Nautilus SPMS — Requirements & Features Specification

This document formalizes the requirements and feature set implied by the April 2026 Cruise SPMS Platform Analysis, augmented with the live NT Maritime product line and the deployed Heimdall analytics platform. It is the working requirements baseline for Nautilus; the source analysis remains authoritative on scope. When a requirement here and the analysis document disagree, resolve the conflict and update whichever is wrong.

v0.16 changes (2026-04-20):

• OQ-22 resolved (subject to legal sign-off): bus + agent contract → Apache 2.0; Signal-Protocol library → AGPL-3.0-with-linking-exception (libsignal pattern); PSI module → Apache 2.0.
• OQ-23 resolved (framework): vendor shortlist Least Authority + Trail of Bits paired primary, NCC Group fallback. Three-phase scope (PSI → Signal-Protocol → multi-tenant + JWT). Realistic total $250–400k (earlier $100–300k estimate was low). ~8–9 months from quote to all audits complete.
• §14 Tier-A descriptions updated with specific per-artifact licenses.
• New §15.7 Pre-publish specialist audit commitment — codifies the audit scope, budget, partners, and the practice of publishing audit reports alongside releases.
• CLAUDE.md licensing section updated to reference Tier-A per-artifact licenses + audit commitment.

v0.15 changes (2026-04-20):

• OQ-18 resolved: commercial smart displays (Samsung Tizen / LG webOS) primary; NUC + commercial display for interactive kiosks; BrightSign HTML5-URL mode for retrofits. Roku / RPi / Android-box rejected.
• Domain 15.C platform foundation: the existing NT Connect signsync codebase (~/src2/signsync) is extended as the Nautilus signage CMS + device-health platform. CMS core retained; Roku-only coupling, single-tenancy, synchronous pull, Firebase Auth, and zero-test posture rewritten.
• 10 new features F-D15-81..90 itemizing the signsync extension (player-agnostic device contract, multi-tenant isolation, Zitadel OIDC migration, NATS listener layer, emergency-override priority playlist, Quanta AI slot prioritization, per-zone targeting, offline-first onboard, multi-language rotation, tests + CI + observability).
• New §6.16 — Signage platform (NFR-180..186): codifies the signsync extension commitments.
• CLAUDE.md NT Connect product list — signsync added as a sibling product being extended for Nautilus.

v0.14 changes (2026-04-20):

• OQ-17 resolved: unicast HLS/DASH with per-vessel origin cache as default. Multicast / multicast-ABR remain optional transport-layer optimizations for bandwidth-constrained vessels — not architecturally incompatible with PWA or BYOD (multicast-to-unicast gateways solve both; earlier v0.14 draft language overstated this).
• F-D15-22 updated — HLS primary, DASH secondary, per-vessel origin cache, EME DRM.
• New §6.15 — Media delivery (NFR-170..178): HLS/DASH primary, per-vessel Nginx+Varnish cache, Shaka Packager pipeline, EME DRM, LL-HLS ~2 s target, 10 Gbps recommended backbone (1 Gbps with optimization layer), multicast-ABR as opt-in optimization, content-provider compatibility requirement, smart-TV renderer path.

v0.13 changes (2026-04-20):

• OQ-21 resolved: Topology 4 — shore full Heimdall + onboard quantized SafeSpace tier on every vessel. INT8 DeBERTa on CPU / L4-class small GPU; CSAM + grooming + NSFW + toxicity + URL scan + profanity run onboard regardless of shore link. Narrative flow / influence / sentiment / summaries stay shore-side.
• OQ-26 resolved: launch single-region shore; Phase 5+ per-region shore SafeSpace + single consolidation region for Enterprise / Studios with metadata-only cross-border flow.
• FR-18 broadened: onboard CSAM detection (not just shore); per-jurisdiction reporting routing (NCMEC / IWF / BKA / eSafety Commissioner / INHOPE) not just NCMEC-only.
• New §6.14 — Heimdall deployment topology (NFR-150..159): onboard module, conservative thresholds, signed weights, model-update bus subject, immutable audit trail, re-scoring on reconnect, Celery-to-NATS bridge, hardware floor (8 CPU / 16 GB or L4), regional topology for multi-tenant, per-jurisdiction reporting routing.
• CLAUDE.md Domain 13 nudged to reference the Heimdall topology.

v0.12 changes (2026-04-20):

• OQ-14 deferred, not resolved. CRS adapter spec is not authored until real CRS API documentation is in hand (Versonix Seaware developer docs or equivalent). Premature design risks baking in wrong assumptions. Phase 1 unblocked via a MockCRSAdapter (F-D2-01a) that generates representative booking / manifest / cabin-assignment events.
• F-D2-01 updated to reference the CRSAdapter interface explicitly (authored in Phase 2, not Phase 1); new F-D2-01a ships the mock adapter in Phase 1.
• OQ-24 updated to note CRS is explicitly not on the Tier-C authoring queue until unblocked.

v0.11 changes (2026-04-20):

• OQ-12 resolved: per-tenant single-region pin (Stance A) + data minimization with crypto-erasure + jurisdiction-aware retention (Stance C), layered. GDPR-grade controls as the global default regardless of tenant region. Multi-region per-tenant deferred to Phase 5+.
• New NFR group 6.13 — Privacy, data residency & DSR (NFR-140..149). Region pinning, GDPR-grade baseline, crypto-erasure, per-category retention, cross-border transfer mechanisms (SCCs + adequacy), DPIA at tenant onboarding, DSR API semantics, special-category consent, maritime legal layer as operational pack, no-secondary-use-without-consent.
• F-D1-09 expanded into a concrete DSR API surface (access / rectify / erase / port / restrict / object) with audit trails and jurisdictional SLAs.
• New OQ-26: Heimdall region strategy (per-region / single-region + SCCs / hybrid); blocks Phase 4.
• CLAUDE.md Architecture Pillar 10 added — Privacy by design, GDPR-grade everywhere.

v0.10 changes (2026-04-20):

