User Story Backlog

Given a patient's HbA1c has risen from 6.2 to 7.1 to 8.4 over 3 visits, When I open their record, Then I see an amber "Trending Up" alert on HbA1c with a sparkline showing the trajectory.

Given all lab values are within normal range and stable, When I open the record, Then no alerts are shown and the labs section displays "No significant changes."

Given a patient is on Warfarin and a new prescription for Amiodarone is added, When I open their medication list, Then a red "Severe Interaction" alert appears with the specific risk (increased bleeding).

Given a patient has no known interactions, When I view the medication list, Then a green "No Interactions Detected" indicator is shown.

Given a patient has a new chest CT and a prior CT from 6 months ago, When I open the imaging section, Then I see a delta summary highlighting key changes (e.g., "Nodule: 8mm → 12mm, growth detected").

Given no prior imaging exists for comparison, When I view the study, Then it displays "Baseline study — no prior available for comparison."

Given I am an endocrinologist, When I configure my alert preferences, Then I can enable HbA1c, glucose, and thyroid panel alerts while disabling imaging and cardiac alerts.

Given I have disabled imaging alerts, When a patient gets new imaging, Then I do not receive a notification but the data is still accessible in the full record.

Given my HbA1c result is 8.4%, When I view it on the Health Updates tab, Then I see "Your average blood sugar over 3 months is elevated" with a red severity indicator and a recommendation to discuss with my provider.

Given all my labs are normal, When I view Health Updates, Then I see "All results within normal range" with a green indicator.

Given my Metformin dose was increased from 500mg to 1000mg, When I view Health Updates, Then I see "Metformin dose increased — your provider adjusted this to help manage your blood sugar levels."

Given no medication changes occurred since my last visit, When I view Health Updates, Then the medications section shows "No changes since [last visit date]."

Given I have a critical lab result and a routine medication refill, When I open Health Updates, Then the critical item appears at the top with a red banner, and the routine item appears below with a blue informational indicator.

Given I submit a Dataset query for "Type 2 Diabetes outcomes," When the results are assembled, Then each patient record includes chronological visits, lab trends, medication changes, and outcomes spanning the full consent window.

Given a patient revoked consent partway through, When their data is included, Then only the consented time period is present and a "Consent window: [start] to [end]" field is included.

Given a patient has labs, meds, diagnoses, and imaging all populated, When their record is scored, Then it receives a "High" quality score (90%+).

Given a patient only has diagnoses and no labs or meds, When their record is scored, Then it receives a "Low" quality score (below 50%) with a breakdown showing missing categories.

Given a Dataset query result is ready for export, When the de-identification pipeline runs, Then all 18 HIPAA Safe Harbor identifiers are removed or generalized and a certification report is attached.

Given a record contains a rare diagnosis that could be re-identifying in a small cohort, When the k-anonymity check runs, Then the record is suppressed if the cohort size falls below the k threshold (default k=5).

Given I export a dataset, When I inspect the metadata, Then each record includes consent_granted_at, consent_version, jurisdiction, and categories_consented fields.

Given I am on the Earnings tab and have no bank linked, When I click "Link Bank Account," Then a Plaid modal opens allowing me to search and connect my bank, and upon success, a masked account number (****1234) is displayed.

Given I have linked a bank account, When a payout is triggered, Then the ACH transfer initiates and I see a "Processing" status that updates to "Deposited" within 5 business days.

Given I have 3 pending payouts, When I open the Earnings tab, Then I see each payout with: amount (my 80% net), source (marketplace query or trial), status (pending/processing/deposited), and expected deposit date.

Given a payout completes, When the ACH settles, Then the status updates to "Deposited" with the actual settlement date.

Given my accrued balance is $7.20, When the weekly payout cycle runs, Then no payout is initiated and my balance carries forward with a note "Below $10 minimum — will roll to next cycle."

Given my balance reaches $14.80, When the next payout cycle runs, Then a $14.80 ACH deposit is initiated.

Given a Cohort query is billed at $350 gross, When the attribution event is written, Then the record shows patientNet=$280, moonliticFee=$70, and the split ratio is stored as metadata.

