Leon Capital Group — Technology & AI Vertical

Leon Real Estate
Intelligence Platform

48 AI agents & specs (30 AI · 16 hybrid · 1 automation · 1 platform), grouped into six business functions. 4 tenant entities. One unified platform — from deal sourcing to investor reporting, built natively for Leon Capital's real estate verticals.

48
AI Agents & Specs
4
Tenant Entities
5
Deploy Waves
8
RBAC Roles
3
AI Tiers
⚡ Claude Enterprise — Tier 1 ☁️ Azure Container Apps 🔐 Entra ID + Clerk 🗄️ PostgreSQL RLS 🔁 LangGraph Orchestration 📊 dbt + MetricFlow
How It Works
From deal sourcing to investor reporting — in one platform
Every stage of the deal lifecycle is handled by purpose-built AI agents — with accounting/treasury and transactions/compliance running across all stages. No spreadsheet handoffs. No manual re-entry. Fully auditable.
🔍
1. Deal Sourcing
Off-market scanning, market-data synthesis, broker relationships, and deal scoring surface and rank opportunities
📊
2. Underwrite & Model
Rent rolls parsed, T12 normalized, UW models built, scenarios & AVM run, IRR/DSCR modeled
📋
3. IC & Closing
LOI, narrative, sensitivity tables and IC deck assembled; closing coordinated and on-time risk predicted
🏘️
4. Servicing & Asset Mgmt
Loans serviced, NOI gaps surfaced, leases abstracted, covenants and construction draws monitored continuously
📈
5. Portfolio & Investor Reporting
LP reports, board decks, covenant dashboards, and lender packages generated on cadence
Who Uses It
Built for every role across the deal lifecycle
Each role gets a curated view — only the modules, data, and actions relevant to their function
🏛️
Acquisitions Team
Submit deals, view scores, review LOI drafts, and track pipeline stage — without touching a spreadsheet. AI handles sourcing, scoring, and first-draft documents.
Deal Scoring LOI Drafting Market Comps IC Package
📐
Underwriters & Analysts
Receive pre-built UW models with parsed rent rolls and normalized T12s. Run stress tests and sensitivity tables in seconds. Focus on judgment, not data entry.
UW Models DSCR Testing T12 Normalizer Sensitivity
🔑
Asset Managers
NOI gap alerts surface automatically. Lease expirations and renewal probabilities tracked in real time. CapEx schedules maintained without manual updates.
NOI Gaps Lease Abstraction Renewals CapEx
📈
Portfolio & Finance
Cross-portfolio metrics aggregated from live data. Loan covenants monitored automatically. LP reports and lender packages generated on schedule — reviewed, not rebuilt.
Portfolio Metrics Covenants LP Reporting Lender Reports
⚖️
Legal & Compliance
PSA clauses extracted and flagged for review. Title commitments reviewed. Regulatory change feeds monitored. Insurance certificates tracked automatically across the portfolio.
PSA Review Title Review Regulatory Insurance
👔
Executive Leadership
Board decks assembled automatically from live data. Portfolio health visible at a glance. Deal pipeline and risk flags surfaced proactively — no prep work needed before reviews.
Board Decks Portfolio View Risk Flags Deal Pipeline
Platform Capabilities
Everything in one place, for every domain
From first deal submission to final LP distribution — AI handles the heavy lifting at every stage
🔍
Acquisitions Intelligence
Automated off-market sourcing, AI deal scoring, market comp synthesis, LOI drafting, and IC narrative generation. Cut time-to-LOI from days to hours.
📐
Underwriting & Valuation
IRR/NPV modeling, DSCR stress-testing, rent roll parsing, T12 normalization, and sensitivity tables — all built automatically from source documents.
🏘️
Asset Management
NOI gap analysis, lease abstraction, CapEx scheduling, renewal probability scoring, and tenant communication drafting across the managed portfolio.
📈
Portfolio Oversight
Live cross-portfolio metrics, loan covenant monitoring, variance attribution, automated lender reporting, and board-ready narrative generation.
⚖️
Compliance & Risk
Regulatory change monitoring (HUD, LIHTC, local codes), SEC 17a-4 WORM audit archive, lease compliance flagging, and insurance certificate tracking.
🤝
Transaction Support
PSA clause extraction, title commitment review, closing checklist orchestration, 1031 exchange calendar management, and disposition memo drafting.
🧠
Multi-Tier AI Orchestration
Three-tier AI model routing: Claude Enterprise for knowledge work, Claude API + LangGraph on Azure for agentic pipelines, air-gapped LLM for fund-sensitive data.
🔒
Tenant Isolation & Security
PostgreSQL RLS hard tenant boundaries, per-tenant Azure Key Vault (AES-256 CMK), OPA Rego policy enforcement, and Cloudflare One DLP inspection on every request.
By The Numbers
What the platform delivers
48
AI Agents & Specs
30 AI · 16 hybrid · 1 automation · 1 platform — across six business functions
4
Tenant Entities
CoE (Central), Multifamily, Industrial, and Healthcare — fully isolated
<2h
LOI to First Draft
From deal sourcing to attorney-reviewable LOI — fully automated
100%
Audit Coverage
Every LLM call, data access, and user action logged to WORM archive
6
Core Metrics
NOI, DSCR, LTV, Cap Rate, IRR, EM — governed definitions via MetricFlow
0
Public Endpoints
All infrastructure on Azure Private Link — no public-facing database or storage
Entity Coverage
Covering all Leon real estate verticals
Each entity is an isolated tenant with its own data boundary, key vault, and module access profile
🏛️
RE CoE (Central)
T-COE
Central hub — all functions across verticals, plus construction & development finance. All specs. Cross-vertical reporting and board deliverables.
🏠
RE Multifamily
T-MF
Rent roll intelligence, renewal scoring, HUD/LIHTC compliance, tenant communications.
🏭
RE Industrial
T-IND
Triple-net lease intelligence, tenant credit analysis, industrial market comps.
🏥
RE Healthcare
T-HC
Healthcare RE credit — MOB & healthcare facilities; healthcare-tenant credit, specialized leases, licensing compliance.
Technology Stack · 8 Layers

Platform Architecture

Full technology stack — 8 layers from user interface to compliance archive. Multi-tenant, Azure-hosted, AI-native design with OPA policy enforcement and per-tenant data isolation.

🏗️ 8 Architecture Layers 3 AI Deployment Tiers 🔒 OPA + RLS Isolation ☁️ Azure Container Apps
LAYER 1
Access &
Identity
Identity Plane — Auth, DLP, Session Management
In plain terms: The front door and security guard. It verifies who you are, confirms which business unit and data you're allowed to see, and blocks bad or unauthorized traffic before it ever reaches the platform.
Cloudflare (CDN · WAF · Workers · DLP · ZTNA · Bot Mgmt) Clerk (session tokens, MFA, org-scoped JWTs) Azure Entra ID (enterprise SSO, group sync) JWT with tenant_id + roles[] claims Azure PIM — JIT 4-hour TTL elevation
LAYER 2
API Gateway
& Proxy
Traefik v3 — Reverse Proxy on Azure Container Apps (replaces Azure APIM)
In plain terms: The traffic controller. Every request is routed to the right service, each business unit's traffic is kept separate, and usage is throttled and secured — like a smart switchboard for the whole platform.
Traefik v3 (cost-optimized vs APIM) Azure Container Apps (serverless, scale-to-zero) Rate limiting per tenant mTLS enforcement on all internal routes Header-based tenant routing Health checks + circuit breakers
LAYER 3
Orchestration
& Agents
LangGraph Agent Workflows — Stateful, Multi-step AI Pipelines
In plain terms: The workflow engine. It runs each AI agent through its steps in order, lets it use tools (read a document, pull data, do a calculation), and pauses for a person to review or approve whenever a human sign-off is required.
LangGraph (stateful graph-based orchestration) Azure Container Apps (agent execution environment) OPA (Open Policy Agent) Rego policy enforcement Tool use: code interpreter, web fetch, doc parser Human-in-the-loop interrupt nodes Retry + fallback routing
LAYER 4
AI & LLM
Tier
Three-Tier AI Deployment Model
In plain terms: The platform's “brains.” It picks the right AI model for each task and routes accordingly — everyday work on one tier, heavier agent workflows on another, and the most sensitive data on a private, locked-down model — always choosing the best option for cost and confidentiality.
Tier 1: Claude Enterprise / Cowork (knowledge work) Tier 2: Model-agnostic API — Claude / Gemini / open-weight (agentic pipelines) Tier 3: Air-gapped open-weight LLM — Gemma / Llama (Azure VNet, mTLS) Prompt caching for cost optimization Model-agnostic routing — best/cheapest model per task + sensitivity class
LAYER 5
Data Platform
& Integrations
Data Platform & Integrations — SS&C system of record + dbt + MetricFlow + DuckDB + Source Connectors
In plain terms: The single source of truth. It pulls data from SS&C (the core fund/loan system) and every other source, cleans and standardizes it, and computes the official numbers everyone relies on (NOI, DSCR, LTV, cap rate, IRR) so reports never disagree.
dbt Core (data transformation, lineage) MetricFlow (NOI, DSCR, LTV, Cap Rate, IRR, EM) DuckDB (in-process columnar analytics in agent containers) ADLS Gen2 Delta (WORM audit archive, SEC 17a-4) Apache Arrow (cross-engine data interchange) SS&C — core fund / investment / loan system of record (GlobeOp · Geneva · Precision LM) Source connectors: SS&C · Green Street · Crexi · Yardi · Argus · FRED · BLS · Census / HUD · M365
LAYER 6
Database
Layer
Azure Managed PostgreSQL Flexible Server — Per-Tenant RLS
In plain terms: The secure filing cabinet. Each business unit's data sits in its own locked drawer, so one vertical can never see another's information — even though they all run on the same platform.
Azure PostgreSQL Flexible Server (managed, HA) Row-Level Security (RLS) per tenant schema pgvector (embedding storage for semantic search) Connection pooling via PgBouncer Point-in-time restore, geo-redundant backup Azure Private Link (no public endpoint)
LAYER 7
Security
& Keys
Per-Tenant Key Vaults, Encryption, RBAC Enforcement
In plain terms: The vault and rulebook. Everything is encrypted, each business unit's keys are held separately, and a policy engine enforces exactly who is allowed to do what on every single action.
Azure Key Vault (one per tenant, AES-256 CMK) OPA Rego policy bundle (RBAC decision engine) Encryption at rest + in transit (TLS 1.3) Defender for Cloud (threat detection) Azure Policy (governance enforcement) Microsoft Sentinel (SIEM + SOAR)
LAYER 8
Observability
& Audit
Logging, Tracing, Compliance Archive
In plain terms: The flight recorder. It logs everything the platform does — for monitoring, troubleshooting, and a tamper-proof, regulator-ready audit trail of every action and AI decision.
Azure Monitor + Application Insights OpenTelemetry (distributed tracing) ADLS Gen2 WORM (SEC 17a-4 compliant immutable logs) LangSmith (LLM call tracing + prompt versioning) Alert rules: latency, error rate, cost anomaly
AI Deployment Tiers
Tier 1 — Claude Enterprise