• OQ-10 resolved: vendor-agnostic PaymentProcessor adapter in Domain 3. Ship with Stripe reference adapter (Phase 2 velocity, Apache-2.0 SDK, Connect for multi-tenant). Add Adyen adapter on-demand. Per-tenant sub-merchant model (Stripe Connect / Adyen for Platforms), not platform-as-merchant — keeps Nautilus out of money-transmission licensing.
• NFR-21 tightened: no raw PAN / CVV / magstripe / PIN / chip track anywhere in Nautilus; domain code MUST route through the adapter, not vendor SDKs directly.
• New Domain 3 features F-D3-11 (embark-auth), F-D3-12 (incremental auth), F-D3-13 (network tokens + account updater), F-D3-14 (chargeback evidence pack).

v0.9 changes (2026-04-20):

• OQ-09 resolved: Kong Gateway OSS v3.7+ (Apache 2.0), shore and onboard. DB-less mode onboard; Zitadel OIDC via community plugin; Prometheus + OpenTelemetry plugins; declarative config via decK in GitOps. Kong fronts Heimdall (NFR-125). Cloud-native managed gateways rejected (don't run onboard).
• New NFR section 6.12 — API gateway (Kong) (NFR-120..129).
• New OQ-25: future evaluation of Cilium Gateway API as a Phase 4–5 consolidation option.

v0.8 changes (2026-04-20):

• OQ-08 resolved: no separate service mesh in Phase 1–3. Cilium v1.16+ is the CNI and delivers the mesh's day-one value (WireGuard pod-to-pod encryption, identity-based policy via CiliumNetworkPolicy, eBPF kube-proxy replacement, Hubble flow observability) without sidecar overhead. App-layer observability via OpenTelemetry SDKs (mandatory). Linux kernel 5.15+ required on K3s nodes.
• New NFR group 6.11 — Networking, CNI & in-cluster observability (NFR-100..109).
• NFR-20 rewritten to reflect Cilium + NATS + Kong + cert-manager architecture instead of presupposing Linkerd/Istio.
• Tech-stack row in CLAUDE.md updated from "Service mesh" to "CNI + encryption + policy + observability" (Cilium).

v0.7 changes (2026-04-20):

• OQ-07 resolved: Postgres-only (CNPG v17.2 + JSONB), inheriting the r360-infrastructure pattern. No document store in the Nautilus AGPL tree.
• New NFR group 6.9 — Data storage & replication topology (NFR-80..88). Tiered replica counts (shore 3-instance sync quorum; onboard safety/revenue-critical 2-instance sync-preferred; onboard operational 1-instance; optional shared onboard cluster with per-service databases). Ship↔shore sync via NATS events, not Postgres streaming. PgBouncer + postgres_exporter mandatory.
• New NFR group 6.10 — Secrets management & supply-chain hygiene (NFR-90..94). No secrets in git; Vault + External Secrets Operator; per-tenant overlays in private repos; CI secret-scanning; dependency license audit.
• Tech-stack table in CLAUDE.md updated to match.

v0.6 changes (2026-04-20):

• New Section 14 — Integration Architecture. Three-tier model codified: Tier A open primitives (NATS + Quanta agent contract; Signal-Protocol crypto library; PSI module) to be open-sourced; Tier B closed services (Quanta application services; ConnectOne; CallCraft; Heimdall) stay commercial; Tier C documented interfaces let third parties integrate legacy systems (ship PBXs, iTV head-ends, signage) without replacing them. Retrofit-first posture matches the real cruise-fleet situation.
• New OQs: OQ-22 Tier-A licensing, OQ-23 crypto-audit vendor, OQ-24 interface-spec authoring queue.
• First Tier-C spec published: docs/integrations/ship-pbx.md (ship-PBX ↔ Nautilus bus integration).

v0.5 changes (2026-04-20):

• Comms product naming clarified. The NT Connect comms platform is ConnectOne (working name — subject to change). ConnectOne is the umbrella: Cloud PBX (Domain 14.E) + maritime specialization (Domain 14.F) + voice/video transport (signaling + media). CallCraft is the AI-voice surface inside ConnectOne — the piece that hosts AI agents, AI Notes, voice ordering, concierge intents, emergency AI-guided mustering. All previous doc references that conflated the two have been split.
• Implementation details removed from the public spec. Named third-party media/signaling vendors have been dropped from the requirements doc. OpenSIPS and SIP B2BUA are documented as roadmap for ConnectOne's signaling layer; current-state vendors are treated as implementation detail, not specification.
• OQ-01 resolved. Bus = NATS JetStream with Quanta's agent contract (see Section 13).

v0.4 changes (2026-04-18):

• Domain 14 expanded with 14.E Cloud PBX Platform (full PBX feature set per NT Connect netTALK PBX — virtual receptionists, ring groups, call recording, advanced forwarding, E911, RoboAgent spam filter, hot-desking, TALK + PBX App, SIP trunking, NIST SP 800-171 compliance) and 14.F Maritime PBX Specialization (4,000+ extension hospitality scale, cabin-as-extension, fleet-wide federation, PA/GA tiers, accessibility handsets, wake-up + DND, folio-bound billing, parental childcare devices, legacy TDM/Avaya bridging via PRI handoff).
• Section 15 — Licensing added: source released as AGPL-3.0 with optional commercial license for tenants needing closed distribution / proprietary derivatives.
• Companion document docs/marketing-overview.md created from this spec.

v0.3 changes (2026-04-18):

• Heimdall rescoped to the actual product surface at heimdall.nooz.ai: 900M-param DeBERTa-v3-large multi-task model with 56 manipulation-technique heads, 16 narrative-flow patterns, 8 stealth-propaganda analyzers, 12 content-safety plugins (toxicity, NSFW, CSAM via PhotoDNA + Thorn with NCMEC reporting, 4-analyzer grooming detection, video moderation, URL scanning), 4 audience tiers (COPPA / Teen / General / Relaxed), Signal-to-Noise score, 5-Pathway Influence score, "At a Glance" summarization (local Gemma 4). See FR-13, FR-17–FR-20, Domains 14/15, integrations, and OQ-02.
• Relate-360 reference removed from architecture inspiration — public site (relate-360.com) is a consumer family app, not a CDP/CRM. See OQ-20.

v0.2 changes (2026-04-18):

• Message bus is Quanta (not NATS JetStream); see FR-02 / FR-03 / FR-09 and Section 13. Conflicts with current CLAUDE.md Pillar 2 — see Open Question OQ-01.
• Domain 14 broadened from CallCraft transport to Unified Crew & Guest Communications (voice, video, messaging, push-to-talk, voicemail, omnichannel federation) — modeled on NT Maritime GuestApp + CrewApp.
• Domain 15 extends cabin iTV to first-class video-call endpoint (passenger-to-passenger, passenger-to-crew, telehealth video consults).
• New Domain 16 — Telehealth & Location Intelligence (BLE location services, contact tracing, occupancy heatmaps, telemedicine), modeled on NT Maritime Health.

