🏗️ Platform Reference

Technical + operational guide to Stratum architecture, data sources, and compliance status

Architecture

Quick Reference

API Deployment: Fly.io (sjc region, stratum-platform-api.fly.dev)
Frontend Deploy: Cloudflare Pages (manual upload, platform.stratumcollective.co)
Database: Postgres 16 (Fly, Development tier)
Authentication: ⚠️ Phase 1: X-User-Id header (not production-ready)
Multi-tenancy: All queries filtered by tenant_id
Soft Deletes: Archive status, never hard delete (7-year HIPAA retention)
Marketplace Gate: 2+ distinct tenants per cluster required

Registry API Endpoints (15 total, all public read-only)

Payer Intelligence (3)
GET /registries/payers
GET /registries/payers/:family/profile
GET /registries/ma-payers
Denial & Appeal Patterns (3)
GET /registries/denial-reasons
GET /registries/appeals
GET /registries/inappropriate-denial-patterns
State & Regulatory (4)
GET /registries/states
GET /registries/states/:state
GET /registries/parity-tracker
GET /registries/nqtl-violations
Clinical & Medical Necessity (3)
GET /registries/criteria
GET /registries/cms-coverage
GET /registries/x12-denial-codes
Research & Precedents (2)
GET /registries/research
GET /registries/precedents

Pipeline Stages

Ingest → Validate PHI/SUD → Aggregate → Mint Credits → Publish

Data & Registries

Quick Reference

Source | Count | Location
Raw Public Data Sources | 24 | stratum-corpus-data/public-data-sources.md
Processed JSON Registries | 14 | stratum-corpus-data/registries/
Access Tracking DB | 20 | Notion Data Source Acquisition Tracker

Registry Inventory Sample

Registry | Records | Size
payer | 307 | 144K
appeal_outcome | 244 | 88K
state_bh | 31 | 36K
denial_reason | 20 | 28K
academic_research | |
cms_ncd_lcd | |

These 14 registries are loaded at startup by stratum-platform/src/registries/index.ts, exposed as 15 public API endpoints (no authentication required), and consumed by prediction models (Phase 2A opportunities).

Compliance & Governance

Status Summary

Item | Status
HIPAA Audit | ✓ Complete (25 gaps identified)
Phase 1 Go-Live | ✓ Public registries only (no customer data)
Phase 2 Blocker | ✗ Blocked on BAAs, encryption, audit logging, IRB protocol
Auth Critical Flag | ⚠️ X-User-Id placeholder; Phase 2 = Auth0/Clerk

Open Compliance Gaps

PHI Validation Middleware

Aspect | Status
Current Coverage | 10/18 Safe Harbor identifiers (SSN, phone, MRN, etc.)
Remaining Work | 8/18 identifiers (Phase 2B)
Enforcement | 422 rejection on PHI detected in request body
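
One way the enforcement rule above could be implemented, shown as an added example and not Stratum's own middleware code: it scans a JSON request body for three of the named identifier classes and produces a 422 that reports the location and class of each hit but never the matched value. The detector patterns, the MRN format, and the names `scanForPhi` and `checkRequestBody` are assumptions.

```typescript
// Added example. Detector patterns and all names here are assumptions.
type Finding = { path: string; identifier: string };
type Rejection = { status: number; body: { error: string; findings: Finding[] } };

// Three of the identifier classes the page names (SSN, phone, MRN).
// MRN formats are site-specific; "MRN" followed by 6-10 digits is assumed.
const DETECTORS: { identifier: string; pattern: RegExp }[] = [
  { identifier: "ssn", pattern: /\b\d{3}-\d{2}-\d{4}\b/ },
  { identifier: "phone", pattern: /(?:\(\d{3}\)\s?|\b\d{3}[\s.-])\d{3}[\s.-]\d{4}\b/ },
  { identifier: "mrn", pattern: /\bMRN[\s:#-]*\d{6,10}\b/i },
];

// Walk every string in the JSON body, including nested objects and arrays,
// so PHI buried in a free-text field or an attachment list is still seen.
function scanForPhi(value: unknown, path: string = "$", out: Finding[] = []): Finding[] {
  if (typeof value === "string") {
    for (const d of DETECTORS) {
      if (d.pattern.test(value)) { out.push({ path, identifier: d.identifier }); }
    }
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => { scanForPhi(item, `${path}[${i}]`, out); });
  } else if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    for (const key of Object.keys(obj)) { scanForPhi(obj[key], `${path}.${key}`, out); }
  }
  return out;
}

// Framework-neutral decision: null means "pass to the route handler".
// The rejection names the field and identifier class only, so the error
// response and any log of it do not themselves carry PHI.
function checkRequestBody(body: unknown): Rejection | null {
  const findings = scanForPhi(body);
  if (findings.length === 0) { return null; }
  return { status: 422, body: { error: "phi_detected", findings } };
}

// Constructed sample request body (no real patient data).
const SAMPLE = {
  payer: "Example Health",
  denial: { code: "CO-50", notes: "Pt called from (206) 555-0142 re: MRN 00123456" },
  attachments: [{ memo: "SSN 123-45-6789 on file" }],
};
```

Pattern matching of this kind only catches identifiers in a recognisable format; an unformatted nine-digit number or a name passes through, which is why coverage is tracked per identifier class.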

WA-APCD Application

Status: Blocked pending cloud storage compliance decision (45 CFR 164.514)
Impact: Medicaid data ingestion deferred to Phase 2B

Cross-Reference Map

Architecture ↔ Data Sourcing: 14 registries defined in Data Sourcing, loaded and exposed as 15 API endpoints in Architecture
Architecture ↔ Compliance: Auth Phase 1/2 roadmap tied to DMP security timeline; soft delete pattern supports 7-year audit retention (DMP requirement); PHI validation middleware implements Safe Harbor compliance
Data Sourcing ↔ Compliance: All 24 raw sources verified as public domain (DMP requirement); no customer data until BAAs signed (Phase 2 gate)

How to Use This Dashboard

Developer: Architecture → API endpoints → Code links
Ops/Data: Data & Registries → Registry inventory → Sourcing guide
Compliance/Legal: Compliance & Governance → Open gaps → DMP full doc
Product: Architecture → Pipeline stages; Data & Registries → What's available