JSON.

Ergonomics

Developer Experience

Blaze is designed for zero-friction adoption. Developers interact with familiar tools while governance happens transparently in the background.

Zero-Infrastructure Onboarding

A single CLI command installs Blaze agents into any supported platform. No local servers, no Docker, no configuration files to maintain.

# Install Blaze into Claude Code
npx blaze-cli install --platform claude-code \
  --tenant-id $BLAZE_TENANT_ID \
  --api-key $BLAZE_API_KEY

# Install into OpenCode
npx blaze-cli install --platform opencode \
  --tenant-id $BLAZE_TENANT_ID

# Verify installation
npx blaze-cli status
✓ Agents: 78 installed
✓ MCP server: connected
✓ Evidence collection: active
✓ Governance: enforcing

Context-Triggered Agents

Agents activate automatically based on file context and SDLC phase. No manual invocation needed for routine governance checks.

Open a *.tf file → architecture-reviewer activates
Edit auth code → security-reviewer triggers automatically
Create PR → pr-orchestrator begins evidence collection
Phase gate reached → compliance-manager generates report
Dependency added → dependency-checker scans CVEs
Test processes pile up → process watchdog auto-kills runaways

Memory Bank

Cross-session institutional memory. Agents learn your codebase, team conventions, and past decisions. Context persists across sessions and is shared across the team.

Architectural patterns extracted and stored
Past ADRs available to all agents
Team conventions encoded from code review feedback
Cross-session context eliminates repetitive setup

⚡

Instant Setup

Under 5 minutes from install to first evidence captured

🔍

Transparent

See exactly what each agent checks and why in real-time

🧠

Context-Aware

Agents understand your codebase, not just generic rules

🛡️

Resource Protection

Watchdog prevents runaway AI subprocesses from consuming system resources

Integrations

Ecosystem Integration

Blaze connects to the tools your teams already use. No workflow changes required — governance wraps your existing process.

Project Management

🐙 GitHub Issues

📋 Jira Cloud

🔷 Azure DevOps

📐 Linear

CI/CD Pipelines

⚙️ GitHub Actions

🔷 Azure Pipelines

🦊 GitLab CI

🔄 CircleCI

Source Control

🐙 GitHub (App)

🦊 GitLab

🔷 Azure Repos

🗑️ Bitbucket

AI Coding Platforms

🟠 OpenCode (Full Platform)

🟢 Claude Code (Enhanced)

Security & Compliance

🐍 Snyk

🔍 OSV (Google)

🔐 HashiCorp Vault

☁️ AWS Security Hub

Observability

📊 Grafana

🔎 DataDog

📈 AWS CloudWatch

🔬 OpenTelemetry

MCP Protocol

Model Context Protocol is the integration backbone. Blaze exposes a governance MCP server that any MCP-compatible client can connect to, enabling tool discovery, invocation, and result streaming without custom integrations.

# blaze MCP server capabilities (tool manifest)
{
  "tools": [
    { "name": "evidence_capture",    "description": "Record structured evidence for compliance" },
    { "name": "create_finding",       "description": "Log a governance finding with severity" },
    { "name": "get_requirements",     "description": "Retrieve requirements for current phase" },
    { "name": "check_phase_gate",     "description": "Validate phase transition readiness" },
    { "name": "store_pattern",        "description": "Save reusable code pattern to memory bank" },
    { "name": "query_evidence",       "description": "Search evidence by requirement or control" }
  ]
}

Market Position

AI SDLC Compliance & Orchestration

Blaze operates in the emerging AI SDLC governance space — not AI coding assistants. The distinction matters: coding assistants generate code, Blaze governs the entire AI-assisted development lifecycle. Every tool below that writes code is a tool Blaze sits on top of.

$3.5B

AI Dev Tools Market (2025)

46%

CAGR — Agentic AI Market

82%

Enterprises Citing AI Governance as Top Priority

Direct Competitors

Platforms competing in AI SDLC governance and orchestration.