Use case: Knowledge work, analysis, memo drafting, document review

Deployment: Anthropic-hosted Claude Enterprise subscription

Data sensitivity: Non-sensitive, general analytical work

Claude Opus 4.8Claude Sonnet 4.6Projects + Memory
Tier 2 — Model-Agnostic API + LangGraph

Use case: Agentic pipelines, multi-step workflows, tool-using agents

Deployment: Claude API / Google Gemini / open-weight models on Azure + LangGraph on Container Apps

Data sensitivity: Structured deal data, underwriting models

Claude · Gemini · open-weightLangGraphAzure Container AppsOPA enforcement
Tier 3 — Air-gapped Private LLM

Use case: Sensitive deal data, NDA-covered information, PII-adjacent records

Deployment: Azure VNet isolated open-weight LLM (Gemma / Llama), mTLS enforced, no external egress

Data sensitivity: Maximum — capital structure, investor PII, fund terms

Azure VNet isolationmTLSNo internet egress
Infrastructure · AI Tokens · GPU Compute

Platform Costs

Current open-source stack vs Azure-native alternatives — all infrastructure hosted on Azure. Includes model-agnostic AI token estimates (Claude API, Google Gemini, or open-weight models on Azure), Tier-3 GPU compute, and external data subscriptions (Green Street + Crexi; all government/census sources are free).

💰 Infra + AI (current stack): $425–1,755/mo 📊 Data + platform subs: ~$1,870–2,270/mo (Green St + Crexi) + SS&C (TBD) 🧠 Model-agnostic — best model per task (Claude / Gemini / open-weights)
Scope: All servers and infrastructure hosted on Azure. Costs below reflect Azure-hosted deployment for both the current open-source stack and full Azure-native alternatives. AI token costs apply to both scenarios equally.
1. Infrastructure — Current Stack vs Azure-Native
Component Current Choice Current Cost/mo Azure-Native Alternative Azure-Native Cost/mo Δ Cost Notes
API Gateway / Proxy Traefik v3 on Container Apps ~$30–60
(Container Apps compute only)
Azure API Management (APIM) $280–700
(Developer → Standard tier)
+$250–640 APIM offers richer analytics and developer portal. Traefik sufficient for current scope.
Container Orchestration Azure Container Apps $80–200
(scale-to-zero, per vCPU/mem)
Azure Kubernetes Service (AKS) $150–400
(management fee + node VMs)
+$70–200 AKS gives more control; Container Apps is right-sized for current agent workloads.
Database Azure PostgreSQL Flexible Server $120–250
(General Purpose, 4–8 vCores)
Azure PostgreSQL Flexible Server $120–250 $0 Same service. No change.
Data Transformation dbt Core (open source) $0
(runs on existing Container Apps)
Microsoft Fabric (Dataflows Gen2) $524–1,048
(F4–F8 capacity SKU)
+$524–1,048 Fabric includes managed pipelines, OneLake, semantic models. Significant cost for managed convenience.
Metric Governance MetricFlow (open source, in dbt) $0 Power BI Semantic Models (Fabric) $10–20/user/mo
(Pro/PPU × ~20 users = $200–400)
+$200–400 Included in Fabric capacity above. Listed separately for clarity.
In-Agent Analytics DuckDB (open source, in-process) $0 Azure Synapse Serverless SQL $5–40
($5/TB scanned, est. 1–8 TB/mo)
+$5–40 Synapse requires network hop per query. DuckDB is faster and free for in-agent use.
Audit Archive (WORM) ADLS Gen2 Delta + WORM policy $20–80
(storage at $0.018/GB/mo)
ADLS Gen2 / Fabric OneLake $20–80 $0 Same underlying service. Fabric OneLake is a superset with unified namespace.
Policy Engine (RBAC) OPA (open source, sidecar) $0 Azure API Management Policies Bundled in APIM above OPA gives finer-grained Rego policy control than APIM policy expressions.
Agent Orchestration LangGraph (open source) $0 Azure AI Foundry Agent Service $0.05–0.15/agent run
(est. 5K runs/mo = $250–750)
+$250–750 Azure AI Foundry is managed but expensive at volume. LangGraph on Container Apps is free.
Observability Azure Monitor + OpenTelemetry $30–80
(log ingestion ~5–20 GB/mo)
Azure Monitor (same) $30–80 $0 Same service. No change.
Identity Entra ID + Clerk $50–120
(Clerk Pro ~$25/mo + Entra P2 ~$6/user)
Entra ID only (no Clerk) $60–150
(Entra P2 + External Identities)
~$0 Comparable cost. Clerk adds session flexibility; Entra-only is simpler if no external users.
Security (Defender + Sentinel) Defender for Cloud + Sentinel $100–200
(Defender Standard + Sentinel ingest)
Defender for Cloud + Sentinel (same) $100–200 $0 Same service. No change.
Network (VNet, Private Link) Azure VNet + Private Link $30–70
(Private Link endpoints + egress)
Azure VNet + Private Link (same) $30–70 $0 Same service. No change.
2. AI Token Costs — Model-Agnostic (Tier 2)
ModelInput / 1M tokensOutput / 1M tokensBest Used ForWave 1 est.Wave 2 est.Full Platform est.
Claude Haiku 4.5 $1.00$5.00 Routine parsing, tenant comms, insurance tracking ~$10/mo~$30/mo~$60/mo
Claude Sonnet 4.6 $3.00$15.00 Deal scoring, NOI analysis, lease abstraction, most agentic workflows ~$25/mo~$150/mo~$400/mo
Claude Opus 4.8 $5.00$25.00 UW model builder, IC packages, deal narratives, complex reasoning ~$10/mo~$100/mo~$250/mo
Subtotal (Claude API) ~$45/mo~$280/mo~$710/mo
💡 Prompt caching (90% input reduction) + batch processing (50% off) on high-frequency modules can reduce this to ~$350–400/mo at full platform.
🧠 Model-agnostic: agents route to the most cost-effective model per task. Non-Claude options are used where they outperform — Google Gemini (2.x) and open-weight models (Llama, Qwen, DeepSeek, Mistral, Gemma) self-hosted on Azure for cost-sensitive or air-gapped (Tier-3) workloads.
3. Tier 3 Local LLM — Gemma 4 on Azure GPU (A100)
Deployment ModeVM SKUHourly RateEst. Hours/moMonthly CostUse Case Fit
On-demand (job-only) ✓ Recommended NC24ads A100 v4$3.67/hr ~50 hrs (LP reporting, batch jobs) ~$185/mo Spin up for quarterly LP reports, sensitive batch runs. Shut down after.
Spot instance NC24ads A100 v4$0.75/hr ~50 hrs ~$38/mo Cheapest option. Risk of eviction — acceptable for non-real-time batch jobs.
Business hours reserved NC24ads A100 v4~$2.20/hr (1yr) ~220 hrs (10hr/day, 22 days) ~$484/mo For Wave 3+ when Tier 3 usage grows beyond quarterly LP runs.
Always-on reserved NC24ads A100 v4~$2.20/hr (1yr) 730 hrs ~$1,606/mo Only warranted if Tier 3 becomes primary inference path for many modules.
4. Data, Market & Platform Subscriptions
SourceTypeAnnualMonthly equiv.Notes
SS&C TechnologiesCore platform — fund / investment / loan mgmt (system of record)Enterprise SaaS — TBDTBD (quote)GlobeOp fund admin · Geneva investment accounting · Precision LM loan servicing — feeds Fund & Loan Tracking, Accounting, Servicing, LP Reporting, Portfolio Risk
Green StreetCommercial market data + AVM$20,000/yr~$1,667/moAVM Pro, forecasts & scenarios, Market Grade, CPPI, Cap Rate Observer, verified comps, debt/fund DBs
CrexiCommercial listings / comps~$2,400–7,200/yr (est.)~$200–600/moSupplementary on-market listings & transaction comps for sourcing
Gov / Census / Free
Census, FRED, BLS, HUD, BEA, FEMA, EPA, EIA, SEC EDGAR, Assessor…
Public data$0$0All government, census & public APIs — macro, demographic, lending, risk, filings
Subtotal — data subscriptions~$22.4K–27.2K/yr · ~$1,870–2,270/mo+ SS&C core platform (enterprise SaaS, pricing TBD). Common to both stacks below.
5. Total Platform Cost — Current Stack vs Full Azure-Native (all-in)
✓ Current Stack (Recommended)
Open-source tools on Azure infrastructure
Traefik + Container Apps$30–60
PostgreSQL Flexible Server$120–250
dbt Core + MetricFlow + DuckDB$0
LangGraph (on Container Apps)$0
ADLS Gen2 WORM$20–80
Identity (Entra + Clerk)$50–120
Security (Defender + Sentinel)$100–200
Network (VNet + Private Link)$30–70
Observability (Monitor + OTel)$30–80
Infrastructure subtotal$380–860
Claude API (Tier 2)$45–710
Gemma 4 on Azure A100 (Tier 3)$0–185
Data subscriptions (Green St + Crexi)$1,870–2,270
SS&C core platform (system of record)TBD
TOTAL (all-in)$2,295–4,025/mo
Wave 1: ~$2,200/mo · Full platform: ~$3,100–3,800/mo (incl. Green St $20K/yr + Crexi)
Azure-Native Stack (Full Managed)
Replace all open-source with Azure managed services
Azure APIM (Standard tier)$280–700
Azure Kubernetes Service (AKS)$150–400
PostgreSQL Flexible Server$120–250
Microsoft Fabric (F4–F8 SKU)$524–1,048
Azure AI Foundry Agent Service$250–750
Fabric OneLake (WORM)$20–80
Identity (Entra ID)$60–150
Security (Defender + Sentinel)$100–200
Network (VNet + Private Link)$30–70
Observability (Monitor)$30–80
Infrastructure subtotal$1,564–3,728
Claude API (Tier 2)$45–710
Gemma 4 on Azure A100 (Tier 3)$0–185
Data subscriptions (Green St + Crexi)$1,870–2,270
SS&C core platform (system of record)TBD
TOTAL (all-in)$3,479–6,893/mo
Wave 1: ~$3,700/mo · Full platform: ~$5,400–6,800/mo (incl. data subs)
Monthly Savings
$1,200–2,800
current stack vs full Azure-native
Annual Savings
$14K–34K
per year at full platform scale
Cost Reduction
~65%
lower than full Azure-native
* All figures are estimates. Azure pricing varies by region, commitment tier, and actual usage. AI token costs depend heavily on call volume and prompt caching implementation. Prompt caching + batch processing can reduce Claude API costs by 50–70% at full platform scale. Gemma 4 GPU cost assumes on-demand job-only execution for LP reporting workloads. Data subscriptions (Green Street $20K/yr + Crexi) are common to both stacks; all government/census sources are free. The platform is model-agnostic — token figures assume Claude but agents route to whichever model is most cost-effective per task. SS&C core-platform pricing is a pending enterprise quote and is not included in the monthly totals above.
Isolation Model · 4 Business Units

