◈ Effort Analysis & Approach Plan

Physical Data Platform
Engineering Assessment

Our concept note describes 8 capabilities across identity, IoT, supply chain, authentication, integration, and AI. This analysis decomposes the platform into buildable layers, estimates effort honestly, and recommends a phased approach that's fundable before it's finished.

0
Core Systems
0
Month Full Build
0
Month MVP
0
Eng Team Size

Layer Decomposition

What's Actually Being Built

The concept consists of 5 distinct systems that must interlock. Each has its own complexity profile, dependencies, and risk surface. Mapping concept's 8 capabilities → 6 engineering layers:

🔑

Identity Resolution Service

→ Trusted identity + Multi-carrier logic

Normalizes barcode, QR, secure QR, NFC, RFID/EPC into a single resolvable master identity. Handles ID generation, format detection, carrier linking, and GS1 Digital Link compliance. This is the foundation everything else depends on.

GS1 Digital Link EPC/SGTIN UUID v7 PostgreSQL Redis
📡

Event Ingestion Pipeline

→ Capture events + RFID bulk reading

Real-time capture from RFID readers, QR scanners, NFC taps, and PUF cameras. Handles high-throughput bulk reads (1000+ items/sec from shelf antennas), deduplication, sequencing, and durable event storage. Factory-floor conditions: intermittent connectivity, dirty data.

MQTT / AMQP Kafka / SQS EPCIS 2.0 TimescaleDB Edge agents
🔗

Supply Chain Genealogy Engine

→ Upstream/downstream traceability

Models the directed acyclic graph: textile roll → cut parts → garment → carton → logistics → retail → consumer. Parent-child relationships, batch splitting/merging, location tracking at each transformation step. Core data model for DPP compliance.

Graph DB (Neo4j) EPCIS events DAG modeling DPP schema
🛡

Authentication & Intelligence Layer

→ Secure auth + scan-history intelligence

Verifies product authenticity via Yometel's cipher-embedded secure QR + PUF matching. Tracks scan history globally, detects anomalies (grey market, counterfeits, suspicious patterns). Feeds intelligence back to brands as dashboards and alerts.

PUF matching ML QR cipher verify Anomaly detection ClickHouse
🔌

Integration & API Platform

→ Open API layer

REST + GraphQL APIs for ERP/SAP/PLM systems, DPP apps (including Yometel's own), brand apps, and third-party analytics. OAuth2 multi-tenant auth, rate limiting, webhooks, and a developer portal. The monetization surface.

FastAPI / Django GraphQL OAuth2 / JWT Webhooks API Gateway
🧠

AI & Analytics Engine

→ Foundation for Physical AI

The "later" layer. Demand forecasting from scan patterns, inventory distortion detection, ESG/waste analytics, and operational optimization. Requires 6-12 months of data accumulation before it delivers real value. Don't build this first.

Python ML stack Time-series models dbt / Airflow Vector DB

Component Effort

Sizing

T-shirt sizes with complexity rationale. These estimates assume a competent team familiar with the domain.

Component Size Weeks Complexity Why
ID Resolution Service M 5-6
Multi-format parsing (EPC, GTIN, SGTIN, QR payloads) + GS1 Digital Link resolver + mapping table. Well-defined problem, moderate edge cases.
Event Ingestion Pipeline L 8-10
Bulk RFID reads at factory scale, intermittent connectivity, dedup, ordering guarantees. Needs edge agent for offline-first. Hardware integration unknowns.
Genealogy Engine L 8-10
Graph data model for multi-level BOM, batch split/merge, location transitions. EPCIS 2.0 event mapping. Most complex domain modeling in the platform.
Auth & Intelligence L 8-10
Depends on Yometel's cipher spec (black box?). PUF matching is ML-grade. Anomaly detection needs training data that doesn't exist yet. High uncertainty.
API Platform M 6-8
Standard REST/GraphQL, multi-tenant OAuth2, rate limiting, webhooks. Well-understood patterns. Complexity comes from breadth of integrations (SAP, PLM, DPP).
AI & Analytics XL 12-16
Demand forecasting, inventory distortion, ESG scoring: each is a standalone ML project. Data dependency: needs ingestion data first. Defer.
Admin Dashboard M 6-8
Multi-tenant brand portal, traceability explorer, scan analytics, config management. Standard SaaS UI but domain-heavy.
Edge Agent (Factory) M 4-6
Offline-first data collector for factory floor. Local buffer, sync on connectivity, RFID reader protocol adapters. Deploy to low-spec hardware.