Direct competitive comparison across 7 enterprise dimensions — data as of March 2026
Platform	Funding	Governance	Multi-Agent	Evidence / Audit	Multi-Platform	SDLC Coverage	Compliance
Blaze	Startup	✓	✓ 78 agents (both platforms)	✓ Neo4j graph	✓ OpenCode + Claude Code	✓ Full 4-phase	✓ CDD + EU AI Act
Blitzy	$4.4M seed	● SOC 2 / ISO	✓ 3000+ agents	●	✗ Own platform	✓ Full lifecycle	✓ SOC 2 / ISO 27001
Factory	$70M raised	●	✓	●	✗ Own platform	●	✓ SOC 2 / ISO
GitLab Duo	Public	●	●	●	✗ GitLab only	✓ Full lifecycle	●
Qodo	Multi-agent	●	✓	✗	●	✗ Reviews only	✗

✓ Full support ● Partial ✗ None / minimal

Complementary Tools Blaze Governs

These AI coding tools generate code — Blaze adds the governance layer on top.

AI coding tools that Blaze governs — not competitors, but the ecosystem Blaze orchestrates
Tool	What It Does	Blaze Integration
GitHub Copilot	Code completion & PR assistance	Governs via MCP, evidence capture
Cognition (Devin)	Autonomous coding agent	Governance overlay planned
Amazon Q Developer	AWS code assistant	Evidence capture via MCP
Tabnine	Privacy-first completion	Compatible governance layer
Claude Code / OpenCode	Terminal AI assistants	Native support (both platforms)

Governance Across AI Coding Platforms

Blitzy, Factory, and GitLab Duo build governance into their own closed platforms. Qodo covers only code reviews. Blaze governs across OpenCode and Claude Code today, with a canonical artifact registry designed to extend to any future MCP-compatible agent — without requiring developers to switch tools.

Where Blaze Leads

📜

CDD Methodology

No competitor has a structured Compliance-Driven Development methodology with evidence gates at every SDLC phase.

🔁

Agent Transpilation

Canonical artifact registry publishes definitions across platforms — define once, auto-publish to OpenCode and Claude Code. All 78 agents plus commands, skills, and rules managed from single source of truth.

🔧

PM-Tool Agnostic

Enforces governance across Jira, Azure DevOps, GitHub Issues, and Linear. No vendor lock-in on project management.

🛰

Knowledge Graph

Neo4j evidence graph enables compliance queries across the entire development history — not just flat log files.

🔍

9+ Review Agents

Specialized depth across security, architecture, compliance, performance, dependencies, design, and code quality.

🤖

Multi-Model Consensus

Cross-model review (Claude + GPT-4 + Gemini) prevents single-LLM blind spots with configurable agreement thresholds.

Market Positioning

SDLC Coverage Breadth → Governance Depth →

Niche Tools Governed Platforms Point Solutions Broad but Ungoverned

Blaze

Blitzy

Factory

GitLab Duo

Qodo

Copilot

Devin

Amazon Q

Tabnine

Market Opportunity

Market Gaps & Revenue Priorities

The AI coding market is growing fast, but critical enterprise capabilities remain unaddressed. These gaps represent Blaze's strategic opportunity.

Capability Gaps in the Market

Enterprise capability gaps across the AI coding assistant market
Capability Gap	Market Maturity	Competitors Addressing	Blaze Status
TRiSM Framework Alignment	Nascent	0	Designed In
EU AI Act Compliance	Nascent	0	Evidence Ready
GRC Platform Integration	Non-existent	0	Roadmap
Agent Marketplace	Nascent	0	Roadmap
AI Developer Metrics	Early	1–2	In Progress
Self-Service Compliance Portal	Low	0	Roadmap

Table Stakes vs. True Differentiators

Table Stakes (Everyone Has These)

Code completion & inline suggestions
Chat-based coding assistance
IDE integration (VS Code, JetBrains)
Basic security scanning (SAST)
Context-aware code generation
Multi-language support

True Differentiators (Where Blaze Leads)

Dual-platform governance overlay (OpenCode + Claude Code)
Structured evidence capture at every phase
Multi-model consensus reviews
Compliance-Driven Development methodology
Agent publishing across platforms (canonical registry)
Knowledge graph for audit queries

Revenue Impact Priorities

Ordered by estimated enterprise demand and competitive moat potential.