Tenant Architecture

Hard isolation boundaries — each tenant has its own PostgreSQL schema, Azure Key Vault, RBAC scope, and module access profile. No cross-tenant data leakage by design.

🏛️ T-COE — RE CoE (Central) 🏘️ T-MF — RE Multifamily 🏭 T-IND — RE Industrial 🏥 T-HC — RE Healthcare
🏛️ RE CoE (Central) (T-COE)
Tenant ID
lcg-coe
Isolation
Schema + RLS
Key Vault
kv-lcg-coe
Entra Group
grp-coe-re
Module Access
All 48
AI Tier
1 + 2 + 3
Central / Center-of-Excellence hub — runs originations, capital markets, underwriting, servicing, asset management, accounting, treasury & fund operations across the verticals, plus construction & development finance oversight. Full read access to all tenant data via elevated JIT role; hosts board reporting, LP narrative generation, and cross-portfolio dashboards. Only tenant with Tier 3 (air-gapped LLM) access for fund-level sensitive data.
RE-00RE-01RE-08RE-09RE-16RE-17RE-24RE-25RE-28RE-29+ all
🏠 RE Multifamily (T-MF)
Tenant ID
lcg-mf
Isolation
Schema + RLS
Key Vault
kv-lcg-mf
Entra Group
grp-mf-re
Module Access
22 modules
AI Tier
1 + 2
Residential multifamily portfolio management. Primary user of rent roll intelligence, lease abstraction, renewal scoring, and NOI gap analysis modules. Tenant communication automation and compliance flagging for HUD/LIHTC properties.
RE-00RE-02RE-03RE-04RE-10RE-11RE-12RE-18RE-19RE-26RE-27
🏭 RE Industrial (T-IND)
Tenant ID
lcg-ind
Isolation
Schema + RLS
Key Vault
kv-lcg-ind
Entra Group
grp-ind-re
Module Access
18 modules
AI Tier
1 + 2
Industrial and logistics portfolio. Focused on triple-net lease intelligence, tenant creditworthiness analysis, environmental compliance flagging, and industrial market comp analysis. Uses acquisition pipeline and UW modules for new industrial acquisitions.
RE-00RE-01RE-05RE-06RE-07RE-13RE-14RE-20RE-21RE-30
🏥 RE Healthcare (T-HC)
Tenant ID
lcg-hc
Isolation
Schema + RLS
Key Vault
kv-lcg-hc
Entra Group
grp-hc-re
Module Access
Credit + UW
AI Tier
1 + 2
Healthcare real-estate credit. Medical office buildings and healthcare facilities — healthcare-tenant credit analysis, specialized lease & loan structures, licensing/regulatory compliance, and acquisition & credit underwriting for healthcare assets.
RE-00RE-08RE-17RE-26RE-28RE-30
Tenant Isolation Architecture
🗄️ Database Isolation
PostgreSQL RLS enforces row-level boundaries using tenant_id column. Each tenant has a dedicated schema namespace. Cross-tenant queries are policy-blocked at the OPA layer before reaching the database.
🔑 Key Management
One Azure Key Vault per tenant. Customer-managed keys (CMK) with AES-256 encryption. Key access audited in Azure Monitor. Tenant key rotation does not affect other tenants.
🪪 Identity Scoping
JWT tokens include tenant_id and roles[] claims. Clerk organizations map 1:1 to tenant IDs. Entra ID group membership synced at login. Cross-tenant access requires Azure PIM JIT elevation (4-hour TTL, scoped to deal_id or loan_id).
🛡️ API Enforcement
Traefik v3 enforces tenant header routing. OPA Rego policy bundle evaluates every request for tenant_id match + role authorization before proxying. Failed checks return 403 with audit log entry.
AI Modules · RE-00 through RE-32 · mapped to Platform Playbook specs

Module Registry

All 33 AI agents organized by domain, each tagged with its Playbook agent number (the authoritative spec in the LCG RE AI Initiative Registry). Click any box to open its full specification — role, system prompt, tooling/access, and skills. Each module defines its AI tier, wave deployment target, tenant access, and data dependencies. Modules are independently deployable on the shared platform infrastructure.

