
SaaS Control Plane
signup.akosmd.com readiness shell
Akos SaaS signup readiness shell
This is the first isolated runtime surface for future SaaS onboarding. It follows the same Akosv4 card, badge, app-panel, and soft-gradient traditions while keeping all business actions locked.
Signup UI flag: Off
Submissions: Disabled
Host: signup.akosmd.com
Prospect business details
Capture only organization and business-contact information. This form intentionally has no patient, member, insurance-ID, MRN, DOB, claim, transcript, or clinical fields.
PHI-safe logging and redaction policy
This shell models logging rules for SaaS control-plane and tenant-sensitive workflows: no raw FHIR, patient, IP, user-agent, transcript, or free-form payload logging.
No logging sink mutation
ENABLE_SAAS_PHI_SAFE_LOGGING_POLICY. Sink handoff remains blocked even when ENABLE_SAAS_LOGGING_SINK_HANDOFF is present. Traceability: SAAS-HIPAA-005, SAAS-HIPAA-004, SAAS-SEC-001.
Raw payload logging: blocked
Raw IP/user-agent: blocked
FHIR/patient payloads: never in logs
Allowed fields: event/status/tenant/severity/timestamp/checksum
Redaction: required before handoff
Retention class: security, operational, or billing non-PHI
Log sink ID: null in this shell
Audit ledger record: null in this shell
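An added example, not part of the Akosv4 shell or its code, showing how the field allowlist and checksum rule on this card can be enforced in a log handler before anything reaches a sink. The forbidden key names, the 128-character value cap, the hard-fail behaviour and the sample event are assumptions made for the illustration; the checksum is produced by the handler over the redacted record, never accepted from the caller.

```python
import hashlib
import json
from datetime import datetime, timezone

# Allowlist from the policy card: only these fields may reach a log sink.
# "checksum" is added by the handler after redaction, so it is not accepted as input.
ALLOWED_FIELDS = ("event", "status", "tenant", "severity", "timestamp")

# Keys this example treats as never-loggable. Constructed for illustration: the card
# names the categories (IP, user-agent, FHIR, patient, transcript, free-form payload),
# not the exact key names a runtime would use.
FORBIDDEN_KEYS = {
    "ip", "remote_addr", "user_agent", "fhir", "patient", "payload",
    "body", "transcript", "member", "mrn", "dob",
}

MAX_VALUE_LEN = 128  # assumed cap; stops a free-form message from riding inside "status"


class LoggingPolicyViolation(ValueError):
    """Raised instead of silently dropping data, so an offending call site fails in test."""


def redact_log_event(raw: dict) -> dict:
    """Reduce an arbitrary event dict to a sink-safe record and checksum it.

    Forbidden keys fail hard; unknown keys are dropped; allowlisted values must be
    short strings. The checksum covers the redacted record only, so raw material
    cannot influence a logged value.
    """
    forbidden = sorted(k for k in raw if str(k).lower() in FORBIDDEN_KEYS)
    if forbidden:
        # Report key names only; never echo the values being rejected.
        raise LoggingPolicyViolation(f"forbidden log fields: {forbidden}")

    safe = {}
    for key in ALLOWED_FIELDS:
        if key not in raw:
            continue
        value = raw[key]
        if not isinstance(value, str) or len(value) > MAX_VALUE_LEN:
            raise LoggingPolicyViolation(f"{key} must be a string of at most {MAX_VALUE_LEN} chars")
        safe[key] = value
    safe.setdefault("timestamp", datetime.now(timezone.utc).isoformat())

    canonical = json.dumps(safe, sort_keys=True, separators=(",", ":")).encode()
    safe["checksum"] = hashlib.sha256(canonical).hexdigest()
    return safe


def verify_checksum(record: dict) -> bool:
    """Recompute a logged record's checksum; False means it was altered after redaction."""
    body = {k: v for k, v in record.items() if k != "checksum"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest() == record.get("checksum")


if __name__ == "__main__":
    # Constructed sample: the handler holds business-contact data, the sink sees only the allowlist.
    sample = {
        "event": "intake.submitted", "status": "accepted", "tenant": "acme-clinic",
        "severity": "info", "timestamp": "2024-05-01T12:00:00+00:00",
        "org_name": "Acme Clinic", "contact_email": "ops@example.invalid",
    }
    print(redact_log_event(sample))
```

Failing closed on a forbidden key, rather than dropping it, is deliberate: a handler that quietly strips `ip` hides the fact that some code path is still trying to log it.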
File upload quarantine and out-of-MVP policy
This shell keeps public SaaS signup file uploads out of MVP unless a future quarantine path has malware scanning, PHI detection, size/type limits, and redacted logging.
No upload/storage/scanner mutation
ENABLE_SAAS_UPLOAD_QUARANTINE_POLICY. Upload handoff remains blocked even when ENABLE_SAAS_UPLOAD_HANDOFF is present. Traceability: SAAS-SEC-006, SAAS-HIPAA-001, SAAS-HIPAA-005.
Default posture: uploads out of MVP
Quarantine: required before any upload handoff
Malware scanning: required before any upload handoff
PHI detection: required before any upload handoff
Size limit: maximum 10 MiB in review policy
MIME allowlist: PDF, PNG, JPEG, plain text only
Quarantine bucket: null in this shell
Upload endpoint: null in this shell
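An added example, not part of the Akosv4 shell, of the admission check a future quarantine path would run before a file is even written to a quarantine bucket: the 10 MiB ceiling and the four-type allowlist from this card, with the declared MIME type cross-checked against the file's leading bytes so a renamed executable cannot enter as a PNG. The magic-byte table, the handling of text/plain and the reason strings are assumptions; the only positive outcome is "quarantine", since malware scanning and PHI detection still have to run afterwards.

```python
from typing import Optional

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # policy card: maximum 10 MiB

# Magic-byte prefixes for the allowlisted binary types (assumed table for this example).
# text/plain has no signature and is checked by decoding instead.
SIGNATURES = {
    "application/pdf": (b"%PDF-",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}
ALLOWED_MIME = set(SIGNATURES) | {"text/plain"}


def normalize_mime(declared: str) -> str:
    """'Image/PNG; charset=binary' -> 'image/png'; parameters never affect the decision."""
    return declared.split(";", 1)[0].strip().lower()


def screen_upload(declared_mime: str, data: bytes, content_length: Optional[int] = None):
    """Return ('quarantine', reason) or ('reject', reason); there is no 'accept'.

    content_length lets a caller reject an oversize body from the header before buffering it;
    the larger of the header and the actual bytes is used so neither can understate the size.
    """
    size = len(data) if content_length is None else max(content_length, len(data))
    if size > MAX_UPLOAD_BYTES:
        return ("reject", "size exceeds 10 MiB limit")
    if size == 0:
        return ("reject", "empty upload")

    mime = normalize_mime(declared_mime)
    if mime not in ALLOWED_MIME:
        return ("reject", "type not on allowlist")

    if mime == "text/plain":
        # Text must actually be text: NUL bytes or invalid UTF-8 mean a binary is being
        # smuggled under text/plain, so it never reaches the quarantine path.
        if b"\x00" in data:
            return ("reject", "declared text/plain but contains NUL bytes")
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return ("reject", "declared text/plain but not valid UTF-8")
    elif not any(data.startswith(sig) for sig in SIGNATURES[mime]):
        return ("reject", "content does not match declared type")

    return ("quarantine", "held for malware scan and PHI detection")
```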
Tenant lifecycle and suspension policy
This shell models explicit tenant lifecycle states so draft, active, suspended, offboarding, and torn-out states cannot be confused or mutated by the public signup surface.
No tenant lifecycle mutation
ENABLE_SAAS_TENANT_LIFECYCLE_POLICY. Handoff remains blocked even when ENABLE_SAAS_TENANT_LIFECYCLE_HANDOFF is present. Traceability: SAAS-TENANT-001, SAAS-TENANT-002, SAAS-ARCH-003, SAAS-PAY-002.
Explicit lifecycle state: Tenant state must be one of draft, staging, active, suspended, offboarding, or torn_out.
Allowed transition: State movement must follow the documented lifecycle path.
Reversible suspension: Suspension cannot delete or tear out tenant data.
Payment separated: Billing suspension cannot block required data export or legal access.
Audit event: Lifecycle decision must produce a PHI-safe audit event before handoff.
Suspension: reversible and separate from tear-out
Tenant record: null in this shell
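An added example, not the project's own code, of a state machine that enforces the rules on this card: the six states are closed, a transition is refused unless it is on the path, a suspended tenant can only return to active or proceed to offboarding (never straight to torn_out), and an audit event is written before the new state is handed back. The page does not print the documented lifecycle path, so the transition table and the set of export-eligible states here are assumptions made for the illustration.

```python
from datetime import datetime, timezone

STATES = ("draft", "staging", "active", "suspended", "offboarding", "torn_out")

# Assumed lifecycle path (the card requires "the documented lifecycle path" without
# listing it). Two card properties are encoded directly: suspended -> active is allowed
# (reversible suspension) and torn_out is reachable only from offboarding.
TRANSITIONS = {
    "draft": {"staging"},
    "staging": {"active", "draft"},
    "active": {"suspended", "offboarding"},
    "suspended": {"active", "offboarding"},
    "offboarding": {"torn_out"},
    "torn_out": set(),
}

# Assumed: states in which a departing client's export must remain reachable.
# draft/staging hold no production data and torn_out has none left.
EXPORT_ALLOWED_STATES = {"active", "suspended", "offboarding"}


class LifecycleError(ValueError):
    pass


def transition_tenant(tenant: dict, target: str, actor: str, request_id: str, ledger: list) -> dict:
    """Validate a state change, append a PHI-safe audit event, then return the updated tenant.

    `ledger` stands in for the append-only audit sink. The event is appended before the
    new state is returned, so a handoff without an audit record cannot occur; a refused
    transition appends nothing.
    """
    current = tenant.get("state")
    if current not in STATES or target not in STATES:
        raise LifecycleError("unknown tenant state")
    if target not in TRANSITIONS[current]:
        raise LifecycleError(f"transition {current} -> {target} is not on the lifecycle path")

    ledger.append({
        "actor": actor,
        "action": f"tenant.transition.{current}.{target}",
        "tenant": tenant["tenant_code"],  # internal code only; no display name or contact data
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "request_id": request_id,
    })
    return {**tenant, "state": target}


def export_allowed(tenant: dict) -> bool:
    """Payment separation: a billing suspension changes state, not export eligibility."""
    return tenant.get("state") in EXPORT_ALLOWED_STATES
```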
Tenant domain activation policy
This shell keeps tenant domain activation review-only until DNS ownership, managed certificate status, wildcard scope, and two-person approval are verified.
No domain activation mutation
ENABLE_SAAS_DOMAIN_ACTIVATION_POLICY. Handoff remains blocked even when ENABLE_SAAS_DOMAIN_ACTIVATION_HANDOFF is present. Traceability: SAAS-TENANT-003, SAAS-INFRA-002, SAAS-INFRA-003, SAAS-SEC-004.
DNS ownership: DNS TXT/CNAME ownership evidence must be present.
Managed certificate: Certificate Manager status must be active; no private keys in repo.
Wildcard scope: Tenant host must fit one-label *.care.akosmd.com coverage.
Two-person approval: Domain activation requires a distinct second approver.
Unknown host test: Unknown-host negative routing evidence must be attached.
DNS writes: blocked in this shell
Certificate IDs: null in this shell
Signup service account IAM boundary policy
This shell verifies that the public signup runtime remains least-privilege and cannot directly provision FHIR, billing, IAM, secrets, or production resources.
No IAM policy mutation
ENABLE_SAAS_SIGNUP_IAM_BOUNDARY_POLICY. Handoff remains blocked even when ENABLE_SAAS_SIGNUP_IAM_HANDOFF is present. Traceability: SAAS-SEC-001, SAAS-PROV-001, SAAS-HIPAA-001.
Intake-only roles: Runtime roles are limited to intake/audit/observability responsibilities.
No provisioning roles: Signup service account cannot create projects, FHIR stores, billing, IAM, or DNS.
No PHI data-plane access: Signup runtime cannot read/write tenant PHI resources.
Secrets blocked: Signup runtime cannot read tenant secret payloads.
IAM diff reviewed: IAM changes require explicit review evidence.
Forbidden roles: owner/admin/healthcare/billing/secret access
IAM mutation: blocked in this shell
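An added example, not part of the Akosv4 shell, of the review step this card calls "IAM diff reviewed": a proposed IAM policy document in the GCP shape (`bindings` of `role` plus `members`) is checked for any binding that gives the signup service account a role outside its intake/audit/observability boundary. The predefined role names used are real GCP roles; the allowlist, the forbidden-role patterns, the project ID and the service-account name are assumptions for the illustration.

```python
import re

# Roles this example permits for the public signup service account (assumed allowlist
# reflecting the card's "intake/audit/observability" scope; all are GCP predefined roles).
ALLOWED_ROLES = {
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/cloudtrace.agent",
}

# Role families the card forbids: owner/admin/healthcare/billing/secret access, plus the
# provisioning families it says the account cannot touch (projects, IAM, DNS).
FORBIDDEN_ROLE_PATTERNS = [
    re.compile(r"^roles/(owner|editor)$"),
    re.compile(r"^roles/.*[aA]dmin$"),
    re.compile(r"^roles/healthcare\."),
    re.compile(r"^roles/billing\."),
    re.compile(r"^roles/secretmanager\."),
    re.compile(r"^roles/iam\."),
    re.compile(r"^roles/dns\."),
    re.compile(r"^roles/resourcemanager\."),
]


def review_iam_policy(policy: dict, signup_sa: str) -> list:
    """Return findings for bindings that grant the signup service account a role outside the boundary.

    An empty list means the diff stays inside the least-privilege boundary. Bindings for
    other members are out of scope here; they belong to their own review.
    """
    member = f"serviceAccount:{signup_sa}"
    findings = []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding.get("role", "")
        if any(p.match(role) for p in FORBIDDEN_ROLE_PATTERNS):
            findings.append(f"FORBIDDEN {role} granted to {member}")
        elif role not in ALLOWED_ROLES:
            findings.append(f"UNREVIEWED {role} granted to {member}; not on the intake allowlist")
    return findings
```

Two finding classes are kept apart on purpose: a forbidden family is a hard block, while an unlisted role is a review prompt, so a new observability role can be added to the allowlist with evidence rather than silently passing.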
Provisioning queue and resumability policy
This shell keeps provisioning behind approval, queue handoff, idempotency, and resume controls. Public signup cannot directly create production resources.
No provisioning queue mutation
ENABLE_SAAS_PROVISIONING_QUEUE_POLICY. Handoff remains blocked even when ENABLE_SAAS_PROVISIONING_QUEUE_HANDOFF is present. Traceability: SAAS-PROV-001, SAAS-PROV-003, SAAS-SEC-004.
Approved workflow: Only approved workflow states may enter a provisioning queue.
Dry run reviewed: Dry-run report must be reviewed before any real work.
Idempotency key: Every provisioning request requires a deterministic idempotency key.
Resume plan: Partial failures must be resumable without duplicate resources.
Two-person approval: Real provisioning requires two distinct approvers.
Queue job: null in this shell
Production provisioning: blocked
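An added example, not the project's own queue, showing the five rules on this card working together: entry to the queue is gated on workflow state, a reviewed dry run and two distinct approvers; the idempotency key is derived deterministically from the plan's identity, so a resubmitted plan resumes the existing job instead of creating a second one; and a run skips steps already marked done, so a partial failure can be retried without creating a resource twice. The plan fields, the `approved_for_staging` state name and the in-memory storage are assumptions; the worker that would actually create resources is injected as a callable.

```python
import hashlib
import json
from typing import Callable


class ProvisioningGateError(ValueError):
    pass


def idempotency_key(plan: dict) -> str:
    """Deterministic key from the plan's identity fields (assumed: tenant code, environment, resources).

    Canonical JSON with sorted keys means the same plan submitted twice, in any key order,
    yields the same key, while a different resource list yields a different one.
    """
    identity = {
        "tenant_code": plan["tenant_code"],
        "environment": plan["environment"],
        "resources": sorted(plan["resources"]),
    }
    canonical = json.dumps(identity, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class ProvisioningQueue:
    """In-memory stand-in for the queue; the gate and resume logic are the point, not the storage."""

    def __init__(self):
        self.jobs = {}

    def enqueue(self, plan: dict, workflow_state: str, dry_run_reviewed: bool, approvers: list) -> dict:
        if workflow_state != "approved_for_staging":
            raise ProvisioningGateError(f"workflow state {workflow_state!r} may not enter the queue")
        if not dry_run_reviewed:
            raise ProvisioningGateError("dry-run report has not been reviewed")
        if len(set(approvers)) < 2:
            raise ProvisioningGateError("two distinct approvers are required")
        key = idempotency_key(plan)
        if key in self.jobs:
            return self.jobs[key]  # duplicate submission resumes the existing job instead of forking it
        self.jobs[key] = {"key": key, "steps": {r: "pending" for r in sorted(plan["resources"])}}
        return self.jobs[key]

    def run(self, key: str, execute: Callable[[str], None]) -> dict:
        """Execute pending steps in order and stop at the first failure.

        A step that raised stays 'failed' and is retried on the next run; steps already 'done'
        are skipped, so resuming after a partial failure cannot create a resource twice.
        """
        job = self.jobs[key]
        for resource, state in job["steps"].items():
            if state == "done":
                continue
            try:
                execute(resource)
            except Exception:
                job["steps"][resource] = "failed"
                return job
            job["steps"][resource] = "done"
        return job
```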
Budget, quota, and ownership-label policy
This shell requires budget alerts, quota ceilings, and tenant/environment labels before real provisioning can advance.
No budget/quota mutation
ENABLE_SAAS_BUDGET_QUOTA_POLICY. Handoff remains blocked even when ENABLE_SAAS_BUDGET_QUOTA_HANDOFF is present. Traceability: SAAS-OPS-002, SAAS-PROV-004, SAAS-PROV-002.
Budget defined: Monthly budget must be explicit before tenant resource creation.
Quota ceiling: Quota ceilings must prevent runaway use.
Owner labels: Tenant, environment, owner, and cost-center labels must be present.
Alert recipients: Budget/quota alerts need operations recipients.
Cost dry run: Dry-run cost estimate must be reviewed.
Budget creation: blocked in this shell
Monthly review cap: $500 shell ceiling
Secret Manager reference policy
This shell accepts Secret Manager references only and rejects raw credentials, private keys, .env-style values, and loggable secret material.
No secret reference mutation
ENABLE_SAAS_SECRET_REFERENCE_POLICY. Handoff remains blocked even when ENABLE_SAAS_SECRET_REFERENCE_HANDOFF is present. Traceability: SAAS-PROV-005, SAAS-HIPAA-005, SAAS-SEC-001.
Secret Manager reference: Tenant secrets are referenced by resource name, not stored in repo.
No raw values: Raw tokens, passwords, private keys, and connection strings are rejected.
Accessor scoped: Only the approved runtime gets least-privilege access.
Rotation plan: Rotation and revocation evidence must be attached.
Secret scan: Secret scan must pass before handoff.
Secret creation: blocked in this shell
Raw secret logging: rejected
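An added example, not part of the Akosv4 shell, of the two checks this card pairs: a config value in a secret-bearing field must be a Secret Manager version resource name (`projects/{project}/secrets/{secret}/versions/{version}`, the real GCP format), and anything shaped like raw material (a PEM private key, a connection string with embedded credentials, a `.env` assignment, a JWT, an API-key-shaped string) is refused. The violation messages name the config path and the category but never echo the rejected value, which is what keeps the "raw secret logging: rejected" rule intact when the scan result is itself logged. The shape patterns, field names and sample config are assumptions for the illustration.

```python
import re

# GCP Secret Manager version resource name. Project IDs: 6-30 chars, lowercase letters,
# digits and hyphens, starting with a letter. Secret IDs: letters, digits, underscore, hyphen.
SECRET_REF = re.compile(
    r"^projects/(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])"
    r"/secrets/(?P<secret>[A-Za-z0-9_-]{1,255})"
    r"/versions/(?P<version>latest|[1-9][0-9]*)$"
)

# Shapes of raw credential material this example rejects. Constructed from the categories
# the card names; the patterns detect form, not validity, which is all a gate needs.
RAW_MATERIAL = [
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("connection string with embedded credentials", re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@", re.I)),
    ("dotenv-style assignment", re.compile(r"^\s*(export\s+)?[A-Z][A-Z0-9_]*\s*=")),
    ("JWT-shaped token", re.compile(r"^eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.")),
    ("Google API key shape", re.compile(r"^AIza[0-9A-Za-z_-]{35}$")),
]


class SecretPolicyViolation(ValueError):
    """Message carries the config path and a category only; it never contains the rejected value."""


def validate_secret_reference(value, path: str = "<value>") -> dict:
    """Accept only a Secret Manager version resource name; reject anything shaped like raw material."""
    if not isinstance(value, str):
        raise SecretPolicyViolation(f"{path}: secret reference must be a string")
    for label, pattern in RAW_MATERIAL:
        if pattern.search(value):
            raise SecretPolicyViolation(f"{path}: raw {label} rejected; reference the secret by resource name")
    m = SECRET_REF.match(value)
    if not m:
        raise SecretPolicyViolation(f"{path}: not a Secret Manager version resource name")
    return m.groupdict()


def scan_secret_fields(config: dict, secret_fields: set) -> list:
    """Walk a nested config and return one violation message per offending secret-bearing field.

    An empty list means the scan passes. Fields not named in `secret_fields` are not inspected
    here; a repository-wide secret scanner covers accidental secrets in other keys.
    """
    violations = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if key in secret_fields:
                    try:
                        validate_secret_reference(value, child)
                    except SecretPolicyViolation as exc:
                        violations.append(str(exc))
                else:
                    walk(value, child)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")

    walk(config, "")
    return violations
```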
Tenant backup and restore drill policy
This shell requires tenant backup, restore-drill, BAA/service eligibility, and FHIR R4 export alignment before PHI production use.
No backup/restore mutation
ENABLE_SAAS_BACKUP_RESTORE_POLICY. Handoff remains blocked even when ENABLE_SAAS_BACKUP_RESTORE_HANDOFF is present. Traceability: SAAS-OPS-003, SAAS-HIPAA-002, SAAS-OFF-001, SAAS-HIPAA-003.
BAA/service eligible: Backup services must be eligible for ePHI use.
Encrypted backup: Tenant backups must be encrypted with approved keys.
Restore drill: Restore drill evidence must be present before production.
Export alignment: Backup plan must support departing-client export.
Retention defined: Retention, legal hold, and deletion windows must be defined.
FHIR baseline: R4
Backup job: null in this shell
Incident containment and emergency controls policy
This shell models emergency controls for signup pause, provisioning pause, session revocation, IP lock, secret rotation, and communications containment.
No incident response mutation
ENABLE_SAAS_INCIDENT_RESPONSE_POLICY. Handoff remains blocked even when ENABLE_SAAS_INCIDENT_RESPONSE_HANDOFF is present. Traceability: SAAS-OPS-001, SAAS-REL-003, SAAS-SEC-002.
Signup pause: Public signup can be paused quickly during attack.
Provisioning pause: Provisioning/export/payment/job handoffs can be paused.
Session revocation: Compromised sessions can be revoked.
Secret rotation: Emergency secret rotation path is documented.
Tabletop exercise: Incident response tabletop evidence is attached.
Kill switch mutation: blocked in this shell
PHI in incident notes: rejected
Tenant feature flag and kill-switch policy
This shell separates risky feature rollout from deploys by requiring tenant-scoped flags, default-off posture, ring assignment, and kill-switch evidence.
No feature flag mutation
ENABLE_SAAS_FEATURE_FLAG_POLICY. Handoff remains blocked even when ENABLE_SAAS_FEATURE_FLAG_HANDOFF is present. Traceability: SAAS-REL-001, SAAS-REL-002, SAAS-REL-003.
Tenant-scoped flag: Flags must be tenant-scoped, never global-only for risky workflows.
Default off: Risky features start disabled until approval.
Ring assignment: Feature rollout follows the ring registry.
Kill switch tested: Kill switch behavior is tested before enablement.
Rollback documented: Rollback plan is attached for the feature.
Flag registry: null in this shell
Tenant config mutation: blocked
Append-only audit ledger and evidence policy
This shell requires append-only, PHI-safe, hash-linked audit evidence for tenant lifecycle/security actions and offboarding certificates.
No audit ledger mutation
ENABLE_SAAS_AUDIT_LEDGER_POLICY. Handoff remains blocked even when ENABLE_SAAS_AUDIT_LEDGER_HANDOFF is present. Traceability: SAAS-HIPAA-004, SAAS-HIPAA-005, SAAS-OFF-005.
Append-only: Audit events are append-only and cannot be edited in place.
Actor/action/time: Actor, action, tenant, timestamp, and request ID are required.
Hash chain: Ledger entries need hash-chain or tamper-evidence metadata.
PHI-safe fields: No raw patient/FHIR/member details are logged.
Certificate evidence: Return/destruction/archive certificates link to audit evidence.
Ledger write: blocked in this shell
PHI-safe logging: required
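An added example, not the project's ledger, of what "append-only, hash-linked, PHI-safe" means in code: each entry carries the previous entry's hash, the required fields are enforced, PHI-class keys are refused at write time, readers only ever get copies, and a verifier walks the chain to report the first entry whose link no longer holds. The certificate helper shows how a return/destruction/archive certificate can be bound to the ledger head so it cannot be separated from its evidence. The PHI key list, the genesis value and the certificate shape are assumptions made for the illustration.

```python
import hashlib
import json
from copy import deepcopy

REQUIRED_FIELDS = ("actor", "action", "tenant", "timestamp", "request_id")
# Keys that must never appear in an audit event (assumed list built from the categories on the card).
PHI_KEYS = {"patient", "member", "fhir", "mrn", "dob", "ssn", "insurance_id", "claim", "transcript"}
GENESIS_HASH = "0" * 64


def _digest(entry: dict) -> str:
    """Hash of every field except the entry's own hash, over canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditLedger:
    """Append-only, hash-linked event list. There is no update or delete; readers get copies."""

    def __init__(self):
        self._entries = []

    def append(self, event: dict) -> dict:
        missing = [f for f in REQUIRED_FIELDS if not event.get(f)]
        if missing:
            raise ValueError(f"audit event missing required fields: {missing}")
        phi = sorted(k for k in event if str(k).lower() in PHI_KEYS)
        if phi:
            raise ValueError(f"audit event carries PHI-class fields: {phi}")
        prev = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        entry = {**event, "seq": len(self._entries), "prev_hash": prev}
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return deepcopy(entry)

    def entries(self) -> list:
        return deepcopy(self._entries)

    def verify(self):
        """Return (True, None) if every link holds, else (False, seq) of the first broken entry."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self._entries):
            if entry.get("seq") != i or entry.get("prev_hash") != prev or _digest(entry) != entry.get("hash"):
                return (False, i)
            prev = entry["hash"]
        return (True, None)

    def certificate(self, kind: str, tenant: str) -> dict:
        """Bind a return/destruction/archive certificate to the current ledger head."""
        if kind not in ("return", "destruction", "archive"):
            raise ValueError("unknown certificate kind")
        if not self._entries:
            raise ValueError("no audit evidence to certify")
        head = self._entries[-1]
        return {"kind": kind, "tenant": tenant, "evidence_seq": head["seq"], "evidence_hash": head["hash"]}
```

The verifier checks three things per entry (sequence number, back-link, own digest), so an edit in place, a deleted entry and a reordered entry all surface as a break at a specific `seq`.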
SaaS traceability and architecture completion policy
This final shell closes the remaining documentation and architecture controls: every build maps to matrix IDs, work remains sequential, SaaS stays in the Akosv4 repository, and current care.akosmd.com assets stay untouched during initial rollout.
No production or repository mutation
ENABLE_SAAS_CONTROL_COMPLETION_POLICY. Handoff remains blocked even when ENABLE_SAAS_CONTROL_COMPLETION_HANDOFF is present. Traceability: SAAS-DOC-001, SAAS-DOC-002, SAAS-DOC-003, SAAS-ARCH-001, SAAS-ARCH-002.
Matrix IDs mapped: Every implementation PR or ticket must map to one or more traceability matrix IDs.
Sequential build control: Work advances by selecting an ID/bundle, building it, testing it, opening review, then moving to the next bundle.
Same repository, no client forks: SaaS behavior stays in the Akosv4 repository with tenant variance through config, feature flags, and resource boundaries.
Current assets untouched: Initial SaaS construction must not mutate current care.akosmd.com production DNS, load balancer, runtime, or tenant data-plane assets.
Docs/runtime boundary: Documentation-only work remains docs-only; runtime shell work is isolated behind disabled-by-default controls.
Protected production host: care.akosmd.com
Repository posture: Akosv4, no long-lived client forks
Completion posture: review-only, no production mutation
Controlled approval sequence
This shell models the future approval path after no-PHI intake validation. It does not persist approvals, create tenants, start payment capture, or create Firebase/GCP objects.
Disabled-by-default controls
ENABLE_SAAS_INTAKE_APPROVAL_WORKFLOW. Provisioning handoff remains blocked even if ENABLE_SAAS_APPROVAL_PROVISIONING_HANDOFF is present in this construction increment. Traceability: SAAS-ARCH-003, SAAS-HIPAA-001, SAAS-SEC-001, SAAS-REL-002.
Intake validated: No-PHI prospect intake passed host, security, validation, and audit-envelope checks.
Security review: Cloud Armor, rate-limit, bot, audit, and control-plane readiness review.
HIPAA / BAA review: BAA, HIPAA service eligibility, PHI boundary, and no-PHI onboarding review.
Business approval: Internal commercial, support, and operational approval before staging access.
Approved for staging: Client may be prepared for a future staging-only tenant process after separate approval.
Provisioning blocked: terminal guardrail. Tenant creation, Firebase/GCP object creation, payment, and production cutover remain blocked.
Admin MFA, RBAC, and two-person approval policy
This shell models future SaaS admin-console access controls. Critical actions like provisioning, domain activation, export, tear-out, and production promotion require MFA, RBAC, audit, and approval.
No admin auth/RBAC mutation
ENABLE_SAAS_ADMIN_ACCESS_POLICY. Handoff remains blocked even when ENABLE_SAAS_ADMIN_ACCESS_HANDOFF is present. Traceability: SAAS-SEC-003, SAAS-SEC-004, SAAS-HIPAA-004.
Admin host: console.akosmd.com
MFA: required
RBAC: action-specific role allowlist
IAP/IP context: required before handoff
Critical actions: two-person approval required
Audit event: HIPAA-safe event prepared before action
Session policy ID: null in this shell
Approval record ID: null in this shell
HIPAA service eligibility and BAA gate
This shell models the service-by-service ePHI eligibility matrix before any tenant uses PHI, AI, communications, payment, or FHIR services in production.
No service/vendor mutation
ENABLE_SAAS_SERVICE_ELIGIBILITY_POLICY. Handoff remains blocked even when ENABLE_SAAS_SERVICE_ELIGIBILITY_HANDOFF is present. Traceability: SAAS-HIPAA-002, SAAS-HIPAA-006, SAAS-HIPAA-003.
FHIR baseline: R4
BAA evidence: required before PHI service use
Service eligibility: approved-for-ePHI required
Tenant feature flag: explicitly enabled before PHI use
Payment provider: no-PHI only
AI / communications: tenant-gated and eligibility reviewed
Provider config ID: null in this shell
Compliance record ID: null in this shell
Tenant registry candidate model
This shell defines the future tenant registry candidate shape after approval-for-staging. It intentionally does not persist tenant records or create infrastructure.
No infrastructure creation
ENABLE_SAAS_TENANT_REGISTRY. Firebase projects, GCP projects, payment customers, production hostnames, and DNS records remain null/blocked. Traceability: SAAS-ARCH-003, SAAS-HIPAA-001, SAAS-SEC-001, SAAS-REL-002.
tenantCode: DNS-safe internal code
displayName: Business display name only
desiredSubdomain: Validated staging subdomain candidate
environment: staging
dataBoundary: no_phi_control_plane
firebaseProjectId: null in this shell
gcpProjectId: null in this shell
paymentCustomerId: null in this shell
productionHostname: null in this shell
Cross-tenant isolation test policy
This shell models tenant-bound auth, host-only cookies, FHIR R4 resource boundaries, and Client A/B negative tests before tenant-aware SaaS features are activated.
No tenant isolation mutation
ENABLE_SAAS_TENANT_ISOLATION_POLICY. Handoff remains blocked even when ENABLE_SAAS_TENANT_ISOLATION_HANDOFF is present. Traceability: SAAS-TENANT-004, SAAS-SEC-005, SAAS-HIPAA-003.
FHIR baseline: R4
Cookie policy: host-only tenant domain
Auth context: tenant-bound session required
Resource policy: tenant-bound resource checks required
Client A/B negative test: required before portal/data-plane handoff
Same-tenant positive test: required before handoff
Evidence record: null in this shell
Auth/resource changes: blocked in this shell
Tenant resource dry-run policy
This shell models planned GCP, Firebase, FHIR R4, IAM, Secret Manager, domain, and budget resources for an approved staging tenant. It never creates cloud resources.
No GCP / Firebase / FHIR mutation
ENABLE_SAAS_DRY_RUN_PROVISIONING. Real provisioning remains blocked even when ENABLE_SAAS_REAL_PROVISIONING_HANDOFF is present. Traceability: SAAS-PROV-001, SAAS-PROV-002, SAAS-PROV-003, SAAS-PROV-004, SAAS-PROV-005, SAAS-OPS-002, SAAS-HIPAA-003.
Mode: dry_run_only
FHIR baseline: R4
GCP project: planned ID only
Firebase project: planned ID only
Secret Manager: references only; no repo secrets
IAM/service accounts: planned least-privilege worker only
Budget/quota alerts: required before real provisioning
Actual resource IDs: null in this shell
Hosted payment tokenization policy
This shell models payment readiness using hosted provider checkout only. Akos stores provider references/status, never PAN, CVV, bank details, or PHI in the SaaS control plane.
No payment-provider mutation
ENABLE_SAAS_PAYMENT_POLICY. Provider handoff remains blocked even when ENABLE_SAAS_PAYMENT_PROVIDER_HANDOFF is present. Traceability: SAAS-PAY-001, SAAS-PAY-002, SAAS-HIPAA-006.
Collection mode: hosted_provider_checkout
PAN/CVV storage: never stored
Allowed app data: provider IDs and payment status only
Hosted setup session: null in this shell
Provider customer: null in this shell
Provider subscription: null in this shell
Suspension/export split: export access preserved
Tenant access changes: blocked in this shell
DNS and hostname review policy
This shell models safe tenant hostname candidates for the future load-balancer path. It never creates DNS records, certificates, load-balancer bindings, or Cloud Armor bindings.
No DNS / SSL / load balancer mutation
ENABLE_SAAS_HOSTNAME_POLICY. DNS handoff remains blocked even when ENABLE_SAAS_DNS_CHANGESET_HANDOFF is present. Traceability: SAAS-ARCH-003, SAAS-SEC-001, SAAS-REL-002.
Allowed root: care.akosmd.com
Wildcard cert scope: *.care.akosmd.com
Allowed environment: staging only
DNS target: null in this shell
Load balancer binding: null in this shell
Cloud Armor binding: null in this shell
SSL and Certificate Manager review policy
This shell models future Google-managed wildcard certificate coverage for tenant hostnames. It never creates certificate resources, certificate-map entries, or load-balancer bindings.
No certificate mutation
ENABLE_SAAS_CERTIFICATE_POLICY. Certificate Manager handoff remains blocked even when ENABLE_SAAS_CERTIFICATE_MANAGER_HANDOFF is present. Traceability: SAAS-ARCH-003, SAAS-SEC-001, SAAS-REL-002.
Mode: google_managed_wildcard_review
Certificate location: global
Wildcard scope: *.care.akosmd.com
Certificate map entry: null in this shell
Certificate resource ID: null in this shell
Load balancer cert binding: null in this shell
GCLB host routing review policy
This shell models exact-host routing for signup and tenant hostnames. It never creates URL maps, HTTPS proxies, forwarding rules, backend services, serverless NEGs, or Cloud Run ingress changes.
No load-balancer mutation
ENABLE_SAAS_LOAD_BALANCER_POLICY. Handoff remains blocked even when ENABLE_SAAS_LOAD_BALANCER_HANDOFF is present. Traceability: SAAS-INFRA-001, SAAS-INFRA-004, SAAS-INFRA-005, SAAS-INFRA-006.
Allowed signup hosts: signup.akosmd.com, signup-staging.akosmd.com
Tenant host routing: exact one-label host under care.akosmd.com
Unknown host action: deny_or_static_404
HTTP behavior: redirect to HTTPS
Minimum TLS: TLS_1_2
Cloud Run ingress: internal + cloud load balancing required
GCLB resource IDs: null in this shell
Backend / NEG binding: null in this shell
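An added example, not part of the Akosv4 shell, serving three cards at once: the host-routing rule on this card (exact signup hosts, one-label tenant hosts under care.akosmd.com, everything else denied), the one-label wildcard-scope rule of the domain activation and DNS/hostname review cards, and the `desiredSubdomain` validation of the tenant registry candidate. A two-label host such as `a.b.care.akosmd.com` is denied because `*.care.akosmd.com` covers exactly one label, and a host that merely contains the root as a prefix is denied as unknown. The reserved-label list and the treatment of the bare root as the existing portal are assumptions for the illustration.

```python
import re

ALLOWED_SIGNUP_HOSTS = {"signup.akosmd.com", "signup-staging.akosmd.com"}
TENANT_ROOT = "care.akosmd.com"
# One DNS label: 1-63 chars of a-z, 0-9 and hyphen, not starting or ending with a hyphen.
DNS_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Labels a tenant may not claim under the root (assumed list; the page does not enumerate one).
RESERVED_LABELS = {"www", "signup", "admin", "console", "api", "staging"}


def normalize_host(host_header: str) -> str:
    """Lower-case, drop a trailing dot and any port; an IPv6 literal or empty value becomes ''."""
    host = host_header.strip().lower()
    if host.startswith("["):
        return ""
    return host.split(":", 1)[0].rstrip(".")


def classify_host(host_header: str):
    """Map a Host header to a routing decision.

    Returns (action, detail) with action one of 'signup', 'existing_portal', 'tenant'
    (detail = tenant label) or 'deny_or_static_404'. Only an exact signup host, the
    protected root itself, or one valid label directly under the root is routed; nothing
    else gets a backend.
    """
    host = normalize_host(host_header)
    if not host:
        return ("deny_or_static_404", "no usable host")
    if host in ALLOWED_SIGNUP_HOSTS:
        return ("signup", host)
    if host == TENANT_ROOT:
        return ("existing_portal", host)  # assumed: the bare root is the current care portal
    suffix = "." + TENANT_ROOT
    if host.endswith(suffix):
        label = host[: -len(suffix)]
        if "." in label:
            return ("deny_or_static_404", "outside one-label wildcard scope")
        if not DNS_LABEL.match(label) or label in RESERVED_LABELS:
            return ("deny_or_static_404", "invalid or reserved tenant label")
        return ("tenant", label)
    return ("deny_or_static_404", "unknown host")


def candidate_subdomain_ok(desired: str) -> bool:
    """Tenant-registry check for desiredSubdomain: it must route as a tenant label and nothing else."""
    return classify_host(f"{desired}.{TENANT_ROOT}") == ("tenant", desired.strip().lower())
```

Denying by default rather than matching a suffix is what makes the "unknown host test" on the domain activation card pass: the negative evidence is simply that `classify_host` returns `deny_or_static_404` for anything not on the two allowlists.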
Edge security review policy
This shell models future Cloud Armor controls for SaaS signup/tenant hostnames. It never creates Cloud Armor policies or binds backend services.
No Cloud Armor mutation
ENABLE_SAAS_CLOUD_ARMOR_POLICY. Handoff remains blocked even when ENABLE_SAAS_CLOUD_ARMOR_HANDOFF is present. Traceability: SAAS-SEC-001, SAAS-REL-002, SAAS-HIPAA-001.
allow-known-safe-signup-host: Allow after host/TLS/app guardrails pass
throttle-prospect-intake-posts: Throttle repeated intake attempts
bot-signal-recaptcha-placeholder: Future bot challenge placeholder
deny-non-signup-control-plane-paths: Deny unexpected public paths
Deployment promotion review policy
This shell models the SaaS pipeline rules: PRs validate only, develop targets staging only, and production requires tag/manual approval with an immutable artifact.
No Cloud Build / Deploy / Run mutation
ENABLE_SAAS_CICD_GUARDRAIL_POLICY. Deployment handoff remains blocked even when ENABLE_SAAS_CICD_DEPLOY_HANDOFF is present. Traceability: SAAS-CICD-001, SAAS-CICD-002, SAAS-CICD-003, SAAS-REL-004.
Pull requests: validation only; no deployment
Develop merge: staging signup candidate only
Production promotion: release tag + manual approval + known artifact
Production from PR: blocked
Cloud Build trigger IDs: null in this shell
Cloud Deploy pipeline IDs: null in this shell
Cloud Run service changes: blocked in this shell
Current care assets: untouched
Ring rollout and kill-switch policy
This shell models controlled rollout so one bug cannot automatically affect every SaaS tenant. Features move ring-by-ring; critical hotfixes require approval, regression evidence, and kill switches.
No release/deploy mutation
ENABLE_SAAS_RELEASE_RING_POLICY. Promotion handoff remains blocked even when ENABLE_SAAS_RELEASE_PROMOTION_HANDOFF is present. Traceability: SAAS-REL-001, SAAS-REL-002, SAAS-REL-003, SAAS-OPS-001.
Release rings: 0 → 1 → 2 → 3 → 4
Feature default: flag off until approved
Feature promotion: one ring at a time
Critical hotfix: approval + focused regression + kill switch
Kill switches: signup, provisioning, payment, export, jobs, AI, comms
Rollback plan: required before promotion
Release registry: null in this shell
Deployment changes: blocked in this shell
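An added example, not the project's flag registry, covering this card together with the tenant feature flag and kill-switch card above: a feature cannot be registered without kill-switch and rollback evidence, starts off for everyone, is promoted one ring at a time (0 → 1 → 2 → 3 → 4) with ring-skipping refused, can be overridden per tenant in either direction, and is switched off for every tenant by a kill switch regardless of ring or tenant flag. The resolution order (kill switch, then tenant flag, then ring), the in-memory storage and the sample tenants are assumptions for the illustration.

```python
RINGS = (0, 1, 2, 3, 4)  # promotion order 0 -> 1 -> 2 -> 3 -> 4


class FlagRegistryError(ValueError):
    pass


class FeatureRegistry:
    """Tenant-scoped feature flags with ring rollout and kill switches (illustrative, in-memory).

    Resolution order: kill switch > explicit tenant flag > ring membership; no record means off.
    """

    def __init__(self):
        self.features = {}      # name -> {"ring": int|None, "tenant_flags": {tenant: bool}, "killed": bool}
        self.tenant_rings = {}  # tenant -> ring number (the ring registry)

    def assign_tenant_ring(self, tenant: str, ring: int):
        if ring not in RINGS:
            raise FlagRegistryError("unknown ring")
        self.tenant_rings[tenant] = ring

    def register(self, name: str, kill_switch_tested: bool, rollback_documented: bool):
        """A new feature has no ring and no tenant flags, i.e. it is off for everyone."""
        if not (kill_switch_tested and rollback_documented):
            raise FlagRegistryError("kill switch test and rollback plan are required before enablement")
        self.features[name] = {"ring": None, "tenant_flags": {}, "killed": False}

    def promote(self, name: str):
        """Advance exactly one ring; there is no way to jump straight to ring 4."""
        feature = self.features[name]
        nxt = 0 if feature["ring"] is None else feature["ring"] + 1
        if nxt not in RINGS:
            raise FlagRegistryError("already at the last ring")
        feature["ring"] = nxt

    def set_tenant_flag(self, name: str, tenant: str, enabled: bool):
        self.features[name]["tenant_flags"][tenant] = enabled

    def kill(self, name: str):
        """Global stop for one feature: overrides every ring and tenant decision until cleared."""
        self.features[name]["killed"] = True

    def is_enabled(self, name: str, tenant: str) -> bool:
        feature = self.features.get(name)
        if feature is None or feature["killed"]:
            return False
        if tenant in feature["tenant_flags"]:  # explicit tenant decision wins in both directions
            return feature["tenant_flags"][tenant]
        ring = self.tenant_rings.get(tenant)
        return feature["ring"] is not None and ring is not None and ring <= feature["ring"]
```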
Export and tear-out guardrail policy
This shell models departing-client export, acceptance, legal hold, retention, dry-run tear-out, and certificate controls. It never exports or deletes tenant data.
No export or tear-out mutation
ENABLE_SAAS_OFFBOARDING_POLICY. Tear-out handoff remains blocked even when ENABLE_SAAS_TEAR_OUT_HANDOFF is present. Traceability: SAAS-OFF-001, SAAS-OFF-002, SAAS-OFF-003, SAAS-OFF-004, SAAS-OFF-005, SAAS-TENANT-002, SAAS-OPS-003.
Export baseline: FHIR R4 + docs + metadata + audit
Manifest: counts/checksums required before package delivery
Payment suspension: separate from export/tear-out
Legal hold: blocks tear-out
Two-person approval: required for PHI export/tear-out
Dry-run tear-out: required before destructive work
Cancel window: minimum 24 hours
Certificate: null in this shell
Tenant-aware client portal guardrail
This shell models how the existing client portal continues as the tenant-facing product while SaaS signup/admin stay separated by domain, route, RBAC, and host-only cookies.
No client portal mutation
ENABLE_SAAS_CLIENT_PORTAL_POLICY. Portal handoff remains blocked even when ENABLE_SAAS_CLIENT_PORTAL_HANDOFF is present. Traceability: SAAS-PORTAL-001, SAAS-PORTAL-002, SAAS-TENANT-004, SAAS-SEC-005.
Existing portal: care.akosmd.com preserved
Control plane: signup.akosmd.com separated
Tenant portal host: tenant-specific care.akosmd.com host
Cookie scope: host-only; no wildcard domain
RBAC boundary: tenant portal separated from SaaS control plane
Cross-tenant tests: Client A/B negative tests required
Portal regression: required before handoff
Route/auth changes: blocked in this shell
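An added example, not part of the Akosv4 portal, illustrating this card and the cross-tenant isolation test policy above: a session cookie issued without a `Domain` attribute (host-only, so the browser never sends it to a sibling tenant host), and a three-way check that the session's tenant, the tenant named by the request host and the tenant tag on the requested FHIR resource all agree. The Client A/B negative test is the mismatch case raising; the same-tenant positive test is the match case returning True. The cookie name, the assumption that each resource carries a tenant tag and the sample session are constructed for the illustration.

```python
TENANT_ROOT = "care.akosmd.com"


class IsolationError(PermissionError):
    pass


def tenant_from_host(host: str):
    """One-label host directly under the root -> tenant label; anything else -> None."""
    host = host.strip().lower().split(":", 1)[0].rstrip(".")
    suffix = "." + TENANT_ROOT
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    return label if label and "." not in label else None


def session_cookie_header(value: str) -> str:
    """Build a host-only session cookie.

    No Domain attribute means the browser binds the cookie to the exact tenant host it was
    set on; Domain=care.akosmd.com would hand it to every tenant host, which is the
    "no wildcard domain" rule. The __Host- prefix makes browsers reject the cookie unless it
    is Secure, has Path=/ and carries no Domain, so the rule is enforced client-side too.
    """
    return f"__Host-session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def authorize_resource(session: dict, host: str, resource: dict) -> bool:
    """Three-way tenant check: session tenant == host tenant == resource tenant.

    Raises IsolationError on any mismatch or any missing tenant (a missing value is never
    treated as a wildcard); returns True only for the same-tenant case.
    """
    host_tenant = tenant_from_host(host)
    session_tenant = session.get("tenant")
    resource_tenant = resource.get("tenant")
    if not host_tenant or not session_tenant or not resource_tenant:
        raise IsolationError("request is not tenant-bound")
    if not (session_tenant == host_tenant == resource_tenant):
        raise IsolationError("cross-tenant access denied")
    return True
```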