Akos

SaaS Control Plane

signup.akosmd.com readiness shell

Matrix: SAAS-ARCH-003, SAAS-HIPAA-001, SAAS-SEC-001, SAAS-REL-002
FHIR R4 baseline
No PHI intake
Akos SaaS onboarding
Disabled by default

Akos SaaS signup readiness shell

This is the first isolated runtime surface for future SaaS onboarding. It follows the same Akosv4 card, badge, app-panel, and soft-gradient traditions while keeping all business actions locked.

Signup UI flag: Off
Submissions: Disabled
Host: signup.akosmd.com

No-PHI intake shell
Submit disabled
signup.akosmd.com

Prospect business details

Capture only organization and business-contact information. This form intentionally has no patient, member, insurance-ID, MRN, DOB, claim, transcript, or clinical fields.

DNS label only. Example future URL: client-name.care.akosmd.com.

PHI-safe logging shell
Policy disabled
No log-sink mutation

PHI-safe logging and redaction policy

This shell models logging rules for SaaS control-plane and tenant-sensitive workflows: no raw FHIR, patient, IP, user-agent, transcript, or free-form payload logging.

Raw payload logging: blocked
Raw IP/user-agent: blocked
FHIR/patient payloads: never in logs
Allowed fields: event/status/tenant/severity/timestamp/checksum
Redaction: required before handoff
Retention class: security, operational, or billing non-PHI
Log sink ID: null in this shell
Audit ledger record: null in this shell

Upload quarantine shell
Policy disabled
No upload mutation

File upload quarantine and out-of-MVP policy

This shell keeps public SaaS signup file uploads out of MVP unless a future quarantine path has malware scanning, PHI detection, size/type limits, and redacted logging.

Default posture: uploads out of MVP
Quarantine: required before any upload handoff
Malware scanning: required before any upload handoff
PHI detection: required before any upload handoff
Size limit: maximum 10 MiB in review policy
MIME allowlist: PDF, PNG, JPEG, plain text only
Quarantine bucket: null in this shell
Upload endpoint: null in this shell

Lifecycle shell
Policy disabled
No resource mutation

Tenant lifecycle and suspension policy

This shell models explicit tenant lifecycle states so draft, active, suspended, offboarding, and torn-out states cannot be confused or mutated by the public signup surface.

Explicit lifecycle state: Tenant state must be one of draft, staging, active, suspended, offboarding, or torn_out.
Allowed transition: State movement must follow the documented lifecycle path.
Reversible suspension: Suspension cannot delete or tear out tenant data.
Payment separated: Billing suspension cannot block required data export or legal access.
Audit event: Lifecycle decision must produce a PHI-safe audit event before handoff.
Suspension: reversible and separate from tear-out
Tenant record: null in this shell
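The lifecycle rules above amount to a small state machine with an access rule attached. The following is an added example, not Akos code: a transition guard that accepts the six states named on the page, refuses changes from the public signup surface, keeps suspension reversible and separate from tear-out, honors a legal hold (from the offboarding shell), and returns the PHI-safe audit event that must be emitted before handoff. The edge table is an assumed "documented lifecycle path" since the page does not enumerate the edges; the surface names and sample tenant are constructed.

```javascript
// Added example (not Akos code): lifecycle transition guard. State names are
// the page's; the transition table and surface names are assumptions.
const LIFECYCLE_STATES = ["draft", "staging", "active", "suspended", "offboarding", "torn_out"];

// Assumed lifecycle path. Suspension is reversible (suspended -> active) and
// never leads straight to torn_out; only offboarding can reach tear-out.
const ALLOWED_TRANSITIONS = {
  draft: ["staging"],
  staging: ["active", "offboarding"],
  active: ["suspended", "offboarding"],
  suspended: ["active", "offboarding"],
  offboarding: ["torn_out"],
  torn_out: [], // terminal
};

// Surfaces permitted to request a lifecycle change. The public signup surface
// is deliberately absent: it cannot mutate lifecycle state at all.
const MUTATING_SURFACES = new Set(["admin_console", "provisioning_worker"]);

// Decide whether a transition is allowed; on success return the updated tenant
// record and the audit event (identifiers and states only, no contact/PHI data).
function planTransition(tenant, nextState, request) {
  const { surface, actor, requestId, timestamp } = request;
  if (!LIFECYCLE_STATES.includes(tenant.state) || !LIFECYCLE_STATES.includes(nextState)) {
    return { ok: false, reason: "unknown lifecycle state" };
  }
  if (!MUTATING_SURFACES.has(surface)) {
    return { ok: false, reason: `surface '${surface}' may not mutate tenant lifecycle` };
  }
  if (!ALLOWED_TRANSITIONS[tenant.state].includes(nextState)) {
    return { ok: false, reason: `${tenant.state} -> ${nextState} is not on the lifecycle path` };
  }
  if (nextState === "torn_out" && tenant.legalHold) {
    return { ok: false, reason: "legal hold blocks tear-out" };
  }
  const auditEvent = {
    event: "tenant_lifecycle_transition",
    tenant: tenant.code,
    from: tenant.state,
    to: nextState,
    actor,
    requestId,
    timestamp,
  };
  return { ok: true, tenant: { ...tenant, state: nextState }, auditEvent };
}

// "Payment separated": billing status never decides data access. Export and
// legal access stay available in every state except after tear-out.
function exportAllowed(tenant) {
  return tenant.state !== "torn_out";
}
```

Note that `billingSuspended` (or any payment field) is intentionally not consulted anywhere in the guard: a billing-driven suspension travels the same reversible `active -> suspended -> active` edge as any other, and `exportAllowed` ignores it entirely.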

Domain activation shell
Policy disabled
No resource mutation

Tenant domain activation policy

This shell keeps tenant domain activation review-only until DNS ownership, managed certificate status, wildcard scope, and two-person approval are verified.

DNS ownership: DNS TXT/CNAME ownership evidence must be present.
Managed certificate: Certificate Manager status must be active; no private keys in repo.
Wildcard scope: Tenant host must fit one-label *.care.akosmd.com coverage.
Two-person approval: Domain activation requires a distinct second approver.
Unknown host test: Unknown-host negative routing evidence must be attached.
DNS writes: blocked in this shell
Certificate IDs: null in this shell

IAM boundary shell
Policy disabled
No resource mutation

Signup service account IAM boundary policy

This shell verifies that the public signup runtime remains least-privilege and cannot directly provision FHIR, billing, IAM, secrets, or production resources.

Intake-only roles: Runtime roles are limited to intake/audit/observability responsibilities.
No provisioning roles: Signup service account cannot create projects, FHIR stores, billing, IAM, or DNS.
No PHI data-plane access: Signup runtime cannot read/write tenant PHI resources.
Secrets blocked: Signup runtime cannot read tenant secret payloads.
IAM diff reviewed: IAM changes require explicit review evidence.
Forbidden roles: owner/admin/healthcare/billing/secret access
IAM mutation: blocked in this shell

Provisioning queue shell
Policy disabled
No resource mutation

Provisioning queue and resumability policy

This shell keeps provisioning behind approval, queue handoff, idempotency, and resume controls. Public signup cannot directly create production resources.

Approved workflow: Only approved workflow states may enter a provisioning queue.
Dry run reviewed: Dry-run report must be reviewed before any real work.
Idempotency key: Every provisioning request requires a deterministic idempotency key.
Resume plan: Partial failures must be resumable without duplicate resources.
Two-person approval: Real provisioning requires two distinct approvers.
Queue job: null in this shell
Production provisioning: blocked

Budget/quota shell
Policy disabled
No resource mutation

Budget, quota, and ownership-label policy

This shell requires budget alerts, quota ceilings, and tenant/environment labels before real provisioning can advance.

Budget defined: Monthly budget must be explicit before tenant resource creation.
Quota ceiling: Quota ceilings must prevent runaway use.
Owner labels: Tenant, environment, owner, and cost-center labels must be present.
Alert recipients: Budget/quota alerts need operations recipients.
Cost dry run: Dry-run cost estimate must be reviewed.
Budget creation: blocked in this shell
Monthly review cap: $500 shell ceiling

Secret reference shell
Policy disabled
No resource mutation

Secret Manager reference policy

This shell accepts Secret Manager references only and rejects raw credentials, private keys, .env-style values, and loggable secret material.

Secret Manager reference: Tenant secrets are referenced by resource name, not stored in repo.
No raw values: Raw tokens, passwords, private keys, and connection strings are rejected.
Accessor scoped: Only the approved runtime gets least-privilege access.
Rotation plan: Rotation and revocation evidence must be attached.
Secret scan: Secret scan must pass before handoff.
Secret creation: blocked in this shell
Raw secret logging: rejected
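The "references only" rule above is enforceable at the input boundary: accept a Secret Manager resource name, reject anything that looks like the secret itself, and never echo a rejected value into a log. The following is an added example, not Akos code. The accepted shape follows the Secret Manager resource-name layout `projects/*/secrets/*/versions/*`; the project/secret ID character rules, the raw-material detectors and the sample inputs are simplified assumptions constructed for illustration.

```javascript
// Added example (not Akos code): Secret Manager reference validation. The
// reference regex and raw-material detectors are simplified assumptions.

// Reference form only: project ID or number, secret ID, numeric or "latest" version.
const SECRET_REF =
  /^projects\/(?:[a-z][a-z0-9-]{4,28}[a-z0-9]|[0-9]+)\/secrets\/[A-Za-z0-9_-]{1,255}\/versions\/(?:latest|[1-9][0-9]*)$/;

// Classifiers for material that must never be accepted (assumed patterns). They
// run only after the reference check, because a reference also looks "token-like".
const RAW_MATERIAL = [
  { kind: "private_key", test: (v) => /-----BEGIN [A-Z ]*PRIVATE KEY-----/.test(v) },
  { kind: "connection_string", test: (v) => /^[a-z][a-z0-9+.-]*:\/\/[^\s/]+:[^\s/@]+@/i.test(v) },
  { kind: "env_style_value", test: (v) => /^[A-Z][A-Z0-9_]*=\S/.test(v) },
  { kind: "opaque_token", test: (v) => /^[A-Za-z0-9_\-+/=.]{20,}$/.test(v) },
];

// Accept a reference, or reject with a classification that is safe to report.
function classifySecretInput(value) {
  if (typeof value !== "string" || value.trim() === "") {
    return { accepted: false, kind: "empty" };
  }
  if (SECRET_REF.test(value)) {
    return { accepted: true, kind: "secret_manager_reference", reference: value };
  }
  for (const { kind, test } of RAW_MATERIAL) {
    if (test(value)) return { accepted: false, kind };
  }
  return { accepted: false, kind: "unrecognized" };
}

// "Raw secret logging rejected": the only things reported about a rejected
// value are its classification and length. The value itself never leaves here.
function describeForLog(value) {
  const result = classifySecretInput(value);
  return result.accepted
    ? `secret reference accepted: ${result.reference}`
    : `secret input rejected (${result.kind}, ${String(value).length} chars)`;
}

// Constructed sample inputs (not real credentials).
const SECRET_SAMPLES = {
  reference: "projects/demo-project/secrets/tenant-db-password/versions/3",
  pem: "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedsample\n-----END RSA PRIVATE KEY-----",
  dsn: "postgres://app:constructed-pw@db.internal:5432/akos",
  env: "DB_PASSWORD=constructed-sample",
  token: "ghp_constructedsampletokenvalue1234567890",
};
```

Resource names are not secret, so the accepted branch may log the reference verbatim; the rejected branch deliberately discards the input after classifying it, which keeps this validator compatible with the PHI-safe logging policy on the same page.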

Backup/restore shell
Policy disabled
No resource mutation

Tenant backup and restore drill policy

This shell requires tenant backup, restore-drill, BAA/service eligibility, and FHIR R4 export alignment before PHI production use.

BAA/service eligible: Backup services must be eligible for ePHI use.
Encrypted backup: Tenant backups must be encrypted with approved keys.
Restore drill: Restore drill evidence must be present before production.
Export alignment: Backup plan must support departing-client export.
Retention defined: Retention, legal hold, and deletion windows must be defined.
FHIR baseline: R4
Backup job: null in this shell

Incident response shell
Policy disabled
No resource mutation

Incident containment and emergency controls policy

This shell models emergency controls for signup pause, provisioning pause, session revocation, IP lock, secret rotation, and communications containment.

Signup pause: Public signup can be paused quickly during attack.
Provisioning pause: Provisioning/export/payment/job handoffs can be paused.
Session revocation: Compromised sessions can be revoked.
Secret rotation: Emergency secret rotation path is documented.
Tabletop exercise: Incident response tabletop evidence is attached.
Kill switch mutation: blocked in this shell
PHI in incident notes: rejected

Feature flag shell
Policy disabled
No resource mutation

Tenant feature flag and kill-switch policy

This shell separates risky feature rollout from deploys by requiring tenant-scoped flags, default-off posture, ring assignment, and kill-switch evidence.

Tenant-scoped flag: Flags must be tenant-scoped, never global-only for risky workflows.
Default off: Risky features start disabled until approval.
Ring assignment: Feature rollout follows the ring registry.
Kill switch tested: Kill switch behavior is tested before enablement.
Rollback documented: Rollback plan is attached for the feature.
Flag registry: null in this shell
Tenant config mutation: blocked

Audit ledger shell
Policy disabled
No resource mutation

Append-only audit ledger and evidence policy

This shell requires append-only, PHI-safe, hash-linked audit evidence for tenant lifecycle/security actions and offboarding certificates.

Append-only: Audit events are append-only and cannot be edited in place.
Actor/action/time: Actor, action, tenant, timestamp, and request ID are required.
Hash chain: Ledger entries need hash-chain or tamper-evidence metadata.
PHI-safe fields: No raw patient/FHIR/member details are logged.
Certificate evidence: Return/destruction/archive certificates link to audit evidence.
Ledger write: blocked in this shell
PHI-safe logging: required

Control completion shell
Policy disabled
Matrix coverage complete

SaaS traceability and architecture completion policy

This final shell closes the remaining documentation and architecture controls: every build maps to matrix IDs, work remains sequential, SaaS stays in the Akosv4 repository, and current care.akosmd.com assets stay untouched during initial rollout.

Matrix IDs mapped: Every implementation PR or ticket must map to one or more traceability matrix IDs.
Sequential build control: Work advances by selecting an ID/bundle, building it, testing it, opening review, then moving to the next bundle.
Same repository, no client forks: SaaS behavior stays in the Akosv4 repository with tenant variance through config, feature flags, and resource boundaries.
Current assets untouched: Initial SaaS construction must not mutate current care.akosmd.com production DNS, load balancer, runtime, or tenant data-plane assets.
Docs/runtime boundary: Documentation-only work remains docs-only; runtime shell work is isolated behind disabled-by-default controls.
Protected production host: care.akosmd.com
Repository posture: Akosv4, no long-lived client forks
Completion posture: review-only, no production mutation

Approval workflow shell
Workflow disabled
Provisioning blocked

Controlled approval sequence

This shell models the future approval path after no-PHI intake validation. It does not persist approvals, create tenants, start payment capture, or create Firebase/GCP objects.

1. Intake validated: No-PHI prospect intake passed host, security, validation, and audit-envelope checks.
2. Security review: Cloud Armor, rate-limit, bot, audit, and control-plane readiness review.
3. HIPAA / BAA review: BAA, HIPAA service eligibility, PHI boundary, and no-PHI onboarding review.
4. Business approval: Internal commercial, support, and operational approval before staging access.
5. Approved for staging: Client may be prepared for a future staging-only tenant process after separate approval.
6. Provisioning blocked (terminal guardrail): Tenant creation, Firebase/GCP object creation, payment, and production cutover remain blocked.

Admin access shell
Policy disabled
No auth mutation

Admin MFA, RBAC, and two-person approval policy

This shell models future SaaS admin-console access controls. Critical actions like provisioning, domain activation, export, tear-out, and production promotion require MFA, RBAC, audit, and approval.

Admin host: console.akosmd.com
MFA: required
RBAC: action-specific role allowlist
IAP/IP context: required before handoff
Critical actions: two-person approval required
Audit event: HIPAA-safe event prepared before action
Session policy ID: null in this shell
Approval record ID: null in this shell

Service eligibility shell
Policy disabled
No vendor/config mutation

HIPAA service eligibility and BAA gate

This shell models the service-by-service ePHI eligibility matrix before any tenant uses PHI, AI, communications, payment, or FHIR services in production.

FHIR baseline: R4
BAA evidence: required before PHI service use
Service eligibility: approved-for-ePHI required
Tenant feature flag: explicitly enabled before PHI use
Payment provider: no-PHI only
AI / communications: tenant-gated and eligibility reviewed
Provider config ID: null in this shell
Compliance record ID: null in this shell

Tenant registry shell
Registry disabled
Staging only

Tenant registry candidate model

This shell defines the future tenant registry candidate shape after approval-for-staging. It intentionally does not persist tenant records or create infrastructure.

tenantCode: DNS-safe internal code
displayName: Business display name only
desiredSubdomain: Validated staging subdomain candidate
environment: staging
dataBoundary: no_phi_control_plane
firebaseProjectId: null in this shell
gcpProjectId: null in this shell
paymentCustomerId: null in this shell
productionHostname: null in this shell

Tenant isolation shell
Policy disabled
No auth/resource mutation

Cross-tenant isolation test policy

This shell models tenant-bound auth, host-only cookies, FHIR R4 resource boundaries, and Client A/B negative tests before tenant-aware SaaS features are activated.

FHIR baseline: R4
Cookie policy: host-only tenant domain
Auth context: tenant-bound session required
Resource policy: tenant-bound resource checks required
Client A/B negative test: required before portal/data-plane handoff
Same-tenant positive test: required before handoff
Evidence record: null in this shell
Auth/resource changes: blocked in this shell

Dry-run provisioning shell
Dry-run disabled
No resource creation

Tenant resource dry-run policy

This shell models planned GCP, Firebase, FHIR R4, IAM, Secret Manager, domain, and budget resources for an approved staging tenant. It never creates cloud resources.

Mode: dry_run_only
FHIR baseline: R4
GCP project: planned ID only
Firebase project: planned ID only
Secret Manager: references only; no repo secrets
IAM/service accounts: planned least-privilege worker only
Budget/quota alerts: required before real provisioning
Actual resource IDs: null in this shell

Payment policy shell
Policy disabled
No provider mutation

Hosted payment tokenization policy

This shell models payment readiness using hosted provider checkout only. Akos stores provider references/status, never PAN, CVV, bank details, or PHI in the SaaS control plane.

Collection mode: hosted_provider_checkout
PAN/CVV storage: never stored
Allowed app data: provider IDs and payment status only
Hosted setup session: null in this shell
Provider customer: null in this shell
Provider subscription: null in this shell
Suspension/export split: export access preserved
Tenant access changes: blocked in this shell

Hostname policy shell
Policy disabled
No DNS changes

DNS and hostname review policy

This shell models safe tenant hostname candidates for the future load-balancer path. It never creates DNS records, certificates, load-balancer bindings, or Cloud Armor bindings.

Allowed root: care.akosmd.com
Wildcard cert scope: *.care.akosmd.com
Allowed environment: staging only
DNS target: null in this shell
Load balancer binding: null in this shell
Cloud Armor binding: null in this shell

Certificate policy shell
Policy disabled
No cert changes

SSL and Certificate Manager review policy

This shell models future Google-managed wildcard certificate coverage for tenant hostnames. It never creates certificate resources, certificate-map entries, or load-balancer bindings.

Mode: google_managed_wildcard_review
Certificate location: global
Wildcard scope: *.care.akosmd.com
Certificate map entry: null in this shell
Certificate resource ID: null in this shell
Load balancer cert binding: null in this shell

Load balancer shell
Policy disabled
No GCLB mutation

GCLB host routing review policy

This shell models exact-host routing for signup and tenant hostnames. It never creates URL maps, HTTPS proxies, forwarding rules, backend services, serverless NEGs, or Cloud Run ingress changes.

Allowed signup hosts: signup.akosmd.com, signup-staging.akosmd.com
Tenant host routing: exact one-label host under care.akosmd.com
Unknown host action: deny_or_static_404
HTTP behavior: redirect to HTTPS
Minimum TLS: TLS_1_2
Cloud Run ingress: internal + cloud load balancing required
GCLB resource IDs: null in this shell
Backend / NEG binding: null in this shell
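The hostname policy shell, the prospect form's "DNS label only" hint, and the exact-host routing rule in this load-balancer shell all describe the same check from different sides. The following is an added example, not Akos code, that serves all three: it validates a desired subdomain as a single DNS label, builds the tenant host under care.akosmd.com, and routes an incoming Host header to exactly one of "signup", "tenant" or "deny_or_static_404", with multi-label hosts and suffix look-alikes falling through to deny. The allowed root, wildcard scope and signup hosts are the page's; the RFC 1123 label rule and the reserved-label list are assumptions (the page only says "one-label").

```javascript
// Added example (not Akos code): tenant label validation and exact-host routing.
// Reserved-label list and the RFC 1123 label rule are assumptions.
const TENANT_ROOT = "care.akosmd.com";
const SIGNUP_HOSTS = new Set(["signup.akosmd.com", "signup-staging.akosmd.com"]);
// RFC 1123 label: lowercase alphanumerics and hyphens, 1-63 chars, no leading/trailing hyphen.
const LABEL_RE = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
// Labels a tenant may not claim under the wildcard (assumed list).
const RESERVED_LABELS = new Set(["www", "api", "admin", "console", "signup", "staging"]);

// Validate a prospect's desired subdomain exactly as the intake form would.
function validateTenantLabel(label) {
  if (typeof label !== "string") return { ok: false, reason: "label must be a string" };
  const normalized = label.trim().toLowerCase();
  if (normalized.includes(".")) return { ok: false, reason: "DNS label only, no dots" };
  if (!LABEL_RE.test(normalized)) return { ok: false, reason: "not a valid DNS label" };
  if (RESERVED_LABELS.has(normalized)) return { ok: false, reason: "reserved label" };
  return { ok: true, label: normalized, host: `${normalized}.${TENANT_ROOT}` };
}

// Normalize the Host header: lowercase, strip an explicit port and trailing dot.
function normalizeHost(hostHeader) {
  return String(hostHeader).trim().toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
}

// Exact-host routing: a known signup host, a single valid label directly under
// the tenant root, or deny. Suffix look-alikes (care.akosmd.com.evil.example),
// multi-label hosts and reserved labels all fall through to the deny action.
// care.akosmd.com itself belongs to the existing production path, which this
// shell does not route.
function routeHost(hostHeader) {
  const host = normalizeHost(hostHeader);
  if (SIGNUP_HOSTS.has(host)) return { action: "signup", host };
  const suffix = `.${TENANT_ROOT}`;
  if (host.endsWith(suffix)) {
    const label = host.slice(0, -suffix.length);
    const check = validateTenantLabel(label);
    if (check.ok) return { action: "tenant", host, label: check.label };
  }
  return { action: "deny_or_static_404", host };
}
```

The same function can produce the "unknown-host negative routing evidence" the domain activation shell asks for: run it over a list of look-alike and multi-label hosts and attach the deny results.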

Cloud Armor shell
Policy disabled
No edge mutation

Edge security review policy

This shell models future Cloud Armor controls for SaaS signup/tenant hostnames. It never creates Cloud Armor policies or binds backend services.

allow-known-safe-signup-host: Allow after host/TLS/app guardrails pass
throttle-prospect-intake-posts: Throttle repeated intake attempts
bot-signal-recaptcha-placeholder: Future bot challenge placeholder
deny-non-signup-control-plane-paths: Deny unexpected public paths

CI/CD guardrail shell
Policy disabled
No deploy mutation

Deployment promotion review policy

This shell models the SaaS pipeline rules: PRs validate only, develop targets staging only, and production requires tag/manual approval with an immutable artifact.

Pull requests: validation only; no deployment
Develop merge: staging signup candidate only
Production promotion: release tag + manual approval + known artifact
Production from PR: blocked
Cloud Build trigger IDs: null in this shell
Cloud Deploy pipeline IDs: null in this shell
Cloud Run service changes: blocked in this shell
Current care assets: untouched

Release ring shell
Policy disabled
No promotion mutation

Ring rollout and kill-switch policy

This shell models controlled rollout so one bug cannot automatically affect every SaaS tenant. Features move ring-by-ring; critical hotfixes require approval, regression evidence, and kill switches.

Release rings: 0 → 1 → 2 → 3 → 4
Feature default: flag off until approved
Feature promotion: one ring at a time
Critical hotfix: approval + focused regression + kill switch
Kill switches: signup, provisioning, payment, export, jobs, AI, comms
Rollback plan: required before promotion
Release registry: null in this shell
Deployment changes: blocked in this shell

Offboarding shell
Policy disabled
No export/delete mutation

Export and tear-out guardrail policy

This shell models departing-client export, acceptance, legal hold, retention, dry-run tear-out, and certificate controls. It never exports or deletes tenant data.

Export baseline: FHIR R4 + docs + metadata + audit
Manifest: counts/checksums required before package delivery
Payment suspension: separate from export/tear-out
Legal hold: blocks tear-out
Two-person approval: required for PHI export/tear-out
Dry-run tear-out: required before destructive work
Cancel window: minimum 24 hours
Certificate: null in this shell

Client portal shell
Policy disabled
Current portal untouched

Tenant-aware client portal guardrail

This shell models how the existing client portal continues as the tenant-facing product while SaaS signup/admin stay separated by domain, route, RBAC, and host-only cookies.

Existing portal: care.akosmd.com preserved
Control plane: signup.akosmd.com separated
Tenant portal host: tenant-specific care.akosmd.com host
Cookie scope: host-only; no wildcard domain
RBAC boundary: tenant portal separated from SaaS control plane
Cross-tenant tests: Client A/B negative tests required
Portal regression: required before handoff
Route/auth changes: blocked in this shell