📦 32 Modules 5 Domains 5 Deployment Waves 🤖 3 AI Tiers
Acquisitions & Deal Origination
RE-00 through RE-07 · 8 modules
RE-00 Pipeline Intake Agent Wave 1
Ingests deal submissions from email, broker portals, and OM uploads. Extracts structured fields (address, asset class, asking price, cap rate, seller, broker) and creates a normalized deal record in the pipeline database. Entry point for all acquisitions workflows.
Wave 1 Claude API No dependencies
RE-01 Deal Scoring Engine Wave 1
Scores inbound deals against investment criteria (asset class, geography, deal size, return profile). Generates a 0–100 acquisition priority score with factor attribution. Flags deals for pipeline review or auto-pass with justification memo.
Wave 1 Claude API + dbt metrics Depends: RE-00
RE-02 Market Comp Intelligence Wave 1
Retrieves and analyzes comparable sales and lease comps for target properties. Synthesizes Crexi and internal comp data into a structured comp grid with price-per-unit, cap rate range, and trend analysis. Feeds UW model assumptions.
Wave 1 Claude + web fetch Depends: RE-00
RE-03 LOI Drafting Agent Wave 1
Generates first-draft Letters of Intent from deal parameters, comp data, and term preferences. Produces clean, attorney-reviewable LOI with purchase price, earnest money, due diligence period, closing timeline, and key contingencies. Reduces drafting time from hours to minutes.
Wave 1 Claude Enterprise (Tier 1) Depends: RE-01, RE-02
RE-04 Deal Narrative Generator Wave 2
Produces investment narrative memos summarizing the deal thesis, market context, risk factors, and return outlook. Output formatted for IC presentation. Pulls from deal score, comp data, and UW model summary. Replaces analyst first-draft narrative work.
Wave 2 Claude Enterprise Depends: RE-01, RE-02, RE-08
RE-05 Broker Relationship Manager Wave 2
Tracks broker relationships, deal sourcing attribution, and communication history. Scores broker quality by deal volume, deal conversion rate, and asset class alignment. Drafts follow-up communications and sourcing outreach from templates.
Wave 2 Claude API Depends: RE-00
RE-06 Off-Market Opportunity Scanner Wave 3
Monitors public records, permit filings, distress signals, and owner change data to surface off-market acquisition opportunities matching the investment criteria. Generates a weekly off-market leads report with owner contact research.
Wave 3 Claude + web fetch + LangGraph Depends: RE-01, RE-05
RE-07 IC Package Assembler Wave 2
Aggregates deal score, market comps, UW model summary, narrative memo, risk flags, and comparable transactions into a structured IC presentation package. Outputs formatted PPTX or PDF deck ready for investment committee review.
Wave 2 Claude Enterprise + doc gen Depends: RE-01–RE-04, RE-08
Underwriting & Financial Modeling
RE-08 through RE-15 · 8 modules
RE-08 UW Model Builder Wave 1
Constructs acquisition underwriting models from rent rolls, T12 operating statements, and comp data. Calculates Year 1 NOI, stabilized NOI, IRR, equity multiple (EM), DSCR, LTV, and NPV. Model assumptions documented with data sources. Output: structured JSON + Excel export.
Wave 1 Claude API + DuckDB + MetricFlow Depends: RE-00, RE-02
RE-09 Rent Roll Parser & Normalizer Wave 1
Ingests rent rolls in PDF, Excel, or CSV format. Normalizes unit mix, in-place rents, lease expiration schedule, vacancy, and concessions into a standard schema. Flags anomalies (below-market rents, near-term expirations, unusual concessions). Foundation for all AM modules.
Wave 1 Claude API + doc parser No dependencies
RE-10 T12 Normalization Agent Wave 1
Parses trailing-12-month operating statements from PDF/Excel. Normalizes line items to a standard CoA. Identifies one-time items, capital recoveries, and management fee normalization adjustments. Outputs adjusted T12 NOI with a complete adjustment schedule and footnotes.
Wave 1 Claude API + doc parser No dependencies
RE-11 DSCR Stress Tester Wave 2
Runs multi-scenario DSCR stress tests across interest rate shocks (+50, +100, +200 bps), occupancy haircuts (5%, 10%, 15%), and expense escalation scenarios. Identifies debt coverage breakpoints and generates lender covenant compliance projections.
Wave 2 Claude API + DuckDB Depends: RE-08, RE-10
RE-12 Construction Budget Intelligence Wave 2
Tracks construction budgets against actual draw requests. Flags variance by trade, cost category, and contingency burn rate. Projects completion cost and schedule risk. Interfaces with RE CoE / Central for ground-up development & construction deal oversight.
Wave 2 Claude API + DuckDB Depends: RE-08
RE-13 Sensitivity Analysis Engine Wave 2
Generates two-variable sensitivity tables (e.g., exit cap rate vs. rent growth; LTV vs. interest rate) for IRR, EM, and DSCR. Produces heat-map formatted output for IC presentation. Parameterized by UW model output — no manual re-entry required.
Wave 2 DuckDB + MetricFlow Depends: RE-08, RE-11
RE-14 Lender Reporting Automation Wave 3
Auto-generates lender compliance reports, DSCR certificates, operating statement packages, and reserve account summaries on scheduled cadence. Maps internal data fields to lender-specific report templates. Tracks submission deadlines and flags overdue reports.
Wave 3 Claude Enterprise + doc gen Depends: RE-08, RE-10, RE-11
RE-15 Draw Schedule Tracker Wave 2
Monitors construction loan draw schedules against approved budgets and milestone completion. Alerts when draw requests exceed budget line items or when schedule variance exceeds threshold. Generates inspector-ready draw request summaries for lender review.
Wave 2 Claude API Depends: RE-12
Asset Management
RE-16 through RE-23 · 8 modules
RE-16 NOI Gap Analyzer Wave 1
Compares actual NOI against underwritten NOI on a monthly basis. Decomposes variance into revenue (occupancy, rental rate, ancillary) and expense (OpEx, CapEx, taxes) drivers. Generates narrative explanation of gap with recommended corrective actions.
Wave 1 Claude API + MetricFlow Depends: RE-08, RE-09
RE-17 Lease Abstraction Agent Wave 1
Extracts key lease terms from executed leases (rent, escalations, term, options, TI/LC, co-tenancy, exclusives, SNDA). Normalizes into structured lease database. Flags non-standard clauses and material deviations from form lease. Applies to both residential and commercial leases.
Wave 1 Claude Enterprise (doc review) No dependencies
RE-18 Renewal Probability Scorer Wave 2
Scores lease renewal probability for expiring leases using payment history, space utilization, market alternatives, and tenant communication sentiment. Generates a prioritized renewal outreach list with recommended lease terms and concession budget guidance.
Wave 2 Claude API + LangGraph Depends: RE-09, RE-17
RE-19 Tenant Communication Agent Wave 2
Drafts routine tenant communications: maintenance notices, rent increase letters, lease renewal proposals, default notices, and estoppel requests. Tone-calibrated by communication type and tenant relationship tier. All outputs require human review before sending.
Wave 2 Claude Enterprise Depends: RE-17, RE-18
RE-20 CapEx Scheduling Agent Wave 2
Builds multi-year CapEx reserve schedules based on property age, condition reports, and asset class norms. Prioritizes capex items by urgency (life-safety, deferred maintenance, value-add). Tracks budget vs. actual and reserve fund adequacy.
Wave 2 Claude API + DuckDB Depends: RE-16
RE-21 Property Performance Dashboard Wave 2
Generates standardized property-level performance summaries: occupancy trend, rent collection rate, OpEx ratio, NOI vs. budget, and CapEx spend. Formatted for monthly AM review and investor reporting. Pulls directly from dbt metric definitions.
Wave 2 MetricFlow + Claude narrative Depends: RE-16, RE-09
RE-22 GC Scope Review Agent Wave 3
Reviews general contractor scopes of work, AIA contracts, and change order requests for completeness, ambiguity, and risk allocation. Flags missing exclusions, inadequate retainage terms, and payment milestone misalignment. Outputs a redlined review memo.
Wave 3 Claude Enterprise (doc review) Depends: RE-12, RE-15
RE-23 Insurance Certificate Tracker Wave 3
Monitors tenant insurance certificate expiration dates, coverage limits, and named-insured accuracy across the portfolio. Sends automated renewal requests 60/30/15 days before expiration. Flags non-compliant certificates for PM follow-up.
Wave 3 Claude API + scheduler Depends: RE-17
Portfolio Oversight & Investor Reporting
RE-24 through RE-27 · 4 modules
RE-24 Cross-Portfolio Metric Aggregator Wave 2
Aggregates property-level metrics (NOI, occupancy, DSCR, LTV, IRR-to-date) into portfolio-level summaries by tenant, asset class, geography, and vintage. Source of truth for board reporting. Built on dbt Core + MetricFlow governed metric definitions — all calculations auditable and reproducible.
Wave 2 dbt + MetricFlow + DuckDB Depends: RE-16, RE-21
RE-25 LP Reporting Agent Wave 3
Generates quarterly LP reporting packages: portfolio performance narrative, property-level updates, distribution reconciliation, and market commentary. Tone and detail calibrated to LP sophistication tier. All outputs reviewed by AM team before distribution. Runs on Tier 3 LLM for fund-sensitive data.
Wave 3 Tier 3 Air-gapped LLM Depends: RE-24
RE-26 Loan Covenant Monitor Wave 3
Tracks loan covenant compliance across the portfolio: DSCR minimums, LTV caps, occupancy floors, reserve requirements, and reporting deadlines. Generates a real-time covenant compliance dashboard and alerts for approaching or breached covenants.
Wave 3 MetricFlow + alert engine Depends: RE-08, RE-11, RE-24
RE-27 Board Deck Generator Wave 4
Assembles quarterly board presentation decks from live portfolio metrics, asset highlights, pipeline updates, and market outlook. LCG-branded PPTX output with narrative commentary. Requires board member sign-off workflow before finalization.
Wave 4 Claude Enterprise + pptx gen Depends: RE-24, RE-25, RE-26
Transactions & Compliance
RE-28 through RE-31 · 4 modules
RE-28 PSA Clause Extractor Wave 2
Extracts and summarizes key Purchase and Sale Agreement clauses: representations & warranties, due diligence contingency, closing conditions, indemnification caps, earnest money forfeiture triggers, and seller carve-outs. Outputs a structured clause matrix with risk flags for legal review.
Wave 2 Claude Enterprise (doc review) No dependencies
RE-29 Title Commitment Reviewer Wave 3
Reviews title commitment schedules and exception documents. Flags material title defects, unusual easements, covenant violations, and open liens. Identifies which exceptions are standard vs. objectionable and drafts title objection letters for attorney review.
Wave 3 Claude Enterprise (doc review) Depends: RE-28
RE-30 Regulatory Change Monitor Wave 4
Monitors regulatory change feeds (HUD, LIHTC, IRS, local municipalities) for rule changes affecting portfolio assets. Classifies changes by impact severity and affected properties. Generates compliance action memos with recommended response timelines.
Wave 4 Claude + web fetch + LangGraph Depends: RE-17, RE-23
RE-31 1031 Exchange Calendar Wave 4
Manages 1031 exchange identification and closing deadlines (45-day identification, 180-day closing). Tracks replacement property candidates, QI balances, and deadline countdown alerts. Generates identification period documentation for IRS compliance.
Wave 4 Claude API + scheduler Depends: RE-28
Layer 5 · Data Platform & Integrations

Data Integration Catalog

All source systems feeding the Leon RE Intelligence Platform. Each connector defines ingestion method, target tenants, refresh cadence, and responsible team. Data flows into ADLS Gen2 → dbt transformation pipelines → governed MetricFlow metrics.