Recommended Phasing

Build in 4 Phases, Fund After Phase 2

The critical insight: The full scope requires funded-scale investment. Solution: build a fundable MVP in Phases 1-2 that proves the thesis with earmarked budget, then use traction to unlock Phase 3-4 funding.

01

Foundation: Identity + Ingest

Months 1-3  ·  12 weeks
4-5 engineers
Exit Criteria: A product in a Bangladesh factory gets a master ID (GS1 DL-compliant), its RFID events are captured and stored, and its lineage is queryable via API. One factory, one product line, end-to-end.
ID Resolution Service v1 (QR + RFID → master ID)
Event ingestion for 1 RFID reader model
Core data model (PostgreSQL + TimescaleDB)
Basic REST API (CRUD on items, events)
Edge agent v1 (offline buffer + sync)
Infrastructure (AWS/GCP, CI/CD, monitoring)
02

Traceability: Genealogy + DPP Output

Months 4-7  ·  16 weeks
6-8 engineers
Exit Criteria: Full textile-to-retail genealogy for pilot factory. DPP-compliant data export. Brand dashboard showing item journey. This is the fundable milestone - demonstrable DPP compliance before Jan 2027.
Genealogy engine (roll → cut → garment → carton)
EPCIS 2.0 event mapping
DPP data export (EU regulation compliant)
Multi-carrier ID linking (QR + RFID + NFC)
Brand dashboard v1 (traceability explorer)
API v2 (GraphQL, webhooks, multi-tenant auth)
Second factory onboarded (validation)
03

Intelligence: Auth + Anomaly Detection

Months 8-12  ·  20 weeks
8-10 engineers
Exit Criteria: Secure QR verification live. Scan-history analytics for brands. Grey market detection flagging suspicious patterns. 5+ factories onboarded.
Secure QR cipher verification (Yometel spec)
PUF capture + matching (prototype)
Scan history analytics engine
Anomaly detection v1 (rule-based + ML)
ERP/SAP connectors (2-3 systems)
Developer portal + API docs
Scale: 5+ factories, 2+ brands
04

Scale: AI + Ecosystem

Months 13-18  ·  24 weeks
10-12 engineers
Exit Criteria: AI-powered insights live (demand forecasting, ESG scoring). Open marketplace for third-party app integrations. Platform operating across multiple geographies and product categories.
Demand forecasting from scan patterns
ESG / sustainability scoring
Inventory distortion detection
Third-party app marketplace
Multi-geography deployment
Enterprise SLA + support tier

Critical Design Decision

CMC vs. GS1 Digital Link

A "Common Master Code" (CMC) is a proprietary 17-digit ID that unifies all carrier formats. This is the single most important architectural decision in the platform. Get it wrong, and adoption stalls.

Option A: Proprietary CMC

Create Yometel's own 17-digit master code as the canonical ID.

  • + Full control over ID structure and namespace
  • + Potential IP/moat if adopted widely
  • + No dependency on GS1 membership/fees
  • Adoption friction: every partner must learn a new ID system
  • Not recognized by EU DPP regulation (GS1 is)
  • Requires conversion layer for every external system
  • Brands won't replace their existing GS1/GTIN infrastructure
VS

Option B: GS1 Digital Link + Internal Resolution

Use GS1 DL as the canonical external ID. Maintain an internal resolution layer that maps any carrier to the GS1 DL.