Enterprise governance dashboard with board-level reporting and risk scoring
Compliance evidence automation with SOC 2 / ISO 27001 / EU AI Act control mapping
Multi-model orchestration with intelligent cost routing (already built)
GRC platform integration — ServiceNow GRC, OneTrust, Archer connectors
Developer productivity analytics — DORA + SPACE + AI-specific metrics
Agent marketplace for SDLC-specific agents with governance pre-certification

Adoption

Change Management & 90-Day Rollout

A phased adoption approach minimizes disruption while building organizational capability. Each phase has defined KPIs and success criteria before advancing.

Days 1-30 — Foundation

Install & Observe

Deploy Blaze in observation mode. No enforcement. Gather baseline metrics and identify high-value governance opportunities.

Install agents on pilot team (3-5 devs)
Configure platform connections (GitHub, Jira)
Run agents in report-only mode
Review first evidence dashboard
Identify top 5 governance gaps
Train team on CDD concepts

KPI: 100% agent coverage, baseline compliance score established

Days 31-60 — Integration

Enable & Enforce

Activate enforcement for security and quality agents. Integrate with PR workflow. Begin evidence collection for compliance reporting.

Enable blocking security-reviewer checks
Activate PR governance via pr-orchestrator
Link requirements to work items
First compliance report generated
Expand to 10-15 developers
Configure custom governance rules

KPI: Security findings down 40%, evidence coverage 60%+

Days 61-90 — Scale

Expand & Optimize

Full team rollout. Enable all SDLC phase governance. Optimize model routing for cost. Prepare first SOC 2 evidence package.

Roll out to entire engineering org
Enable all 78 agents across OpenCode and Claude Code
Tune model routing for cost optimization
Generate SOC 2 readiness report
Establish governance KPI dashboard
Plan agent customization roadmap

KPI: Compliance score 80%+, LLM costs reduced 60%

Adoption KPIs

↑ 40%

Security finding reduction
by Day 60

80%+

Compliance score
by Day 90

60%

LLM cost reduction
via routing

<5min

Developer onboarding
time target

Execution Plan

Migration Roadmap — 8 Weeks

A structured 8-week technical delivery plan covering all platform components. Weeks overlap to maintain momentum while managing dependencies.

Work Stream

Canonical Format

Security & Auth

MCP Server

Data Layer

Agent Artifacts

Presentation

Documentation

Weeks 1-2: Foundation

Canonical artifact registry implemented with publish-artifacts.sh pipeline. 174 artifacts (78 agents, 24 commands, 18 skills, 40 rules, 5 modes, 4 schemas, 3 plugins, 2 workflows) managed from single source of truth with zero-touch automation.

Weeks 2-5: Core Services

JWT auth, RBAC, MCP server with all tools, tenant provisioning API, PostgreSQL schema migrations with RLS.

Weeks 4-7: Data & Agents

Evidence pipeline, S3 tiering, TimescaleDB, all 78 agent artifacts deployed to target platforms, CLI tooling.

Week 8: Launch

Presentation layer, documentation, design partner onboarding, final security review, go-live checklist.

Cloud Infrastructure Phases

8-phase delivery plan for the Kubernetes-based managed developer environment platform. Each phase is independently deployable and testable.

Phase 1 — Container

Base Container Image

Claude Code + Blaze runtime base image
Non-root, read-only filesystem configuration
OCI-compliant image built in CI
Vulnerability scanning gate

Phase 2 — Init

Init Container System

init-config, init-repo, init-state containers
Feature-flag-based agent filtering
Credential injection via Sealed Secrets
Parallel init with readiness probes

Phase 3 — K8s

K8s Manifests

BlazeEnvironment CRD with OpenAPI schema
RBAC roles, bindings, service accounts
Default-deny network policies
Resource quotas and LimitRanges

Phase 4 — Access

Access Gateway

ttyd web terminal via ingress
SSH bastion proxy deployment
SSO certificate authority setup
OAuth/SAML tenant IdP integration

Phase 5 — Control Plane

Control Plane Services

Platform API for environment lifecycle
Config Sync push queue service
State Manager save/restore service
Environment Controller K8s operator

Phase 6 — Observability

Observability Stack

Prometheus with 6 scrape jobs
Grafana with 4 dashboards
Loki log aggregation
OTel collector + 9 alert rules

Phase 7 — State

State Management

GCS/S3 snapshot lifecycle
Memory bank persistence hooks
Evidence directory sync
Cross-session context restoration

Phase 8 — Security

Security & Compliance

Pod Security Standards (Restricted)
Falco with 7 custom runtime rules
OPA/Gatekeeper admission constraints
Sealed Secrets cluster integration

Risk Management

Risk Analysis

Identified risks are categorized by domain, assessed for likelihood and impact, and paired with concrete mitigations. Click any card to expand details.