🔌 20+ Source Systems 4 Tenants Covered 🗄️ Delta Lake Target ⚡ Azure Data Factory Pipelines

Data Flow Architecture

🏢
Source Systems
SS&C · Green Street · Yardi · Argus · Getbuilt · Crexi
U.S. Census · FRED · BLS · HUD · BEA · FEMA · County Assessor
Excel · SharePoint · M365
⚙️
Azure Data Factory
ETL Pipelines
+ Graph API
🗄️
ADLS Gen2
Delta Lake
Raw + Bronze
📊
dbt Core
Silver → Gold
Transformation
📐
MetricFlow
NOI · DSCR · LTV
Cap Rate · IRR
🤖
AI Modules
48 agents (AI/HY/AT/IN)
LangGraph + multi-model

Source Connectors

Each integration feeds one or more tenants via Azure Data Factory or direct API ingestion into the Delta Lake raw zone.

Free · Government · Census Data Sources (no-cost public APIs)

Public macro, demographic, lending, and risk data — ingested via API into the Delta Lake raw zone alongside the commercial sources. All free.

SourceCategoryKey DataCostRefresh
U.S. Census BureauDemographicsACS, Building Permits Survey, County/ZIP Business Patterns, population estimatesFreeAnnual / quarterly
FRED (St. Louis Fed)Macro / Rates10-yr Treasury, Fed Funds, CPI, mortgage rates, macro seriesFreeDaily
BLSLabor / PricesPPI (construction costs), CPI, QCEW employment by countyFreeMonthly
HUDHousingFair Market Rents, income limits, LIHTC database, USPS vacancyFreeAnnual / quarterly
BEAEconomyGDP by metro, regional personal incomeFreeQuarterly
FEMARiskFlood maps (NFHL), disaster declarationsFreeOn update
EPAEnvironmentalECHO enforcement, brownfields, air/water qualityFreeOn update
EIAEnergyElectricity / gas prices, utility ratesFreeMonthly
USGS / NOAAClimate / GeoSeismic, climate & weather-risk dataFreeOn update
SEC EDGARFilingsREIT 10-K/10-Q, fund filings (comps/benchmarks)FreeOn filing
Treasury / FFIECLendingHMDA mortgage data, census-tract incomeFreeAnnual
IRS SOIMigrationCounty-to-county migration & income flowsFreeAnnual
County AssessorPublic recordsParcel/APN ownership, assessed value, lot dataFreeOn lookup

Commercial & System Connectors

🏦

SS&C Technologies

Core Platform · System of Record ⚙ Wave 1
Core fund, investment & loan management platform — the system of record. SS&C GlobeOp (fund administration), Geneva (investment/portfolio accounting), and Precision LM (loan servicing & management).
Ingestion MethodSS&C APIs / scheduled data extracts → ADF into Delta Lake
Refresh CadenceDaily full + event-driven (transactions, draws, NAV)
Target TenantsAll (T-COE · T-MF · T-IND · T-HC)
Modules FedFund & Loan Tracking · Accounting · Servicing suite · LP Reporting · Portfolio Risk
Key Data: Fund/portfolio accounting, loan servicing & draws, investor/LP positions, NAV, waterfalls. Cost: enterprise SaaS — pricing TBD (SS&C quote). Selected via RE-20.
🟢

Green Street

Market Data & Valuation · PRIMARY ⚙ Wave 1
Institutional CRE data — AVM Pro automated valuations, CRE forecasts & 5 macro scenarios, Market Grade (A++–D), CPPI, Cap Rate Observer, verified sales comps, debt & high-yield fund databases
Ingestion MethodGreen Street API / data feed → ADF; AVM Pro via API
Refresh CadenceDaily (CPPI/rates) · weekly (comps) · quarterly (forecasts)
Target TenantsAll (T-COE · T-MF · T-IND · T-HC)
Modules FedAVM & Valuation · Market Data · Scenario Analysis · Pre-Screen / UW QA · Portfolio Risk · Capital Markets
Cost: $20,000 / year subscription (~$1,667/mo) · Key Data: AVM values + ranges, property cap rates, CPPI, forecasts/scenarios, sales comps, debt & fund databases
🏗️

Yardi Voyager

Property Management ⚙ Wave 1
Core property management system — leases, rent rolls, tenant ledgers, maintenance work orders, occupancy data
Ingestion MethodYardi REST API + ODBC connector via ADF
Refresh CadenceNightly full + 15-min delta sync
Target TenantsT-MF (Multifamily) · T-IND (Industrial)
Modules FedRE-00 AM Dashboard · RE-08 Lease Abstraction · RE-09 NOI Forecasting · RE-10 Maintenance
Key Data: Rent roll, lease schedules, GL accounts, tenant contacts, maintenance requests, occupancy snapshots
📈

Argus Enterprise

Valuation & Underwriting ⚙ Wave 1
Industry-standard DCF and cash flow modeling — asset valuations, IRR projections, hold/sell analysis, scenario modeling
Ingestion MethodFile export (.argus, .xlsx) → ADF blob trigger → parser pipeline
Refresh CadenceOn-demand export + weekly automated pull
Target TenantsT-MF · T-IND · T-COE
Modules FedRE-11 UW Automation · RE-12 Acquisition Scoring · RE-16 Portfolio Analytics · RE-24 Deal Memo
Key Data: DCF models, cap rates, hold period assumptions, IRR/EM projections, sensitivity tables, lease-up schedules
🏥

Built (getbuilt.com)

Construction Finance ⚙ Wave 2
Construction draw management and lender portal — draw requests, budget tracking, inspection reports, lien waivers for RE CoE / Central (construction & development finance)
Ingestion MethodBuilt REST API + Webhook events → ADF event trigger
Refresh CadenceReal-time webhooks (draw events) + daily full sync
Target TenantsT-COE (RE CoE / Central) — construction & development finance
Modules FedRE-20 Construction Draw · RE-21 Budget Tracking · RE-22 Lender Reporting · RE-23 Inspection Workflow
Key Data: Draw requests & approvals, budget vs. actual by line item, inspection findings, lien waiver status, project schedule
📗

Excel & Spreadsheets

Legacy Migration ● Wave 1 Target
Migration of all manual spreadsheet workflows to the platform. Core Wave 1 objective — convert Excel-based underwriting, AM tracking, and reporting models into governed Delta Lake datasets
Ingestion MethodADF Excel connector (OneDrive/SharePoint) + schema mapping + validation pipeline
Refresh CadenceOne-time migration + ongoing file-watch for active workbooks
Target TenantsAll (T-COE · T-MF · T-IND · T-HC)
Modules FedRE-00 AM Dashboard · RE-11 UW · RE-16 Portfolio · RE-24 Deal Memo · RE-27 Board Reporting
Migration Scope: Underwriting models, AM trackers, rent roll workbooks, cap table files, budget templates — ~200+ active workbooks identified across tenants
📁

Microsoft SharePoint

Document Store ● Active
Existing document libraries and SharePoint lists across all business units — PSAs, LOIs, leases, reports, due diligence files. Feeds document intelligence and knowledge modules
Ingestion MethodMicrosoft Graph API (files, lists, pages) via ADF + incremental change tracking
Refresh CadenceReal-time delta (Graph webhooks) + nightly full list sync
Target TenantsAll (T-COE · T-MF · T-IND · T-HC)
Modules FedRE-18 Document Intelligence · RE-15 Lease Abstraction · RE-25 Due Diligence · RE-28 Compliance Docs
Key Data: PSAs, LOIs, executed leases, inspection reports, board packages, due diligence checklists, regulatory filings — structured extraction via Azure Document Intelligence (Form Recognizer)
🏪

Crexi

CRE Marketplace ★ LCG Owned Asset ● Active
Leon Capital Group owns Crexi — the leading CRE marketplace. Provides privileged access to listing data, comp transactions, market analytics, and buyer/seller activity across all asset classes
Ingestion MethodDirect DB access + Crexi internal API (privileged partner tier)
Refresh CadenceReal-time streaming (new listings) + hourly comp updates
Target TenantsT-COE · T-MF · T-IND (all acquisition-facing teams)
Modules FedRE-12 Acquisition Scoring · RE-13 Market Intelligence · RE-14 Deal Sourcing · RE-16 Portfolio Analytics
Competitive Advantage: Proprietary access to listing velocity, buyer intent signals, off-market deal flow, comp transactions, and cap rate trends — unavailable to any external competitor
📧

Microsoft Outlook / Email

Communications ⚙ Wave 3
Broker communications, tenant correspondence, LOI threads, deal email chains. Graph API extraction to feed deal timeline and communication intelligence modules
Ingestion MethodMicrosoft Graph API (mail, calendar) — scoped consent per user/group
Refresh CadenceNear real-time (Graph change notifications)
Target TenantsT-COE · T-MF · T-IND
Modules FedRE-17 Broker Relationship · RE-25 Due Diligence · RE-29 Tenant Communication
Privacy: User-level consent required. PII handling per data classification policy. No bulk email body extraction without explicit opt-in. Metadata only in default scope.
🗃️