Given an Aggregate query is billed at $0, When the attribution event is written, Then no payout record is created (zero-value queries don't generate earnings).

Given a patient's annual earnings reach $600, When January 31 of the following year arrives, Then a 1099-NEC is generated with their legal name, TIN, and total non-employee compensation, and filed electronically with the IRS.

Given a patient earned $450 for the year, When the 1099 generation runs, Then no 1099 is generated (below $600 threshold) but the income is still reported to the patient in their Earnings tab.

Given 500 patients have pending balances above the minimum, When the weekly batch runs, Then all 500 ACH transfers are submitted in a single Velo Payments batch and a batch receipt is logged with total amount, count, and status.

Given 3 transfers in the batch fail (invalid account), When the batch completes, Then the 3 failures are flagged for retry, the patient is notified to update banking info, and the remaining 497 succeed.

Given I click on a payout record, When the detail view opens, Then I see: source query ID, buyer name, gross amount, 80/20 split breakdown, Velo transfer ID, ACH settlement date, and patient bank (masked).

Given a payout consolidates earnings from 5 queries, When I expand the detail, Then each of the 5 source transactions is listed with individual amounts that sum to the total payout.

Given I earned $120 from marketplace and $500 from a clinical trial in March, When I view the March earnings, Then I see two rows: "Data Marketplace: $120" and "Clinical Trial (Acme Pharma): $500" with a total of $620.

Given I see a payout that looks incorrect, When I click "Report Issue," Then a form opens where I describe the problem, and a support ticket is created with the payout details pre-attached.

Given I have submitted a dispute, When it is being reviewed, Then the payout shows "Under Review" status and I receive email updates as the investigation progresses.

Given a payout fails due to "Insufficient funds" at the receiving bank, When the failure is detected, Then the system retries on the next business day (up to 3 attempts) and logs each attempt.

Given 3 retries have all failed, When the final retry fails, Then the patient receives an email saying "Your payout could not be completed — please update your bank details" and the amount is held in escrow.

Given a batch of 100 837P files arrives from the clearinghouse, When the ingestion pipeline runs, Then all 100 are parsed into structured claim records with: patient ID, provider NPI, diagnosis codes (ICD-10), procedure codes (CPT), billed amount, and service dates.

Given a file has invalid segments, When parsing fails, Then the file is quarantined with an error report listing the specific invalid segments and line numbers.

Given an 835 file arrives, When it is parsed, Then each payment/adjustment is matched to the original 837 claim by claim ID, and the claim record is updated with: paid amount, adjustment reason codes, and patient responsibility.

Given an 835 references a claim not yet in the system, When the match fails, Then it is queued in an "Unmatched Remittance" holding area and re-matched on each subsequent 837 ingestion.

Given a claim arrives with a service date in the future, When validation runs, Then the claim is flagged with "Invalid service date — future date detected" and routed to the exception queue.

Given a duplicate claim (same patient, provider, date, codes) already exists, When validation runs, Then it is flagged as "Potential duplicate" with a link to the original claim for manual review.

Given a claim includes CPT 27447 (knee replacement), When the claim is submitted, Then the system checks the payer's prior auth requirements and if required, auto-generates a prior auth request with the clinical documentation attached.

Given a procedure does not require prior auth, When the claim is submitted, Then it bypasses the auth workflow and proceeds directly to adjudication.

Given I have 12 pending auths, When I open the Prior Auth dashboard, Then I see each with: patient name, procedure, payer, submitted date, days pending, and current status.

Given an auth has been pending for more than 14 days, When I view the dashboard, Then it is highlighted in red with an "Escalate" button that generates a follow-up to the payer.

Given a prior auth for MRI is denied, When I click "Appeal," Then the system generates an appeal letter template with the denial reason, relevant clinical notes, and lab results pre-attached.

Given an appeal is submitted, When the payer responds, Then the auth status updates to "Appeal Approved" or "Appeal Denied — Final" and I am notified.

