trust-boundary-operational-pass · supabase_json
PVA Free/Paid Trust Boundary Operational Pass
trust-boundary-operational-pass artifact · for Patient Visit Advocate · phase PVA-SLICE-00 · status approved
Agent Handoff
Start Here
trust-boundary-operational-pass artifact · for Patient Visit Advocate · phase PVA-SLICE-00 · status approved
Completion Evidence
No explicit evidence field yet. Require tests, screenshots, linked PRs, or reviewed outputs before marking complete.
Artifact Shape
- phase: id: string, name: string, status: string
- title: PVA Free/Paid Trust Boundary Operational Pass
- product: Patient Visit Advocate
- purpose: Translate the approved PVA Trust Boundary Charter into implementation-ready business rules for the free pocket app and paid memory boundary. Each rule carries an explicit hard stop, acceptance criterion, and copy/implementation owner.
- created at: 2026-05-08T12:39:00.000Z
- created by: priya
- artifact type: trust-boundary-operational-pass
- open decisions: 4 items
- claims boundary: 4 items
- free tier rules: 8 items
- escalation rules: 4 items
- source artifacts: 6 items
Structured Payload
Machine-readable source fields
phase
id
PVA-SLICE-00
name
Trust Boundary — Operational Pass
status
draft
title
PVA Free/Paid Trust Boundary Operational Pass
product
Patient Visit Advocate
purpose
Translate the approved PVA Trust Boundary Charter into implementation-ready business rules for the free pocket app and paid memory boundary. Each rule carries an explicit hard stop, acceptance criterion, and copy/implementation owner.
created at
2026-05-08T12:39:00.000Z
created by
priya
artifact type
trust-boundary-operational-pass
open decisions
| id | context | question | default assumed | must resolve before |
|---|---|---|---|---|
| OD-001 | Patient-data-ai-contract lists this as open. Prototype spec recommends 30 days. | What is the exact default local draft expiry for the free app? | 30 days from last open, device-local. User can delete earlier. | patient testing |
| OD-002 | ESC-002 specifies copy team ownership but does not define medical reviewer involvement. | Who owns copy sign-off on the escalation acknowledgement screen — product lead, medical reviewer, or both? | Product lead + copy team sign-off required. Medical reviewer consulted but not blocking gate. | patient testing |
| OD-003 | Monetization strategy mentions 'limited saved history' as a free limit. Trust charter says free = local draft. Conflict needs explicit resolution to avoid UI confusion at free/paid boundary. | Does the free tier include any limited saved-history (e.g., last 1 visit locally persisted) or is free strictly local-export-only with no persistence beyond the active draft? | Free = one active local draft, 30-day expiry. No saved visit history list. Paid = history. | build gate (SLICE-04) |
| OD-004 | Must be resolved before consent copy and model IO contract can be finalized for SLICE-02. | Which model provider is approved for the server-side MVP paid memory feature, and what are the data retention terms? | TBD — no default. Blocker for SLICE-02 exit. | SLICE-02 exit gate |
claims boundary
| id | owner | category | hard stop | permitted | prohibited |
|---|---|---|---|---|---|
| CB-001 | copy + product | Product Positioning | Any marketing copy, in-app copy, or onboarding using prohibited positioning is a release blocker. | - Patient visit advocacy pocket app - Helps you prepare for and remember your medical appointments - Turns messy health concerns into a clear visit brief and prioritized questions - Saves your visit history so you never lose the thread between appointments (paid) - Warm, supportive patient advocacy — not medical advice | - Diagnosis tool - Clinical decision support - EHR or medical records system - Treatment planner - Triage system - Medical advice provider - Any claim implying clinical accuracy, diagnostic confidence, or treatment recommendation |
| CB-002 | copy + product + engineering | AI Output Claims | In-app AI output copy implying clinical certainty is a patient safety blocker. | - Helps you organize your concerns for discussion with your doctor - Generates a draft question list based on what you shared — review and edit before your visit - AI-assisted structuring — always review before using - Uncertainty preserved: AI output is a starting point, not a clinical fact | - AI-generated diagnosis - This AI is clinically validated - The AI recommends... - Based on your symptoms, you likely have... - Certainty language that replaces clinician judgment |
