Cross-border payments operator → Archiet Traceability Audit
Analysis date: 2026-05-30
Industry: fintech
Stack: nestjs
Compliance regimes: pci-dss, soc2
Integrations supplied: Stripe, Paystack, Flutterwave, Plaid, Twilio
Notes: LATAM + Africa corridors; requires PAN tokenisation + SCCs to non-adequate regions; SOC2 Type II readiness.
Executive summary
Headline finding. Archiet can generate 94.12% of Cross-border payments operator's in-scope architecture directly — assessed across 17 concerns against pci-dss and soc2, with 0 gap(s) requiring custom work and one concern graded partial. On the evidence below this is a strong fit. We recommend the customer adopt Archiet as the primary code-generation platform and track the single partial item (white-label / agency tier) against the enterprise-lane plan rather than building around it. A current-state support matrix, graded per concern, and a phased 30/60/90-day adoption roadmap follow.
Coverage at a glance: 94.12% can-generate, 5.88% partial, 0.0% cannot-generate, 0.0% requires-custom. Each row below is graded against the four-level Sceptre rubric:
- ✅ CAN GENERATE — Feature ships in Archiet today.
- ⚠️ PARTIAL — Some aspects ship; some require custom work.
- ❌ CANNOT GENERATE — Not currently available in Archiet.
- 🔧 REQUIRES CUSTOM — Needs custom templates or manual implementation.
Customer-supplied components
The customer named the following components / capabilities. The support matrix below grades Archiet's coverage concern by concern: multi-rail payment orchestration, the PCI cardholder data environment and the SOC2 audit evidence pipeline map onto rows in the matrix, while the FX + settlement ledger and KYC/KYB document review have no dedicated row and are therefore not graded in this report.
- Multi-rail payment orchestration
- FX + settlement ledger
- KYC/KYB document review
- PCI cardholder data environment
- SOC2 audit evidence pipeline
Architecture Principles
| Concern | Archiet support | Evidence |
|---|---|---|
| API-first + DDD service boundaries | ✅ CAN GENERATE | DDD patterns (entity, aggregate_root, value_object, domain_event, repository, query) implemented across all 12 stacks via stack renderers + multi-stack DDD templates. |
| OpenAPI-authoritative contract | ✅ CAN GENERATE | OpenAPI 3.1 spec is authoritative; routes generated from it; Pydantic / dataclass schemas track the spec. |
| Security by default | ✅ CAN GENERATE | JWT auth via httpOnly cookies, RBAC, encryption-at-rest config, audit trail capability when enabled. G01 OAuth provider chain (Google / GitHub / SAML / Okta / Azure AD / custom OIDC) ships per build. |
| ArchiMate motivation traceability | ✅ CAN GENERATE | ArchiMate motivation elements (Goal/Outcome/Requirement/Constraint/Principle) drive the genome. Each principle becomes ≥ 1 acceptance criterion. |
Multi-Tenancy + Auth
| Concern | Archiet support | Evidence |
|---|---|---|
| Workspace-scoped multi-tenancy + RLS | ✅ CAN GENERATE | Workspace-scoped models with workspace_id everywhere; RLS policies via the rls_policy_generator; Query.all() linter blocks unscoped queries. |
| Universal OAuth + SSO chain | ✅ CAN GENERATE | G01 OAuth provider chain (Google / GitHub / SAML / Okta / Azure AD / custom OIDC) ships per build; sessions are issued as JWTs in httpOnly cookies with RBAC, as in the Security by default row above. |
Audit + Observability
| Concern | Archiet support | Evidence |
|---|---|---|
| Tamper-evident audit log | ✅ CAN GENERATE | G05 audit_log_reader generator emits append-only, hash-chained audit_events with /api/audit/events + /api/audit/verify routes; Postgres trigger blocks UPDATE/DELETE; SIEM exporters for Splunk / Datadog / CloudWatch. |
| Structured logs + APM integrations | ✅ CAN GENERATE | Templates for Datadog, New Relic, Sentry, Honeycomb. Structured logging (JSON + request_id correlation) baked into every stack. |
| Acceptance-criteria quality gate | ✅ CAN GENERATE | Acceptance-criteria runner (static + dynamic tier) measures behavioural correctness; nightly benchmark publishes pass-rates per (solution × stack) at /benchmark; > 5pp regression alarms via the nightly task. |
Compliance Overlays
| Concern | Archiet support | Evidence |
|---|---|---|
| PCI-DSS v4.0 package | ✅ CAN GENERATE | C02 PCI-DSS v4.0 overlay emits compliance/pci_dss/{cardholder_data_scope.md, control_matrix.md, network_segmentation.tf, tokenization_enforcement_test.py, vulnerability_scan_config.yaml, incident_response_runbook.md} + cdh_field_registry + pan_redaction. |
| SOC2 TSC + policy set | ✅ CAN GENERATE | C03 SOC2 overlay emits compliance/soc2/{control_matrix_type1.md, control_matrix_type2.md, policy_information_security.md, policy_acceptable_use.md, policy_change_management.md, policy_incident_response.md, access_review_runbook.md, vendor_management_register.md, evidence_collection_calendar.md} + access_review_queries. |
Capabilities
| Concern | Archiet support | Evidence |
|---|---|---|
| Payments orchestration | ✅ CAN GENERATE | G02 payment_orchestration generator: Stripe / Paystack / Flutterwave / Paddle / iDEAL / ACH adapters; SCA / 3DS handling; webhook idempotency; subscription lifecycle (start / pause / cancel / dunning); per-tenant credentials via IntegrationCredential. |
| Saga / outbox / compensating tx | ✅ CAN GENERATE | G07 saga + outbox + compensating-transactions generator emits the long-running cross-service workflow scaffold with tracked saga state, outbox pattern for at-least-once event publication, and compensating actions for failed steps. |
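The payments orchestration row above lists webhook idempotency among the generated behaviours. The TypeScript below is an added example written for this report, not the G02 generator's code: it shows the two checks a webhook endpoint must do before touching the ledger, verifying a timestamped HMAC signature over the raw body, then processing each event id at most once so a provider's at-least-once redelivery cannot credit a charge twice. The header format (`t=<unix>,v1=<hex>`, HMAC-SHA256 over `${t}.${rawBody}`), the secret and the event bodies are constructed assumptions; check the specific provider's documentation for its exact scheme.

```typescript
// Added example (not Archiet's G02 generator): verifying a signed webhook and
// processing it at most once. The signature scheme is an assumption modelled on
// the common timestamped-HMAC pattern; confirm the real provider's format.
import { createHmac, timingSafeEqual } from "node:crypto";

export const TOLERANCE_SECONDS = 300;   // reject replays whose timestamp is older than 5 minutes

export interface WebhookEvent { id: string; type: string; data: Record<string, unknown>; }
export type Outcome = "processed" | "duplicate" | "bad_signature" | "rejected";

// Provider side (used here only to build test inputs): sign `${ts}.${rawBody}`.
export function sign(rawBody: string, secret: string, ts: number): string {
  const mac = createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest("hex");
  return `t=${ts},v1=${mac}`;
}

// Receiver side: parse the header, enforce the timestamp window, recompute the
// MAC over the *raw* body (never a re-serialised object) and compare in constant time.
export function verifySignature(rawBody: string, header: string, secret: string, now: number): boolean {
  const parts = Object.fromEntries(header.split(",").map(p => p.split("=", 2) as [string, string]));
  const ts = Number(parts["t"]);
  const sig = parts["v1"];
  if (!Number.isFinite(ts) || !sig) return false;
  if (Math.abs(now - ts) > TOLERANCE_SECONDS) return false;
  const expected = createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest("hex");
  const a = Buffer.from(expected, "hex");
  const b = Buffer.from(sig, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

export class WebhookReceiver {
  // In-memory dedupe keyed by provider event id. In production this is a row
  // with a UNIQUE constraint on (provider, event_id) written in the same
  // transaction as the ledger effect, so two workers cannot both win.
  private readonly seen = new Map<string, "processing" | "done">();

  constructor(private readonly secret: string,
              private readonly handler: (evt: WebhookEvent) => void) {}

  receive(rawBody: string, sigHeader: string, now: number): Outcome {
    if (!verifySignature(rawBody, sigHeader, this.secret, now)) return "bad_signature";
    let evt: WebhookEvent;
    try { evt = JSON.parse(rawBody) as WebhookEvent; } catch { return "rejected"; }
    if (typeof evt.id !== "string" || evt.id === "") return "rejected";
    if (this.seen.has(evt.id)) return "duplicate";          // redelivery of an id already handled
    this.seen.set(evt.id, "processing");
    try {
      this.handler(evt);
    } catch (err) {
      this.seen.delete(evt.id);                             // let the provider retry a failed attempt
      throw err;
    }
    this.seen.set(evt.id, "done");
    return "processed";
  }
}

// Demo on constructed deliveries: first delivery is processed, the provider's
// retry is deduplicated, an altered body and a stale timestamp both fail.
export function demo() {
  const secret = "whsec_constructed_example";
  const credited: string[] = [];
  const rx = new WebhookReceiver(secret, evt => credited.push(evt.id));
  const body = JSON.stringify({ id: "evt_001", type: "charge.succeeded", data: { amount: 5000 } });
  const now = 1_780_000_000;

  const first  = rx.receive(body, sign(body, secret, now), now);
  const replay = rx.receive(body, sign(body, secret, now), now + 3);                    // provider retry
  const forged = rx.receive(body.replace("5000", "9000"), sign(body, secret, now), now); // body altered in transit
  const stale  = rx.receive(body, sign(body, secret, now - 3600), now);                 // old capture replayed
  return { first, replay, forged, stale, credited };
}
```

Order matters: the signature is checked before the body is parsed or the id is looked up, so unauthenticated traffic never reaches the dedupe store or the handler, and the timestamp window bounds how long a captured valid request stays replayable.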
Integrations
| Concern | Archiet support | Evidence |
|---|---|---|
| Third-party vendor adapters | ✅ CAN GENERATE | Integration templates ship for: Stripe, Paystack, Flutterwave, Plaid, Twilio. Each has a vendor adapter with auth model, retry/backoff, circuit breaker; per-tenant credentials via IntegrationCredential.config_json. |
Stack + Delivery
| Concern | Archiet support | Evidence |
|---|---|---|
| Production stack support | ✅ CAN GENERATE | Stack nestjs is one of the 12 production-tier stacks. DDD templates, capability injection, and compliance overlays all wire into this stack. |
| CI/CD + IaC | ✅ CAN GENERATE | .github/workflows/deploy.yml + Docker + docker-compose. Terraform / Kubernetes manifests / Helm charts available where the stack supports them. Wiring guard + contamination detector + secrets-scan run in CI. |
| White-label / agency tier | ⚠️ PARTIAL | Generated apps support per-workspace branding (logo, colors, typography); white-label API for consultancies to ship under their own brand is in-flight per the enterprise-lane plan (M04). |
Recommendation
Archiet covers 94.12% of the in-scope architecture concerns directly. The customer can adopt Archiet as the primary codegen platform; the single remaining concern (white-label / agency tier, 5.88%) is partial and degrades cleanly: per-workspace branding ships today and the white-label API is in-flight under the enterprise-lane plan (M04). Two items from the customer notes sit outside what this audit grades: the FX + settlement ledger and KYC/KYB document review have no matrix row, and the SCC requirement for transfers to non-adequate regions is not addressed by the PCI-DSS and SOC2 overlays assessed here. Both should be scoped explicitly before sign-off.
Recommended adoption roadmap (30 / 60 / 90 days)
- Now (week 1): Generate the covered surface — adopt the 94.12% Archiet produces directly and stand up the running application as the integration baseline.
- Next (30–60 days): Implement the customer-supplied components this audit does not grade (FX + settlement ledger, KYC/KYB document review) as custom modules against the generated contracts; prioritize auth, multi-tenancy, and any compliance-driven controls first.
- Later (60–90 days): Close the white-label / agency-tier partial as M04 lands, automate evidence collection in CI, and re-run this audit to track gap closure quarter over quarter.
Audit produced by the Archiet customer audit factory. The same factory is available to the customer's procurement team — the report you're reading was generated deterministically from the customer profile above and can be regenerated against any future Archiet release to track gap closure.