Given claims data for a population of 10,000, When the HEDIS engine runs, Then it calculates numerator/denominator for each applicable measure and produces a HEDIS scorecard with rates and benchmarks.

Given a measure is below the 50th percentile benchmark, When the scorecard is generated, Then it is flagged "Below Benchmark" with a gap analysis showing which patients are in the denominator but not the numerator.

Given a diabetic patient hasn't had an HbA1c test in 12 months, When I open their record, Then a care gap alert shows "Overdue: HbA1c screening (Comprehensive Diabetes Care measure)."

Given a provider bills 50 knee replacements in one day, When the anomaly engine runs, Then a "Volume Anomaly" flag is raised with the provider's billing pattern compared to peer averages.

Given a claim bills E&M level 5 (99215) for a 2-minute visit, When the upcoding detector runs, Then it flags "Potential Upcoding — high complexity code with minimal time."

Given I search by claim ID or patient name, When results appear, Then I see: submitted date, current status (received/in review/adjudicated/paid/denied), and if adjudicated, the payment amount vs. billed amount.

Given an 835 payment of $450 matches claim #12345 billed at $500, When auto-matching runs, Then the claim status updates to "Partially Paid" with variance of -$50 and the adjustment reason code is displayed.

Given 95% of payments match on first pass, When the batch completes, Then the 5% unmatched are routed to the manual review queue with suggested matches ranked by confidence score.

Given I set the variance threshold at 10%, When a claim billed at $1,000 is paid $800 (20% under), Then an alert fires with "Variance exceeds threshold: -$200 (20%)" and the claim is added to the exception queue.

Given a payment matches within 2% of the billed amount, When reconciliation runs, Then no alert fires and the claim is marked "Reconciled."

Given $10,000 in marketplace queries were processed this month, When reconciliation runs, Then the ledger shows: $10,000 gross revenue, $8,000 patient payouts, $2,000 Moonlitic fees, and any unreconciled variance.

Given a buyer's payment of $350 failed, When the query was already attributed, Then the variance report shows "Uncollected revenue: $350" and the patient payout for that query is held pending collection.

Given a buyer pays $350 for a Cohort query, When the payment is recorded, Then the journal shows: Debit Accounts Receivable $350, Credit Revenue $350; then Debit Revenue $280, Credit Patient Payable $280 (80% share); and Debit Revenue $70, Credit Platform Fees $70 (20% share).

Given the end-of-month close, When the trial balance runs, Then total debits equal total credits and any imbalance triggers an automatic investigation alert.

Given I request an audit report for Q1 2026, When the report generates, Then it includes: all journal entries, summary by account, reconciliation status for each transaction, and any unresolved exceptions.

Given 50 errors occurred in March, When I view the error dashboard, Then I see them grouped: 30 underpayments, 10 unmatched, 8 duplicates, 2 overpayments, with a 6-month trend chart showing if error rates are improving or worsening.

Given an 835 payment arrived before its 837 claim, When the next 837 batch is ingested, Then the system re-attempts matching and auto-reconciles if a match is found.

Given a payment remains unmatched after 30 days, When the aging threshold is hit, Then it escalates to the finance team with a "Stale Unmatched Payment" alert.

Given 25 exceptions are in the queue, When I open the exception dashboard, Then they are sorted by impact score (dollar amount x days outstanding) with the highest at the top.

Given I select "Q1 2026" and click "Payer Summary," When the report generates, Then each payer shows: total claims billed, total paid, variance percentage, and a trend arrow (improving/worsening vs. prior quarter).

Given I submit a $200 write-off adjustment, When I click "Submit for Approval," Then a second finance team member receives a notification to approve or reject the adjustment before it posts to the ledger.

Given the approver rejects the adjustment, When rejection is submitted, Then the adjustment is not posted, I receive a notification with the rejection reason, and the exception remains open.

Given I am on the Demo Data Generator, When I click "Full Happy Path" then "Seed Now," Then localStorage is populated for Door 2, Door 3, and Door 4, a status bar shows "Seeded: Full Happy Path," and all portal links are active.

