Overwatch v1.0 Proposal

Proposal · 2026-04-13

Overwatch v1.0 · delivery response

From
Ketan Khairnar
To
SecComply Technologies
Re
SRS_Overwatch.md v1.0 (Draft — Greenfield), 2026-04-10
Ask on table
Deliver all 17 systems in 2 months, agent-assisted development
TL;DR. We commit to v1.0-Core (audit-ready) in 12 weeks with a 2-senior-engineer team (Ketan Khairnar + senior architect), then v1.0-Extended in W7–W14, overlapping, with 1–2 contractors joining for the connector / scanner work. Total programme 12–14 weeks. Full SRS coverage, mechanism-named deliverables, six pass/fail gates. Three commercial options to pick from in RESPONSE §9; recommended for a first engagement: bi-weekly deliverable + bi-weekly payment.
01 Programme timeline · 12–14 weeks
Foundation
W0 – W2
Platform floor · AuthZ catalog · Audit-chain
⬥ G-Foundation
Auth + Compliance Core
W3 – W6
Auth pillars · pkg/authz · Evidence · Risk
⬥ G-AuthZ · G-Compliance
Modules + Extended start
W7 – W10
Vendor · Policy · Dashboard · CSPM/SCM (contractors join)
⬥ G-Modules
Harden + RC1
W11 – W12
WCAG · Load · Security · UAT
✓ G-UAT · v1.0-Core ships
Extended ships
W13 – W14
IAM · Incidents · Audit · Air-gap
✓ RC2 · v1.0-Extended ships

Each Friday a named shippable lands. Six pass/fail gates structure the calendar. Full Gantt →

02 Team shape · 2 seniors + contractors for Extended
SECURITY-SENSITIVE ZONE · 2 seniors own every commit · W0–W14
crypto · session · tenancy · pkg/authz · pkg/audit chain · KeyStore
Delivery + backend lead
Ketan Khairnar
W0 – W14 · primary contact
Senior architect
TBD (similar profile)
W0 – W14 · security + backend
CONTRACTOR-SAFE ZONE · 1–2 mid/senior · W7–W14 only
per-provider SDK shims · CSPM/SCM scanners · CRUD modules · seed loaders
Mid/senior eng
+1 contractor
W7 – W14 · joins post G-AuthZ
Mid/senior eng
+1 contractor (optional)
W10 – W14 · peak parallelism

Framework contracts (`pkg/connector`, `pkg/audit` schema, RBAC middleware) frozen at W4–W6 so contractors can build CSPM/SCM/IAM/VA modules without touching security-sensitive code.

03 Three commercial options · pick what suits your procurement
Option A
Fixed-bundle PO
Sponsor exposure
Whole programme
  • Two pre-priced bundles (Core / Core+Extended)
  • Milestone payments tied to four programme gates
  • Cost certainty for SecComply; overrun risk on us
  • Best when procurement requires a committed PO number
Option B
Monthly retainer
Sponsor exposure
One month at a time
  • 3.5 months invoiced in arrears (Net 14)
  • Scope renegotiated at each month boundary
  • Mutual flexibility; both sides can stop at month-end
  • Best when scope might flex mid-stream

Same scope, same team, same eng-week budget across all three. Only the payment shape and risk allocation differ. Full breakdown in RESPONSE §9 →

Programme response · Scope · sequencing · effort · ≈ 60 min

Eleven sections covering scope split, stack, effort estimate, delivery plan, team, risks, commercials, recommendation. The single canonical document.

Visual gallery · Diagrams · 9 pages · ≈ 20 min skim

MECE overview, four-cluster surface views, traceability matrix, build dependencies, and a week-by-week build Gantt showing what ships each Friday. Brutalist-light theme.

Legal Posture · ≈ 25 min

Aggregate-distribution analysis for the three non-permissive OSS components in the stack (SSPL-1 + grant, AGPL-3.0, GPL-2.0). Verbatim licence text quoted; deployment shape stated; industry precedent cited. Pass to procurement counsel.

Delivery Map · ≈ 30 min

What runs in parallel, what must run serially, the critical path, the six pass/fail gates, and a day-by-day W1 plan. Companion to the response — explains how the work fits at our 2-senior team size.

Reading order — by your time budget

20 min · Sponsor / executive read. The TL;DR above, then the four-cluster diagram on the diagrams index, then RESPONSE §1, §6.1, §9, §11. Decision-quality, not mechanism-quality.
1 hour · Architect first read. Above, plus RESPONSE sections 4 (stack), 5 (effort), 6 (delivery plan), 8 (risks). Skim the diagrams gallery for the build Gantt and traceability matrix.
2 hours · deep · Architect deep-dive. Above, plus DELIVERY_MAP (parallel/serial map + day-by-day W1) and LEGAL_POSTURE (licence analysis with verbatim text). Per-component research is held internally; happy to walk through any specific area on request.

What we'd like back

  1. Sign off (or push back) on the Core/Extended split in RESPONSE §6.1. If anything in Extended is a Core must-have for your release plan, flag it now so we can re-balance.
  2. Confirm the two SRS-side gaps that block W0 in RESPONSE §3: G-1 (reference designs for the 13 summary-only modules) and G-2 (named GRC subject-matter expert for seed-data authorship). The remaining gaps G-3..G-10 are lower-stakes but still pre-W0.
  3. A pick between the three commercial options in RESPONSE §9, or a clear "none fits, here's why" — we'd rather know early than late.
  4. A go/no-go decision target. We can hold team availability until 2026-05-04; beyond that we may need to release a window to another engagement.
Happy to walk you through any of the materials in 30 minutes — just name a time. — Ketan Khairnar