| CB-003 | product + legal | Monetization Claims | Monetization copy implying health data exploitation is a trust and regulatory blocker. | - Free: single-visit prep, no account required - Paid: saved history, memory, continuity across visits - Your data is stored on your device in the free tier - Upgrade to save your visit history across appointments | - Advertising claims against user health concerns - Affiliate referral incentives that bias medical questions - Any claim implying health data is sold, shared, or used for lead generation - Clinical outcome or health improvement claims |
| CB-004 | legal + product + engineering | Data Claims | Unsubstantiated data safety claims require legal + engineering sign-off before any patient-facing release. | - Free tier: your data stays on your device - Paid tier: your data is encrypted and stored securely; you control deletion - We do not sell or share your health data - AI output may be processed by [named model provider] — see our privacy policy | - HIPAA-compliant (without formal legal review and certification) - Your data is never used to train AI models (unless contractually confirmed with model provider) - Bank-grade security (without technical substantiation) - Anonymous (when any identifiable data is collected) |
free tier rules
| id | rule | owner | scope | hard stop | acceptance criterion |
|---|---|---|---|---|---|
| FT-001 | The free loop must be completable without an account, login, or payment prompt. | product | - visit.start.fast - intake.capture - intake.review.local - visit.brief.local - question.plan.local - visit.live.note - post.visit.quick.capture - export.confirm.local | Any screen in the free loop that requires account creation before the user receives their visit brief is a blocker. Block build sign-off. | A test user completes messy-intake → visit brief → question plan → quick note → post-visit capture → export without creating an account or seeing a payment prompt. |
| FT-002 | Free data is local-only. No real user health text may be sent to any server, analytics endpoint, cloud model, or third-party service in the free/anonymous flow. | engineering | - local prototype - free app — anonymous flow | Any network call containing user-entered health text, visit context, clinician name, or location during anonymous local use is a build blocker. Must be caught in QA-007. | Network inspection during prototype test confirms zero outbound payloads containing health text when user has not consented to server sync. |
| FT-003 | Local draft must have an explicit, visible retention rule. Default: 30-day device-local expiry unless user deletes earlier. Expiry must be disclosed at draft creation. | product + engineering | - local prototype - free app | No patient testing until retention rule is displayed and deletion is functional. | Draft creation screen shows retention duration. Settings or draft list shows delete option. Expired drafts are not recoverable. |
| FT-004 | Post-visit debrief quick capture is free. The free user must be able to capture what happened, next steps, and follow-up questions without a paywall. | product | - post.visit.quick.capture | Gating debrief capture behind a paid plan in the first-visit flow is a product trust violation. Block release. | Post-visit quick capture screen is accessible without subscription. Captured content is stored locally. |
| FT-005 | Free tier includes local export/share of visit brief, question plan, and debrief. Export requires an explicit export confirmation screen (see TB-006, QA-005). | product + copy | - export.confirm.local | Export without disclosure of sensitive content risk is a blocker. | Export confirmation screen names the content being exported and includes a plain-language disclosure that exported content may contain sensitive health information. User must tap Confirm before export proceeds. |
| FT-006 | Draft recovery must be offered on app reopen if an unfinished draft exists. User must choose to continue or discard — no silent discard. | engineering + product | - draft.recovery | Silent discard of in-progress health context is a UX safety blocker. | Reopening the app with an unfinished draft shows the Draft Recovery screen before any new-visit start. Discard requires explicit confirmation. |
| FT-007 | AI/stub failure must not destroy user input. If brief generation or question-plan AI fails, raw typed input is preserved and user sees a manual fallback path. | engineering | - intake.review.local - visit.brief.local - question.plan.local | Any flow where AI failure results in lost user health text is a blocker. | Simulating AI failure shows raw capture intact. User can view/edit/export raw input without AI output. |