Given the scenario is seeded, When I open Door 2, Then Maria Santos' profile appears with all consents ON, data values populated, and trial matches loaded.

Given I start the walkthrough timer, When 10 minutes elapse, Then the timer turns amber as a visual cue to start wrapping up.

Given I complete step 5 of 10, When I mark it done, Then the progress bar shows 50% and auto-scrolls to the next incomplete step.

Given a previous demo scenario is seeded, When I click "Fresh Start," Then all localStorage keys are cleared, the status bar shows "No scenario active," and all portals load in their default empty state.

Given I run the pre-demo check, When all files are present and valid, Then I see a green "All Clear" status with a checklist of verified items (file count, JS syntax, localStorage hooks, link validity).

Given a file is missing or has a JS error, When the check runs, Then I see a red "Issues Found" status listing exactly which files failed and why.

Given a demo session completes, When I review the session log, Then I see: scenario name, start/end time, steps completed (7/10), any browser console errors, and seed log entries.

Given I seed the Consent Revocation scenario, When I open Door 2, Then Maria has 2 categories already revoked (Genetic, Wearable) and the marketplace queries on Door 3 reflect the restricted dataset.

Given I seed the Mid-Approval scenario, When I open Door 3, Then Acme Pharma shows 2 of 4 approvals complete (Legal and Compliance approved, Data Governance and DPO pending).

Given I open the custom scenario builder, When I select "All consents ON" + "3 of 4 approvals" + "Patient Journey focus," Then a custom scenario is generated and I can save it with a name for reuse.

Given I saved a custom scenario, When I return to the Demo Generator, Then my saved scenario appears in the preset list alongside the defaults.

Given I select "Full Happy Path," When I click "View Brief," Then a one-page summary appears with: scenario name, seeded data points, key talking points per door, and recommended demo duration.

Given I am a new buyer, When I complete the registration form, Then my application enters the 4-stakeholder approval queue and I receive a confirmation email with estimated review time.

Given I omit required fields (company name, use case), When I submit the form, Then validation errors highlight the missing fields and submission is blocked.

Given Legal approves a buyer, When the approval is recorded, Then the application advances to Compliance and the Compliance officer is notified.

Given any stakeholder rejects the application, When the rejection is recorded, Then the workflow stops, the buyer is notified with the rejection reason, and the application status shows "Rejected at [stage]."

Given Legal and Compliance have approved but Data Governance is pending, When I log in, Then I see a progress bar showing 2/4 complete with "Awaiting: Data Governance" displayed.

Given my query results are ready, When I choose "Deliver via SFTP," Then the data is encrypted with AES-256 and transferred to my registered SFTP endpoint, and a delivery receipt is logged.

Given I choose "Deliver via API," When I call the results endpoint with my API key, Then I receive the data over TLS 1.3 with a response header showing the dataset hash for integrity verification.

Given I have 5 categories consented, When I view the Data Value section, Then each category shows: estimated monthly value, number of active buyers, and a visual bar proportional to value.

Given I revoke a category, When the Data Value section refreshes, Then that category shows $0 and the total recalculates.

Given I have 3 matched trials, When I open the Clinical Trials tab, Then each trial shows: title, CRO, compensation, eligibility match score, and Accept/Decline buttons.

Given I click "Accept" on a trial, When the action is confirmed, Then my status changes to "Enrolled — Pending Screening" and the CRO is notified.

Given I click "Decline," When the action is confirmed, Then the trial is moved to a "Declined" section and I am not shown that trial again unless I reopen it.

Given I enter a valid email, When I click "Continue," Then a 6-digit MFA code is sent to my phone and I must enter it within 5 minutes.

Given I enter an incorrect MFA code 3 times, When the third attempt fails, Then my account is temporarily locked for 15 minutes and I receive an email alert about the failed attempts.

Given a patient has consented to share Labs and Diagnoses but not Medications, When I open their record, Then I see Labs and Diagnoses sections but the Medications section shows "Access restricted by patient consent."

Given a patient grants Medications consent, When I refresh the record, Then the Medications section becomes visible within 30 seconds.