  • + EU DPP compliant out of the box
  • + Zero adoption friction — brands already use GS1
  • + Item-level via SGTIN serialization (exactly what DPP needs)
  • + The resolution layer IS the moat (not the ID format)
  • + Interoperable with all existing supply chain systems
  • GS1 membership costs (minor)
  • Less "proprietary" feel

The moat isn't the ID format - it's the resolution layer. The ability to accept ANY input (barcode, QR, NFC, RFID, legacy codes from Bangladesh factories) and resolve it to a standardized, item-level digital identity - THAT is what no one else does well. Build the intelligence in the mapping, not the format. Fragmented IDs across sectors are the problem. The solution is a universal resolver, not a universal replacement.

Risk Register

What Could Derail This

Ordered by likelihood × impact. These aren't hypothetical — they're drawn from the 5 meetings of conversation history between Kshitij and Koji.

High

Scope Ambition vs. Execution Capacity

The concept note describes 8 capabilities. Building all 8 simultaneously would require 15+ engineers and 18+ months. Pre-funding, this isn't viable.

→ Mitigation: Strict phase gating. Phase 1-2 with 5-8 people. Don't start Phase 3 without funding.
High

Hardware-Software Integration Unknowns

RFID reader protocols, edge conditions in factories (heat, dust, intermittent power), Yometel's proprietary cipher spec - all are black boxes until we're on-site.

→ Mitigation: Week 1-2 spike: get hardware specs from Koji, test integration with one RFID reader before committing to architecture.
High

Factory Data Quality (Bangladesh/Sri Lanka)

Legacy systems, manual processes, inconsistent barcode usage. The "ingest" layer must handle extremely dirty data from developing-market factories.

→ Mitigation: Design ingest for worst-case. Validation pipelines, human-in-the-loop for edge cases. Visit a factory before finalizing data model.
Medium

Funding Gap Between Phase 2 and 3

If Phase 2 completes but funding doesn't materialize, development stalls.

→ Mitigation: Phase 2 exit must be independently demonstrable. Build demo environment that sells itself. Revenue possibility: charge per-item DPP compliance from Day 1.
Medium

DPP Regulation Specifics Still Evolving

EU DPP mandates start Jan 2027, but detailed technical requirements (data schemas, verification protocols) are still being finalized.

→ Mitigation: Build on EPCIS 2.0 + GS1 standards (the technical foundation is stable). Keep DPP output layer thin and swappable.
Medium

PUF Technology Maturity

Physically Unclonable Function via micro-lens smartphone photography is cutting-edge. No proven at-scale deployment exists for textile authentication.

→ Mitigation: Phase 3 scope, not Phase 1. Treat as R&D spike. Secure QR is the proven auth path; PUF is additive.

Team Composition

Who Shuru Needs to Field

Phase 1-2 team (MVP funding required). This is the core team that builds the MVP. Roles scale up in Phase 3-4.

1
Tech Lead / Architect
System design, GS1/EPCIS domain, cross-layer decisions
2
Backend Engineers
ID service, event pipeline, genealogy engine, APIs
1
IoT / Edge Engineer
RFID reader integration, edge agent, factory connectivity
1
Frontend Engineer
Brand dashboard, traceability UI, admin portal
1
DevOps / Platform
Infrastructure, CI/CD, monitoring, security
1
Product / Domain
GS1 standards, DPP requirements, factory process mapping

Phase 1-2 total: 7 people  ·  7 months  ·  ~49 person-months
Phase 3 adds: +1 ML engineer, +1 backend, +1 security engineer = 10 people
Phase 4 adds: +2 ML engineers, +1 data engineer = 13 people at peak

The Bottom Line

7 mo
To Fundable MVP
18 mo
Full Platform
49 PM
MVP Person-Months

The platform is real and the timing is right - DPP creates the regulatory forcing function. But the concept note is 3x bigger than what should be built first. The approach: build the identity resolver + event pipeline + genealogy engine in 7 months, prove DPP compliance at one factory, and use that to unlock the funding for intelligence and AI layers.