Everything a Chief Architect needs to build the production Marketplace
The Moonlitic Marketplace is the monetization engine of the entire Moonlitic Healthcore Intelligence Platform. Folders 01–05 build a de-identified health data warehouse (patient consent, clinical intelligence, claims processing, reconciliation, payouts). Folder 07 — this system — sells access to that data.
Companies ("Tile Builders") pay a flat $XXX,XXX/year fee to query de-identified cohort data. Every company type gets the same price (OIG Anti-Kickback compliance). What differs is what data they can access — governed by a per-company-type entitlement matrix enforced at every single query.
The Marketplace is NOT a data download portal. It is a zero-trust, compliance-first query platform where:
Marketplace_Portal_v2.html is a fully working single-file prototype (4,443 lines, all 11 engines inline, 11 demo users). Open it in a browser. Click through every role. That is the functional spec. This document explains the why and the who behind every screen you see.
There are 10 distinct actors in the platform (Clinician parked for future). They are not theoretical personas — each one maps to a login in the portal prototype, a role in the codebase, and a set of screens they can see.
Who: An external company visiting the portal for the first time. They have no tile, no data access, no credentials. They are a stranger.
Goal: Apply to become a Tile Builder.
What they can see:
What they can do:
What they CANNOT do:
Demo login: newco@acmebio.com / NewCo2026!
Who: An approved, paying company with an active tile. This specific instance is a Pharmaceutical company (PHARMA type).
Goal: Query de-identified health data for drug research, market analysis, clinical trial feasibility.
What they can see:
Entitlement (PHARMA): Claims ✓, Clinical ✓, Rx ✓, Demographics ✓, SDOH ✗, Genomics ⚡IRB+DUA, Device ✗
Demo login: pharma-demo@acmepharma.com / Demo@Marketplace2026
Who: An approved, paying insurance company with an active tile. Same TILE_COMPANY role, different company type, different entitlements.
Goal: Actuarial analysis, population health insights, claims benchmarking. NOT individual underwriting (ACA §1182).
What they can see: Same screens as Pharma. Different data access.
Entitlement (INSURANCE_PAYOR): Claims ✓, Clinical ✓, Rx ✓, Demographics ✓, SDOH ⚡DUA, Genomics ✗, Device ✗
Key difference from Pharma: Can access SDOH (with DUA), cannot access Genomics at all. Special rule: no individual underwriting decisions.
Demo login: underwriter@blueanchor.com / Demo@Marketplace2026
Who: Jennifer Walsh, Moonlitic internal. Evaluates revenue impact, strategic fit, and customer risk.
Approves FIRST in the 4-step sequence.
What they can see:
What they do:
SLA: 48 hours. Auto-escalates to proxy1 at 48h, proxy2 at 96h, CEO at 120h.
Demo login: jennifer.walsh@moonlitic.com / Approve2026!
Who: Dr. Ravi Nair, Moonlitic internal. Evaluates operational readiness and data governance compliance.
Approves SECOND. Only sees the application after Business approves.
Evaluates: Does the requested data match the stated use case? Is the company type appropriate for the categories requested? Are conditional items (IRB/DUA) present?
SLA: 48 hours. Same escalation chain.
Demo login: ravi.nair@moonlitic.com / Approve2026!
Who: Marcus Thompson, Moonlitic internal. Evaluates commercial terms and account management fit.
Approves THIRD. Only sees the application after Functional approves.
Evaluates: Is the billing contact valid? Are commercial terms understood? Is there a strategic account conflict?
SLA: 48 hours. Same escalation chain.
Demo login: marcus.t@moonlitic.com / Approve2026!
Who: Priya Sethi, Moonlitic internal. Evaluates integration readiness, security posture, and infrastructure requirements.
Approves LAST (4th). The final gate before BAA + invoicing.
Evaluates: Can this company integrate securely? Do they have the technical infrastructure for dataset exports? Any security red flags?
SLA: 48 hours. Escalates to CISO (not CEO).
Demo login: priya.sethi@moonlitic.com / Approve2026!
Who: Moonlitic Finance team. They do NOT approve applications. They manage money — both incoming (B2B collections) and outgoing (consumer payouts).
What they can see:
What they do:
What they CANNOT do:
How it differs from Admin Billing: Admin sees the executive summary (how many paid, how much outstanding). Finance sees the operational detail (who specifically owes, aging buckets, action buttons to send reminders, process payouts). Different audience, different granularity.
Demo login: finance@moonlitic.com / Finance2026!
Who: Moonlitic platform administrator. Has the widest view. Responsible for marketplace health.
What they can see:
Unique powers:
Demo login: admin@moonlitic.com / Admin2026!
Who: A real person who has completed Clear IAL2 verification (Folder 01) and consented to share health data categories. Their identity is biometrically verified. They are NOT a company — they are the data source.
What they can see:
What they CANNOT see:
Key rules: MFA optional (B2C-friendly). 4-hour session. Cannot delete records (immutability). Revocation is forward-looking only.
Demo logins: sarah.patient@gmail.com / Patient2026! · james.patient@outlook.com / Patient2026!
| Actor | Internal / External | Role Code | Tabs Visible | Primary Action |
|---|---|---|---|---|
| New Registrant | External | NEW_REGISTRANT | Onboard | Fill wizard, submit application |
| Tile Company (any type) | External | TILE_COMPANY | Onboard, Approval, Billing, Dashboard, ACL | Query data, manage credits |
| Approver — Business | Internal | APPROVER_BUSINESS | Approval, ACL | Approve/reject (1st in sequence) |
| Approver — Functional | Internal | APPROVER_FUNCTIONAL | Approval, ACL | Approve/reject (2nd) |
| Approver — Sales | Internal | APPROVER_SALES | Approval, ACL | Approve/reject (3rd) |
| Approver — Technical | Internal | APPROVER_TECHNICAL | Approval, ACL | Approve/reject (4th, final gate) |
| Finance | Internal | FINANCE | Finance Operations (Billing), ACL | Confirm wire payments, AR aging, AP payouts, collection tracking |
| Admin | Internal | ADMIN | Revenue & Economics, Approvals & Pipeline, Billing & Payments, Analytics & Credits, ACL | Monitor marketplace, reinstate tiles |
| Patient / Consumer | External (B2C) | PATIENT | My Data, Clinical Trials, Earnings | View data value, match trials, earn income |
| # | From | To | Action | System Effect |
|---|---|---|---|---|
| 1 | Registrant | System | Fills wizard, clicks Submit | Application created, compliance screening runs (OIG, SAM, OFAC, CMS). If pass → workflow initiated. |
| 2 | System | Approver Business | Notification: "New application pending" | HMAC token generated, 48h SLA clock starts |
| 3 | Approver Business | System | Reviews, clicks APPROVE | Decision + hashed notes logged to ACL. Advances to Functional. |
| 4 | System | Approver Functional | Notification + new HMAC token | Previous token invalidated (single-use) |
| 5 | Approver Functional | System | Reviews, clicks APPROVE | Advances to Sales |
| 6 | Approver Sales | System | Reviews, clicks APPROVE | Advances to Technical |
| 7 | Approver Technical | System | Reviews, clicks APPROVE | All 4 approved. Workflow COMPLETE. |
| 8 | System | Registrant | BAA modal presented | Must sign before invoice generates |
| 9 | Registrant | System | Signs BAA (E-SIGN Act digital sig) | BAA logged to ACL with HMAC checksum. Invoice auto-generated ($125K). |
| 10 | System | Finance | Invoice appears in Billing tab (SENT) | Wire instructions sent out-of-band |
| 11 | Finance | System | Enters wire ref, confirms amount | Amount validated against HMAC-sealed invoice. If match → tile ACTIVATED. |
| 12 | System | Tile Company | Dashboard unlocked, credentials issued | 1,000 credits loaded. Data Catalog active. 6-month invoice queued. |
| # | From | To | Action | System Effect |
|---|---|---|---|---|
| 3R | Any Approver | System | Clicks REJECT (20+ char justification) | Workflow terminated. All downstream approvals voided. |
| 4R | System | Registrant | Red rejection banner with reason | Billing/Dashboard tabs re-locked |
| 5R | Registrant | System | Clicks "Remediate & Resubmit" | Wizard reopens with preserved data. Can fix issues. On submit → full approval cycle restarts from step 2. |
| # | From | To | Action | System Effect |
|---|---|---|---|---|
| S1 | System | Tile Company | Invoice due date passes, no payment | Grace period starts. Orange banner with countdown. |
| S2 | System (day 16) | Tile Company | Auto-suspend fires | TILE_SUSPENDED logged. All queries return TILE_SUSPENDED denial. Red banner. |
| S3 | Admin | System | Sees alert in Revenue Dashboard, clicks Reinstate | TILE_REINSTATED logged. Access restored. Suspension cleared. |
| # | From | To | Action | System Effect |
|---|---|---|---|---|
| O1 | Tile Company | System | Submits query that exceeds remaining credits | System auto-provisions overage block (100 credits / $500). Query executes normally. |
| O2 | System | Tile Company | Orange overage banner on result + notification | Credit bar shows overage badge. Rate limit info shows cumulative overage cost. |
| O3 | System | Finance | Overage cost accumulated for next billing cycle | Overage invoice auto-generated at next billing event |
The Marketplace is built from 8 independent engines. Each engine has a single responsibility. They communicate through the Payment Orchestrator (engine 8), which wires the lifecycle together. Every engine writes to the ACL before mutating state.
THE compliance layer. Called on EVERY query. No caching.
Called by: DeliveryEngine.submitQuery()
Two-step authentication for all actors.
Called by: Login screen
16-step wizard that builds the application record.
Output: Application record handed to Engine 4
12-state lifecycle manager. Re-validates everything (zero trust).
Called by: Orchestrator on application submit
Sequential 4-role approval with HMAC tokens.
Called by: Orchestrator + Approver UI actions
Generates HMAC-sealed invoices. Cannot be modified after creation.
Called by: Orchestrator + Finance UI
Executes queries. 3 delivery tiers. Rate limits. Credit system.
Called by: Tile Company Dashboard UI
THE glue. Wires all engines into one lifecycle.
Called by: All UI actions that change lifecycle state
| Phase | Primary Actor | Entry Trigger | Exit Trigger | What Happens | If Failure |
|---|---|---|---|---|---|
| 1. Onboard | Registrant | User clicks "Begin Onboarding" | Clicks "Submit Application" | 16-step wizard. Fields validated in real-time. Draft auto-saved. On submit: checksum sealed, application record created. | Can save and resume anytime (localStorage) |
| 2. Review | System (automated) | Application submitted | Screening passes | Re-validates all fields. Runs OIG LEIE, SAM.gov, OFAC SDN, CMS exclusion checks. Takes <2 seconds. | COMPLIANCE_FAILED — terminal, no appeal. Registrant told: "Contact legal." |
| 3. Approval | 4 Approvers (sequential) | Screening passes | All 4 approve OR any 1 rejects | BUSINESS → FUNCTIONAL → SALES → TECHNICAL. Each gets HMAC token. 48h SLA each. Sequential — can't skip. | Rejection: 20+ char justification. Registrant sees reason + can remediate and resubmit (full cycle restarts). |
| 4. BAA | Registrant | All 4 approve | BAA signed | Modal with full BAA text. Requires: (1) checkbox "I have read," (2) typed legal name, (3) title/authority. HMAC checksum logged. | Cannot proceed without BAA. No invoice generated until signed. |
| 5. Payment | Finance | BAA executed | Wire confirmed | $125K invoice auto-generated (HMAC-sealed). Finance confirms wire ref + amount. Amount validated against seal. | Mismatch: logged + blocked. No payment by day 16: auto-suspend. |
| 6. Active | Tile Company | Payment confirmed | Annual renewal or suspension | API credentials issued. 1,000 credits loaded. Dashboard + Data Catalog active. 6-month invoice queued. | Non-payment: 15-day grace → auto-suspend. Credit exhaustion: overage auto-provision. |
| Company Type | Claims | Clinical | Rx | Demographics | SDOH | Genomics | Device | Key Restriction |
|---|---|---|---|---|---|---|---|---|
| Pharma / Biotech | ✓ | ✓ | ✓ | ✓ | ✗ | ⚡IRB+DUA | ✗ | No off-label promotion |
| Drug Mfgr / PBM | ✓ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | Approved indications only |
| Insurance / Payor | ✓ | ✓ | ✓ | ✓ | ⚡DUA | ✗ | ✗ | No individual underwriting (ACA §1182) |
| Clinical Trial / CRO | ✓ | ✓ | ✓ | ✓ | ⚡IRB | ⚡IRB | ⚡IRB | IRB required; protocol-limited |
| Data Aggregator | ✓ | ✗ | ✗ | ✓ | ✗ | ✗ | ✗ | RESALE PROHIBITED |
| Health IT / EHR | ✓ | ✗ | ✗ | ✓ | ✗ | ✗ | ✗ | Interoperability use only |
| ACO / Care Mgmt | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ | ⚡ | Covered entity/BA required |
| Academic Research | ✓ | ✓ | ⚡IRB | ✓ | ⚡IRB | ⚡IRB | ⚡IRB | IRB required; no commercial gain |
| Employer Plan | ✓ | ✗ | ✗ | ✓ | ✗ | ✗ | ✗ | OWN MEMBERS ONLY (GINA/ADA) |
| Government | ⚡DUA | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | Aggregate only; FOIA risk |
| AI / Analytics | ✓ | ⚡ | ⚡ | ✓ | ✗ | ✗ | ⚡ | Re-identification audit required |
| Category | Grain | Records | Date Range | Refresh | Min Cohort |
|---|---|---|---|---|---|
| Claims Adjudicated | Claim-level | ~48M | 2018-01 to present | Weekly | 50 |
| Clinical Outcomes | Patient-level | ~12M | 2019-06 to present | Monthly | 100 |
| Rx Utilization | Fill-level | ~85M | 2017-01 to present | Weekly | 25 |
| Population Demographics | Patient-level | ~210M | 2015-01 to present | Quarterly | 10 |
| Social Determinants | Census-tract | ~35M | 2020-01 to present | Semi-annual | 50 |
| Genomics Aggregate | Variant-level | ~2M | 2021-01 to present | Quarterly | 1,000 |
| Device Telemetry | Reading-level | ~15M | 2022-01 to present | Daily | 100 |
| Tier | Cost | Rate Limit | Max Records | Mode | Infrastructure |
|---|---|---|---|---|---|
| Aggregate Report | 0 credits (free) | 500/day, 10K/month | N/A (stats only) | Synchronous | Bucketed cohort sizes — no exact counts |
| Cohort Query | 1 credit | 100/day, 1K/month | 10,000 | Synchronous | De-identified record-level data |
| Dataset Export | 50 credits | 5/day, 20/month | 5,000,000 | Async blob | Encrypted Azure Blob. Signed URL: IP-locked, single-use, 24h expiry, 50 MB/s cap |
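The three tables above combined into one query gate, added here as an example (not the prototype's compliance layer or DeliveryEngine code): entitlement by company type including IRB/DUA conditionals, the per-category cohort minimum, the suspension check, tier credit cost, and the $500-per-100-credit overage auto-provision from the pricing section. Only four of the eleven company types are encoded; the tile record, request shape, and ACL event names are constructed assumptions.

```javascript
// Added example (not the portal prototype's code): the per-query gate that the
// compliance layer applies before DeliveryEngine executes anything. Matrix,
// cohort floors and tier costs come from the tables above; tile/request shapes
// and ACL event names are constructed here.

// Entitlement matrix (four of the eleven company types). 'Y' = allowed,
// 'N' = denied, array = conditional items that must be on file (IRB / DUA).
const ENTITLEMENTS = {
  PHARMA:          { Claims: 'Y', Clinical: 'Y', Rx: 'Y', Demographics: 'Y', SDOH: 'N',     Genomics: ['IRB', 'DUA'], Device: 'N' },
  INSURANCE_PAYOR: { Claims: 'Y', Clinical: 'Y', Rx: 'Y', Demographics: 'Y', SDOH: ['DUA'], Genomics: 'N',            Device: 'N' },
  CLINICAL_TRIAL:  { Claims: 'Y', Clinical: 'Y', Rx: 'Y', Demographics: 'Y', SDOH: ['IRB'], Genomics: ['IRB'],        Device: ['IRB'] },
  DATA_AGGREGATOR: { Claims: 'Y', Clinical: 'N', Rx: 'N', Demographics: 'Y', SDOH: 'N',     Genomics: 'N',            Device: 'N' },
};

// Minimum cohort size per category (the k-anonymity floor from the data catalog).
const MIN_COHORT = { Claims: 50, Clinical: 100, Rx: 25, Demographics: 10, SDOH: 50, Genomics: 1000, Device: 100 };

// Credit cost per delivery tier, and the overage block from the pricing table.
const TIER_COST = { AGGREGATE: 0, COHORT: 1, EXPORT: 50 };
const OVERAGE_BLOCK_CREDITS = 100;
const OVERAGE_BLOCK_USD = 500;

// Evaluates one query against a tile. Nothing is cached: every call re-reads
// status, entitlement and balance. Each ACL entry is pushed BEFORE the state it
// describes changes, so a throwing acl.push aborts the operation (fail-closed).
function gateQuery(tile, request, acl) {
  const log = (event, detail) =>
    acl.push({ ts: new Date().toISOString(), tileId: tile.id, event, ...detail });

  // 1. Suspended tiles are denied before anything else is evaluated.
  if (tile.status === 'SUSPENDED') {
    log('QUERY_DENIED', { code: 'TILE_SUSPENDED' });
    return { allowed: false, reason: 'TILE_SUSPENDED' };
  }
  // 2. Entitlement for this company type and category; unknown = denied.
  const matrix = ENTITLEMENTS[tile.companyType] || {};
  const rule = matrix[request.category];
  if (rule === undefined || rule === 'N') {
    log('QUERY_DENIED', { code: 'NOT_ENTITLED', category: request.category });
    return { allowed: false, reason: 'NOT_ENTITLED' };
  }
  if (Array.isArray(rule)) {
    const missing = rule.filter((doc) => !tile.documentsOnFile.includes(doc));
    if (missing.length > 0) {
      log('QUERY_DENIED', { code: 'CONDITIONAL_MISSING', missing });
      return { allowed: false, reason: 'CONDITIONAL_MISSING', missing };
    }
  }
  // 3. k-anonymity: the cohort must meet the category's minimum size.
  if (!(request.cohortSize >= MIN_COHORT[request.category])) {
    log('QUERY_DENIED', { code: 'COHORT_TOO_SMALL', cohortSize: request.cohortSize });
    return { allowed: false, reason: 'COHORT_TOO_SMALL' };
  }
  // 4. Credits: if the tier cost exceeds the balance, auto-provision
  //    ceil(deficit / 100) overage blocks at $500 each, then execute normally.
  const cost = TIER_COST[request.tier];
  if (cost === undefined) {
    log('QUERY_DENIED', { code: 'UNKNOWN_TIER', tier: request.tier });
    return { allowed: false, reason: 'UNKNOWN_TIER' };
  }
  let overageBlocks = 0;
  if (cost > tile.credits) {
    overageBlocks = Math.ceil((cost - tile.credits) / OVERAGE_BLOCK_CREDITS);
    log('OVERAGE_PROVISIONED', { blocks: overageBlocks, usd: overageBlocks * OVERAGE_BLOCK_USD });
    tile.credits += overageBlocks * OVERAGE_BLOCK_CREDITS;
    tile.overageUsd += overageBlocks * OVERAGE_BLOCK_USD;
  }
  log('QUERY_EXECUTED', { category: request.category, tier: request.tier, cost });
  tile.credits -= cost;
  return { allowed: true, reason: 'OK', cost, overageBlocks };
}
```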
Zero trust means: every component assumes every other component is compromised. Nothing is cached. Nothing is trusted. Every request is validated from scratch.
Two-step: password (constant-time compare) + TOTP MFA. 5-attempt lockout, 15-min cooldown. JWT bound to IP + user-agent hash. 1-hour expiry.
Role → tab visibility (hard-coded per role). Entitlement → data access (checked at every query). Suspension → query blocking (checked at every query). No caching. No trust.
AES-256-GCM for sensitive fields (EIN, email, phone). HMAC-SHA256 for JWT, approval tokens, invoice seals, BAA checksums, export URL signing. Session keys zeroed on SIGTERM.
Approval tokens: HMAC-signed, 24h expiry, single-use (Set-based replay detection). JWT: 1h expiry. Export URLs: IP-locked, single-use, 24h expiry, signed.
Immutable append-only log. Written BEFORE every state change. If write fails → operation aborts (fail-closed). Covers: logins, queries, approvals, rejections, payments, suspensions, overages.
No single person can approve a tile. 4 different roles evaluate 4 different risk dimensions. Each has 2 proxies + C-suite escalation. No workflow depends on one person.
API keys and tile credentials are ONLY created at the ACTIVE state — after approval, BAA, and payment. Never at any earlier stage. If the tile is suspended, credentials are revoked.
Every query checks cohort size against the category minimum (10–1,000). If the cohort is too small, the query is denied to prevent re-identification. Aggregate sizes are bucketed, not exact.
HMAC seal = sha256(invoiceId + amount + type + dueDate). On payment confirmation, Finance's amount is validated against the seal. Mismatch → logged + blocked. No human can change an invoice amount.
System auto-suspends at day 16 (no human decision). DeliveryEngine checks suspension status at every query. Suspended tiles get TILE_SUSPENDED denial. Only Admin can reinstate.
Every rejection requires 20+ character justification. Stored in ACL. Cannot silently reject. Remediation path preserves data and resets workflow for resubmission.
Export URLs: IP-locked (callerIp baked into HMAC), single-use (tracked), 24h expiry (timestamp in seal), 50 MB/s cap. Direct browser download blocked — API pipeline required.
| Item | Amount | Why It's This Way |
|---|---|---|
| Annual Fee | $XXX,XXX/year | Flat for ALL company types. OIG Anti-Kickback: differential pricing = favoritism risk. |
| Approval Invoice (50%) | $125,000 | Due on approval. Gets them in the door. |
| 6-Month Invoice (50%) | $125,000 | Auto-generated at month 6. Completes the annual fee. |
| Annual Renewal | $XXX,XXX | Auto-generated 30 days before anniversary. |
| Included Credits | 1,000/year | Covers typical query volume for most tiles. |
| Overage Block | $500 per 100 credits | Auto-provisioned when credits exhaust. Not punitive — enables continued access. |
| Payment Method | Wire transfer ONLY | No ACH, no credit card. No bank details stored in system. Wire ref validated. |
| Day | Status | What Happens | Actor Involved |
|---|---|---|---|
| Due Date | CURRENT | Normal operations. No warnings. | — |
| Day 1–15 | GRACE | Orange banner with countdown. Queries still allowed. Progress bar fills. | Tile Company sees warning |
| Day 16 | SUSPENDED | All queries blocked. TILE_SUSPENDED in ACL. Red banner. | System (automatic) |
| After payment | REINSTATED | Admin clicks Reinstate in Revenue Dashboard. Access restored. | Admin |
| Trigger | System Action | Notification |
|---|---|---|
| Query cost > remaining credits | Auto-provision ceil(deficit / 100) blocks × $500 | Orange banner on query result. Overage badge on credit meter. |
| Cumulative overage visible | Rate limit info shows "Overage: $X (N blocks)" | Usage Analytics updated with new total |
| Next billing cycle | Overage costs included in next invoice | Finance sees overage line items |
Admin content is distributed across 5 focused tabs (Onboarding removed from Admin view). Each tab loads its own render function for fast, scrollless UX:
| Tab | Label | Content | Render Function |
|---|---|---|---|
| Revenue | Revenue & Economics | Platform Economics (P&L), Revenue by Company Type, Tile Roster (CRM table) | renderAdminRevenue() |
| Approval | Approvals & Pipeline | Existing approval workflows + Application Pipeline (all pending apps) | renderAdminApproval() |
| Billing | Billing & Payments | Existing billing/invoicing + Payment Status Overview + Suspension Alerts with Reinstate | renderAdminBilling() |
| Dashboard | Analytics & Credits | Marketplace-wide credit utilization (per-tile breakdown) + Query Analytics | renderAdminDashboard() |
| ACL | ACL | Immutable audit trail (unchanged) | — |
Implementation: renderRevenueDashboard() is now a master orchestrator that calls all four renderAdmin*() functions. Each function injects Admin-only content into shared screen divs via hidden <div> containers (adminPipelineSection, adminBillingSection, adminDashboardSection). Tab labels and screen headers are dynamically updated when Admin logs in and reset on logout.
The Revenue & Economics tab (the Admin's default tab) shows the full financial picture: Platform Economics at the top, then Revenue by Company Type, then the full Tile Roster. Operational details like payment alerts, pipeline, and credit analytics live in their respective tabs (Billing, Approvals, Analytics).
But the CEO, CSO, CTO, or COO needs to answer different questions:
This is NOT a new role. The ADMIN role already has the widest view. The Admin's content is distributed across 5 focused tabs (Revenue & Economics, Approvals & Pipeline, Billing & Payments, Analytics & Credits, ACL). The Tile Roster (customer table) and Platform Economics (P&L view) live in the Revenue & Economics tab — the Admin's default landing page.
A sortable, filterable table showing every active, grace, and suspended tile:
| Column | Source | Why It Matters |
|---|---|---|
| Company Name | Onboarding wizard (Step 1) | Who is this customer? |
| Company Type | 11-type entitlement matrix | Pharma, Insurance, CRO, AI, ACO, etc. Drives entitlement + risk profile |
| Tile ID | System-generated | Unique identifier. Links to all ACL entries, invoices, queries |
| Status | BillingEngine + SuspensionEngine | ACTIVE / GRACE / SUSPENDED — color-coded badges |
| Joined | Approval workflow completion date | Customer tenure. Used for cohort analysis |
| ARR | $XXX,XXX flat (all types) | Revenue attribution per customer |
| Collected | BillingEngine payment records | How much has been paid vs. invoiced. Shows collection health |
| Credits Used / Total | DeliveryEngine credit tracker | Usage intensity. High usage = engaged customer. Low usage = churn risk |
| Top Categories | Query history aggregation | Which data categories this tile queries most. Demand signal |
| Overages | DeliveryEngine overage tracker | How many overage blocks purchased. Upsell signal |
Implementation: Built into the Admin's Revenue & Economics tab as a card below Revenue by Company Type. Filter by status (Active/Grace/Suspended), search by company name. All columns sortable.
A single card showing the full financial picture of the Moonlitic platform — both sides of the marketplace:
| Metric | Calculation | Audience |
|---|---|---|
| Revenue (Money In) | ||
| Total B2B Revenue (ARR) | Active tiles × $XXX,XXX/year | CEO, CFO |
| Collected YTD | Sum of all confirmed wire payments | CEO, CFO |
| Outstanding (Receivables) | Total ARR − Collected | CFO |
| Overage Revenue | Overage blocks × $500/block | CSO (upsell signal) |
| Consumer Payouts (Money Out) | ||
| Total Patient Payouts | Sum of all Velo disbursements (Folder 03) | CEO, CFO |
| Data Monetization Payouts | Revenue share to consented patients from marketplace queries | CEO |
| Clinical Trial Payouts | CRO compensation passed through to patients | CEO |
| Avg Patient Monthly Earnings | Total payouts / active patients / months | CPO (product health) |
| Platform Margin | ||
| Gross Margin | (B2B Revenue − Consumer Payouts) / B2B Revenue | CEO, Board |
| Net Platform Revenue | B2B Revenue − Consumer Payouts − Operating Costs | CFO |
| Consumer Pool Health | ||
| Total Registered Patients | Count of PATIENT role users (Folder 01) | CPO |
| Actively Monetizing | Patients with ≥1 category toggled ON | CPO |
| Trial Enrollment Funnel | Matched → Invited → Accepted → Active | CSO (CRO value prop) |
| Avg Categories per Patient | Monetizing categories / active patients | CPO |
Implementation: KPI row at the top of the Revenue Dashboard showing Revenue In, Payouts Out, Margin %. Below that, two side-by-side cards: "B2B Revenue" (left) and "Consumer Payouts" (right). All with (i) tooltips.
The prototype demonstrates every workflow end-to-end. The following table distinguishes what's already working from what needs production implementation. Use your judgment on sequencing.
| Capability | Status | Notes |
|---|---|---|
| 16-step onboarding wizard with validation | Working | All field types, formatting, draft save/resume |
| Two-step login (password + MFA) | Working | Lockout, IP+UA binding, JWT |
| 4-role sequential approval workflow | Working | HMAC tokens, replay detection, notes hashing |
| Rejection & Remediation flow | Working | 20-char justification, data preservation, resubmit |
| BAA execution (E-SIGN Act) | Working | Digital signature, HMAC checksum in ACL |
| Invoice generation (HMAC-sealed) | Working | Tamper-proof, amount validation on payment |
| Wire payment confirmation | Working | Ref validation, amount match, Finance role |
| Finance Operations (AR + AP) | Working | Collection status, AR aging report with actions, AP consumer payouts with process/batch, info tooltips |
| Entitlement enforcement (11 × 7 matrix) | Working | Checked at every query, not cached |
| 3 delivery tiers with rate limits | Working | Credit metering, k-anonymity, bucketed sizes |
| Export Job Tracker | Working | QUEUED → PROCESSING → READY with timers |
| Auto-suspension & grace period | Working | 15-day grace, query blocking, Admin reinstate |
| Overage credit provisioning | Working | Auto-provision, notification, cost tracking |
| Usage Analytics & burn rate | Working | 14-day chart, projections, category breakdown |
| Admin Tab Redistribution (5 tabs) | Working | Revenue & Economics, Approvals & Pipeline, Billing & Payments, Analytics & Credits, ACL — no scrolling |
| ACL audit logging | Working | Every action logged, filterable by module |
| Role-based progressive tab enablement | Working | Tabs lock/unlock based on role + lifecycle phase |
| Interactive data catalog with schema docs | Working | Grain, fields, sample rows, refresh cycle per category |
| Patient/Consumer portal (My Data tab) | Working | 12 category cards, monetization toggles, value estimates, provenance trail, activity feed |
| Clinical Trial Matching (two-way) | Working | Patient sees matching trials, accept/decline, enrollment. CRO sees aggregate match counts. |
| Earnings Dashboard (Patient) | Working | Two income streams, payout history (simulated Velo), revocation impact tracking |
| CRO Patient Matching Card | Working | Aggregate match counts on CLINICAL_TRIAL tile dashboard. No individual identities. |
| Approver Queue KPIs | Working | Pending count, total in review, coming next, sequence position, SLA per role. Shows on approver login. |
| Tile Company Welcome-Back | Working | Credits remaining, utilization, payment status, data refreshes since last login, quick action buttons. |
| Cross-Role Notifications | Working | Context-aware alerts on login: approver queue size, applicant status updates, Finance overdue/payout alerts, Admin platform health. |
| Patient Returning Experience | Working | New trial matches, pending payouts, last payout, query activity since last visit. Clickable cards to jump to detail. |
| Item | Priority | Current State (Demo) | Production Requirement | Suggested Tech |
|---|---|---|---|---|
| Encryption at Rest | P0 | Web Crypto API referenced; fields stored in JS objects | Server-side AES-256-GCM with managed key rotation | Azure Key Vault + Cosmos DB encrypted properties |
| Government DB Checks | P0 | Pattern match ("EXCLUDED" / "SANCTIONED") | Real API integration to OIG LEIE, SAM.gov, OFAC SDN, CMS | Scheduled batch + real-time check on submit. Cache 24h. |
| ICD-10 Query Filtering | P0 | Prohibitions displayed; no query-level filtering | Delivery Engine must strip/block F10–F19, F20–F91, Z14–Z84 from all results | SQL WHERE clause exclusion + post-query audit scan |
| Identity Provider | P0 | 11 hardcoded demo users in source code (9 B2B + 2 Patient) | External IdP with SSO, real MFA, password policy | Azure AD B2C / Entra ID + TOTP (Authenticator app) |
| ACL Backend | P0 | In-memory array with timestamps | Immutable, append-only, auditor-accessible ledger | Azure Confidential Ledger or Azure Immutable Blob Storage |
| Real Data Warehouse | P0 | Simulated query results with random data | De-identified data warehouse from Folders 01–05 | Microsoft Fabric / Databricks with row-level security |
| Export Blob Storage | P1 | Signed URLs with placeholder domain | Encrypted Azure Blob + SAS tokens with IP range + single-use tracking | Azure Blob Storage (hot tier) + Redis for URL redemption tracking |
| Approval Escalation Scheduler | P1 | Manual escalation function (no time trigger) | Auto-escalation at 48h → 96h → 120h per the SLA | Azure Durable Functions with timer triggers |
| Email Notifications | P1 | Gmail MCP drafts (3 templates created) | Transactional email at each lifecycle event | SendGrid / Azure Communication Services |
| Renewal Invoice Scheduler | P1 | Described in architecture; no cron | Auto-generate 6-month + annual invoices on schedule | Azure Logic Apps with billing calendar |
| Wizard Draft Storage | P2 | localStorage (plaintext on client) | Server-side encrypted draft with session key | Cosmos DB with client encryption SDK |
| Employer Membership Filter | P2 | "OWN MEMBERS ONLY" in special rules text | Cross-reference employer_id against member enrollment at query time | Query-time JOIN with enrollment table |
| AI Re-identification Audit | P2 | "Model re-identification audit required" in special rules | Periodic audit of AI/Analytics tile query patterns for re-identification risk | Scheduled analysis job + alert threshold |
Sprint 1 (Weeks 1–4): Identity Provider + ACL Backend + Encryption at Rest. These are prerequisites for everything else. Stand up Azure AD B2C, Confidential Ledger, and Key Vault. Port auth, ACL, and crypto modules from prototype.
Sprint 2 (Weeks 5–8): Government DB Integration + ICD-10 Filtering + Real Data Warehouse. Connect OIG/SAM/OFAC APIs. Build the query engine against Fabric/Databricks with row-level security and diagnosis code exclusions.
Sprint 3 (Weeks 9–12): Export Blob Storage + Email Notifications + Escalation Scheduler. Complete the async delivery pipeline. Wire up transactional emails. Implement time-based approval escalation.
Sprint 4 (Weeks 13–16): Renewal Scheduler + Employer Filter + AI Audit + Polish. Billing automation. Edge-case compliance. Load testing. Security review.
Total estimate: 16 weeks to production with a team of 4–6 engineers, assuming the prototype as functional spec and this document as architectural spec.