1. Purpose & Scope

1.1 Purpose

Define, at a level sufficient for implementation planning, the functional and non-functional requirements of Nautilus, NT Connect Holdings' next-generation Shipboard Property Management System (SPMS).

1.2 In scope

• Shipboard property management across 15 bounded domains (Section 5).
• Shore-side administration, fleet management, and HQ intelligence.
• Guest-facing digital touchpoints (mobile, iTV, kiosk, signage).
• AI-native capabilities via Quanta; voice-native capabilities via ConnectOne (with CallCraft providing the AI-voice surface inside it).
• Multi-tenant, white-label operation for multiple cruise operators.

1.3 Out of scope (for v1)

• Full replacement of Central Reservation Systems (CRS) — Nautilus integrates with Versonix Seaware / Infor / equivalent, does not replace them.
• GDS origination (distribution) — integration only.
• Shipboard navigation/bridge systems — Nautilus consumes GPS/marine data but does not control navigation.
• Casino game engines — Nautilus interfaces with casino cash management only.

1.4 Competitive context

Nautilus is benchmarked against Oracle Hospitality Cruise (SPMS), MXP / MarineXchange, and Otalio. Feature parity minimums and differentiators are called out per domain.

2. Stakeholders & Primary Personas

3. Requirement & Feature Identifiers

• FR-XX: Functional requirement (system-wide).
• NFR-XX: Non-functional requirement.
• F-D{n}-XX: Feature belonging to Domain n (1–15, per Section 5).
• Priority (MoSCoW): M = Must, S = Should, C = Could, W = Won't (v1).
• Phase: 1–6 per the analysis doc phasing.

4. System-Wide Functional Requirements

5. Domain Features (Functional)

Domain 1 — Identity & Guest Profile

Per OQ-20 (resolved 2026-04-18), the data model is designed from scratch (cruise-specific requirements don't fit any off-the-shelf CDP cleanly), but borrows four pillars from Relate-360: Connection Mapping, Relationship Discovery, Story Sharing, and Authentic Identity / no-noise (closed network, no bots, no algorithmic feed in the social surface, no third-party advertising in identity-bound spaces).

1.A — Core identity & profile

1.B — Relationship graph (Relate "Connection Mapping" / "Relationship Discovery")

1.C — Story sharing (Relate "Story Sharing", privacy-first)

1.D — Trust principles (Relate "Authentic Identity / no noise")

Decision (OQ-20): Domain 1 is designed from scratch; Relate-360 inspiration lives in the four pillars above.

Domain 2 — Reservation & Check-in

Domain 3 — Onboard Accounts & Billing

Domain 4 — Point of Sale (POS)

Domain 5 — Gangway & Access Control

Domain 6 — Safety & Muster

Domain 7 — Dining & Restaurant

Domain 8 — Shore Excursions & Activities

Domain 9 — Spa & Wellness

Domain 10 — Crew, HR & Payroll

Domain 11 — Materials & Supply Chain

Domain 12 — Fleet Management & HQ Intelligence

Domain 13 — Quanta AI Services (differentiator)

Domain 14 — Unified Crew & Guest Communications (ConnectOne platform)

Modeled on NT Maritime's deployed product line — GuestApp (passenger voice/video/messaging over ship WiFi), CrewApp (role-based PTT/voice/chat — Cunard Queen Anne replacement of DECT), and the Hospitality PBX/PA/signage stack — and delivered by ConnectOne (NT Connect's comms platform; Cloud PBX + voice/video transport; SIP signaling with B2BUA / OpenSIPS on the roadmap). CallCraft is the AI-voice surface inside ConnectOne: it hosts the AI-voice agents that join calls/rooms (AI Notes, voice ordering, concierge intents, emergency AI-guided mustering). All signaling and state events ride the Quanta bus (NATS JetStream) using Quanta's agent contract (AGENT_MESSAGES / AGENT_RESPONSES).

14.A — Crew communications (CrewApp pattern)

14.B — Guest communications (GuestApp pattern)

14.C — Omnichannel external messaging

14.D — Telephony infrastructure (transport)

14.E — Cloud PBX Platform (full feature set)

Nautilus ships the full Cloud PBX half of ConnectOne — equivalent in scope to NT Connect's netTALK Business PBX, a feature-rich, customizable, contract-free business phone platform — extended for ship deployment. PBX is delivered as a managed cluster (shore + onboard nodes) and provisioned per-tenant per-vessel. End-user clients are SIP phones, ATAs, the TALK app, the PBX App (iOS + Android), the cabin handset, the iTV (ConnectOne endpoint), and the GuestApp / CrewApp.

14.F — Maritime PBX Specialization (ship-specific)

Cruise vessels impose constraints no enterprise PBX handles natively — connectivity over VSAT/Starlink with planned and unplanned outages, room=extension hospitality model, ship-wide PA tiered against general alarms (GA), regulatory PA priority during muster, accessibility handsets, parent↔childcare devices, and fleet-wide federation. 14.F is the layer on top of the Cloud PBX core.

