Salud Vault — Project Overview
Strategic context for every development session
// Core Asset — Start Every Session with This
Salud Capital LLC controls gift card planogram positions in 9,000+ CVS Health pharmacy locations nationwide. This retail distribution moat is the unfair advantage that no blockchain competitor can replicate. Every Salud Vault product decision flows from this asset.
Salud Vault product
Financial inclusion fintech targeting unbanked/underbanked consumers. Three pillars: Financial Wallet (USDC + Visa), Healthcare Credential Vault (EAL6+ chip), DeFi Consumer Gateway (ERC-4337). Co-branded with Tangem two-card set in CVS gift card blister pack format.
Tangem hardware
EAL6+ secure element chip (same grade as US passports). Two form factors: card (blister pack for CVS planogram) and ring (senior-optimized wearable). ISO 14443-A NFC. CTAP2/FIDO2 over NFC. 25-year chip lifespan. Contact: see Credential Vault — Blockchain & Web3 → Tangem
Four-token stack
SLUD (health incentives, ERC-20), SAID (soulbound identity, ERC-5192), SPASS (plan enrollment, ERC-721), REACH (commercial marketing, ERC-1155). All on Polygon PoS (<$0.01/tx). REACH is structurally isolated from health data via HIPAA firewall.
SaludID Plus (premium)
Four-partition sovereign identity ring. P0: Healthcare (ZK scoped). P1: Financial (chip-only). P2: Credential vault (FIDO2/WebAuthn bridge). P3: Recovery/estate (Shamir 3-of-5). BIP-32 hardened derivation. ERC-7231 multi-identity token. CONFIDENTIAL — not shared with CVS/Aetna.
Solo build approach
No developer hire. Claude Code Desktop writes all Solidity, Swift, Kotlin, Python, TypeScript. Builder directs, reviews, and catches domain-logic errors. Only external spend: Cyfrin smart contract audit ($5–15K) before mainnet. 12-week build sequence.
Regulatory moment
CMS contracted ID.me + CLEAR (Dec 2025) for Medicare.gov identity live 2026. CMS-0057-F mandates FHIR R4 APIs across all MA + Medicaid MCOs by Jan 2027. Federal government is building the data pipe Salud connects to.
Brand System
Canonical tokens for every deliverable — HTML, DOCX, presentations
Colors
| Primary teal | #3BBFBF |
| Dark teal | #1B5E72 |
| Mid teal | #237a90 |
| Deep navy | #091E28 |
| Gold | #E6BF42 |
Typography
| Headlines | DM Serif Display |
| UI / buttons | Space Grotesk |
| Monospace / code | Space Mono |
| Body copy | DM Sans |
Visual style
Dark navy background (#091E28) with dot-grid texture. Glassmorphic navigation. Teal accent system throughout. Reference: salud-wireless-v3.html is the source of truth for all brand tokens. Research articles use Playfair Display + Source Sans 3 + JetBrains Mono (Solana-style template).
File paths (local repo)
| Local dev | C:\Users\Admin\Documents\ai coding\salud |
| GitHub Pages | saludcap.github.io/salud/ |
| Root | index.html |
| Research | research/index.html |
| Investor | investor/index.html |
Four-Token Stack Architecture
Why four tokens, and how they interact without violating HIPAA
// The Foundational Principle
Money, identity, legal entitlement, and marketing attribution are legally and operationally distinct. Conflating them creates regulatory ambiguity, HIPAA exposure, and securities risk. SaludReach (Token 4) has zero on-chain cross-reference to SaludID, SaludPass, or SaludCoin. This separation is enforced at the Solidity contract level, not by policy.
ERC-20 Modified
Token 01 — SaludCoin (SLUD)
Healthcare incentive loyalty token. Earned through health behaviors only — cannot be purchased (Howey defense). Transfer-whitelist to prevent speculation. Redeemable against approved healthcare services. Howey test + AKS counsel required before public issuance.
ERC-5192 Soulbound
Token 02 — SaludID (SAID)
Non-transferable identity credential token. Stores keccak256 hashes of healthcare credentials only (HIPAA: no PHI on-chain). Links Tangem card/ring to W3C Verifiable Credentials. locked() always returns true. Verified via ZK proofs.
ERC-721 NFT
Token 03 — SaludPass (SPASS)
Smart contract benefit enrollment NFT. Encodes plan type, copay schedule, expiry. getCopayForService() called by MinuteClinic at point-of-care. Covers Medicare Advantage, Medicaid MCO, Salud tiers, D-SNP dual-eligible.