Internal Databases & Systems

Internal Systems ● Active
Existing SQL databases, ERP systems, accounting platforms (Yardi GL, QuickBooks), and internal operational data stores across Leon entities
Ingestion MethodADF JDBC/ODBC linked services + Self-Hosted Integration Runtime for on-prem
Refresh CadenceDaily CDC (change data capture) + monthly reconciliation
Target TenantsAll tenants (finance data routed by entity)
Modules FedRE-08 NOI Actuals · RE-16 Portfolio Analytics · RE-27 Board Reporting · RE-30 Audit Trail
📡

External Market Data

Market Intelligence ⚙ Wave 2
Third-party market data feeds — REIS, MSCI, FRED economic data, census data, local market reports, interest rate feeds for cap rate and market context modules
Ingestion MethodREST API feeds + scheduled FTP/SFTP file drops → ADF pipeline
Refresh CadenceDaily (rates/indices) · Weekly (market reports) · Quarterly (census)
Target TenantsT-COE · T-MF · T-IND
Modules FedRE-13 Market Intelligence · RE-12 Acquisition Scoring · RE-14 Deal Sourcing · RE-16 Portfolio Analytics
Sources: MSCI Real Capital Analytics, FRED (Federal Reserve), HUD/Census Bureau, BLS employment data — licensed feeds governed by vendor data agreements

Integration Status Summary

Source System Category Method Tenants Wave Status
Yardi Voyager Property Management REST API + ODBC T-MF, T-IND Wave 1 ◷ Wave 1
Argus Enterprise Valuation / UW File Export → ADF T-MF, T-IND, T-COE Wave 1 ◷ Wave 1
Crexi CRE Marketplace Direct DB + Internal API T-COE, T-MF, T-IND Wave 1 ● Active
Excel / Spreadsheets Legacy Migration ADF Excel Connector All Tenants Wave 1 ● Active
SharePoint Document Store Graph API (Delta) All Tenants Wave 1 ● Active
Internal Databases Internal Systems ADF JDBC/ODBC All Tenants Wave 1 ● Active
Built (Getbuilt) Construction Finance REST API + Webhooks T-COE Wave 2 ⚙ Planned
External Market Data Market Intelligence REST API / SFTP T-COE, T-MF, T-IND Wave 2 ⚙ Planned
Outlook / Email Communications Graph API (Scoped) T-COE, T-MF, T-IND Wave 3 ◌ Future
Mar 2026 → Apr 2027 · 5 Waves

Deployment Sequences

Phased rollout starting with foundational infrastructure, progressing through use case validation, core module deployment, and advanced AI capability expansion across all four tenants.

✓ Pre-Wave: Complete ◉ Wave 1: In Progress Wave 2–5: Planned 32 Modules · Apr 2027 Full Deploy
PRE-WAVE
Mar 2026 — May 2026 · Completed
Platform Concept, Design, Architecture & Planning
Established the base platform vision and all foundational architectural decisions required to begin building the infrastructure that modules would eventually run on. Module scope and requirements were not defined at this stage — the focus was solely on building the right platform foundation. Selected the core stack, designed the tenant isolation model, defined the security framework, and produced the architecture blueprint.
Deliverables
Base platform architecture blueprint, 4-tenant isolation design, 3-tier AI deployment model, RBAC role framework, security & compliance framework, OPA policy schema, stack selection rationale, infrastructure delivery roadmap
Key Architectural Decisions
Traefik v3 over Azure APIM (cost) PostgreSQL RLS tenant isolation LangGraph orchestration 3-tier AI model routing Per-tenant Azure Key Vault dbt + MetricFlow for governed metrics ADLS Gen2 WORM audit archive OPA Rego policy engine
WAVE 1
May 2026 — Active
Use Case Discovery, Foundational Infrastructure & Data Platform
Use case discovery across all real estate verticals to understand where AI can deliver the most value. Stand up the full foundational infrastructure stack and become data-native — converting spreadsheets, forms, and SharePoint stores into a unified, governed data platform. Asset Management selected as the first module deployment due to the maturity and availability of its underlying data.
Infrastructure Deliverables
Azure VNet, Container Apps environment, PostgreSQL Flexible Server + RLS schemas (×4 tenants), Key Vaults (×4), Traefik v3 proxy, OPA bundle deployment, Clerk org setup, Entra ID group sync, ADLS Gen2 WORM container, LangGraph base runtime, dbt + MetricFlow pipeline skeleton, OpenTelemetry + Application Insights. Data harmonisation: migration of spreadsheets, SharePoint lists, and manual forms to structured platform data.
Use Case Discovery
Structured discovery sessions across Multifamily, Industrial, Healthcare, and CoE (Central) teams. Mapped existing manual workflows, identified data gaps, and prioritised AI use cases by business value and data readiness. Output: validated use case backlog feeding Wave 2+ module sequencing.
First Module — Asset Management (data-ready pilot)
RE-16 NOI Gap Analyzer RE-17 Lease Abstraction RE-09 Rent Roll Parser
WAVE 2
Jul 2026 — In Planning
Core Acquisitions, Underwriting & Expanded Asset Management
With the data platform stable and use cases validated from Wave 1, deploy the core acquisitions and underwriting modules alongside expanded asset management intelligence. Enable LangGraph multi-step agentic workflows. Onboard Multifamily and Industrial tenants fully. Deploy cross-portfolio metric aggregation.
Module Deployments
RE-00 Pipeline Intake RE-01 Deal Scoring RE-02 Market Comps RE-03 LOI Drafting RE-04 Deal Narrative RE-05 Broker Mgmt RE-07 IC Package RE-08 UW Model Builder RE-10 T12 Normalizer RE-11 DSCR Stress Test RE-12 Construction Budget RE-13 Sensitivity Analysis RE-15 Draw Schedule RE-18 Renewal Scoring RE-19 Tenant Comms RE-20 CapEx Scheduling RE-21 Property Dashboard RE-24 Portfolio Metrics RE-28 PSA Extractor
WAVE 3
Oct 2026 — Planned
Portfolio Reporting + Compliance + Off-Market Intelligence
Deploy portfolio-level reporting infrastructure, lender automation, and compliance tracking. Enable off-market opportunity scanning. Stand up LP reporting pipeline using Tier 3 air-gapped LLM for fund-sensitive data. Complete construction management module set.
RE-06 Off-Market Scanner RE-14 Lender Reporting RE-22 GC Scope Review RE-23 Insurance Tracker RE-25 LP Reporting RE-26 Covenant Monitor RE-29 Title Review
WAVE 4
Jan 2027 — Planned
Board Reporting + Regulatory Intelligence + Disposition Tools
Complete the platform with board-facing deliverables, regulatory monitoring, and disposition/tax workflow modules. All 48 modules active. Enable cross-tenant data sharing for LP reporting with appropriate consent gates.
RE-27 Board Deck Gen RE-30 Regulatory Monitor RE-31 1031 Exchange
WAVE 5
Apr 2027 — Future
Platform Optimization, External Integrations & Advanced AI
Performance optimization, cost tuning (prompt caching, DuckDB query optimization), external data integration (Crexi API, Yardi, MRI), advanced model fine-tuning on Leon's proprietary deal data, and multi-modal document intelligence (plans, surveys, appraisal maps). Evaluate private model training on internal deal corpus.
Crexi API integration Yardi/MRI connector Prompt cache optimization Multi-modal doc intelligence Fine-tuning evaluation Advanced analytics expansion
Wave Summary
Wave Period Status Focus Modules Key Dependency
Pre-Wave Mar–May 2026 ● Completed Concept, Design, Architecture & Planning No modules — base platform architecture only Stakeholder alignment, stack selection
Wave 1 May 2026 ● Active Infrastructure + Core UW & Acquisitions RE-00–03, 08–10, 16–17 Azure infra, RLS, Key Vaults
Wave 2 Jul 2026 ● In Planning Core Acquisitions, UW & Expanded Asset Management RE-00–05, 07–08, 10–13, 15, 18–21, 24, 28 Wave 1 data platform, validated use cases
Wave 3 Oct 2026 ● Planned Portfolio Reporting + Compliance RE-06, 14, 22–23, 25–26, 29 Tier 3 LLM, LP data
Wave 4 Jan 2027 ● Planned Board + Regulatory + Disposition RE-27, 30–31 Full portfolio data pipeline
Wave 5 Apr 2027 ● Future Optimization + External Integrations External APIs, fine-tuning All 48 modules stable
Defense-in-Depth · Zero Trust · DevSecOps

Security Architecture

12-layer security spanning identity, edge (Cloudflare CDN/WAF/Workers), network, application, data, and DevSecOps pipeline. Continuous vulnerability management via Tenable, AI-powered code security via Claude, and supply chain protection via GitHub Advanced Security.