Domain 15 — Guest Mobile App, Cabin TV & Digital Touchpoints

15.A — Mobile, kiosk, mobile-only

15.B — Cabin Interactive TV (iTV) — full-service in-cabin platform

The cabin TV is treated as a first-class Nautilus touchpoint, not a third-party IPTV add-on. It runs the same React PWA as mobile/kiosk in a TV form factor and acts as: entertainment hub, cruise-info portal, transactional surface (folio / ordering / booking), video-call endpoint, and the guest-facing controller for the cabin Guest Room Management System (GRMS). Hardware integration with the cabin GRMS (HVAC, lighting, drapes, safe, minibar, door lock) is via a pluggable adapter — see OQ-16.

15.B.1 — TV / entertainment

15.B.2 — Cruise info & wayfinding

15.B.3 — Transactional & service

15.B.4 — Cabin / room control (GRMS via iTV)

15.C — Fleet-wide Digital Signage (synced to F&B, activities, excursions, voyage)

A single signage management surface drives every screen on the ship — entrance signs, deck-by-deck wayfinding, restaurant menu boards, activity boards, excursion desks, theater frontages, pool deck displays, gangway boards, and crew areas. Content is event-driven from the source domains (no double entry): when a menu, schedule, or excursion availability changes in Domain 4 / 7 / 8 / 12, every relevant sign updates within seconds via the Quanta bus.

Platform foundation: signsync (extended). Domain 15.C is implemented by extending the existing NT Connect signsync platform (~/src2/signsync — Next.js 15 + Postgres + Drizzle ORM; ~510-commit production codebase with CMS, device health monitoring, schedule filtering, composition generation). signsync's CMS core + device-fleet model are retained; player coupling (currently Roku-only), single-tenancy, and synchronous-pull integration pattern are rewritten. Extension work itemized as F-D15-81 through F-D15-90.

Domain 16 — Telehealth & Location Intelligence (NT Maritime Health pattern)

Modeled on NT Maritime's Health product (deployed on Disney Cruise Line) and its location-services / contact-tracing platform. Splits cleanly from Safety & Muster (which is regulatory/operational): this domain is the medical-care + location-data product surface.

16.A — Telehealth

16.B — Location services & contact tracing

6. Non-Functional Requirements

6.1 Availability & resilience

6.2 Performance / scale

6.3 Security & compliance

6.4 Tenancy & branding

6.5 Observability

6.6 Deployability

6.7 Usability

6.8 Hardware independence

6.9 Data storage & replication topology

6.10 Secrets management & supply-chain hygiene

6.11 Networking, CNI & in-cluster observability (Cilium)

6.12 API gateway (Kong)

6.13 Privacy, data residency & DSR

6.14 Heimdall deployment topology

6.15 Media delivery (IPTV + VOD)

6.16 Signage platform (extended signsync)

7. Integrations

8. Constraints

1. Technology choices are partially pre-committed by the NT Connect stack — Quanta (bus + AI fabric), Zitadel, ConnectOne (PBX + voice/video transport), CallCraft (AI-voice inside ConnectOne), Heimdall, RKE2/K3s, Harvester HCI, Starlink/VSAT.
2. Frontends are PWA-first — POS/kiosk/iTV must share the React PWA codebase. Native mobile is React Native. No separate per-form-factor apps.
3. Offline must not be an afterthought. Every onboard design review asks "what happens with no shore link?" before approval.
4. No shared schemas between domains. Domain services own their data.
5. Phasing gates are real. Phase 1 foundation (NATS, Zitadel, K8s, CI/CD, Identity, Reservation) precedes all revenue-producing domains.

9. Assumptions

1. Quanta, ConnectOne, CallCraft, and Heimdall are available for integration in line with the phasing plan — their teams are NT Connect stakeholders, not external vendors.
2. At least one cruise operator will serve as launch tenant / anchor customer; their real operational data is the validation case.
3. Shipboard hardware refresh (tablets, readers, smart TVs, cabin SIP endpoints) is funded per-vessel as part of onboarding each ship.
4. VSAT bandwidth is sufficient for nominal ship↔shore event streaming; design targets assume degraded/intermittent rather than zero connectivity as the common case at sea.
5. Regulatory reporting formats (SOLAS, ENOAD, EU-LISA) are stable enough to codify; changes are handled via release, not per-vessel patching.

10. Out of Scope (v1, revisit later)

• Native bridge/navigation integration beyond consumption of GPS.
• Replacement of upstream CRS.
• Full native casino game-engine integration (Nautilus handles cashbook only).
• Third-party integrations beyond those listed in Section 7.
• Advanced BI / data-warehouse product (analytics are operational, not a separate BI suite).

11. Phasing Summary

12. Competitive Differentiators (targets, not features)

These are the outcomes that justify building Nautilus at all. If a design choice would weaken one of these, reconsider the choice.

13. Open Questions

These need resolution before the relevant phase begins.

1. OQ-01 — Quanta bus protocol & contract. Resolved 2026-04-20. Bus = NATS JetStream (NATS v2.10+, -js enabled) — exactly as used in production by Quanta, Related, and ConnectOne / CallCraft. Agent integration follows Quanta's contract as documented at ~/src2/experimental/quanta/chat/05-nats-messaging.md: AGENT_MESSAGES (workqueue retention) + AGENT_RESPONSES (ingest) streams, cross-account JetStream sourcing for tenant isolation, agent JWT carrying type: 'agent', capability validation. Wire protocol, throughput, durability, and ship↔shore federation semantics are whatever NATS JetStream gives us — no custom transport.

2. OQ-02 — Heimdall API contract. Public marketing surface at heimdall.nooz.ai (© 2026 NT Connect Holdings) documents the engine and plugin set. Need: actual API endpoints, auth model, per-tenant rate limits, latency SLOs at expected Nautilus volumes, schema for content-safety verdicts vs sentiment vs influence scores, GPU footprint required for the 900M-param model (shore-only? per-vessel for offline? quantized fallback?), and onboard / offline behavior when the shore Heimdall is unreachable. Blocks Phase 4 (FR-13, FR-17–FR-20).

3. OQ-03 — Omnichannel messaging federation. NT Maritime exposes sms / viber / telegram / apple channels via *.omni.nettalkmaritime.com-style addressing. Need: which providers Nautilus reuses vs re-implements, per-channel cost model, regulatory implications (10DLC, sender ID, regional bans), and unified-thread merging rules. Blocks Phase 3 (FR-14).

