Validators are independent nodes. They do not produce business answers — they verify the work of crews and agents, decide whether rework is needed, and gate human approval.
Core Validators (9)

Schema Validator
Pass
Checks:
- Output completeness
- Required fields present
- Correct structure
Auto-pass

Tool Permission Validator
Pass
Checks:
- Only allowed tools used
- No restricted APIs called
Auto-pass

Best-Practice Validator
Warning
Checks:
- CVD / Well-Architected alignment
- Reference pattern followed
Error: Landing zone OU structure not aligned with reference
Rework

Risk Validator
Pass
Checks:
- Risks classified Low/Med/High
- High-risk items flagged
Auto-pass

Confidence Validator
Warning
Checks:
- Confidence ≥ threshold (0.75)
- Assumptions stated
Error: FinOps confidence 0.68 < 0.75
Rework

Human Approval Validator
Pass
Checks:
- Human approval gates respected
- No auto-commit on high-risk
Human approval

Commercial Commitment Validator
Fail
Checks:
- No final pricing without Finance + MD
- No discount > policy
Error: Pre-Sales attempted to commit final BoM price
Rework, Escalate, Human approval

Security Exception Validator
Pass
Checks:
- No unapproved exceptions
- CISO sign-off recorded
Auto-pass

Legal Clause Validator
Warning
Checks:
- Non-standard clauses flagged
- Fallback wording proposed
Error: Liability cap below standard floor
Escalate, Human approval

Cloud Validators (5)

AWS Well-Architected Validator
Warning
Checks:
- 5-pillar coverage
- Reference pattern alignment
Rework

Landing Zone Validator
Pass
Checks:
- OU structure
- Guardrails enforced
- Identity baseline
Auto-pass

Migration Readiness Validator
Pass
Checks:
- 6Rs assessment present
- Wave plan + rollback
Auto-pass

FinOps Validator
Warning
Checks:
- Tag policy enforced
- RI/SP coverage modelled
- Anomaly alerts
Rework

Cloud-Ops Readiness Validator
Pass
Checks:
- Monitoring scope
- Runbooks exist
- On-call rota
Auto-pass

Software Validators (4)

Software Architecture Validator
Pass
Checks:
- Module decomposition
- Bounded contexts
Auto-pass

API Integration Validator
Pass
Checks:
- Contract present
- Versioning + idempotency
Auto-pass

NFR Validator
Warning
Checks:
- Latency / throughput / availability budgets
Rework

Delivery Estimate Validator
Pass
Checks:
- Assumptions stated
- Risk-adjusted estimate
Auto-pass

AI/Data Validators (6)

RAG Grounding Validator
Warning
Checks:
- Citations present
- No ungrounded answers
Rework

Data Source Validator
Pass
Checks:
- Source-of-truth identified
- Freshness window
Auto-pass

Model Selection Validator
Pass
Checks:
- Cost / quality / latency rationale
Auto-pass

Guardrails Validator
Warning
Checks:
- PII redaction
- Prompt-injection defenses
Rework

Token Cost Validator
Pass
Checks:
- Token projection
- Caching strategy
Auto-pass

Evaluation Plan Validator
Pass
Checks:
- Eval set defined
- Metrics + thresholds
Auto-pass

Security Validators (6)

Zero Trust Validator
Pass
Checks:
- Identity-aware access
- No implicit trust
Auto-pass

IAM/PAM Validator
Warning
Checks:
- Least privilege
- JIT access
Rework

SOC/SIEM Validator
Pass
Checks:
- Centralised logging
- Detections in place
Auto-pass

Compliance Mapping Validator
Warning
Checks:
- ISO/SOC2/GDPR mapping
Rework

Vulnerability Risk Validator
Pass
Checks:
- SAST/DAST coverage
- Critical CVE remediation
Auto-pass

Data Privacy Validator
Warning
Checks:
- Data classification
- DPIA where required
Rework
Rework Loop visualization
1. Cloud Crew produces architecture + landing zone
2. Security Validator flags missing private endpoints
3. Rework routed back to Cloud Crew AND Security Crew
4. Updated recommendation generated with controls
5. Validator runs again → Pass
6. Approval Router decides next step
Agent Inclusion / Exclusion logic
Request: "Design AWS-based RAG assistant integrated with CRM."
Included
AI / Data Crew — AI architecture and RAG design required
Cloud Crew — AWS hosting and landing zone required
Software Crew — CRM integration and APIs required
Security Crew — Data privacy and access control required
Optional
Legal Agent — Customer data and privacy terms may be involved
Finance Agent — Cost estimate may be requested
Excluded
Cisco Crew — No Cisco / network requirement detected
HR Agent — No HR process involved
Triggers
• Mentions 'data privacy' → include Security Crew
• Mentions 'AWS' → include Cloud Crew
• Mentions 'CRM' → include Software Crew
Escalation
⚠ Risk = High → MD approval
⚠ Confidence < 0.75 → Coordinator rework
⚠ Unapproved security exception → CISO
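
The escalation rules and the rework loop above, combined in one added Python example (not code from the product this page describes). The `Output` record, the `improve` rework stand-in, the `max_rounds` cap, and the two fail-closed choices (unclassified risk handled as High, exhausted rework handed to a human) are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

CONFIDENCE_THRESHOLD = 0.75           # threshold shown on the page
RISK_LEVELS = {"Low", "Med", "High"}  # classes from the Risk Validator card

@dataclass(frozen=True)
class Output:                         # hypothetical crew output record
    risk: str
    confidence: float
    security_exception: bool = False
    ciso_signoff: bool = False

def escalation_routes(out):
    """Apply the three escalation rules; every rule that matches adds a route."""
    routes = []
    # Assumption: an unclassified risk value is handled as High (fail closed).
    if out.risk not in RISK_LEVELS or out.risk == "High":
        routes.append("MD approval")
    if out.confidence < CONFIDENCE_THRESHOLD:
        routes.append("Coordinator rework")
    if out.security_exception and not out.ciso_signoff:
        routes.append("CISO")
    return routes

def run_rework_loop(out, rework, max_rounds=3):
    """Re-validate after each rework; return (output, routes, reworks_done)."""
    for done in range(max_rounds + 1):
        routes = escalation_routes(out)
        if "Coordinator rework" not in routes:
            return out, routes or ["Auto-pass"], done
        if done < max_rounds:
            out = rework(out)
    # Assumption: when the rework budget runs out, a human decides; no auto-pass.
    kept = [r for r in routes if r != "Coordinator rework"]
    return out, kept + ["Human approval"], max_rounds

def improve(out):
    """Constructed stand-in for a crew rework that raises confidence by 0.05."""
    return replace(out, confidence=round(out.confidence + 0.05, 2))

if __name__ == "__main__":
    finops = Output(risk="Low", confidence=0.68)   # value from the FinOps error
    print(run_rework_loop(finops, improve))
    risky = Output(risk="High", confidence=0.9, security_exception=True)
    print(run_rework_loop(risky, improve))
```

Rework only clears the confidence rule; MD and CISO routes stay attached to the result, so a high-risk output with good confidence never reaches auto-pass.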