🔒 OPA Rego Policies 🪪 8 RBAC Roles 🔑 AES-256 CMK per Tenant 📋 SEC 17a-4 WORM Archive 🌐 Cloudflare CDN + WAF + Workers 🔍 Tenable Vulnerability Mgmt 🤖 Claude Security AI 🐙 GitHub GHAS + CI/CD
🪪
Identity & Access — Entra ID + Clerk
  • Azure Entra ID: Enterprise SSO with Conditional Access Policies. Group membership synced to Clerk organizations at login.
  • Clerk: Session token management, MFA enforcement, org-scoped JWTs with tenant_id and roles[] claims embedded.
  • JWT Structure: Every request carries tenant_id + roles[] claims, validated at both Traefik and OPA layers.
  • Session TTL: Standard sessions: 8-hour token expiry. Privileged sessions: 4-hour JIT TTL via Azure PIM.
  • MFA: Required for all users. Passwordless preferred for internal staff.
Azure PIM — Just-In-Time Elevation
  • Purpose: Grants temporary elevated access to cross-tenant data or privileged operations without permanent role assignment.
  • TTL: 4-hour maximum, scoped to specific deal_id or loan_id.
  • Approval: Manager approval required for cross-tenant elevation. Automatic approval for intra-tenant escalation within defined bounds.
  • Audit: All PIM activations logged to Azure Monitor with requestor, approver, scope, and duration.
  • Roles eligible for JIT: RE-CEO full cross-tenant read, RE-DATA elevated analytics, RE-COMP regulatory access.
🌐
Cloudflare — Full Stack Edge Security
  • Cloudflare CDN: Global edge caching for all static assets and frontend bundles. Reduces latency for distributed LCG teams. Cache rules scoped per tenant subdomain — no cross-tenant cache pollution.
  • WAF (Web Application Firewall): Managed rulesets (OWASP Top 10, Cloudflare Managed Rules) applied at edge. Custom rules block SQL injection, XSS, path traversal, and malformed JSON payloads targeting RE platform API endpoints.
  • DDoS Protection: Always-on L3/L4/L7 DDoS mitigation. Adaptive rate limiting per IP, ASN, and tenant. Automatic challenge for suspicious traffic patterns.
  • Cloudflare Workers: Edge compute layer for request pre-processing — JWT claim validation, tenant routing, request transformation, and rate-limit enforcement before traffic reaches Azure Container Apps. Eliminates unnecessary origin hits.
  • Cloudflare One (ZTNA): Zero Trust Network Access with device posture checks and identity-aware proxy. All remote access routed through Cloudflare Access — no direct VPN to Azure VNet.
  • DLP (Data Loss Prevention): Inspects outbound HTTP/HTTPS traffic for PII patterns, sensitive financial data (SSN, EIN, account numbers), and deal-level identifiers (deal IDs, loan amounts).
  • JSON Body Inspection: Deep packet inspection on API payloads. Policy violations blocked before reaching application layer.
  • DNS Filtering: Cloudflare Gateway blocks unauthorized egress destinations. Prevents data exfiltration to unknown endpoints.
  • Bot Management: ML-based bot scoring on all API traffic. Automated credential-stuffing and scraping attempts blocked at edge.
  • Threat Intelligence: Real-time feeds for malicious IPs, domains, and threat actors integrated into WAF and DNS policies.
🛡️
OPA — Open Policy Agent (RBAC Engine)
  • Policy Bundle: Rego policies deployed as OPA sidecar in each Container App. Evaluates every API request for authorization.
  • Decision Logic: Checks tenant_id match, role-permission mapping, resource scope (deal_id/loan_id), and PIM elevation validity.
  • Default-Deny: All requests denied unless explicitly permitted by policy. No implicit trust.
  • Policy Updates: Bundle versioned in Azure Blob Storage. Hot-reload without pod restart.
  • Audit: Every OPA decision (allow/deny) written to immutable audit log in ADLS Gen2.
🗄️
Tenant Isolation — Database Layer
  • PostgreSQL RLS: Row-Level Security enforced on every table using tenant_id column. Cross-tenant reads blocked at DB layer even if application layer is compromised.
  • Schema Separation: Each tenant has a dedicated schema namespace (lcg_corp, lcg_mf, lcg_ind, lcg_con).
  • Connection Scoping: PgBouncer connection pool assigns DB connections per tenant role. No shared connection pool across tenants.
  • Azure Private Link: PostgreSQL endpoint not reachable from public internet. VNet-internal only.
  • pgvector: Embedding vectors for semantic search also tenant-scoped via RLS.
🔑
Azure Key Vault — Per-Tenant CMK
  • One Key Vault per tenant: kv-lcg-coe, kv-lcg-mf, kv-lcg-ind, kv-lcg-hc. Strict RBAC — tenant A cannot access tenant B's vault.
  • AES-256 CMK: Customer-managed keys for all data at rest. Key rotation on 90-day schedule.
  • HSM-backed: Premium Key Vault tier with FIPS 140-2 Level 3 HSM for sensitive key material.
  • Secret Management: API keys, connection strings, and service credentials stored in Key Vault. No secrets in code or config files.
  • Access Audit: All key operations logged and monitored for anomalous access patterns.
🔐
Encryption — At Rest & In Transit
  • At Rest: AES-256 encryption for all storage (PostgreSQL, ADLS Gen2, Blob Storage). CMK via Key Vault per tenant.
  • In Transit: TLS 1.3 enforced for all external traffic. TLS 1.2 minimum for internal service-to-service.
  • mTLS: Mutual TLS enforced between all microservices within the VNet. Certificate rotation automated via Azure Managed Certificates.
  • Tier 3 AI Isolation: Air-gapped LLM environment uses mTLS with no internet egress. All inference requests stay within Azure VNet.
  • Key Rotation: Automated 90-day rotation for CMKs, 30-day rotation for service-to-service certificates.
📋
Audit Logging — ADLS Gen2 WORM
  • WORM Archive: ADLS Gen2 with immutable storage policy (Write Once, Read Many). SEC 17a-4 compliant. No deletion or modification possible once written.
  • What's Logged: All API requests (with OPA decision), user actions, LLM calls (prompt + response), data access, PIM activations, key vault access.
  • LangSmith: LLM-specific tracing for prompt versioning, token usage, latency, and model call attribution.
  • Retention: 7-year default retention for compliance logs. 90-day hot tier for operational logs.
  • Log Integrity: Cryptographic hash chain on log entries prevents tampering.
☁️
Microsoft Azure Security Stack
  • Microsoft Defender for Cloud: Continuous security posture assessment, vulnerability scanning, and threat detection across all Azure resources.
  • Microsoft Sentinel: SIEM + SOAR. Ingests logs from all platform components. Custom detection rules for RE platform threat scenarios.
  • Azure Policy: Governance guardrails — enforces approved regions, SKUs, encryption settings, and network rules. Non-compliant resources flagged automatically.
  • Azure DDoS Protection: Standard tier enabled on VNet. Adaptive tuning per application profile.
  • Security Baselines: All resources deployed against Microsoft Security Benchmark v3.
🗃️
Azure Managed PostgreSQL Security
  • Managed Service: Azure PostgreSQL Flexible Server — OS patching, minor version updates, and HA failover managed by Azure.
  • Network: Private endpoint only (no public FQDN). All connections via Azure Private Link from within the VNet.
  • Backups: Geo-redundant automated backups with point-in-time restore up to 35 days. Backup encryption with CMK.
  • High Availability: Zone-redundant HA with automatic failover <120s RPO/RTO.
  • Maintenance: Scheduled maintenance windows during off-peak hours. No-downtime minor upgrades.
🔍
Tenable — Vulnerability Management
  • Tenable.io / Nessus: Continuous vulnerability scanning across all Azure infrastructure — Container Apps, PostgreSQL, Key Vaults, storage accounts, and network configurations. Scans triggered on every infrastructure deployment.
  • Container Image Scanning: All Docker images scanned for CVEs before deployment to Azure Container Registry. Images with Critical/High CVEs blocked from production promotion by CI/CD gate.
  • Cloud Security Posture: Tenable Cloud Security (formerly Accurics) scans IaC templates (Bicep/Terraform) for misconfigurations before deployment. Detects overly permissive IAM, exposed storage accounts, missing encryption settings.
  • Agent-Based Scanning: Tenable Nessus agents deployed on all Container App environment nodes for authenticated OS-level vulnerability detection.
  • Risk Prioritization: CVSS + Tenable VPR (Vulnerability Priority Rating) used to triage findings. Critical findings trigger Sentinel alert and PagerDuty incident automatically.
  • Compliance Benchmarks: Continuous CIS Benchmark assessment for Azure, Docker, and Kubernetes configurations. Results feed into Defender for Cloud compliance dashboard.
  • Remediation Tracking: Findings tracked in Monday.com via API integration. SLA: Critical ≤24h, High ≤7d, Medium ≤30d.
🤖
Claude — AI-Powered Code Security & Review
  • Automated Code Security Review: Claude API (Sonnet tier) integrated into GitHub PR pipeline. Every pull request triggering changes to security-sensitive paths (auth, OPA policies, API handlers, DB migrations) receives an automated security review identifying OWASP vulnerabilities, secrets exposure, SQL injection risks, and insecure patterns.
  • OPA Policy Review: Claude reviews all Rego policy changes for logic errors, unintended permission grants, and tenant isolation bypass risks before merge. Policy PRs require both Claude review pass and human approval.
  • Dependency Analysis: Claude analyzes package.json / requirements.txt changes for known-malicious packages, suspicious new dependencies, and license compliance issues.
  • LangGraph Agent Security: All new LangGraph agent tool definitions reviewed by Claude for prompt injection vulnerabilities, tool misuse vectors, and capability scope creep.
  • Security Documentation: Claude auto-generates security design notes for new modules (threat model, data flows, trust boundaries) as part of the module specification process.
  • Incident Response: Claude assists the security team during incidents — log analysis, anomaly explanation, remediation step generation, and post-incident report drafting.
  • Air-Gap Boundary: Security review workloads use Claude API (Tier 2) only — no sensitive source code or logs sent to Gemma 4 air-gapped tier. All Claude security calls logged in ADLS WORM audit trail.
🐙
GitHub — Security & CI/CD Pipeline
  • GitHub Advanced Security (GHAS): Code scanning (CodeQL) on every push — detects security vulnerabilities in Python, TypeScript, and SQL. Secret scanning blocks accidental credential commits across all repos. Dependency graph + Dependabot alerts for vulnerable packages with automatic PRs.
  • CodeQL Analysis: Custom CodeQL queries tuned for RE platform patterns — detects tenant_id bypass attempts, OPA policy logic errors, and insecure LangGraph tool definitions.
  • Secret Scanning + Push Protection: Pre-receive hook blocks pushes containing API keys, Azure connection strings, JWT secrets, or Clerk credentials. Scanning covers commit history, PRs, issues, and wikis.
  • Branch Protection Rules: Main branch requires: 2 reviewer approvals, passing CI (all checks green), Claude security review pass, Tenable container scan pass, CodeQL zero-critical findings. Force push and deletion blocked.
  • GitHub Actions — CI Pipeline: On every PR: lint → unit tests → CodeQL scan → Tenable image scan → Claude security review → build Docker image → push to ACR (staging tag). Failures block merge.
  • GitHub Actions — CD Pipeline: On merge to main: build production image → Tenable final scan → sign image (Sigstore/cosign) → push to ACR (prod tag) → trigger Azure Container Apps rolling deployment via Azure CLI action → smoke tests → Sentinel alert on deployment event.
  • OIDC Federated Identity: GitHub Actions uses OIDC to authenticate to Azure (no long-lived secrets). Workload identity federation — short-lived tokens scoped to specific repo + branch + environment.
  • Environment Protection Rules: Production deployments require manual approval from Tech Lead + Security role. 15-minute deployment window enforced. Rollback action available for 30 minutes post-deploy.
  • Supply Chain Security: All GitHub Actions pinned to commit SHA (not mutable tags). Actions audited quarterly. Dependency Review action blocks PRs introducing vulnerabilities with known exploits.
  • Audit Log Streaming: GitHub enterprise audit log streamed to Microsoft Sentinel via webhook. All repo events, member changes, and security alerts correlated with platform security events.
RBAC — 8 Roles × Permission Matrix
Role Description Acquisitions Underwriting Asset Mgmt Portfolio Transactions Cross-Tenant
RE-CEO Executive — full read portfolio visibility ✓ Read ✓ Read ✓ Read ✓ Full ✓ Read JIT Only
RE-PM Portfolio / Asset Manager ✓ Full ✓ Full ✓ Full ✓ Full ✓ Full
RE-UW Underwriter / Analyst ✓ Read ✓ Full Read-only Summaries Read
RE-TX Transactions / Acquisitions ✓ Full ✓ Full ✓ Full
RE-SVC Property Services / Operations Ops only
RE-DATA Data / Analytics Engineer Read Read Read ✓ Full JIT Read
RE-COMP Compliance / Legal Read Read Read Read ✓ Full
RE-EXT External / Advisor (read-only, scoped) Specific deals
JIT = Azure PIM Just-In-Time elevation required (4-hour TTL, manager approval). All cross-tenant access requires explicit elevation.
Wave 1 · Resolution Required

