VeritasFlow API — Explainer

Concept

VeritasFlow is a B2B SaaS compliance and fraud-detection platform for Fintech and Healthtech organisations. It combines real-time event ingestion with an AI agent that evaluates transactions and healthcare record events against natural-language compliance rules — flagging potential violations before costly regulatory penalties occur.

Target buyer pain: compliance teams manually reviewing thousands of events per day against

static, hard-to-maintain rule engines. VeritasFlow replaces spreadsheet-based review with an

always-on AI analyst that explains why something looks suspicious.

---

Architecture

┌──────────────────────────────────────────────────────────────────┐
│  HTTP Layer (Virtual Threads — Tomcat backed by Project Loom)    │
│                                                                  │
│  AuthController   EventController   AlertController              │
│  RuleController   AuditController                                │
└──────────────────────────┬───────────────────────────────────────┘
                           │ Spring Security (JWT Stateless)
┌──────────────────────────▼───────────────────────────────────────┐
│  Service Layer                                                   │
│                                                                  │
│  AuthService          JwtService                                 │
│  EventIngestService  ──afterCommit──► AgentProcessorService      │
│  ComplianceRuleService                    │ (Virtual Thread)     │
│  AlertService                             │ LlmClient (Feign)    │
│  AuditService                             │ + Heuristic fallback │
└──────────────────────────┬───────────────┴──────────────────────┘
                           │ Spring Data JPA
┌──────────────────────────▼───────────────────────────────────────┐
│  Persistence Layer                                               │
│                                                                  │
│  ComplianceRule   TransactionEvent   Alert   AuditLog            │
│  H2 (dev / test)  ·  PostgreSQL (production)                    │
└──────────────────────────────────────────────────────────────────┘

Key design decisions

Decision	Rationale
Virtual Threads for HTTP + @Async	Java 25 Project Loom — handle 10 000+ concurrent event streams without OS-thread exhaustion
afterCommit async dispatch	Agent always reads a committed event row — no lost/phantom reads
LLM + heuristic fallback	App works without an API key; heuristics catch obvious risk signals
Soft-delete for rules	Audit trail stays intact; INACTIVE rules never re-trigger
Records for DTOs	Immutable, compact, idiomatic Java 25
Stateless JWT	Horizontally scalable; no session state (PCI-DSS compatible)

---

Endpoints

Authentication

Method	Path	Auth	Description
%%INLINE2%%	%%INLINE3%%	public	Exchange credentials for JWT

Login example

POST /api/v1/auth/login
{
  "username": "admin",
  "password": "admin123"
}

// 200 OK
{
  "token": "eyJhbGci...",
  "expiresIn": 86400000,
  "tokenType": "Bearer"
}

---

Event Ingestion

Method	Path	Auth	Description
%%INLINE4%%	%%INLINE5%%	JWT	Ingest a real-time event for AI analysis

Ingest example (financial)

POST /api/v1/events
Authorization: Bearer <token>
{
  "eventType": "WIRE_TRANSFER",
  "entityId": "CUST-00123",
  "amount": 95000.00,
  "currency": "USD",
  "payload": "{\"destination\":\"offshore-account\",\"notes\":\"urgent\"}"
}

// 202 Accepted
{
  "eventId": 1,
  "status": "ACCEPTED",
  "message": "Event queued for AI compliance analysis."
}

The AI agent runs asynchronously on a virtual thread; check /api/v1/alerts for results.

---

Compliance Rules

Method	Path	Auth	Description
%%INLINE7%%	%%INLINE8%%	JWT	List rules (filter: ?category=FINTECH&status=ACTIVE)
%%INLINE10%%	%%INLINE11%%	JWT	Get single rule
%%INLINE12%%	%%INLINE13%%	JWT	Create rule in natural language
%%INLINE14%%	%%INLINE15%%	JWT	Update rule
%%INLINE16%%	%%INLINE17%%	JWT	Deactivate rule (soft delete)

Create rule example

POST /api/v1/rules
Authorization: Bearer <token>
{
  "name": "Large Wire Transfer Monitoring",
  "description": "Flag international wire transfers exceeding $10,000",
  "ruleText": "Any wire transfer or international payment exceeding USD 10,000 must be flagged for review. This includes transactions to or from high-risk jurisdictions and any transaction marked as urgent without prior approval.",
  "category": "FINTECH"
}