| FT-008 | Analytics in the free tier must track only counters and funnel state transitions. Zero health text, question text, visit context, clinician or location names, brief content, debrief content, or memory content may appear in any analytics event. | engineering + data | - all releases | Any analytics event containing health content is a production blocker. Caught by QA-008. | Analytics schema review confirms all tracked fields are enum/counter/boolean types with no free-text health fields. Reviewed before beta. |
escalation rules
| id | owner | trigger | hard stop | required action | trigger examples |
|---|---|---|---|---|---|
| ESC-001 | product + copy | User inputs text indicating a serious, acute, or potentially life-threatening symptom during intake, quick capture, or post-visit debrief. | Continuing intake without surfacing escalation copy when a trigger is detected is a patient safety blocker. | Immediately surface the escalation acknowledgement screen (safety.escalation.ack) before continuing normal visit prep. | - chest pain - difficulty breathing - sudden severe headache - stroke symptoms - suicidal ideation - inability to speak or move |
| ESC-002 | copy | Escalation copy written inline by engineering without copy review is a blocker. | |||
| ESC-003 | engineering | Escalation must not silently suppress further input or strand the user. | |||
| ESC-004 | copy + product | Escalation copy that makes a diagnostic claim is a regulatory and trust blocker. |
source artifacts
- trust-boundary-charter/PVA-SLICE-00 (78ca477c)
- monetization-strategy/strategy-001 (715faee0)
- patient-data-ai-contract/PVA-SLICE-02 (1d0623fa)
- local-pocket-prototype-spec/PVA-SLICE-01 (ae4aafaa)
- revised-decomposition-plan/PVA-AUTOPILOT-01 (17a8249c)
- safety-privacy-qa-matrix/PVA-SLICE-01 (c7bdfa1d)
paid memory rules
| id | rule | owner | scope | hard stop | acceptance criterion |
|---|---|---|---|---|---|
| PM-001 | Paid value = continuity. Saved visit history, longitudinal memory, searchable/exportable history, unresolved-question tracking across visits, and user-confirmed reusable context are paid features. | product | - paid individual tier | Do not build paid memory features until the free loop is validated with real users. | Paid memory screens are behind an account + subscription gate. Free users see an upgrade prompt only after the free loop is complete — never mid-intake. |
| PM-002 | Generated memory items (AI-extracted context, prior visit summaries, medication/symptom history) cannot be reused in future prompts or shown as fact until the user explicitly confirms or edits each item. | product + engineering | - paid memory - family/caregiver | Auto-applying unconfirmed AI-generated memory to a new visit prep is a trust and safety violation. Block feature release. | Memory confirmation UX: each generated memory item shows Confirm / Edit / Remove before it can appear in any new visit brief or question plan. Confirmed items are versioned. |
| PM-003 | Server-side saved memory requires approved consent flow naming: data processed, stored, model/provider boundary, retention/deletion/export path, and exact consent version before any PHI is transmitted. | product + legal + engineering | - paid individual - beta - production | No real user health text sent to server/model without the consent screen passing QA-009 review. | Consent screen includes: what data is stored, which model/provider processes it, how long it is retained, how user can delete/export it, and consent version. Consent version is logged server-side. |
| PM-004 | Paid memory deletion must be user-initiated and complete. User can delete individual visit records, all memory, or close their account with full data removal. | engineering | - paid individual - paid family/caregiver | No public beta without functional delete-account / delete-all-memory path. | Settings → Delete All Data executes server-side deletion and confirms completion. Account deletion removes all server PHI within the documented retention window. |
| PM-005 | Caregiver/family tier must not be designed or built before individual paid memory is validated in beta. | product + planning | - paid family/caregiver | Any build task for caregiver features before individual paid beta is a sequencing error — block dispatch. | Caregiver tier is gated as SLICE-05 or later in decomposition. Any earlier build task reference is flagged. |
| PM-006 | Upgrade prompts must appear only at natural completion points. Never interrupt mid-intake, mid-brief, or mid-question-plan with a paywall. | product + UX | - free → paid conversion | Mid-flow paywall interrupt is a product trust violation. Caught in UX review. | Upgrade prompt appears only post-export, post-debrief, or in Settings. Tapping out of upgrade returns user to their current flow without data loss. |
sequencing hard stops
- SLICE-00 exit: Trust Boundary Charter approved AND this operational pass approved by exec gate before any implementation begins.