Technical Risks

High MCP Protocol Instability

▼

MCP is a rapidly evolving protocol. Breaking changes in the spec could require significant rework of the governance server and client integrations.

Likelihood: Medium | Impact: High

Mitigation: Version-pin MCP dependencies. Maintain an abstraction layer between Blaze tools and MCP protocol calls. Monitor the MCP spec repo and allocate sprint capacity for protocol upgrades.

Medium PostgreSQL + AGE Performance at Scale

▼

Apache AGE graph queries over large evidence datasets may degrade as tenants accumulate months of data. Cypher query planning in AGE is less mature than dedicated graph databases.

Likelihood: Medium | Impact: Medium

Mitigation: Implement query result caching for compliance reports. Set evidence archival policies to keep hot data under 90 days in PostgreSQL. Add performance benchmarks to CI for evidence query regression detection.

Medium Platform API Changes (Claude Code / OpenCode)

▼

AI coding platforms are evolving rapidly. OpenCode or Claude Code may change their plugin/hook APIs in ways that break existing Blaze integrations.

Likelihood: High | Impact: Medium

Mitigation: Maintain integration tests against platform APIs. Subscribe to platform changelogs. The canonical registry abstraction limits blast radius — only the publisher transforms need updating, not the agents themselves.

Business Risks

High Slow Enterprise Adoption

▼

Enterprise procurement cycles are long (6-18 months). Security review, legal, and procurement gates can delay revenue even after a technical win. Developer tooling budgets may require executive sponsorship.

Likelihood: High | Impact: High

Mitigation: Design Partner Program bypasses procurement with POC-first structure. Focus initial sales on security/compliance buyers (not just developers) who have budget and urgency. PLG motion for dev-led bottoms-up adoption.

Medium Platform Consolidation Risk

▼

If OpenCode or Claude Code achieves dominant market share and builds native governance features, the multi-platform value proposition weakens. Anthropic could build a competitive governance layer natively.

Likelihood: Low | Impact: High

Mitigation: Differentiate on evidence/compliance depth (not just agent execution). Build network effects through shared agent patterns across the tenant community. Platform consolidation actually validates the market.

Security Risks

Critical Tenant Data Cross-Contamination

▼

A bug in RLS policies or tenant context propagation could expose one tenant's evidence data to another tenant's queries. This would be a catastrophic trust and legal violation.

Likelihood: Low | Impact: Critical

Mitigation: Defense-in-depth: schema isolation + RLS + application-layer tenant_id filtering. Automated isolation testing in CI that attempts cross-tenant queries and asserts zero results. Regular penetration testing of tenant boundaries.

High Prompt Injection via Agent Context

▼

Agents reading code files or PR descriptions could encounter adversarially crafted content designed to manipulate agent behavior or exfiltrate tenant context.

Likelihood: Medium | Impact: High

Mitigation: Treat all file content as untrusted. Use structured output schemas that reject free-form instruction-following. Sandbox agent tool access with explicit allow-lists. Log all tool invocations for post-hoc review.

Operational Risks

Medium LLM Cost Overruns

▼

Without usage caps, aggressive agent invocation (especially Opus-routed tasks) could generate LLM costs that exceed subscription revenue. Misconfigured routing could send all traffic to expensive models.

Likelihood: Medium | Impact: High

Mitigation: Per-tenant LLM budget limits with soft and hard caps. Real-time cost dashboards with alerting at 70% and 90% of budget. Routing configuration validation that rejects all-Opus configurations in lower tiers.

Low Evidence Storage Growth

▼

High-frequency evidence collection across many tenants generates substantial S3 storage. Without lifecycle management, storage costs could grow unboundedly. Large evidence payloads could also slow query performance.

Likelihood: Medium | Impact: Low

Mitigation: S3 Intelligent-Tiering is enabled by default. Evidence retention limits enforced per pricing tier. Payload size limits (1MB max per evidence record) enforced at ingestion. Monthly storage reports per tenant with projected growth.

