Cross-Cutting Concerns

Given the Azure tenant is created, When I inspect the subscription layout, Then I see: moonlitic-dev, moonlitic-staging, moonlitic-prod, each with budget alerts at 80% and 100% of monthly allocation.

Given a developer deploys to dev, When they attempt to access prod resources, Then access is denied by Entra ID role boundaries.

Given the workspace is provisioned, When I send a test FHIR Patient resource via REST, Then it is stored successfully and retrievable via FHIR search with Entra ID bearer token auth.

Given I run the de-identification service on a Patient resource, When the output is returned, Then all 18 HIPAA Safe Harbor identifiers are removed or generalized.

Given the FHIR server is deployed, When I check its network settings, Then public access is disabled and only private endpoint connections from the Moonlitic VNet are accepted.

Given I push a PR, When the CI pipeline runs, Then it executes: lint, unit tests (90%+ coverage gate), SAST scan, dependency vulnerability check, and build — all must pass before merge is allowed.

Given a security vulnerability is found in a dependency, When the scan reports it, Then the PR is blocked with a clear message showing the CVE and affected package.

Given I run terraform plan against the production config, When no changes have been made, Then the plan shows "No changes. Infrastructure is up-to-date."

Given I need a new Azure resource, When I add it to Terraform and submit a PR, Then the plan output is attached to the PR for review before apply.

Given a new version is deployed to the green slot, When health checks pass for 5 minutes, Then traffic is swapped from blue to green with zero dropped requests.

Given the green slot fails health checks, When the failure threshold (3 consecutive failures) is hit, Then traffic stays on blue, the deployment is marked failed, and the team is alerted.

Given Door 2 API response time exceeds 2 seconds (p95), When the threshold is breached for 3 consecutive minutes, Then an alert fires to the ops channel with latency breakdown.

Given I open the uptime dashboard, When the page loads, Then I see: current month uptime %, 90-day trend, incident count, and MTTR for each portal (Doors 1-4).

Given the primary Azure region goes down, When the DR failover is initiated, Then all services are operational in the secondary region within 4 hours with no more than 1 hour of data loss.

Given a quarterly DR drill is scheduled, When the drill completes, Then actual RTO and RPO are measured and any gaps are documented with remediation plans.

Given I open the cost dashboard, When I filter by "production," Then I see month-to-date spend, forecasted month-end, top 5 cost drivers, and comparison to prior month.

Given vendor evaluation is complete, When contract negotiation begins, Then the MSA covers: per-patient pricing, data freshness SLA (24hr max), uptime SLA (99.9%), BAA, breach notification within 24 hours, and 90-day termination notice.

Given the MSA is signed, When I review the contract register, Then renewal date, auto-renewal terms, and price escalation caps are tracked with 120-day advance renewal reminders.

Given we project $X/month Azure spend, When negotiating with Microsoft or a CSP partner, Then we secure: committed spend pricing (vs. pay-as-you-go), Azure credits for healthcare startups if eligible (Microsoft for Startups), signed BAA covering all HIPAA-eligible services, and a named Microsoft account manager.

Given the agreement is signed, When I review the contract, Then it specifies: data residency (US only), HIPAA BAA, HITRUST inheritance, SLA commitments per service, and support tier (Standard or Professional Direct).

Given the Velo Payments application is approved, When the platform agreement is signed, Then it covers: ACH disbursement, split-payment (80/20), KYC for connected accounts (patients), 1099-NEC filing, and PCI DSS compliance.

Given a buyer completes the 4-stakeholder approval, When they reach the DUA step, Then they must digitally sign a DUA covering: permitted use cases, prohibited re-identification, data retention limits, audit rights, and breach notification obligations.

Given a buyer violates the DUA (e.g., attempted re-identification), When the violation is detected, Then automatic API access revocation occurs and the legal team is notified for enforcement action.

Given I sign the DUA, When I review the pricing schedule, Then it shows: Aggregate=$0, Cohort=$350/query, Dataset=$1,200/query, with volume discounts at 50+ and 200+ queries/month.