- SLICE-01 exit: Free loop tested end-to-end with real users. Escalation, export, draft recovery, and AI fallback all functional and QA-signed. No paid memory features before this exits.
- SLICE-02 exit: Local/server/model/free/paid boundaries explicitly approved, model provider named, consent copy reviewed.
- SLICE-04 entry: Prototype learnings documented. Build gate and screen inventory proceed only after learnings exist.
- SLICE-05 entry: Trust, data, and UX gates all exit-approved. No patient-facing build without all three.
- SLICE-06 entry: MVP passes safety/privacy QA. Privacy controls, deletion/export, analytics audit, model provenance, kill switch, and human AI output review all present before closed beta.
implementation acceptance criteria
| id | gate | blocks | criterion | tested by |
|---|---|---|---|---|
| IAC-001 | Free Loop Completable Without Account | prototype sign-off | End-to-end test: new user completes intake → review → visit brief → question plan → quick note → debrief → export with zero account prompts in the critical path. | QA |
| IAC-002 | No Cloud PHI in Anonymous Flow | patient testing | Network inspection confirms no outbound health text during anonymous local use. Zero analytics events contain free-text health fields. | engineering + QA |
| IAC-003 | Draft Retention Rule Visible | patient testing | Draft creation and draft list display the 30-day retention rule. User can delete draft at any point. Expired draft is not recoverable. | QA |
| IAC-004 | Escalation Trigger Functional With Approved Copy | patient testing | Simulated serious-symptom input (≥3 test cases: chest pain, breathing difficulty, suicidal ideation) reliably surfaces the escalation screen with copy-team-approved language before visit prep continues. | copy + QA |
| IAC-005 | Export Requires Confirmation | prototype completion | Export action always shows the confirmation screen with sensitive-content disclosure before any content is sent to clipboard, PDF, or share sheet. | QA |
| IAC-006 | AI Failure Manual Fallback | prototype completion | Simulated AI failure leaves raw user input visible and accessible. User can export or edit raw input without AI output. | engineering + QA |
| IAC-007 | Generated Memory Confirmation Before Reuse | paid memory release | Paid memory: AI-generated memory items show Confirm / Edit / Remove controls. Unconfirmed items do not appear in any new visit brief or AI prompt context. | engineering + QA |
| IAC-008 | Server Consent Before PHI Transmission | server-side PHI / paid beta | First server-side paid flow: consent screen names model provider, retention policy, deletion path, and consent version. Consent version logged server-side before any PHI is transmitted. | engineering + legal + QA |
| IAC-009 | Delete All Data Path Functional | public beta | Account deletion flow executes server-side removal of all PHI. Confirmation message returned. Account cannot be recovered after deletion. | engineering + QA |
| IAC-010 | No Prohibited Claims in Product Copy | any patient-facing release | Copy audit of all in-app text, onboarding, and marketing copy against CB-001–CB-004 before any patient-facing release. Zero instances of diagnosis claims, unsubstantiated HIPAA claims, or health-data monetization language. | copy + product + legal |
| IAC-011 | Upgrade Prompt at Natural Completion Points Only | free-to-paid conversion release | UX review confirms: no paywall interrupts mid-intake, mid-brief, or mid-question-plan. Upgrade prompts appear post-export, post-debrief, or in Settings only. | product + UX |
| IAC-012 | Analytics Schema Excludes Health Text | server MVP | Analytics schema documented. All tracked fields are enum/counter/boolean. No free-text health fields. Reviewed by engineering + data before server MVP. | engineering + data |