Open Items & Blockers

Active issues and unresolved architectural decisions requiring resolution before Wave 1 completion and Wave 2 kickoff. Tracked by severity with owner and target resolution date.

🔴 2 Critical 🟡 2 High 🔵 1 Medium 5 Open Architecture Decisions
2
Critical
2
High
1
Medium
5
Total
Critical BLOCK-001
OPA Policy Bundle — Rego Authoring Not Started
The OPA Rego policy bundle defining all tenant isolation and RBAC enforcement rules has not been authored. This is a hard blocker for Wave 1 go-live — without it, the platform has no policy enforcement layer and cannot be deployed to production. All 8 RBAC roles, all cross-tenant rules, and all resource-scope checks need to be translated into Rego policies and tested.
Critical BLOCK-002
Tier 3 Air-Gapped LLM — Model Selection & Procurement Pending
The air-gapped private LLM (Tier 3) required for LP reporting (RE-25) and fund-sensitive data processing has not been selected or procured. Decision pending between self-hosted open-weight model (Llama 3, Mistral) on Azure GPU VMs vs. Azure OpenAI on private endpoint with no-logging guarantee. Procurement, security review, and VNet deployment are all required before Wave 3 modules can be scoped.
High BLOCK-003
dbt MetricFlow Metric Definitions — NOI, DSCR, IRR Not Finalized
The governed metric definitions in dbt Core + MetricFlow for the platform's core financial metrics (NOI, DSCR, LTV, Cap Rate, IRR, EM) have not been finalized and approved. Different business units use slightly different calculation methodologies for these metrics. Finance and AM team alignment is required before these are locked in the data model, as downstream modules (RE-08, RE-11, RE-16, RE-24) depend on them.
High BLOCK-004
Clerk ↔ Entra ID Group Sync — Configuration Incomplete
The bidirectional sync between Azure Entra ID security groups and Clerk organizations for all 4 tenants has not been configured. User provisioning, deprovisioning, and role assignment flows are manual until this is resolved. SCIM provisioning from Entra ID to Clerk needs to be set up and tested for all 4 tenant organizations and all 8 RBAC role mappings.
Medium BLOCK-005
Crexi API Access — Data Licensing Under Review
RE-02 (Market Comp Intelligence) and RE-06 (Off-Market Scanner) require structured API access to Crexi market data for comp retrieval and off-market scanning. API licensing terms, data usage rights for AI model ingestion, and cost structure are under legal and procurement review. Module functionality will be limited to internal comp data until API access is confirmed.
Open Architecture Decisions
Multi-tenant vector search strategy
pgvector with RLS enforced at query time vs. separate vector stores per tenant. Tradeoff: operational simplicity vs. search isolation guarantee. Decision pending on data sensitivity classification for embeddings.
Prompt caching cost model
Anthropic prompt caching will be beneficial for RE-08 and RE-16 which use large system prompts with static context. Cost modeling and cache key design not yet scoped. Estimate 40-60% token cost reduction on high-frequency modules.
LangGraph persistence backend
LangGraph checkpoint/state persistence configured for PostgreSQL (existing infra) vs. Redis for lower-latency short-lived workflows. Long-running deal workflows (multi-day) favor PostgreSQL; sub-minute agent loops favor Redis.
RE-EXT external advisor access model
External advisors (attorneys, brokers, consultants) need deal-scoped read access without becoming Entra ID members. Guest account model vs. time-limited signed URL pattern vs. separate Clerk external org. Security review required.
Leadership · Technology · Finance · Legal

Key Contacts

Executive leadership, platform technology team, finance owners, legal, and asset management contacts for the Leon RE Intelligence Platform.

👑 5 Executive Leaders ⚙️ 4 Technology Owners 💼 Finance & Legal & AM
Executive Leadership
FD
Fernando De Leon
Chief Executive Officer
Platform executive sponsor · Strategic direction · Cross-entity oversight
JC
Josh Canafax
Chief Investment Officer
Investment strategy · Acquisitions oversight · RE-00 through RE-07 workflow design · LOI & IC package review
SW
Sean Wood
President, Leon Industrial
Leon Industrial tenant leader · Use case discovery · Asset management module requirements
BS
Blake Schroder
President, Leon Multifamily
Leon Multifamily tenant leader · Rent roll intelligence · Renewal scoring · LIHTC compliance requirements
JS
Jeff Saladin
President, Real Estate Credit
RE Credit vertical leader · DSCR & covenant monitoring · Lender reporting · Loan portfolio oversight
Technology & Engineering
FH
Farhan Hussain
Chief Technology Officer
Also serving as
Platform Architect — Real Estate Intelligence Platform
Platform Owner · Architecture Decisions · Wave Delivery · Security Design · Platform Design · AI & Automations Governance · Data Governance
AK
Akhilendar Kaukuntla
AI & Platform Engineering
AI / Data Engineering · Platform Development · Platform Hosting · Full-Stack Deployment
DL
Dennis Lee
AI Automations Specialist
Automation Engineering · Platform Workflow Development · Module Integration · Data Pipeline Connectors
DR
Daniel Roode
Cyber Security, Platform Security & Identity
Cyber security · Platform security · Identity & access (Entra ID / SCIM) · Security architecture & controls
Finance
AH
Alex Hunter
Finance — Leon Industrial Accounts
Leon Industrial financial accounts · Metric definition sign-off · Lender reporting templates · Financial data harmonisation
CM
Chris Murray
Finance — Leon Multifamily Accounts
Leon Multifamily financial accounts · Metric definition sign-off · Lender reporting templates · Financial data harmonisation
Legal & Compliance
MT
Matt Thompson
Legal / Compliance
Crexi API licensing (BLOCK-005) · RE-EXT access model · Data usage rights · PSA & title module review
Asset Management
SB
Scott Birdsong
Asset Management
RE-16 through RE-23 module requirements · Use case discovery · Tenant onboarding · Wave 1 pilot
JM
Jordan Myller
Asset Management
RE-16 through RE-23 module requirements · Use case discovery · Tenant onboarding · Wave 1 pilot