# RE Workflow Management System - Technical Stack Conflicts & Clarifications

**Date:** October 17, 2025
**Purpose:** Resolve contradictions between documents and finalize technical approach

---

## 🚨 CRITICAL: Technology Stack Conflicts

### **Conflict #1: Frontend Framework**

| Document | Frontend Technology |
|----------|-------------------|
| **Streamlined Approvals SRS** (streamlined_approvals.md) | React.js |
| **BPM Platform Proposal** (Royal Enfield Proposal 1.06) | Next.js |

**❓ Question to Resolve:**
- Which frontend framework should be used?
  - **React.js** (Library, client-side rendering by default)
  - **Next.js** (React framework with SSR/SSG capabilities)

**Recommendation:** Next.js is better for:
- SEO optimization
- Server-side rendering for better performance
- Built-in routing
- Better initial load time
- Modern approach for enterprise applications

**✅ Decision Required:** [ ] React.js OR [ ] Next.js

---

### **Conflict #2: Database**

| Document | Database |
|----------|----------|
| **Streamlined Approvals SRS** | PostgreSQL (PGSQL) |
| **BPM Platform Proposal** | MongoDB |

**❓ Question to Resolve:**
- Which database should be the primary data store?


**Comparison:**

| Feature | PostgreSQL | MongoDB |
|---------|-----------|---------|
| Type | Relational (SQL) | Document (NoSQL) |
| Data Structure | Tables, rows, columns | Collections, documents (JSON) |
| Schema | Fixed schema | Flexible schema |
| ACID Compliance | ✅ Strong | ⚠️ Eventual consistency |
| Best For | Structured data, complex queries, transactions | Flexible/evolving schema, rapid development |
| Approval Workflows | ✅ Better for hierarchy & status tracking | ⚠️ Requires careful design |
| Document Storage | ⚠️ Use separate storage (GCS) | ✅ Can store inline (up to 16MB) |

**Recommendation for Workflow System:** PostgreSQL
- Approval workflows need strong ACID compliance
- Complex multi-level approval hierarchy
- TAT tracking and audit trail require relational integrity
- User roles and permissions are structured data

**✅ Decision Required:** [ ] PostgreSQL OR [ ] MongoDB

---

### **Conflict #3: BPM Platform vs Custom Development**

**BPM Platform Proposal mentions:**
- Camunda Zeebe (Open Source) OR
- Newgen (SaaS)

**Streamlined Approvals SRS does NOT mention any BPM platform**

**❓ Question to Resolve:**
Should we use a BPM (Business Process Management) platform or build custom?


**Option A: BPM Platform (Camunda/Newgen)**

**Pros:**
- ✅ Built-in workflow engine
- ✅ Visual workflow designer (BPMN)
- ✅ Out-of-the-box features: task assignment, escalation, notifications
- ✅ Easier to modify workflows without code changes
- ✅ Audit trails and monitoring built-in

**Cons:**
- ❌ Learning curve for team
- ❌ Additional licensing cost (Newgen SaaS)
- ❌ Dependency on third-party platform
- ❌ May be overkill for non-templatized workflows
- ❌ Limited UI customization

**Option B: Custom Development (React/Next.js + Node.js + PostgreSQL)**

**Pros:**
- ✅ Full control over UI/UX (Figma designs can be followed exactly)
- ✅ No licensing costs
- ✅ Flexible for non-templatized workflows
- ✅ Better integration with RE SSO and AD

**Cons:**
- ❌ More development time
- ❌ Need to build workflow engine from scratch
- ❌ Maintenance overhead

**Recommendation for Non-Templatized System:** Custom Development
- The SRS clearly states "Non-Templatized" workflows
- Dynamic approval levels (up to 10)
- Highly customized UI requirements (Figma)
- BPM platforms are better for repetitive, templatized processes

**✅ Decision Required:** [ ] BPM Platform (Camunda/Newgen) OR [ ] Custom Development

---

## 📊 Proposed Unified Technology Stack

Based on both documents and best practices, here's the recommended stack:

### **Frontend**

```
Framework:        Next.js 14+ (with App Router)
UI Library:       React 18+
State Management: Redux Toolkit or Zustand
Styling:          Tailwind CSS + Shadcn UI (component library)
Forms:            React Hook Form + Zod (validation)
HTTP Client:      Axios or Fetch API
Rich Text:        Tiptap or Quill (for description/comments)
File Upload:      React Dropzone
Date/Time:        Day.js or date-fns
Notifications:    React Hot Toast or Sonner
```

### **Backend**

```
Runtime:          Node.js 20 LTS
Framework:        Express.js or Fastify
Language:         TypeScript (strongly recommended)
API Style:        RESTful APIs
Authentication:   JWT (JSON Web Tokens)
Validation:       Joi or Zod
ORM:              Prisma or TypeORM (for PostgreSQL)
File Storage:     Google Cloud Storage (GCS)
Email Service:    Nodemailer + SMTP or SendGrid
Scheduler:        Node-cron or Bull Queue (for TAT reminders)
Logging:          Winston or Pino
```

### **Database**

```
Primary DB:       PostgreSQL 15+ (Managed instance on GCP)
Caching:          Redis (optional, for session management)
```

### **Infrastructure**

```
Cloud:            Google Cloud Platform (GCP)
Compute:          VM (Ubuntu 24.04 LTS) - 4 Core, 16GB RAM, 500GB
                  OR
Alternative:      Cloud Run / App Engine (for auto-scaling)
Storage:          Google Cloud Storage (GCS)
SSL:              Let's Encrypt or GCP Managed Certificate
Web Server:       Nginx (reverse proxy)
Process Manager:  PM2 (for Node.js)
```

### **DevOps & CI/CD**

```
Repository:       GitHub / GitLab
CI/CD:            GitHub Actions or GitLab CI
Containerization: Docker (optional)
Monitoring:       Google Cloud Monitoring + Sentry (error tracking)
Logging:          Google Cloud Logging
```

### **AI Integration**

```
For Conclusion Remarks:
- OpenAI GPT-4 API (recommended)
- OR Azure OpenAI Service (for data residency)
- OR Google Gemini API
```

### **Testing**

```
Unit Testing:     Jest + React Testing Library
E2E Testing:      Playwright or Cypress
API Testing:      Supertest
Load Testing:     k6 or Artillery (basic)
```

---

## 🔐 Authentication & Authorization Flow (From Proposal)

### **SSO Integration Approach**

```
┌─────────────┐
│    User     │
└──────┬──────┘
       │
       │ 1. Access Application
       ▼
┌─────────────────────────────┐
│   RE Workflow Portal        │
│   (Next.js Frontend)        │
└──────┬──────────────────────┘
       │
       │ 2. Redirect to SSO
       ▼
┌─────────────────────────────┐
│   RE SSO Bridge             │
│   (Active Directory)        │
└──────┬──────────────────────┘
       │
       │ 3. Return JWT Token
       ▼
┌─────────────────────────────┐
│   Backend API               │
│   (Node.js + Express)       │
│                             │
│   - Validate JWT            │
│   - Fetch user from AD      │
│   - Create session          │
│   - Return user profile     │
└─────────────────────────────┘
```

**Implementation Steps:**
1. User clicks "Login" → Redirects to RE SSO endpoint
2. SSO authenticates against Active Directory
3. SSO returns JWT token with user claims
4. Frontend stores JWT in httpOnly cookie (secure)
5. Every API call includes JWT in Authorization header
6. Backend validates JWT signature
7. Backend fetches additional user info from AD if needed
8. Session expires based on RE IT policy

---

## 📧 Email Notification System (From Proposal)

### **Email Templates Required:**

From the proposal, these email notifications are needed:

1. **Acknowledgement Email** - After request submission
2. **Approval Assignment Email** - When request reaches an approver
3. **TAT Reminder Email** - At 50%, 80%, 100% TAT usage
4. **Approval/Rejection Notification** - To initiator
5. **@Mention Notification** - When tagged in Work Notes
6. **Request Closure Email** - After final approval
7. **Spectator Added Email** - When added to request

**SMTP Configuration Required:**

```javascript
{
  host: "smtp.royalenfield.com",
  port: 587, // or 465 for SSL
  secure: false, // true for 465
  auth: {
    user: "workflow-noreply@royalenfield.com",
    pass: "***********"
  }
}
```

**❓ Questions:**
- [ ] Is SMTP server already available?
- [ ] Should we use internal SMTP or third-party (SendGrid/AWS SES)?
- [ ] What is daily email sending limit?
- [ ] Who designs HTML email templates?
- [ ] Sender email address: `workflow-noreply@royalenfield.com`?

---

## 🔗 System Integrations

### **Mentioned in Proposal (For Other Projects):**

1. **SAP Integration** - For budgeting and invoicing (Claim Management)
2. **DMS (Document Management System)** - For document storage
3. **Active Directory (AD)** - For user search and @tagging

### **For Streamlined Approvals Project:**

**Required Integrations:**
1. ✅ **RE SSO Bridge** - Authentication (CRITICAL)
2. ✅ **Active Directory (AD)** - User search for @tagging (CRITICAL)
3. ⚠️ **Email Service** - SMTP for notifications (HIGH PRIORITY)
4. ⚠️ **AI Service (OpenAI/Azure)** - Conclusion remarks (MEDIUM PRIORITY)

**NOT Required (For Now):**
- ❌ SAP Integration (not in streamlined approvals scope)
- ❌ DMS Integration (we'll use GCS for document storage)

---

## 📋 Updated Pre-Development Questions

### **1. Technology Stack Finalization**

- [ ] **Q1:** Confirm frontend framework: React.js or Next.js?
  - **Proposal says:** Next.js
  - **SRS says:** React.js
  - **Recommendation:** Next.js

- [ ] **Q2:** Confirm database: PostgreSQL or MongoDB?
  - **Proposal says:** MongoDB
  - **SRS says:** PostgreSQL
  - **Recommendation:** PostgreSQL (better for workflow systems)

- [ ] **Q3:** BPM Platform or Custom Development?
  - **Proposal mentions:** Camunda Zeebe / Newgen
  - **SRS implies:** Custom (no mention of BPM)
  - **Recommendation:** Custom (for non-templatized workflows)

- [ ] **Q4:** Should we use TypeScript or JavaScript?
  - **Recommendation:** TypeScript (better for large projects)

---

### **2. Email Service Confirmation**

- [ ] **Q5:** Email notifications are confirmed, right?
  - SRS says "optional email integration"
  - Proposal shows multiple email templates
  - **Need confirmation:** Is email required or optional?

- [ ] **Q6:** If email is required:
  - SMTP host, port, credentials?
  - Sender email address?
  - Daily sending limits?
  - Email template designs (HTML)?

---

### **3. Active Directory Integration**

From the proposal, AD integration is mentioned multiple times.

- [ ] **Q7:** How to access AD for user search/@tagging?
  - LDAP connection?
  - Microsoft Graph API?
  - Custom REST API built by RE IT?

- [ ] **Q8:** What AD attributes are available?
  - Name, Email, Employee ID, Department, Designation, Manager?
  - Sample AD user object structure needed

- [ ] **Q9:** Service account credentials for AD queries?

---

### **4. SSO Integration Details**

From proposal: "Design a secure login page, which allow user to redirect to AD, System user login through AD"

- [ ] **Q10:** SSO endpoint URL and protocol?
  - OAuth 2.0 / SAML / Custom?
- [ ] **Q11:** Test SSO credentials for development?
  - Need 10-15 test users with different roles

- [ ] **Q12:** What user claims are returned in JWT token?
  - Example token payload needed

---

### **5. File Storage & Document Management**

SRS mentions: Max 10MB per file, supports PDF, Word, Excel, PPT, images

- [ ] **Q13:** Use Google Cloud Storage (GCS) for file uploads?
  - GCS bucket name?
  - Access credentials (Service Account JSON)?
  - Bucket configuration (public/private)?

- [ ] **Q14:** Total storage limit per request?
  - Individual file: 10MB
  - Total per request: 100MB? 500MB?

- [ ] **Q15:** File retention policy?
  - How long should documents be kept after request closure?

---

### **6. AI Service for Conclusion Remarks**

SRS mentions: "AI-generated conclusion remarks"

- [ ] **Q16:** Which AI service?
  - OpenAI GPT-4?
  - Azure OpenAI Service?
  - Google Gemini?
  - Self-hosted LLM?

- [ ] **Q17:** API credentials for AI service?

- [ ] **Q18:** Data privacy clearance?
  - Can request data be sent to external AI service?
  - Does it contain PII or sensitive information?

- [ ] **Q19:** Fallback if AI fails?
  - Manual remark entry by initiator?

---

### **7. Infrastructure Setup**

From SRS: 1 VM, 4-Core, 16GB RAM, 500GB, Ubuntu 24.04 LTS

- [ ] **Q20:** Is this VM already provisioned?
  - VM IP address / hostname?
  - SSH access credentials?

- [ ] **Q21:** Domain name for application?
  - Example: `workflow.royalenfield.com`
  - DNS configuration status?

- [ ] **Q22:** SSL certificate?
  - RE-provided certificate?
  - Or use Let's Encrypt?

- [ ] **Q23:** Should we use VM or serverless?
  - **Current spec:** 1 VM
  - **Alternative:** GCP Cloud Run (auto-scaling, pay-per-use)
  - **Recommendation:** Start with VM, move to Cloud Run if needed

---

### **8. Role-Based Access Control**

From proposal, multiple roles are mentioned (for other projects):
- Admin, DD Lead, IT Team, ZM DD, RBM, ZBH, NBH, etc.


For Streamlined Approvals:
- Initiator, Approver, Final Approver, Spectator, Admin

- [ ] **Q24:** Role list for Streamlined Approvals?
  - Is there an Admin role with super privileges?
  - What can Admin do that others cannot?

- [ ] **Q25:** User role assignment?
  - Managed in AD or in our application?
  - Can users have multiple roles?

---

### **9. Performance & Load Requirements**

SRS mentions: "Average response time < 3 seconds"

- [ ] **Q26:** Expected concurrent users?
  - 10 users? 100 users? 500 users?

- [ ] **Q27:** Expected request volume?
  - How many workflow requests per day/month?

- [ ] **Q28:** Peak usage times?
  - Should we plan for load spikes?

---

### **10. Testing & UAT**

From proposal: Functionality, Usability, Compatibility, Interface, Performance, Security testing

- [ ] **Q29:** QA team availability?
  - Dedicated QA resources?
  - QA contact person?

- [ ] **Q30:** UAT participants?
  - Need 5-10 end users for UAT
  - Names and availability?

- [ ] **Q31:** Test data creation?
  - Can we create dummy workflow requests?
  - Sample documents for upload testing?

---

### **11. Deployment & Go-Live**

From proposal: Waterfall methodology with phased delivery

- [ ] **Q32:** Deployment approach?
  - Phased rollout (pilot → org-wide)?
  - Or big-bang deployment?

- [ ] **Q33:** Pilot user group?
  - Which departments will pilot the system?
  - How many users in pilot?

- [ ] **Q34:** Target go-live date?
  - When should production be ready?

- [ ] **Q35:** Deployment window?
  - Business hours or after hours?
  - Weekend deployment preferred?

---

### **12. Communication & Governance**

From proposal:
- Daily Scrum (10 mins)
- Weekly Review (30 mins)
- Monthly Governance (60 mins)

- [ ] **Q36:** Are these meeting frequencies acceptable?

- [ ] **Q37:** Communication channels?
  - Microsoft Teams / Slack / Email?
  - Dedicated project channel?

- [ ] **Q38:** Project management tool?
  - Proposal mentions: ZOHO PMS
  - Alternatives: Jira, Azure DevOps, Trello?

---

### **13. Security & Compliance**

From proposal - Security Measures:
- JWT tokens
- SSL certificates
- API rate limiting
- SQL injection protection
- XSS protection
- Session management

- [ ] **Q39:** Security audit requirements?
  - Penetration testing needed?
  - VAPT before go-live?

- [ ] **Q40:** Compliance standards?
  - GDPR, ISO 27001, SOC 2?

- [ ] **Q41:** Data retention policy?
  - How long should audit logs be kept?
  - Document retention period?

- [ ] **Q42:** Security contact person?
  - RE InfoSec team contact?

---

### **14. Support & Maintenance**

From proposal: Annual Maintenance and Support Services

- [ ] **Q43:** Is AMS (Annual Maintenance Support) in scope?
  - Or only initial development?

- [ ] **Q44:** Support SLA requirements?
  - Response time for critical issues?
  - Resolution time expectations?

- [ ] **Q45:** Warranty period?
  - How long is bug-fix warranty after go-live?
  - Proposal mentions: 2 weeks post-launch monitoring

---

## 🎯 Recommended Technology Decision Matrix

| Decision Point | Option 1 | Option 2 | Recommendation | Reason |
|---------------|----------|----------|----------------|---------|
| Frontend | React.js | **Next.js** | ✅ Next.js | SSR, better performance, modern |
| Backend | Express.js | **Fastify** | ✅ Express.js | More mature, larger community |
| Database | **PostgreSQL** | MongoDB | ✅ PostgreSQL | Better for workflows, ACID compliance |
| Language | JavaScript | **TypeScript** | ✅ TypeScript | Type safety, better for large projects |
| ORM | Prisma | TypeORM | ✅ Prisma | Better DX, type-safe queries |
| State Management | Redux | **Zustand** | ✅ Redux Toolkit | Industry standard, good for complex state |
| Styling | Tailwind | **Tailwind + Shadcn** | ✅ Tailwind + Shadcn | Fast development, consistent UI |
| Email | Internal SMTP | **SendGrid** | ⚠️ Need decision | Depends on RE IT policy |
| AI Service | **OpenAI** | Azure OpenAI | ⚠️ Need decision | Depends on data privacy requirements |
| Hosting | VM | Cloud Run | ✅ VM (initially) | As per SRS spec, can migrate later |
| BPM Platform | Camunda | **Custom** | ✅ Custom | Better fit for non-templatized workflows |

---

## 📝 Next Steps

### **Immediate Actions (This Week):**

1. **Schedule Technical Kickoff Meeting** with RE stakeholders
   - Present this document
   - Get decisions on all conflicts
   - Finalize technology stack

2. **Create Shared Decision Log**
   - Document all technology decisions
   - Get sign-off from Product Owner and Tech Lead

3. **Request Critical Access**
   - SSO integration documentation
   - AD integration access method
   - Test user accounts (10-15 users)
   - Database credentials
   - GCP project access

4. **Set Up Development Environment**
   - Git repository creation
   - Local development setup guide
   - CI/CD pipeline planning

### **Week 2 Actions:**

1. **Finalize Architecture Document**
   - System architecture diagram
   - Database schema design
   - API endpoint specification
   - Security architecture

2. **Begin Sprint Planning**
   - Break down SRS into user stories
   - Estimate effort (story points)
   - Create sprint plan

---

## 📞 Key Stakeholders Needed for Decisions

| Decision Area | Stakeholder | Contact Needed |
|--------------|-------------|----------------|
| Technology Stack | CTO / Tech Lead | Email / Meeting |
| SSO Integration | IT Infrastructure Team | Documentation + Credentials |
| Email Service | IT Operations | SMTP config / approval |
| Database Choice | Database Admin | Provisioning + credentials |
| AI Service | Product Owner + Legal | Data privacy clearance |
| Security | InfoSec Team | Security requirements doc |
| Budget | Finance / Project Sponsor | AI API costs, cloud costs |

---

**Document Status:** ⚠️ DRAFT - Awaiting Stakeholder Review
**Priority:** 🔴 CRITICAL - Blocks Development
**Owner:** Development Team Lead
**Review Date:** [To be scheduled]

---

## 📎 Appendix: Document References

1. **streamlined_approvals.md** - System Requirements Specification (SRS)
2. **Royal Enfield Proposal 1.06.txt** - BPM Platform Approach Proposal
3. **Figma Wireframe** - https://sway-dense-03017508.figma.site
4. **RE_FULLSCOPE_AND PROJECT_STRUCTURE.md** - Overall project scope
5. **RE_Workflow_Complete_Project_Setup.md** - Complete setup guide
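
The "Backend validates JWT signature" step in the authentication flow above, together with the cookie and Authorization-header steps before it, can be made concrete as follows. This is an added example, not code from the SRS, the proposal or the project; it assumes RS256-signed tokens, and the issuer, audience, cookie name `re_session` and the demo key pair are constructed placeholders, since the SSO protocol and token claims are still open (Q10, Q12).

```javascript
// Added example: backend validation of an SSO-issued JWT, Node.js built-ins only.
// Issuer, audience, cookie name and keys are constructed placeholders, not RE values.
const crypto = require("node:crypto");

const EXPECTED = { alg: "RS256", iss: "https://sso.example.invalid", aud: "re-workflow" };
const COOKIE_NAME = "re_session"; // hypothetical cookie name

const decodePart = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Accept the token from "Authorization: Bearer ..." or from the httpOnly cookie.
// Browser JavaScript cannot read an httpOnly cookie; the browser sends it itself.
function tokenFromHeaders(headers) {
  const bearer = /^Bearer ([\w-]+\.[\w-]+\.[\w-]*)$/.exec(headers.authorization || "");
  if (bearer) return bearer[1];
  for (const pair of (headers.cookie || "").split(";")) {
    const [name, value] = pair.trim().split("=");
    if (name === COOKIE_NAME && value) return value;
  }
  return null;
}

// Returns the claims when the token is valid; throws otherwise.
function verifyJwt(token, publicKeyPem, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  // Pin the algorithm server-side; the token header must not choose it.
  if (decodePart(h).alg !== EXPECTED.alg) throw new Error("unexpected alg");
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify("RSA-SHA256", signed, publicKeyPem, Buffer.from(s, "base64url"))) {
    throw new Error("bad signature");
  }
  const claims = decodePart(p);
  if (claims.iss !== EXPECTED.iss) throw new Error("wrong issuer");
  if (![].concat(claims.aud).includes(EXPECTED.aud)) throw new Error("wrong audience");
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("expired");
  return claims;
}

// Demo-only signer standing in for the SSO bridge.
function signForDemo(claims, privateKeyPem, alg = "RS256") {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const input = `${enc({ alg, typ: "JWT" })}.${enc(claims)}`;
  const sig = alg === "none" ? "" : crypto.sign("RSA-SHA256", Buffer.from(input), privateKeyPem).toString("base64url");
  return `${input}.${sig}`;
}

// Constructed key pair for the demo; the real public key comes from the SSO provider.
const demoKeys = crypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
  publicKeyEncoding: { type: "spki", format: "pem" },
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
});
```

In a production build a maintained JWT library would normally replace the hand-rolled parsing; the checks it must be configured to enforce are the same ones shown here.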