4. OQ-04 — BLE wearable + gateway vendor. NT Maritime Health uses BLE wearables + strategically placed gateways (Disney deployment). Need: vendor SKU choice, per-vessel hardware budget, opt-in UX, GDPR posture, retention policy. Blocks Phase 4 (FR-15).

5. OQ-05 — Telehealth clinician network. Onboard medical is in-house; shore-side specialty consults need a clinician-network partner with maritime / multi-jurisdiction licensing. Blocks Phase 4 (FR-16).

6. OQ-06 — Cabin TV form factor & input. Choose: COTS smart TV running PWA in browser, smart TV + STB, or smart TV + paired mobile-as-remote. Affects hardware standard NFR-70 and Domain 15.B feature set. Blocks Phase 3.

7. OQ-07 — Document store. Resolved 2026-04-20. Postgres-only for Nautilus. PostgreSQL v17.2 deployed via CloudNativePG (CNPG) operator (inheriting the NT Connect pattern proven in production for Related and Quanta per ~/src2/experimental/related/r360-infrastructure). JSONB handles flexible-schema needs (voyage journal, preferences, menus, excursion catalogs, tenant configs). No document store in the AGPL Nautilus distribution. (Note: MongoDB Atlas is used elsewhere in the NT Connect stack — specifically by Heimdall's article-ingest service for deeply-nested versioned analysis documents — but Heimdall is closed-source, so its SSPL/Atlas licensing doesn't contaminate Nautilus.)

8. OQ-08 — Service mesh. Resolved 2026-04-20. No separate service mesh in Phase 1–3. Cilium v1.16+ is the CNI and carries WireGuard transparent encryption (NFR-101), identity-based CiliumNetworkPolicy authorization (NFR-102), eBPF kube-proxy replacement (NFR-103), and Hubble flow observability (NFR-104) — covering the mesh's day-one value without sidecar tax. App-layer observability comes from OpenTelemetry SDKs (NFR-105). Revisit in Phase 4–5 only if direct service-to-service HTTP/gRPC develops needs Hubble + Kong + OTel + ArgoCD Rollouts cannot satisfy; first option then is Cilium Service Mesh (continues the same CNI), Linkerd as fallback (NFR-109). See §6.11.

9. OQ-09 — API gateway. Resolved 2026-04-20. Kong Gateway (OSS, Apache 2.0) — shore and onboard. Inherits the NT Connect r360 pattern; AGPL-clean; Zitadel OIDC integration via community plugin; DB-less mode onboard to minimize vessel footprint; decK declarative config fits the GitOps pattern. See §6.12. Cloud-native managed gateways (OCI / AWS / Azure) were rejected because they do not run onboard — Nautilus needs one gateway that works shore and onboard, and cloud-managed options only cover shore. A future evaluation of Cilium Gateway API (Envoy-based, already part of the Cilium CNI) is tracked as OQ-25; revisit in Phase 4–5 once Cilium Service Mesh L7 features mature and if consolidation becomes attractive.

10. OQ-10 — Payments. Resolved 2026-04-20. Vendor-agnostic payment-adapter abstraction. Domain 3 (Onboard Accounts & Billing) defines a PaymentProcessor interface; adapters implement it per vendor. Ship with Stripe as the reference adapter (developer experience accelerates Phase 2 velocity; Stripe Connect covers multi-tenant sub-merchant flows; AGPL-compatible Apache-2.0 SDKs). Add an Adyen adapter when a tenant requires it (enterprise cruise lines, APAC-heavy operations, or existing Adyen relationships). Per-tenant adapter choice at provisioning time; Nautilus does not mandate one processor. Payment orchestration layer (Primer / Basis Theory / Spreedly) deferred unless multi-processor routing emerges as a concrete need. Tenant contract model: each tenant is a sub-merchant under its own merchant-of-record relationship (Stripe Connect / Adyen for Platforms), not platform-as-merchant — keeps Nautilus out of money-transmission licensing.

11. OQ-11 — Launch tenant. Who is the anchor customer? All Phase 1–3 scope decisions are easier with a real operator's data and calendar.

12. OQ-12 — Data residency. Resolved 2026-04-20. Per-tenant single-region pin (Stance A) + data minimization with crypto-erasure + jurisdiction-aware retention (Stance C), layered. Each tenant picks one primary shore region at provisioning (EU / UK / US / AU / SG / BR / LATAM as initial set; more on-demand). GDPR-grade controls as the global default (highest common denominator). Crypto-erasure as the defensible mechanism for non-deletable stores (backups, audit logs, WAL archives). Per-category retention policy service extends NFR-25's passport-only scope to all PII categories. Cross-border transfers use SCCs + adequacy decisions; ship↔shore is a documented controlled transfer. Multi-region per single tenant deferred to Phase 5+ — architecture builds the region-pinning primitive in Phase 1, exercises it single-region until tenant demand justifies otherwise. Maritime legal layer (flag-state law at sea, port-state law in port, tenant-region law post-sync) is documented in a per-tenant onboarding legal pack — not Nautilus code. Detailed requirements in §6.13.

13. OQ-13 — Hardware standards. Tablet / reader / smart-TV / SIP-endpoint / wearable / gateway SKUs.

14. OQ-14 — CRS adapters at launch. Deferred 2026-04-20: a CRS adapter interface spec is not authored until real CRS API documentation is in hand (Versonix Seaware developer-portal access, sample anonymized booking payloads from a willing operator, or OpenTravel Alliance OTA_Cruise schemas as a floor). Premature design risks baking in wrong assumptions from general hospitality knowledge that won't survive contact with a cruise-specific API. Unblocking strategy: Domain 2 scaffolds against a MockCRSAdapter (F-D2-01a) that generates representative booking events for development, CI, and first-vessel dry-run testing. The real CRSAdapter interface and first reference adapter (almost certainly Versonix) get authored in Phase 2 once one of the information sources above is available. Promoted to Tier-C spec (docs/integrations/crs-adapter.md) at that point. Related to OQ-24 (interface-spec authoring queue).