Given a patient has 3 recent visits, When I click "AI Summary," Then a 3-5 sentence summary appears highlighting: key diagnoses, recent lab changes, medication adjustments, and any care gaps — using only consented data categories.

Given a patient has restricted Medications access, When the AI summary generates, Then it does not mention medications and includes a note "Partial view — some categories restricted by patient consent."

Given I enter my email, NPI, and MFA code, When I click "Sign In," Then the system validates my NPI against the NPPES registry and grants access only if the NPI is active and matches my email domain.

Given I enter an invalid or deactivated NPI, When I attempt login, Then access is denied with "NPI not found or inactive — please verify your credentials."

Given I have 8 appointments today, When I view the list, Then each patient shows a consent indicator: green (all categories shared), amber (partial), red (no consent / restricted).

Given patient data is stored in Azure Health Data Services, When I inspect the storage configuration, Then Azure-managed keys (or customer-managed keys) are enforcing AES-256 encryption and no unencrypted blobs exist.

Given a buyer calls the data delivery API, When I inspect the connection, Then TLS 1.3 is enforced and TLS 1.0/1.1 connections are rejected.

Given a user authenticates as a "buyer" role, When they attempt to access patient-level records, Then access is denied with a 403 and the attempt is logged to the security audit trail.

Given a new role is created, When permissions are assigned, Then the role starts with zero permissions and each resource must be explicitly granted.

Given a clinician views a patient record, When the access occurs, Then an audit entry is written with: user ID, patient ID, resource type, action, timestamp, IP address, and consent status at time of access.

Given an auditor requests logs for the last 90 days, When the query runs, Then results are returned within 30 seconds and logs cannot be modified or deleted by any user including admins.

Given the marketplace portal (Door 3) is compromised, When the attacker attempts to reach the patient data store, Then all traffic is blocked by NSG rules and the intrusion attempt triggers an Azure Sentinel alert.

Given a weekly scan runs, When a critical vulnerability is detected, Then a Sev-1 ticket is auto-created, the security team is paged, and a 48-hour SLA for remediation begins.

Given no new vulnerabilities are found, When the scan completes, Then a "Clean Scan" report is generated and archived for compliance records.

Given a buyer API key exceeds 100 requests/minute, When the rate limiter fires, Then subsequent requests receive 429 Too Many Requests and the event is logged.

Given we provision an Azure tenant, When we accept the Microsoft Online Services BAA, Then the signed BAA is archived in our compliance vault and covers all HIPAA-eligible Azure services we use.

Given an auditor asks for our BAA chain, When we produce documentation, Then the chain shows: Moonlitic ↔ Microsoft Azure, Moonlitic ↔ Data Aggregator, Moonlitic ↔ Velo, Moonlitic ↔ Clear.

Given we select an aggregator vendor, When contract negotiation begins, Then BAA execution is a prerequisite before any patient data flows and the BAA specifies data categories, retention, and breach notification obligations.

Given the readiness assessment begins, When gaps are identified, Then each gap has an owner, remediation plan, and target date, tracked in a compliance dashboard.

Given all gaps are remediated, When the external auditor begins the Type II observation period, Then all controls are operating effectively for a minimum 3-month observation window.

Given a potential breach is detected, When the IR process begins, Then the playbook defines: who is notified within 1 hour, containment steps within 4 hours, and HHS notification within 60 days if 500+ records are affected.

Given a tabletop exercise is conducted quarterly, When the exercise completes, Then lessons learned are documented and the playbook is updated.

Given a breach affecting my data is confirmed, When the notification period begins, Then I receive a letter (and email) describing: what data was exposed, when it happened, what Moonlitic is doing, and what I should do (credit monitoring, etc.).

Given the annual pen test is scheduled, When the test completes, Then all critical and high findings have remediation plans within 7 days and are resolved within 30 days.

Given the pen test report is finalized, When an enterprise buyer requests security documentation, Then a redacted executive summary is available showing test scope, methodology, and finding counts by severity.

