Golden Paths: Business-Driven Technical Excellence

Start with framework defaults. Add complexity only when a measurable trigger fires.

The ADLC golden path for xOps BC1 — the tested, supported route from docker compose up to production AWS. Every alternative was evaluated and deferred with a documented trigger condition (ADRs).

Path Overview

LOCAL ($0)  →  TEST ($45)  →  SIT ($120)  →  PROD ($180)  →  PEAK ($380)
2 services      ECS staging     Full stack      Graviton4       6 replicas
docker-compose  + EFS           + CloudFront    ARM64 2-6       high volume

Stage 1: Local Golden Path (Wk 1-2)

Target: Developer laptop, $0 infrastructure

# 3 commands to working xOps
git submodule add [email protected]:1xOps/adlc-framework.git .adlc
ln -s .adlc/.claude .claude && ln -s .adlc/.specify .specify
docker compose up -d  # 2 services: openwebui + fastapi+crewai

Component	Golden Path	Alternative	Trigger to Upgrade
AI Provider	Claude API direct via LiteLLM	Ollama local	Privacy mandate
Database	SQLite (Open WebUI default)	PostgreSQL	>50 concurrent writes
Vector DB	ChromaDB (CrewAI Knowledge)	pgvector/Qdrant	Cross-system SQL+vector
Auth	Open WebUI built-in	IAM Identity Center	Enterprise SSO requirement
Services	2 (openwebui + fastapi+crewai)	N microservices	Team >5 engineers
Cache	None	Valkey/ElastiCache	Pub/sub or session sharing
Analytics	File-based JSON/CSV	S3 Tables (Iceberg)	FinOps scan volume >1TB

Validation: npx playwright test --project=local — all containers HTTP 200

ADLC Components: /speckit.specify, /speckit.plan, remind-coordination hook, CLAUDE.md memory

Stage 2: AWS Test Environment (Wk 3-4)

Target: ECS Fargate staging, $45/month

Component	Golden Path	Why
Compute	ECS Fargate (not EKS)	2 services don't need Kubernetes
Storage	EFS ($6/mo)	POSIX filesystem for SQLite + ChromaDB
Identity	IAM Identity Center (M1)	AWS-native, free, SCIM 2.0
Container	Graviton4 ARM64	~30% better price-performance

Terraform Modules: M1 (IAM Identity Center) + M2 (ECS Fargate) — both PUBLISHED

Validation: terraform plan exit 0, checkov 0 FAILED, infracost ≤+5%

Stage 3: Production Golden Path (Wk 7-10)

Target: Full sovereign stack, $180/month

Layer	Technology	Cost	Module
L1 Identity	IAM Identity Center + SCIM 2.0	FREE	M1
L2 Compute	ECS Fargate Graviton4 ARM64	Incl. in $110	M2
L3 Edge	CloudFront + WAFv2 + ALB + ACM	$15-60	M3
L4 Data	SQLite + ChromaDB + EFS	$6	M4
L5 API	FastAPI + CrewAI + LiteLLM	$25-50	M3
L6 UI	Open WebUI 0.8+	$45-85	M3

Module Status

M3 (terraform-aws-web): WIP — Phase 4 deliverable (Wk 7-8) M4 (terraform-aws-efs): Gap — Phase 4-5 deliverable

Self-service Terraform deployment requires M3+M4 completion.

Validation: 4-way cross-validation ≤0.5% tolerance across 24 signals

Stage 3B: K3S Hybrid-Cloud Path (Optional BC2+)

Target: On-prem/IoT/multi-cloud — when ECS-only no longer covers requirements

# Option C Hybrid: ECS AI (Stream 1) + K3S DevOps GitOps (Stream 2)
# Activate only when triggers fire (see below)

# Local: K3D cluster for development
k3d cluster create xops-gitops --servers 1 --agents 2

# Production: K3S 3-node HA
# Uses 161-file IaC at DevOps-Terraform/tf-k3s

Component	Golden Path	Alternative	Trigger to Upgrade
GitOps engine	GitHub Actions	ArgoCD on K3S	IaC PRs >5/week
IaC review	Manual PR review	Atlantis on K3S	Team >3 engineers
Secrets	AWS Secrets Manager	Vault HA on K3S	On-prem mandate
Multi-cloud	AWS-only	Crossplane on K3S	Second cloud provider
Edge compute	N/A	K3S ARM64 edge nodes	IoT/on-prem mandate

Key principle: Stream 1 (ECS AI) and Stream 2 (K3S GitOps) are independent failure domains. Either can be activated, scaled, or decommissioned without affecting the other.

ADR: ADR-005 Hybrid Architecture | IaC: 161 files at DevOps-Terraform/tf-k3s

ADLC Components: Agent kubernetes-engineer, Commands /k3d:* + /k3s:*, Skills terraform/terraform-patterns

Upgrade Triggers

Every component starts at the golden path default. Upgrade only when a measurable trigger fires:

Current	Upgraded	Trigger	How	Cost Impact
SQLite	RDS PostgreSQL	>50 concurrent writes	Migration script + TF module	+$20/mo
ChromaDB	pgvector	Cross-system SQL+vector search	CrewAI Knowledge config	+$20/mo
Claude API	Bedrock VPC	Sovereignty mandate	`LITELLM_MODEL` env var	~same
Open WebUI auth	Keycloak	Enterprise SCIM pipeline	OIDC env var	+$0 (self-hosted)
File-based JSON	S3 Tables (Iceberg)	FinOps scan volume >1TB	Terraform module add	+$5/mo
2 services	N microservices	Team >5 engineers	docker-compose profiles	varies
ECS Fargate	EKS	>6 services + service mesh	Full migration (not config change)	+$73/mo
ECS only	ECS + K3S Hybrid	On-prem/IoT/multi-cloud	Activate tf-k3s (161 files)	+$0-190/mo
GitHub Actions	ArgoCD on K3S	IaC PRs >5/week	K3S + ArgoCD helm	+$0-120/mo

Design Principle: "Start with framework defaults, let HITL add complexity." Every rejected alternative is documented in ADRs with the trigger condition for reconsideration.

Anti-Patterns (What NOT to Do)

Anti-Pattern	Why It Fails at BC1	Golden Path Instead
Start with EKS	$73/mo control plane for 2 services	ECS Fargate (scale to EKS at >6 services)
Start with Aurora	$43/mo min for <50 users	SQLite + EFS ($6/mo)
Start with Keycloak	Full IdP is over-engineering	Open WebUI built-in auth
Start with LangGraph	Adds LangChain dependency	CrewAI (zero LangChain since 0.100+)
Start with Bedrock VPC	VPC endpoint complexity	Claude API direct via LiteLLM
Start with S3 Tables	File-based FinOps sufficient at BC1	JSON/CSV in tmp/

Source: xops.jsx LAYERS[].whyNot[] arrays — 17 alternatives evaluated with rationale

Evidence

Source of truth: docs/src/pages/xops.jsx (LAYERS, COST_ENV, PHASES arrays)
PR/FAQ: xOps BC1 PR/FAQ
ADRs: Architecture Decision Records
Coordination logs: tmp/adlc-framework/coordination-logs/product-owner-2026-03-11-docs-expansion.json

Path Overview​

Stage 1: Local Golden Path (Wk 1-2)​

Stage 2: AWS Test Environment (Wk 3-4)​

Stage 3: Production Golden Path (Wk 7-10)​

Stage 3B: K3S Hybrid-Cloud Path (Optional BC2+)​

Upgrade Triggers​

Anti-Patterns (What NOT to Do)​

Evidence​