---

Alert Dashboard

Method	Path	Auth	Description
%%INLINE18%%	%%INLINE19%%	JWT	List alerts (filter: ?status=OPEN&severity=HIGH)
%%INLINE21%%	%%INLINE22%%	JWT	Get alert with AI explanation
%%INLINE23%%	%%INLINE24%%	JWT	Update case status and notes

Case update example

PATCH /api/v1/alerts/1/case
Authorization: Bearer <token>
{
  "status": "RESOLVED",
  "caseNotes": "Verified with customer. Legitimate business transfer. Closed."
}

---

Audit Reports

Method	Path	Auth	Description
%%INLINE25%%	%%INLINE26%%	JWT	Generate regulatory audit report

GET /api/v1/audit/report?from=2026-05-01&to=2026-05-11
Authorization: Bearer <token>

Returns event counts, alert counts, and a full chronological audit trail suitable for HIPAA / PCI-DSS submission.

---

How to Run

Prerequisites

• Java 25+
• Maven 3.9+
• (Optional) OpenAI-compatible API key for live AI analysis

Run with embedded H2 (zero config)

cd solutions/2026-05-11-veritasflow-api
mvn spring-boot:run

Server starts on http://localhost:8080.

Run with real LLM

mvn spring-boot:run \
  -Dspring-boot.run.jvmArguments="\
  -Dveritasflow.llm.api-key=sk-... \
  -Dveritasflow.llm.model=gpt-4o-mini"

Run with PostgreSQL

mvn spring-boot:run \
  -Dspring-boot.run.jvmArguments="\
  -Dspring.datasource.url=jdbc:postgresql://localhost:5432/veritasflow \
  -Dspring.datasource.username=veritasflow \
  -Dspring.datasource.password=secret \
  -Dspring.jpa.hibernate.ddl-auto=update"

Compile only

mvn clean compile

Quick demo sequence

# 1. Get token
TOKEN=$(curl -s -X POST http://localhost:8080/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"admin123"}' | jq -r '.token')

# 2. Create a compliance rule
curl -X POST http://localhost:8080/api/v1/rules \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"Wire Transfer Limit","ruleText":"Flag any wire transfer over $10,000 to offshore accounts.","category":"FINTECH"}'

# 3. Ingest a suspicious event
curl -X POST http://localhost:8080/api/v1/events \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"eventType":"WIRE_TRANSFER","entityId":"CUST-001","amount":95000,"currency":"USD","payload":"{\"destination\":\"offshore\"}"}'

# 4. Check alerts (wait ~1s for AI agent)
curl http://localhost:8080/api/v1/alerts \
  -H "Authorization: Bearer $TOKEN"

# 5. Generate audit report
curl "http://localhost:8080/api/v1/audit/report?from=2026-01-01&to=2026-12-31" \
  -H "Authorization: Bearer $TOKEN"

---

Business Analysis

Market

• TAM: $25B+ compliance & fraud management software market (2026 est.)
• ICP: Mid-market Fintechs (Series B+) and Healthtech SaaS vendors facing regulatory pressure

Monetization

Tier	Events/month	Rules	Price
Starter	100K	10	$499/mo
Growth	1M	50	$1,999/mo
Enterprise	Unlimited	Unlimited	Custom

Competitive moat

1. Natural-language rules — no engineers needed to update compliance logic
2. AI explanations — every alert explains why, reducing analyst time by 70%+
3. Audit trail — one-click HIPAA / PCI-DSS reports replace weeks of manual work
4. Vertical focus — purpose-built for regulated industries, not a generic rules engine

Key risks

• LLM latency / cost at scale → mitigated by async processing + caching frequent rule sets
• Regulatory liability for false negatives → product is a decision-support tool; humans close cases
• OpenAI dependency → LLM provider is configurable; heuristic fallback always active

---

References

• Build MVP Fast — AI Agent SaaS Ideas for Fintech/Healthtech
• Spring Boot 4.0 Reference
• Spring Security 6 JWT Guide
• JJWT 0.12.x Migration Guide
• Java 25 Virtual Threads (JEP 444)
• OpenAI Chat Completions API