Development Status

Project Stats & Health

Live metrics from the Blaze monorepo as of March 24, 2026. All figures are derived from git history, CI pipelines, and coverage reports.

64,775Lines of Code

1,510Tests Passing

99%Python Coverage

95%JS Coverage

78AI Agents

44PRs Merged

0Failing Tests

Codebase Composition

Source Files

Python (.py)	51
JavaScript (.js)	91
TypeScript (.ts)	31
HTML presentations	17
Markdown docs	538
YAML configs	74

Platform Components

AI agents	78
Hooks (JS + Shell)	21
Scripts (JS + Shell)	51
Instruction files	50
Rule files	33
Config files	24

Infrastructure

Cloudflare Workers	7
K8s manifest dirs	8
Terraform modules	EKS
Compliance frameworks	4
ADRs	4
BDD feature files	2

Test Coverage

Python Enforcement Engine 99%

369 tests across 6 modules. Merkle tree integrity, compliance scoring, prompt injection scanning, health score normalization, workflow validation, and industry-specific rule engine.

`compliance-monitor.py`	98%
`evidence-generator.py`	97%
`workflow-validator.py`	97%
`industry_rule_engine.py`	100%
`health-score.py`	99%
`prompt-injection-scanner.py`	99%

JavaScript Scripts & Hooks 95.4%

1,038 tests across 27 suites. Attestation verification, immutable storage, cost tracking, release notes, PR review gate, dashboard aggregation, checkbox orchestration, and PM tool integrations.

Statements	95.4%
Branches	86.2%
Functions	96.3%
Lines	96.3%
Test suites	27 / 27 pass
Skipped tests	31 (infra-dependent)

Development Timeline

Metric	Value
First commit	March 4, 2026
Latest commit	March 21, 2026
Development duration	17 days
Total commits	75
Pull requests merged	42
Commits per day (avg)	4.4
Lines of code (Py + JS + TS)	62,717
Total files in repo	802

Compliance & Security

Regulatory Frameworks

SOC2 GDPR HIPAA ISO 27001

4-dimensional compliance scoring: controls coverage, evidence freshness, severity-weighted effectiveness, and remediation speed. Merkle tree integrity validation with SHA-256 hash chains.

Security Features

MCP security scanner	60+ patterns
Deobfuscation layers	9 techniques
OTP auth workers	7 workers
Enforcement modules	6 modules
Context budget estimator	token visibility
Evidence types	4 types
Blaze Health Score	0-10 scale

AI Agent Hierarchy

Primary Agents

Tab-switchable orchestrators: sdlc and review. Entry points for all SDLC workflows.

Visible Agents

Invoked via @agent-name: critical-thinking, codebase-mapper, hypothesis-reasoning, and 7 more.

Hidden Agents

Internal agents called by orchestrators. Security reviewers, compliance managers, deployment specialists, and domain experts.

Release History

Changelog

Platform evolution from initial launch through current state. All changes ship to both OpenCode and Claude Code runtimes via automated agent sync.

Week 6 — Security Hardening & Tooling

March 28, 2026

Added

MCP Security Scanner — 60+ patterns from 6 open-source scanners with 9-layer deobfuscation (cherry-picked from claude-code-organizer)
Context Budget Estimator — token-level visibility into Claude Code context window consumption
/context-budget skill for on-demand budget analysis
ADR-004: Cherry-pick evaluation — rejected full integration of claude-code-organizer, extracted 2 capabilities
138 new tests (93 security scanner + 45 context budget) — 100% line coverage on scanner, 99% on budget

Changed

Security Features table updated: 6 patterns → 60+ MCP security patterns
Security section expanded with MCP Scanner and Context Budget cards
Comprehensive audit batches 10–18: auth codes, TLS, CORS, GDPR, seccomp, type assertions, nullish coalescing

Security

3-agent parallel evaluation of external packages before integration (security, architecture, dependency)
Zero new dependencies added — all extracted code is pure JavaScript with Node builtins only