Given the Azure tenant is created, When I inspect the subscription layout, Then I see: moonlitic-dev, moonlitic-staging, moonlitic-prod, each with budget alerts at 80% and 100% of monthly allocation.

Given a developer deploys to dev, When they attempt to access prod resources, Then access is denied by Entra ID role boundaries.

Given the workspace is provisioned, When I send a test FHIR Patient resource via REST, Then it is stored successfully and retrievable via FHIR search with Entra ID bearer token auth.

Given I run the de-identification service on a Patient resource, When the output is returned, Then all 18 HIPAA Safe Harbor identifiers are removed or generalized.

Given the FHIR server is deployed, When I check its network settings, Then public access is disabled and only private endpoint connections from the Moonlitic VNet are accepted.

Given I push a PR, When the CI pipeline runs, Then it executes: lint, unit tests (90%+ coverage gate), SAST scan, dependency vulnerability check, and build — all must pass before merge is allowed.

Given a security vulnerability is found in a dependency, When the scan reports it, Then the PR is blocked with a clear message showing the CVE and affected package.

Given I run terraform plan against the production config, When no changes have been made, Then the plan shows "No changes. Infrastructure is up-to-date."

Given I need a new Azure resource, When I add it to Terraform and submit a PR, Then the plan output is attached to the PR for review before apply.

Given a new version is deployed to the green slot, When health checks pass for 5 minutes, Then traffic is swapped from blue to green with zero dropped requests.

Given the green slot fails health checks, When the failure threshold (3 consecutive failures) is hit, Then traffic stays on blue, the deployment is marked failed, and the team is alerted.

Given Door 2 API response time exceeds 2 seconds (p95), When the threshold is breached for 3 consecutive minutes, Then an alert fires to the ops channel with latency breakdown.

Given I open the uptime dashboard, When the page loads, Then I see: current month uptime %, 90-day trend, incident count, and MTTR for each portal (Doors 1-4).

Given the primary Azure region goes down, When the DR failover is initiated, Then all services are operational in the secondary region within 4 hours with no more than 1 hour of data loss.

Given a quarterly DR drill is scheduled, When the drill completes, Then actual RTO and RPO are measured and any gaps are documented with remediation plans.

Given I open the cost dashboard, When I filter by "production," Then I see month-to-date spend, forecasted month-end, top 5 cost drivers, and comparison to prior month.

Given vendor evaluation is complete, When contract negotiation begins, Then the MSA covers: per-patient pricing, data freshness SLA (24hr max), uptime SLA (99.9%), BAA, breach notification within 24 hours, and 90-day termination notice.

Given the MSA is signed, When I review the contract register, Then renewal date, auto-renewal terms, and price escalation caps are tracked with 120-day advance renewal reminders.

Given we project $X/month Azure spend, When negotiating with Microsoft or a CSP partner, Then we secure: committed spend pricing (vs. pay-as-you-go), Azure credits for healthcare startups if eligible (Microsoft for Startups), signed BAA covering all HIPAA-eligible services, and a named Microsoft account manager.

Given the agreement is signed, When I review the contract, Then it specifies: data residency (US only), HIPAA BAA, HITRUST inheritance, SLA commitments per service, and support tier (Standard or Professional Direct).

Given the Velo Payments application is approved, When the platform agreement is signed, Then it covers: ACH disbursement, split-payment (80/20), KYC for connected accounts (patients), 1099-NEC filing, and PCI DSS compliance.

Given a buyer completes the 4-stakeholder approval, When they reach the DUA step, Then they must digitally sign a DUA covering: permitted use cases, prohibited re-identification, data retention limits, audit rights, and breach notification obligations.

Given a buyer violates the DUA (e.g., attempted re-identification), When the violation is detected, Then automatic API access revocation occurs and the legal team is notified for enforcement action.

Given I sign the DUA, When I review the pricing schedule, Then it shows: Aggregate=$0, Cohort=$350/query, Dataset=$1,200/query, with volume discounts at 50+ and 200+ queries/month.