15. OQ-15 — Regulatory reporting depth. Which jurisdictions' reports are v1 vs later?

16. OQ-16 — Cabin GRMS integration. Domain 15.B.4 assumes cabin lighting / HVAC / drapes / safe / minibar / door lock are reachable from the iTV via a Guest Room Management System adapter. Need: vendor / protocol choice (KNX, BACnet, DALI, vendor-proprietary), per-cabin retrofit cost, whether new-build vessels and existing vessels share the same adapter, and the abstraction the PWA renders against. Blocks Phase 3 (Domain 15.B.4).

17. OQ-17 — IPTV transport. Resolved 2026-04-20. Unicast HLS / DASH with per-vessel origin cache as the Nautilus default. Chosen for operational simplicity, standard EME DRM (FairPlay / Widevine / PlayReady), and single-pipeline-matches-PWA-pillar — not because multicast is architecturally incompatible with PWA or BYOD (multicast-to-unicast gateways solve both). Vessels with constrained backbones MAY deploy multicast or multicast-ABR (Synamedia / Broadpeak / OSS equivalents) as a transport-layer optimization without changing the app layer. Default ABR ladder + LL-HLS target latency ~2 s for live content (standard HLS 4-10 s acceptable for most cruise content). See §6.15. Coordinates with OQ-19 (VOD / IPTV content licensing) — content partners must support HLS/DASH + EME.

18. OQ-18 — Signage hardware standard. Resolved 2026-04-20. Primary: commercial smart displays running the Nautilus PWA natively (Samsung Tizen, LG webOS, Philips). One unit per screen (display + runtime combined); commercial-grade warranty; vendor fleet management (Samsung MagicInfo / LG SuperSign) or direct PWA URL. Secondary: NUC-class x86 + commercial display for interactive kiosks where touch + heavy JS + full Chrome matters (wayfinding, guest-service interactive). Tertiary: BrightSign retained for retrofits where already deployed — point at Nautilus PWA URL; do not buy new. Rejected: Raspberry Pi (not fleet-commercial), Android signage boxes (quality variance too high for 200-vessel operations), Roku (consumer-oriented; signsync's current coupling is a liability). Platform: extended signsync (see §6.16, F-D15-81..90) hosts the CMS + device-fleet-health model across all primary/secondary/tertiary player targets.

19. OQ-19 — VOD / IPTV content licensing. Maritime film/TV licensing is not the same as consumer streaming — confirm content partner (Swank Maritime / equivalent) and whether catalog is fleet-wide or per-tenant.

20. OQ-20 — Guest-identity / CDP baseline. Resolved 2026-04-18: option (c) — design Domain 1 from scratch, with inspiration drawn from the four Relate pillars (Connection Mapping, Relationship Discovery, Story Sharing, Authentic Identity / no-noise). Realized as Domain 1.B (relationship graph), 1.C (voyage journal & memories), 1.D (trust principles). Confirmed 2026-04-20 by code review of ~/src2/experimental/related/related-backend — the real relatedlabs-api (v1.9.36) is a genealogy + family-social product (deep FamilySearch integration, only friend / block edges, single-tenant, consumer-grade privacy). Not suitable as a direct baseline; the pillar-level inspiration remains the right framing. Reusable patterns: Postgres + Sequelize schema discipline, Circle + role + membership model (adaptable for crew/guest hierarchy), NATS cross-pod pub-sub, Helm + ArgoCD deployment boilerplate.

21. OQ-21 — Heimdall onboard / offline strategy. Resolved 2026-04-20. Topology 4: shore full + onboard quantized-safety-tier. Shore runs the full 900M-param DeBERTa-v3-large FP16 + all plugins + narrative-flow engine + Gemma-4 "At a Glance" + Enterprise / Studios tiers. Onboard runs an INT8-quantized SafeSpace-only module (CSAM, grooming 4-analyzer, NSFW, toxicity, URL scanning, profanity) on CPU or small GPU (NVIDIA L4-class, ~$2-3k per vessel vs ~$15-20k for A100). CSAM and grooming (FR-18, FR-19) run onboard regardless of shore link — legally defensible. Everything else (narrative flow, influence, sentiment, summaries) runs shore-side on reconnect. Onboard module is closed-source Tier B; Nautilus calls it through a published Tier-C interface. See NFRs 150–157 (§6.14). Celery-broker question for ingest's async pipeline: resolved by bridging to NATS via a Nautilus-side adapter — no separate RabbitMQ in the Nautilus tree.

22. OQ-22 — Tier-A licensing finalization. Resolved (subject to legal sign-off) 2026-04-20. Per-artifact licenses for the Tier-A open-source releases: Bus + agent contract (and SDK helpers) → Apache 2.0 (matches NATS upstream, Kong, cloud-native ecosystem default; explicit patent grant; trademark clause covers Quanta / ConnectOne marks). Signal-Protocol library + reference SDKs → AGPL-3.0-with-linking-exception (the libsignal pattern — crypto-community consensus; strong copyleft on library, permissive on linked apps; matches the reference implementation to avoid gratuitous divergence). PSI contact-discovery module → Apache 2.0 (matches Google's private-set-intersection reference; standard for crypto primitives; patent grant essential for PSI). Nautilus-the-application remains AGPL-3.0 (Section 15); Tier-C specs CC BY 4.0; conformance harnesses Apache 2.0 (Section 14). Still required: licensing-attorney sign-off on the AGPL-linking-exception wording + CLA alignment before first publish.