Week 5 — Solution Registry & Governance

March 24, 2026

Added

Solution Registry — register, deploy, and manage Blaze-powered solutions as multi-tenant products #176
3 CLI scripts: blaze-solution.sh, blaze-deploy.sh, blaze-instance.sh (1,400+ lines) #176
5 K8s manifest templates for solution instance namespaces #176
Artifact Governance Service — FastAPI with 4-level cascade resolution, 15 API endpoints #173
Solution & Instance ORM models, Pydantic schemas, manifest validation #173
PRD v4.0 with Solution Registry user stories US-17–US-22 and BDD scenarios
103 new tests (76 Python + 27 JavaScript) #173, #176

Changed

PRD upgraded v3.0 → v4.0: Solution Registry as third platform pillar
Governance API router extended with solutions + instances endpoints

Fixed

Version string injection in CLI scripts #176
JSON injection via --description in solution update #176
Ambiguous FK on Scope.artifacts relationship #175

Week 4 — Infrastructure & Intelligence

March 22–24, 2026

Added

Browser-based Claude Code terminal on EKS with ttyd + reverse proxy #162
Ephemeral Claude Code containers with git persistence AB#127
IRSA-based CronJob for cost reports with rich email templates #161
Prompt-enhancer: 28 anti-patterns, 7 templates, per-model optimization (Claude/GPT-4o/o3/Gemini) #163
Automated agent sync between Claude Code and OpenCode runtimes
/specify command — pre-PRD requirement clarification with structured decomposition and Gherkin generation #177
ADR-003: spec-kit evaluation — skip tool, cherry-pick Phase 1 patterns #177

Changed

Prompt-enhancer agent upgraded from stub to full 4-phase pipeline (v1.0 → v2.0)
Master presentation: updated prompt-enhancer card, added changelog slide
SDLC orchestrator: wired acceptance-criteria-tester into Phase 1→2 gate for BDD enforcement #177
Phase 1 agent count: 6 → 7 (added acceptance-criteria-tester to portfolio) #177

Week 3 — Enterprise & Admin

March 20–21, 2026

Added

Blaze Admin UI — 5 admin views + data-driven cost report #133
Cascading config engine, onboarding wizard, platform settings UI AB#126
Production credentials management AB#128
Session Management API — 8 endpoints with OpenAPI 3.0 spec #102
Session recording pipeline + playback UI + CDD evidence #106
Per-session cost tracking and aggregate dashboard #105
Agent selection, activity monitoring, SDLC phase visibility #104
Terminal UI with xterm.js, multi-session tabs, sanitizer #103
Bi-directional ADO ↔ GitHub PR linking + state sync #125
K8s console auth Worker + read-only API proxy #87, #91
CF Workers standardization, cross-subdomain SSO #160
AWS cost optimization R3–R7: single NAT, log retention, off-hours scaling #157
EKS Terraform configs with IRSA and cost controls #98
Process concurrency guard and watchdog hook #134
ADR-001: Anthropic plugins — adopt LSPs + security hook #83
ADR-002: claude-kit — scanner, practices, health score #89

Changed

Sprint 2: Enterprise blockers — SSO config, wizard validation, filters #61
Sprint 3: Compliance hardening — 8-vertical coverage #62
Sprint 6: Commercial readiness #66
Web UI domain migration to accelerator-demo.com #146
Backlog completion: billing API, SOC2 prep, custom tools AB#37-39
99% Python + 95% JS test coverage #91
CLAUDE.md rewrite + PM tool migration to Azure DevOps #86

Fixed

P0 remediation: 9 CRITICAL audit findings #84
P1 remediation: 5 CRITICAL + HIGH security findings #85
EKS cluster security hardening — pentest remediation #88
PII removal from source code and config files #72
Pre-commit fail-closed with bypass detection #75
Agent registry paths and opencode.json defaults #76

Week 2 — Cloud Platform & Migration

March 16–19, 2026

Added

Blaze Cloud Platform — Managed K8s Developer Environments #54
SDLC technical deep-dive presentation #55
8090.ai competitive analysis and platform code audit #60
Agentic SDLC asset migration to Blaze platform #53
Remaining capabilities migration from legacy Helix #56

Changed

Complete migration from Helix platform to Blaze canonical form
Dual-runtime support: OpenCode + Claude Code

