METHODOLOGY
Four-layer agentic architecture. Six load-bearing operational mandates. 44 codified lessons. The system isn't a demo — it's an audit-first platform we ship into our own production every day.
If you're a CTO, head of engineering, or compliance officer evaluating ONSET — this is the page that should reassure you. Everything else on the site is marketing. This is the spine.
FOUR-LAYER AGENTIC ARCHITECTURE
The architecture is canonical in onset-platform-spec-v8.md Section 3. Every module ships against this contract or it doesn't ship.
01
Each AI Employee (Module A through ISO) owns one job and one job only. They share a contract — same telemetry, same audit hooks, same error handler — but they don't share state directly. Failures are bounded to one module.
02
When Module W wants Module A to apologise to a slow-payer it just hassled, it doesn't reach into A's state — it calls A through the dispatcher with a typed event. flow_rules table is the canonical wiring; every cross-module call goes through it.
03
Client-configurable trigger chains. "When a new lead comes through Module A, run intake.qualify; if qualified, hand to Mothership; once Mothership generates a proposal, run a margin check before the Telegram approval gate." All configurable, all audited.
04
Goal-directed coordinator. Say "onboard client X" and Council plans the steps, delegates each module as a tool, self-corrects when a step fails, and reports back when finished. The only autonomous agent on the platform — and even it cannot ship outbound without clearing the approval gate.
SIX OPERATIONAL MANDATES
Every outbound, financial, public or destructive action passes through the 30-second Telegram cancel window. No autonomous-send mode exists in the codebase. This isn't a configurable flag — it's a load-bearing architectural constraint.
Any pricing trajectory below 60% blended margin fires an alarm on our internal cost dashboard. We'd rather charge a defensible RM 1,499 than promise RM 999 we can't sustain. Honest pricing is the foundation, not an after-thought.
SHA-256 chain over every audit-log row. Any tampering breaks the chain visibly via a deterministic verification view. Per-tenant advisory locks prevent concurrent-write races. 7-year retention default.
When a production bug surfaces: stop, diagnose, real fix, verify, write the lesson into our internal log, audit other modules for the same pattern, then resume. Process is the moat.
Every page, every workflow, every table ships only when it survives user + admin E2E test on real data. UI without working backend gets deleted, not "completed." If a feature isn't real, it isn't shipped.
A 6-hour session that fixes the root cause beats a 1-hour session that ships a workaround. We don't offer time-vs-correctness choices to ourselves; correctness wins by default.
RELEASE DISCIPLINE
01
Any literal API key / token / .env stage is rejected pre-push
02
13 mechanical checks per module · evidence required
03
0 rows leaked across tenant boundaries
04
Tamper-check view returns 0 broken rows
05
Per-call cost logged · enforces the 60% margin floor
06
Each entry: bug pattern + fix + the audit step that catches recurrence
BEFORE YOU MESSAGE
45 minutes with Reginald + your CTO. We walk the architecture, the audit log, the cost dashboard, and answer anything else that comes up. NDA available before the call if you need it.