23. OQ-23 — Crypto-audit vendor & budget. Resolved (framework) 2026-04-20; vendor selection remains operational. Vendor shortlist: Least Authority (NL) + Trail of Bits (US) paired as primary; NCC Group (UK/US) fallback. Least Authority leads PSI (EU jurisdiction helps GDPR posture; prior Zcash / MobileCoin / Signal work); Trail of Bits takes Signal-Protocol + integration (larger capacity; strong C++ review). Cure53 considered but declined on capacity; boutique Web3-chasing auditors rejected (specialist bias mismatch). Three-phase scope: (1) PSI module — timing / cache / protocol correctness, 4–6 wk audit + 2 wk remediation, ~$60–120k; (2) Signal-Protocol library — Double-Ratchet / X3DH / key-derivation / session-store atomicity / test-vector compliance, 6–8 wk + 2–3 wk, ~$100–180k; (3) multi-tenant isolation + agent JWT lifecycle (10-year token lifetime flagged for review) — cross-account JetStream boundary, 3–4 wk + 2 wk, ~$50–100k. Plus ~20–30% remediation-reaudit contingency. Realistic total: $250–400k (earlier $100–300k estimate was low). Timeline: ~8–9 months from quote-request to all three audits complete. Bus + agent contract (Apache 2.0) can publish on a general code-review basis without specialist crypto audit. Operational next steps: source quotes from all three vendors; negotiate SOW; execute Phase 1 (PSI) first. Blocks Tier-A #2 and #3 publishes; does not block Tier-A #1.

24. OQ-24 — Interface-spec authoring queue (Tier C). Ship-PBX spec drafted (docs/integrations/ship-pbx.md). Next candidates in priority order: (i) Heimdall content-safety API; (ii) CallCraft agent contract (extends the Quanta agent contract with voice/video-session semantics); (iii) ConnectOne E911 + PA-GA + muster signaling; (iv) Tier-B Quanta keys-service protocol; (v) iTV GRMS adapter contract (OQ-16). Each spec takes 1–2 weeks to author + review. Publish as ready; no blocking dependencies. CRS adapter spec is explicitly NOT on this queue (see OQ-14) — deferred until real CRS API docs are available to validate against.

25. OQ-25 — Future evaluation of Cilium Gateway API as Kong replacement. Kong is the Phase 1–3 gateway (OQ-09). Cilium Gateway API (Envoy-based, already part of the Cilium CNI — NFR-100) is architecturally attractive for Phase 4–5 consolidation: unified CNI + gateway data plane, eBPF-accelerated, Hubble observability, no extra component. Evaluate when: (a) Cilium Service Mesh L7 features mature past where they are in 2026; (b) HTTP/3 or gRPC-heavy workloads emerge where Envoy's protocol coverage earns the migration; (c) Kong Enterprise-feature gating creates meaningful friction. No decision required before Phase 4.

26. OQ-26 — Heimdall region strategy. Resolved 2026-04-20. Launch: single-region shore Heimdall in the launch tenant's home region; onboard quantized SafeSpace module on every vessel (per OQ-21). Phase 5+ (multi-tenant, multi-region): evolve toward the hybrid — per-region shore SafeSpace as each new tenant region comes online (so safety-critical analysis stays in-region); single consolidation region for Enterprise / Studios / narrative scoring with metadata-only cross-border flow (content stays in tenant region; only hashes, embeddings, classification results, and aggregated metrics cross). SCCs + Transfer Impact Assessments cover the metadata flow. See NFR-158 (§6.14).

14. Integration Architecture (Open Primitives / Closed Services / Documented Interfaces)

Nautilus and its NT Connect sibling products follow a deliberate three-tier model. Understanding it is required to correctly scope Nautilus code, licensing, and third-party integration patterns (especially retrofitting onto vessels with legacy PBX / IT already aboard).

14.1 The three tiers

Tier A — Open primitives (published, permissively licensed)

• NATS JetStream + Quanta agent contract — stream definitions (AGENT_MESSAGES workqueue + AGENT_RESPONSES ingest), agent JWT schema, capability validation, cross-account JetStream sourcing for tenant isolation. Apache 2.0.
• Signal-Protocol crypto library — X3DH + Double Ratchet + session management + key-bundle format, compatible with what the closed Quanta keys-service + messaging-service run in production. Reference SDKs in TS / Kotlin-Java / Swift. AGPL-3.0 with linking exception (libsignal pattern; OQ-22 resolved).
• PSI (Private Set Intersection) contact-discovery module — C++ native module + protocol spec. Apache 2.0 (OQ-22 resolved; matches Google's PSI reference).

Tier B — Closed services (commercial NT Connect products, integrated via Tier-C interfaces)

• Quanta application services — auth, messaging-service, keys-service, websocket-gateway, push, media, group, admin, video, contact-discovery service wrapping the open PSI module.
• ConnectOne — full Cloud PBX + voice/video transport, maritime specialization.
• CallCraft — AI-voice surface (agents) inside ConnectOne.
• Heimdall — DeBERTa-based content safety, sentiment, analytics (see Section 7 / FR-13 / FR-17–FR-20).

Tier C — Documented interfaces (published, CC BY 4.0 for specs + Apache 2.0 for reference stubs and conformance harnesses)

Every bus-fronted or API-fronted closed service exposes a published interface spec so third parties can (a) integrate legacy systems against Nautilus / Quanta without replacing them, (b) build compatible open-source alternatives where desired, or (c) buy the NT Connect managed implementation off-the-shelf.

Published Tier-C specs include — at minimum:

• Bus subject contracts (event schemas, headers, ordering / delivery semantics per stream).
• REST / gRPC API contracts where the closed service exposes one.
• JWT claim schemas for bus auth (per integration type — agent, PBX bridge, admin, etc.).
• Conformance test harness so an integrator can run their implementation against a fake closed service locally.
• Reference stubs (minimal open implementations) for development and CI.

The first Tier-C spec, Ship-PBX Integration, is published at docs/integrations/ship-pbx.md. Additional specs land in docs/integrations/ as each integration surface is opened.

14.2 Why this split

1. Open the primitives where trust is cryptographic. Signal-Protocol + PSI are only credible when auditable. Keeping them closed caps Quanta's addressable market (regulated industries, privacy-sensitive verticals, government) and undercuts the security story.
2. Keep the service implementations where the commercial moat is operational. Running the auth + keys + messaging + media services at scale, with SLA, uptime, security-response, is where NT Connect earns. Opening the service code without opening the operational capability just lets competitors copy the easy parts.
3. Publish the interfaces where the integration pattern matters. Most cruise vessels arrive with a pre-existing PBX, a pre-existing iTV head-end, a pre-existing signage system. Nautilus deployments are retrofit-first in practice; greenfield is the exception. Tier-C specs make retrofit a day of work instead of a quarter.