Week 1 — Platform Launch

March 4–10, 2026

Added

Initial Blaze agentic SDLC platform on OpenCode framework #41
Canonical artifact registry for dual-runtime agents
Gap analysis presentation with Cloudflare OTP deployment #41
Competitive landscape & market opportunity analysis #42
Agent modals, platform components, BPMN capabilities #43
Architecture visuals redesign with CLAUDE.md #45
12-agent comprehensive code audit command
ADO manager with PRD-driven agent
Git hooks via .githooks with pre-push protection #44, #52

Changed

Migrated from legacy Helix naming to Blaze
OpenCode config hardened for production loading
All legacy Claude Code references removed

Fixed

OpenCode plugin crash from blaze-registry path #46
Plugin audit findings — extract, harden, test #49
Agent frontmatter mode: subagent restoration

Dual-Runtime Sync: All agent changes are automatically validated across OpenCode (.opencode/agents/) and Claude Code (.claude/agents/) via pre-commit hook. Canonical source is .opencode/agents/ — Claude Code agents are auto-synced on every commit.

Get Started

Design Partner Program

We are accepting a limited cohort of design partners to co-build Blaze into the governance platform their teams need. Design partners get early access, influence over the roadmap, and preferential pricing in exchange for structured feedback.

What Design Partners Get

Full Professional tier access at no cost during POC
Direct access to engineering team (weekly syncs)
Priority feature development based on your needs
Locked-in pricing at 50% of launch price
Co-authorship credit on case study
Early access to Enterprise features
Custom agent development (2 agents included)

Cohort Size: Limited to 5 design partners in the first cohort. Applications reviewed on a rolling basis.

How to Get Started

Schedule a 30-minute technical discovery call to assess fit and platform requirements
Receive a customized Blaze POC environment configured for your stack and compliance framework
Run a 2-week governed sprint with your team using Blaze agents alongside your existing AI tools
Review evidence dashboard, compliance score, and cost impact with our team
Sign design partner agreement and begin full integration with roadmap influence rights

📧

Email

design-partners@accelerator-demo.com

🐙

GitHub

github.com/accelerator-demo/blaze

🌐

Platform

sla.accelerator-demo.com

Blaze: Write agents once. Govern everywhere. Prove compliance automatically.

Multi-tenant · Dual-platform · Evidence-driven · Built for enterprise

Blaze: Multi-TenantAgentic SDLC Platform

Why Teams Need Governed AI Development

Ungoverned AI Coding

No Evidence Trail

Platform Lock-In

Manual Governance Doesn't Scale

Platform Vision

Key Differentiators

Dual-Platform

Evidence-First

Multi-Tenant Isolation

78 Specialized Agents

CDD Framework

Cost-Optimized Routing

Developer Journey — From Terminal to Compliance

What Changes With Blaze

Architecture Overview

API Gateway

MCP Protocol

Event Sourcing

Cloud Platform Architecture

Ephemeral Dev Environments

State Persistence

BlazeEnvironment CRD

Canonical Artifact Registry

Canonical Format (Markdown + YAML Frontmatter)

Transformation Rules

Publisher Flow

Zero-Touch Automation

Agent Portfolio — 78 Agents

Platform Components

BPMN Capabilities

Compatibility Validation

External Task Pattern

DMN Decision Tables

Error Detection

Zeebe-Native Validation

Cloud Connector Support

Job Worker Patterns

Operate & Tasklist Integration

1 Task Dimensions

2 Pool & Lane Sizing

3 Escalation Pattern

4 Text Annotations

5 Convergence Gateway

6 Multiple BPMNDiagram Support

7 Parallel Agent Orchestration

8 Camunda Modeler Metadata

9 Layout Rules

10 Validation Tooling

Platform Support Matrix

Maximum Governance Coverage

Strong Governance Coverage

Multi-Tenant Architecture

5-Level Isolation Hierarchy

Tenant Onboarding Flow

Provision Org

Create Tenant Namespace

Configure Project

Spin Up Dev Environment

Activate Governance

Tenant Data Model

Solution Registry & Multi-Tenant Deployment

Solution Catalog

Instance Hierarchy

Deployment Flow

1. Register Solution

2. Deploy Instance

3. Provision Infrastructure

4. Configure Access

5. Manage Lifecycle

Per-Instance Isolation

Managed Developer Environments

Init Container Pipeline

init-config

init-repo

init-state

Control Plane Services

Platform API

Config Sync

Blaze: Multi-Tenant
Agentic SDLC Platform