Given I am registering for Moonlitic, When I reach the consent step, Then I see a plain-language summary (8th grade reading level) covering: what data is collected, who can buy it (de-identified only), the 80/20 split, my right to revoke at any time, and dispute resolution.

Given I sign the agreement, When I want to review it later, Then the signed version is accessible in my portal under "My Agreements" with the date signed and version number.

Given I review the compensation agreement, When I read the terms, Then it specifies: 80% patient share, 20% platform fee, weekly ACH payout cycle, $10 minimum, 1099-NEC for earnings over $600/year, and dispute resolution process.

Given a patient in California visits the platform, When they review the privacy policy, Then CCPA rights (access, deletion, opt-out of sale) are clearly stated alongside HIPAA rights.

Given I accept a trial match, When the enrollment flow begins, Then I am presented with the CRO's IRB-approved informed consent form, which I must review and sign separately from my Moonlitic consent.

Given a vendor contract is 120 days from renewal, When the alert fires, Then the founder and legal receive an email with contract summary, current terms, and option to renegotiate or terminate.

Given a patient completes Clear verification and grants consent, When the authorization token is sent to the aggregator, Then FHIR resources (Patient, Condition, MedicationRequest, Observation, DiagnosticReport) are pulled and stored in Azure FHIR within 5 minutes.

Given the aggregator returns partial data (e.g., EHR doesn't support Observation), When the pull completes, Then available resources are stored and missing categories are logged with the EHR source noted.

Given a patient had a lab result added at their EHR today, When the nightly sync runs, Then the new Observation resource appears in Azure FHIR by the next morning and the patient sees it in Door 2 Health Updates.

Given a patient has revoked aggregator authorization, When the sync runs, Then their data pull is skipped, existing data is retained per retention policy, and the patient is notified to re-authorize if they wish.

Given data arrives from Epic (via aggregator) using US Core profiles, When normalization runs, Then all resources conform to the Moonlitic FHIR profile with consent metadata extensions attached.

Given data arrives from a non-US-Core EHR with non-standard coding, When normalization runs, Then codes are mapped to standard terminologies (ICD-10, SNOMED, RxNorm, LOINC) and unmappable codes are flagged for manual review.

Given I click "Verify Identity" during registration, When I complete the Clear flow (photo ID + selfie), Then my Moonlitic account is marked IAL2-verified and I can proceed to link my health data.

Given Clear verification fails, When the failure is returned, Then I see a clear message with the reason and alternative verification options (in-person, phone support).

Given I am on the Earnings tab with no bank linked, When I click "Set Up Payouts," Then the Velo Payments onboarding flow opens in-context, collects my bank details and tax info, and upon completion I see my masked account number and "Ready for Payouts" status.

Given a patient enters their email on the login page, When they click "Continue," Then Twilio sends a 6-digit code to their registered phone and the code expires after 5 minutes.

Given Twilio SMS delivery fails (carrier issue), When the failure is detected, Then the user is offered a fallback (email code or authenticator app).

Given a patient revokes consent, When the confirmation email is sent, Then it arrives within 60 seconds, uses the Moonlitic branded template, and includes a summary of current consent states.

Given an email bounces, When SendGrid reports the bounce, Then the patient's communication preferences flag "Email undeliverable" and an in-app notification is used as fallback.

Given a buyer submits a registration on Door 3, When the application is created, Then a Zoho CRM deal is auto-created with: company name, use case, contact info, and pipeline stage "Application Received."

Given a stakeholder approves in the platform, When the approval is recorded, Then the Zoho CRM deal stage advances accordingly (e.g., "Legal Approved" → "Compliance Review").

Given a buyer runs 10 Cohort queries in March, When the monthly billing cycle closes, Then a Zoho Books invoice is auto-generated for $3,500 (10 x $350) and emailed to the buyer's billing contact.

Given my profile includes Type 2 Diabetes and I'm in Texas, When the trial matcher runs, Then I see active NCT studies for T2D with sites within 50 miles, ranked by eligibility match score.

Given ClinicalTrials.gov API is unavailable, When the sync fails, Then the last successful dataset is used and a "Data as of [date]" notice is shown.