Confixa
The Autonomous AI IT Services Firm — Architecture, Compliance Model, and Phased Build Plan
A Wohlig Transformations Whitepaper
Executive Summary
Confixa is Wohlig’s flagship enterprise IT product: a fully autonomous AI IT services firm built as one Master Orchestrator, twelve specialist Domain Agents, and fifty-plus Sub-Agents arranged in a governed hierarchy. It covers software development, testing, DevOps, security, compliance, data engineering, FinOps, vendor management, customer success, and incident operations — all running autonomously, all deployed inside the client’s own Google Cloud project, all audited and governed at the platform level.
Confixa is built for the regulated sectors most software vendors avoid: BFSI, healthcare, and government. It treats compliance, evidence, and audit as first-class system primitives — not bolted-on features.
This whitepaper documents the four-layer architecture, the agent registry, the integration approach with the underlying open-source orchestration platform, the nine critical engineering gaps Wohlig fills with custom services, the architectural risk register, and the phased build roadmap from Phase 0 through Phase 4.
At a Glance:
Master Orchestrator: 1
Domain Agents: 12
Sub-Agents: 50+
Compliance controls covered: 400+
Build phases: 5 (Phase 0 through Phase 4)
Deployment: Inside client’s own GCP project
Multi-tenant model: One client = one isolated company
Target verticals: BFSI, healthcare, GovTech
1. Why a New Pattern Is Required
Three structural pressures are simultaneously squeezing regulated enterprise IT in India:
Accelerating regulation. DPDP, RBI Master Directions, SEBI CSCRF, IRDAI cyber guidelines, CERT-In incident reporting, and MeitY sector standards all evolve continuously. Manual controls libraries drift out of date within weeks.
Persistent talent scarcity. Senior compliance officers, SREs, security engineers, and FinOps specialists are scarce, expensive, and hard to retain. Most enterprises operate 30–40% under-staffed in these functions.
Cloud-spend opacity. Unoptimized GCP and AWS estates routinely carry 15–30% recoverable waste — but the analysis requires senior engineering time that is never available.
Point AI tools — a copilot for code, a chatbot for support, a vendor for compliance evidence — do not solve this. The system must be a firm, not a feature: organized into roles, accountable to a governance layer, instrumented end-to-end, and deployed inside the customer’s perimeter.
2. The Four-Layer Architecture
Layer 1 — Client Interaction & Intelligence
Web dashboard for status, compliance posture, approvals queue, agent activity, and FinOps reports. Natural-language WhatsApp commands. Live voice interface for client briefings. Master Orchestrator that decomposes complex client goals into structured subtasks for the right Domain Agents.
Layer 2 — Orchestration Spine
Provided by a self-hosted, MIT-licensed open-source agent orchestration platform. It supplies the org chart, ticket system, heartbeat scheduler, governance gates, per-agent budget enforcement, multi-company isolation, runtime context injection, and a pluggable-agent adapter protocol. Wohlig configures and deploys it on GKE; no custom code is written at this layer.
Layer 3 — Infrastructure & Integration Services (Wohlig-built)
The connective tissue that makes the orchestration spine production-ready for enterprise:
Context API — generates dynamic runtime context for every agent invocation by reading from the Client Profile DB, Evidence Store, current sprint state, and compliance posture cache.
Real-time Event Bridge — Pub/Sub subscriber that converts events from Grafana, GitHub Actions, vulnerability scanners, ArgoCD, and runtime threat detection into immediate ticket creations. Solves the “heartbeats are too slow for incidents” failure mode.
Approval Workflow Engine — parses approval/rejection signals from email, WhatsApp, and Slack and translates them into ticket status updates. Configurable SLA with escalation to backup approvers.
Secrets Bridge — synchronizes credentials between GCP Secret Manager and the agent layer. No long-lived credentials in agent config. Rotation triggers automatic config update.
Agent Adapter Framework — standardized Python/Node.js wrapper library. Any new agent registers as a pluggable-agent endpoint via this framework. Handles heartbeat acknowledgement, task checkout, state persistence, result reporting, and PII scrubbing.
Agent Observatory — measures task success rate, escalation rate, hallucination flag rate, MTTD/MTTR contribution, cost-per-outcome. Publishes a weekly Agent Health Report.
Layer 4 — Capability Services (Wohlig-built — the product)
The actual IT services Confixa delivers:
Compliance Engine — controls library across DPDP, RBI, SEBI, IRDAI, ISO 27001, SOC 2, GDPR, HIPAA, PCI-DSS. 400+ controls, automated check scripts, evidence collection, gap assessment, regulatory change processing.
Evidence Store — Cloud SQL evidence metadata + GCS artifact store. Schema: evidence_id, client_id, framework, control_id, artifact_type, collected_at, artifact_url, status. Source of truth for audit packs.
Audit Pack Generator — assembles formatted audit packages from evidence: PDF executive summary, per-control evidence folders, risk register, narrative auditor responses. Sub-4-hour SLA from trigger.
Regulatory Intelligence Feed — monitors RBI, SEBI, IRDAI, MCA, CERT-In, MeitY portals on daily heartbeat. New publication → classification → impact-assessment ticket within 24 hours.
Security Toolchain — adapters for SAST, SCA, DAST, runtime threat detection, secrets scanning. Normalized vulnerability schema. SLA-tracked remediation tickets.
Development Services — PR creation and review, multi-language, tech debt tracker, dependency management.
Data Platform — BigQuery, dbt pipelines, Looker Studio dashboards, PII masking, natural-language-to-SQL service.
FinOps Services — GCP Cost Explorer integration, rightsizing analysis, committed-use discount optimizer, monthly cost reports.
Client Onboarding Agent — automated workflow that provisions a new client company, registers all 12 Domain Agents, generates initial SKILLS context files, runs the first compliance baseline, and delivers a Day 1 report — in under 4 hours from credentials grant.
3. Agent Registry
Master Orchestrator (Tier 1)
Receives client goal tickets, decomposes into subtasks, creates child tickets for Domain Agents. Wakes on ticket assignment.
Domain Agents (Tier 2)
Requirements & Planning — Heartbeat: 8h — Owns: Backlog, sprints, user-story extraction
Development — Heartbeat: On ticket — Owns: PR creation, peer-review pipeline
Testing & QA — Heartbeat: On ticket + 12h — Owns: Unit, integration, E2E generation
DevOps & Deployment — Heartbeat: 4h — Owns: CI/CD, GitOps, IaC with approval gate
Security & Vulnerability — Heartbeat: 2h — Owns: SAST, SCA, DAST, secrets, runtime
Compliance & Audit — Heartbeat: 6h — Owns: Controls library, evidence, gap assessment
Data & Analytics — Heartbeat: 12h — Owns: Datasets, dashboards, PII classification
Vendor & Procurement — Heartbeat: 24h — Owns: RFPs, contracts, vendor SLA tracking
Customer Success & Demo — Heartbeat: On ticket — Owns: Demo provisioning, voice briefings
FinOps & Cost — Heartbeat: 24h — Owns: Spend, rightsizing, anomaly tracking
Incident & Operations — Heartbeat: 30m — Owns: Alerts, runbooks, RCA generation
Documentation — Heartbeat: Weekly — Owns: Doc coverage, stale doc register, API specs
Sub-Agents (Tier 3 — sample)
Code Review Bot, Secrets Scanner Bot, Evidence Collector Bot, Audit Doc Bot, Policy Checker Bot, Rightsizing Bot, RCA Bot, User Story Bot, Demo Provisioning Bot, Threat Model Bot — fifty-plus in total.
4. Coverage Analysis
A formal coverage analysis was performed against the underlying orchestration platform. Of the 27 Confixa requirements:
10 covered fully by the orchestration platform — no Wohlig build needed; configure and deploy.
4 covered partially — orchestration platform provides scaffolding; Wohlig builds the capability layer on top.
13 require entirely new Wohlig builds — the differentiated capability that makes Confixa worth paying for.
The platform contributes ~37% of operational primitives. The remaining 63% — compliance engine, evidence store, audit pack generator, regulatory intelligence feed, security toolchain adapters, real-time event bridge, agent observatory, data platform, vendor agent, FinOps, customer-success agent, client-onboarding automation, GKE-on-Cloud-SQL deployment — is the Confixa product.
5. The Nine Engineering Gaps
The integration analysis surfaced nine critical gaps that must be filled by Wohlig before any Domain Agent can serve a regulated client:
No dynamic context injection (Context API) — Phase 0
No real-time event bridge (incidents stall on heartbeat) — Phase 0
No approval workflow loop (approval gates dead-end) — Phase 1
No evidence store or audit pack generator — Phase 1
No regulatory intelligence feed — Phase 1
No agent performance monitor (KPIs unmeasurable) — Phase 2
No GCP Secret Manager integration (BFSI blocker) — Phase 0
Orchestration platform not GKE-deployable out of box — Phase 0
No client-onboarding automation (manual = unscalable) — Phase 1
Each is addressed in the build roadmap below.
6. Architectural Risks (Selected)
Orchestration platform breaking changes — Severity: High. Mitigation: Wohlig fork pinned on Artifact Registry; thin abstraction layer for all platform calls.
Sub-agent explosion (2,500+ registrations at scale) — Severity: Medium. Mitigation: Lazy registration; sub-agents register only on first activation per client.
Cloud SQL connection pool exhaustion — Severity: High. Mitigation: PgBouncer pooler; HPA at 70% pool utilization.
LLM API rate limits during peak heartbeat cycles — Severity: Medium. Mitigation: Priority queuing (Incidents > Security > DevOps > Compliance > Analytics); tiered model usage; prompt caching.
Heartbeats too slow for real-time incidents — Severity: Critical. Mitigation: Solved by Real-time Event Bridge; non-negotiable Phase 0.
DPDP data localization for client data in model APIs — Severity: High (BFSI). Mitigation: PII scrubbing middleware in Agent Adapter Framework: DLP inspection before any model call; placeholder substitution; full audit.
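The PII scrubbing mitigation above (inspect, substitute placeholders, audit, then call the model) can be illustrated with the following added example, which is not Confixa or Wohlig code. The regex detectors stand in for a real DLP inspection service, and the function names, placeholder format and audit-record fields are assumptions.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed regex detectors standing in for a real DLP inspection service.
DETECTORS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PAN": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),  # Indian PAN layout
    "PHONE": re.compile(r"(?<!\d)(?:\+91[- ]?)?[6-9]\d{9}(?!\d)"),
}


def scrub(text, client_id, audit_log):
    """Replace detected PII with placeholders before a model call.

    Returns (scrubbed_text, mapping); the mapping never leaves the caller.
    """
    seen = {}    # original value -> placeholder, so repeats stay consistent
    counts = {}  # distinct values found per detector

    def substitute(kind):
        def _sub(match):
            value = match.group(0)
            if value not in seen:
                counts[kind] = counts.get(kind, 0) + 1
                seen[value] = f"<{kind}_{counts[kind]}>"
            return seen[value]
        return _sub

    for kind, pattern in DETECTORS.items():
        text = pattern.sub(substitute(kind), text)

    # The audit record carries counts and a hash of the scrubbed text, no raw PII.
    audit_log.append({
        "client_id": client_id,
        "at": datetime.now(timezone.utc).isoformat(),
        "findings": dict(counts),
        "scrubbed_sha256": hashlib.sha256(text.encode()).hexdigest(),
    })
    return text, {placeholder: value for value, placeholder in seen.items()}


def restore(text, mapping):
    """Re-insert the original values into a model response, locally."""
    for placeholder, value in mapping.items():
        text = text.replace(placeholder, value)
    return text
```

Only the scrubbed text is sent to the model API; `restore` runs on the response inside the client's project, so the placeholder mapping stays within the perimeter.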
7. Phased Build Roadmap
Phase 0 — Foundation (Weeks 1–6)
Containerize the orchestration platform for GKE. Cloud SQL, Workload Identity, Secret Manager integration, GCS bucket, Agent Adapter Framework, Context API v1, Real-time Event Bridge, all 12 Domain Agents registered as pluggable-agent skeletons. All P0. Blockers for production.
Phase 1 — Autonomous DevOps Core (Weeks 7–42)
Approval Workflow Engine. Client Onboarding Agent. Regulatory Intelligence Feed. Evidence Store. DevOps Agent (CI/CD, ArgoCD, Terraform). Security Agent (SAST, SCA, secrets scanning). Compliance Agent (controls library v1 — CERT-In, ISO 27001, DPDP, 100 controls; 6-hour automated checks; consent management). WhatsApp natural-language commands. FinOps v1.
Phase 2 — Full SDLC Autonomy (Weeks 43–78)
Audit Pack Generator. Agent Observatory. Development Agent (PR creation, peer-review pipeline). Testing Agent (unit, integration, E2E from user stories, k6 performance). Requirements Agent (multi-channel ingestion, PRD/User Story auto-generation). Customer Success Agent (Live voice adapter, demo provisioning). PII scrubbing middleware. DAST adapter. Falco runtime. RBI Digital Lending guidelines. SEBI CSCRF gap assessment. SOC 2 Type I readiness. Auditor Query Portal. Documentation Agent.
Phase 3 — Enterprise & Regulatory Scale (Weeks 79–118)
Data & Analytics Agent (BigQuery, NL-to-SQL, dbt, Looker Studio). Vendor Agent (RFP generation, contract risk analysis). BFSI Industry Pack (RBI + SEBI + IRDAI + DPDP integrated controls). Healthcare Industry Pack (HIPAA + DPDP + clinical data). GovTech Industry Pack (MeitY + CMMI + NIC). GDPR. SOC 2 Type II continuous. PCI DSS v4.0. Industry pack templates. Adapter abstraction hardening. Agent pool scaling tests (500 agents × 20 clients). FinOps v2 (auto-implement low-risk savings).
Phase 4 — Fully Autonomous IT Firm (Weeks 119–156)
Strategic Planning Agent. Capacity & Skills Agent. Multi-client scale (50+ concurrent companies). Outcome-based billing engine. White-label mode for IT services firms. Agent self-improvement loop. Cross-client anonymized knowledge transfer. GCP Marketplace listing.
8. Compliance Model
Compliance is a first-class primitive, not a bolt-on. Three principles:
Continuous, not point-in-time. The Compliance Agent runs automated control checks on a 6-hour heartbeat. Posture is always current; auditor queries do not require a fire drill.
Evidence-first. Every check writes evidence to the Evidence Store, tagged to the control ID. Audit packs assemble in under four hours from trigger.
Regulator-aware. The Regulatory Intelligence Feed converts each new RBI / SEBI / IRDAI / CERT-In / MeitY publication into a ticket within 24 hours. The controls library does not drift.
Frameworks covered (Phase 1 → Phase 3): DPDP, RBI Master Directions, SEBI CSCRF, IRDAI cyber guidelines, CERT-In, ISO 27001, SOC 2 Type I and II, GDPR, HIPAA, PCI DSS v4.0, MeitY, NIC standards.
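How the Evidence Store schema from Section 2 and the 6-hour check interval combine into a gap assessment, as an added example that is not Confixa or Wohlig code. SQLite stands in for Cloud SQL; the column types, the `pass`/`fail` status values, the control IDs and the bucket URL are constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Columns are those listed in the whitepaper; types and status values are assumed.
SCHEMA = """CREATE TABLE evidence (
  evidence_id TEXT PRIMARY KEY, client_id TEXT NOT NULL, framework TEXT NOT NULL,
  control_id TEXT NOT NULL, artifact_type TEXT NOT NULL, collected_at TEXT NOT NULL,
  artifact_url TEXT NOT NULL, status TEXT NOT NULL)"""

# Latest row per control; client_id is bound in both the subquery and the outer query.
LATEST = """SELECT e.control_id, e.status, e.collected_at FROM evidence e
JOIN (SELECT control_id, MAX(collected_at) AS latest FROM evidence
      WHERE client_id = ? AND framework = ? GROUP BY control_id) m
  ON m.control_id = e.control_id AND m.latest = e.collected_at
WHERE e.client_id = ? AND e.framework = ?"""


def gap_assessment(db, client_id, framework, expected, now, max_age=timedelta(hours=6)):
    """Classify each expected control as ok, failing, stale or missing."""
    rows = db.execute(LATEST, (client_id, framework, client_id, framework))
    latest = {cid: (status, datetime.fromisoformat(ts)) for cid, status, ts in rows}
    report = {}
    for control in expected:
        status, collected = latest.get(control, (None, None))
        if collected is None:
            report[control] = "missing"   # no evidence for this client
        elif now - collected > max_age:
            report[control] = "stale"     # older than the check interval
        else:
            report[control] = "ok" if status == "pass" else "failing"
    return report


def demo():
    """Constructed sample: two clients, hypothetical control IDs and bucket."""
    now = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    def row(n, client, control, hours_ago, status):
        ts = (now - timedelta(hours=hours_ago)).isoformat()
        return (f"ev-{n}", client, "ISO27001", control, "config_snapshot",
                ts, f"gs://example-bucket/ev-{n}.json", status)
    db.executemany("INSERT INTO evidence VALUES (?,?,?,?,?,?,?,?)", [
        row(1, "client-a", "A.8.1", 1, "pass"),
        row(2, "client-a", "A.8.2", 9, "pass"),   # last check too old
        row(3, "client-a", "A.8.3", 8, "pass"),
        row(4, "client-a", "A.8.3", 2, "fail"),   # newest row wins
        row(5, "client-b", "A.8.4", 1, "pass"),   # other tenant, must not leak
    ])
    return gap_assessment(db, "client-a", "ISO27001", ["A.8.1", "A.8.2", "A.8.3", "A.8.4"], now)
```

A control with only old passing evidence is reported as stale rather than ok, and evidence belonging to another `client_id` never satisfies a control for the client being assessed.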
9. Commercial Logic
Confixa is priced as a replacement for an IT services relationship, not as software seats. The economics:
Reference baseline: mid-tier managed-service contracts for regulated enterprise IT run ₹2–8 crore per year for the scope Confixa covers.
Confixa value drivers: 24×7 operation, audit-ready evidence on demand, recovered cloud-spend savings (typically 15–30% of GCP bill), zero attrition risk, full data sovereignty.
Pricing is set per phase and per industry pack. Phase 4 unlocks outcome-based billing for enterprise accounts.
10. About Wohlig
Wohlig Transformations is a digital transformation, cloud, and AI consulting firm founded in 2016. We have completed 20+ cloud migrations, shipped 10+ generative-AI solutions in production, and hold 40+ Google Cloud certifications including a Data Analytics specialization. We serve governments (Maharashtra, Gujarat, ONDC), enterprises (Lodha, Eros Now, Hungama), and high-growth consumer companies (Swiggy, Ninjacart, PW Live).
Offices: India and London. Web: www.wohlig.com.
To discuss Confixa for your enterprise or to evaluate a pilot, reach Wohlig at chintan@wohlig.com.