Given I am registering for Moonlitic, When I reach the consent step, Then I see a plain-language summary (8th grade reading level) covering: what data is collected, who can buy it (de-identified only), the 80/20 split, my right to revoke at any time, and dispute resolution.

Given I sign the agreement, When I want to review it later, Then the signed version is accessible in my portal under "My Agreements" with the date signed and version number.

Given I review the compensation agreement, When I read the terms, Then it specifies: 80% patient share, 20% platform fee, weekly ACH payout cycle, $10 minimum, 1099-NEC for earnings over $600/year, and dispute resolution process.

Given a patient in California visits the platform, When they review the privacy policy, Then CCPA rights (access, deletion, opt-out of sale) are clearly stated alongside HIPAA rights.

Given I accept a trial match, When the enrollment flow begins, Then I am presented with the CRO's IRB-approved informed consent form, which I must review and sign separately from my Moonlitic consent.

Given a vendor contract is 120 days from renewal, When the alert fires, Then the founder and legal receive an email with contract summary, current terms, and option to renegotiate or terminate.

Given a patient completes Clear verification and grants consent, When the authorization token is sent to the aggregator, Then FHIR resources (Patient, Condition, MedicationRequest, Observation, DiagnosticReport) are pulled and stored in Azure FHIR within 5 minutes.

Given the aggregator returns partial data (e.g., EHR doesn't support Observation), When the pull completes, Then available resources are stored and missing categories are logged with the EHR source noted.

Given a patient had a lab result added at their EHR today, When the nightly sync runs, Then the new Observation resource appears in Azure FHIR by the next morning and the patient sees it in Door 2 Health Updates.

Given a patient has revoked aggregator authorization, When the sync runs, Then their data pull is skipped, existing data is retained per retention policy, and the patient is notified to re-authorize if they wish.

Given data arrives from Epic (via aggregator) using US Core profiles, When normalization runs, Then all resources conform to the Moonlitic FHIR profile with consent metadata extensions attached.

Given data arrives from a non-US-Core EHR with non-standard coding, When normalization runs, Then codes are mapped to standard terminologies (ICD-10, SNOMED, RxNorm, LOINC) and unmappable codes are flagged for manual review.

Given I click "Verify Identity" during registration, When I complete the Clear flow (photo ID + selfie), Then my Moonlitic account is marked IAL2-verified and I can proceed to link my health data.

Given Clear verification fails, When the failure is returned, Then I see a clear message with the reason and alternative verification options (in-person, phone support).

Given I am on the Earnings tab with no bank linked, When I click "Set Up Payouts," Then the Velo Payments onboarding flow opens in-context, collects my bank details and tax info, and upon completion I see my masked account number and "Ready for Payouts" status.

Given a patient enters their email on the login page, When they click "Continue," Then Twilio sends a 6-digit code to their registered phone and the code expires after 5 minutes.

Given Twilio SMS delivery fails (carrier issue), When the failure is detected, Then the user is offered a fallback (email code or authenticator app).

Given a patient revokes consent, When the confirmation email is sent, Then it arrives within 60 seconds, uses the Moonlitic branded template, and includes a summary of current consent states.

Given an email bounces, When SendGrid reports the bounce, Then the patient's communication preferences flag "Email undeliverable" and an in-app notification is used as fallback.

Given a buyer submits a registration on Door 3, When the application is created, Then a Zoho CRM deal is auto-created with: company name, use case, contact info, and pipeline stage "Application Received."

Given a stakeholder approves in the platform, When the approval is recorded, Then the Zoho CRM deal stage advances accordingly (e.g., "Legal Approved" → "Compliance Review").

Given a buyer runs 10 Cohort queries in March, When the monthly billing cycle closes, Then a Zoho Books invoice is auto-generated for $3,500 (10 x $350) and emailed to the buyer's billing contact.

Given my profile includes Type 2 Diabetes and I'm in Texas, When the trial matcher runs, Then I see active NCT studies for T2D with sites within 50 miles, ranked by eligibility match score.

Given ClinicalTrials.gov API is unavailable, When the sync fails, Then the last successful dataset is used and a "Data as of [date]" notice is shown.