14.3 Nautilus's relationship to the tiers

• Nautilus source is AGPL-3.0 (see Section 15) — application code, not library code.
• Nautilus depends on Tier-A libraries (Apache / MPL / AGPL-with-linking-exception): it imports them; AGPL-Nautilus using Apache-licensed libraries is a standard, non-controversial pattern.
• Nautilus integrates Tier-B services via Tier-C interfaces. No proprietary Tier-B SDKs in the Nautilus tree; all integration is at the published-spec level so forks that swap in alternative Tier-B implementations remain possible.
• Tenants choose their Tier-B operators. Default is NT Connect's managed services. Alternatives: bring-your-own-PBX (via docs/integrations/ship-pbx.md), bring-your-own-AI-voice (via the agent-contract spec), bring-your-own-Heimdall-equivalent (via the content-safety API spec).

14.4 Publishing sequence

Tier-C specs and Tier-A libraries publish in this order (lowest risk first):

1. Tier-C specs — interface definitions only. No crypto risk, no code-audit dependency. Can ship as soon as authored + reviewed.
2. Tier-A #1 — bus + agent contract — small, standards-play, Apache 2.0.
3. Tier-A #3 — PSI module — after specialist crypto audit (Trail of Bits / NCC Group / Least Authority class).
4. Tier-A #2 — Signal-Protocol library — largest; publish after audit + SDK maturation across at least three languages (TS, Kotlin-Java, Swift).

Tier-B services remain closed throughout.

14.5 Implications for OQ tracking

• OQ-01 (bus) is resolved (Section 13): NATS JetStream, Tier A.
• OQ-02 (Heimdall API contract) — the Tier-C spec for Heimdall lands in docs/integrations/heimdall.md when drafted.
• New: OQ-22 — Tier-A licensing finalization. Signal-Protocol library: AGPL-with-linking-exception vs MPL-2.0 decision; PSI module: Apache vs MPL. Blocks first Tier-A release.
• New: OQ-23 — Crypto-audit budget and vendor. Trail of Bits / NCC Group / Least Authority class. Blocks Tier-A #2 and #3.
• New: OQ-24 — Interface-spec authoring queue. Ship-PBX is drafted (docs/integrations/ship-pbx.md); next candidates: Heimdall content-safety API, CallCraft agent contract, ConnectOne E911 / PA-GA signaling, Tier-B Quanta keys-service protocol.

15. Licensing

Nautilus source is released under a dual-license model:

15.1 Open-source license — AGPL-3.0

• All Nautilus source code (every domain service, the React PWA, the React Native app, the iTV / kiosk / signage clients, infrastructure-as-code, Helm charts, documentation) is published under the GNU Affero General Public License, version 3 (AGPL-3.0).
• AGPL applies to network use: any organization deploying a modified Nautilus instance and offering it as a network service to third parties (passengers, crew, other tenants) must publish the corresponding modified source under the same AGPL-3.0 terms.
• Nautilus consumers (cruise operators, system integrators, partners) may run unmodified Nautilus internally without source-disclosure obligations beyond what AGPL otherwise requires.
• Third-party dependencies must be license-compatible (no GPLv2-only or proprietary components in the AGPL distribution).

15.2 Commercial license (optional)

• A commercial license is offered by NT Connect Holdings to tenants who:
  • want to ship a closed-source derivative (white-label SaaS, embedded OEM, vessel-firmware bundles),
  • cannot meet AGPL's network-use disclosure obligations (e.g., proprietary integrations whose source they cannot publish), or
  • require commercial terms (indemnification, support SLA, escrow, contractual roadmap influence).
• The commercial license is identical in code — same software, different rights — and includes commercial support, SLA, security patch guarantees, and indemnification.

15.3 Contributor License Agreement (CLA)

• External contributors sign a CLA assigning copyright (or a sufficient license back) to NT Connect Holdings so that the dual-license model remains viable.
• All inbound contributions land under AGPL-3.0; commercial relicensing is performed by the project maintainer.

15.4 NT Connect product dependencies

• Nautilus integrates Quanta, ConnectOne, CallCraft, and Heimdall as sibling NT Connect products via documented APIs.
• Whether those sibling products are themselves AGPL, commercially licensed, or hosted SaaS is out of scope for Nautilus's license; integration contracts (API + bus schema) are stable and documented.

15.5 Trademark

• "Nautilus", the Nautilus marks, and the cruise-operator white-label brand assets are not licensed under AGPL — they remain owned by NT Connect Holdings (or the respective tenant for their own brand assets).

15.6 Why dual-license

• AGPL maximizes ecosystem trust, third-party scrutiny, and adoption by integrators / academics / small operators.
• The commercial license keeps the path open for large operators with proprietary go-to-market constraints, and funds ongoing development.

15.7 Pre-publish specialist audit commitment

• The Signal-Protocol library and PSI contact-discovery module (Tier-A cryptographic code per §14) SHALL undergo independent specialist audit before first public release.
• Expected audit partners: Least Authority + Trail of Bits as paired primary; NCC Group as fallback (OQ-23 vendor shortlist).
• Audit scope covers: PSI timing / cache / side-channel analysis; Signal-Protocol wire-format compatibility + Double-Ratchet / X3DH / key-derivation correctness + session-store atomicity + test-vector compliance; cross-account JetStream multi-tenant isolation; agent JWT lifecycle (the current reported 10-year token lifetime is flagged for remediation before publish).
• Budget commitment: $250–400k across three phases + remediation re-audits (OQ-23).
• Audit findings + remediation history SHALL be published alongside the library releases — public audit reports are a marketing asset and a condition of credibility for Signal-Protocol-based crypto.
• Bus + agent contract (Apache 2.0, OQ-22 artifact (a)) does not require specialist crypto audit prior to publish; general code review + security-disclosure policy suffice.

16. Glossary