ERC-1155 Multi-token
Token 04 — SaludReach (REACH)
Programmatic marketing budget token. Brands deposit USDC; consumers earn REACH through commercial interactions (front-store CVS, non-CVS retail, financial partners). Salud earns 15–25% platform fee. Structurally isolated from health data.
HIPAA Structural Firewall
// What REACH Oracle Can NEVER Read
SaludID state · SaludPass enrollment · SLUD earn events · Pharmacy POS · MinuteClinic clinical records · Insurance claims (FHIR) · Medicare/Medicaid IDs · MBI · Any health-coded signal. Enforced by: (1) noHealthData() modifier on mintReach(), (2) separate oracle service with separate signing keys and database, (3) CI/CD test verifyZeroHealthContractReference() on every commit.
SaludCoin (SLUD) — Healthcare Incentive Token
ERC-20 Modified · Polygon PoS · OpenZeppelin v5
Key Contract Logic
// SaludCoin.sol — Key architecture
MINTER_ROLE = keccak256("MINTER_ROLE") // SLUD oracle only
REDEEMER_ROLE = keccak256("REDEEMER_ROLE") // Service contracts
transferWhitelist mapping // CVS, Aetna, Medicare only
// triggerType: 0=MinuteClinic, 1=Rx_refill, 2=Wellness,
// 3=Medicare_AWV, 4=Vaccine, 5=Screening
event HealthActionRewarded(address user, uint8 triggerType, uint256 amount);
function earnReward(address user, uint8 triggerType, uint256 amount, bytes proof)
external onlyRole(MINTER_ROLE)
function redeem(uint256 amount, address serviceContract) external
// Requires whitelist, burns SLUD, calls creditBeneficiary()
// _update override: blocks all non-whitelist, non-mint/burn transfers
Earn Rate Schedule
| Health action | SLUD earned | Notes |
|---|---|---|
| MinuteClinic visit | 50 | Any service type |
| Preventive care (annual) | 200 | Primary care AWV equivalent |
| Rx refill on-time | 25 | Per refill event |
| Medicare Annual Wellness Visit | 500 | Highest single earn event |
| Chronic care check-in | 100 | Monthly recurring |
| Health screening (A1c, BP, lipids) | 150 | Per screening panel |
| CVS pharmacy vaccine | 75 | Any vaccine |
| Medicaid care plan compliance | 300/mo | Monthly |
// Legal — Must Do Before Any Public Mention of SLUD
Securities: Written Howey test opinion from external securities counsel. SLUD is designed to fail Howey (not purchasable, no profit expectation from others' efforts). Design mirrors airline miles and CVS ExtraCare points.
Healthcare: Medicare Anti-Kickback Statute (AKS) safe harbor analysis. SLUD earn triggers must reward health behaviors, not provider-specific usage. Healthcare counsel required before launch.
SaludID (SAID) — Soulbound Identity Token
ERC-5192 · HIPAA-compliant · Hashes only on-chain · PHI on Tangem chip
// SaludID.sol — CredentialRecord struct
struct CredentialRecord {
bytes32 medicareIdHash; // keccak256(MBI) — NOT the MBI
bytes32 medicaidIdHash; // keccak256(Medicaid ID) if dual-eligible
bytes32 aetnaMemberHash; // keccak256(Aetna member ID)
bytes32 rxBenefitHash; // keccak256(Part D plan ID)
string vcCid; // IPFS CID of AES-256 encrypted W3C VC bundle
uint64 expiresAt; // Plan expiry (0 = none)
bool medicareVerified; // Set by ID.me/CMS oracle
bool medicaidVerified; // Set by state Medicaid oracle
}
function locked(uint256) external pure returns (bool) { return true; }
function transferFrom(address,address,uint256) public pure override {
revert("SaludID: identity is not transferable");
}
// verifyMedicareEligibility(tokenId, zkProof): ZK proof verification
// Proves eligibility without revealing MBI or any credential data
// HIPAA Architecture — Why This Is Compliant
No PHI is stored on-chain or on Salud servers. keccak256(MBI) is a one-way hash — the MBI cannot be reconstructed from it. The actual Medicare Beneficiary Identifier, Medicaid ID, and Aetna member number are stored AES-256-GCM encrypted on the Tangem chip. Salud Capital is a credential presenter, not a HIPAA covered entity or business associate, because no PHI transits Salud infrastructure.
Point-of-Care Flow (MinuteClinic)
MinuteClinic sends NFC challenge → patient holds ring near reader → ring signs challenge inside EAL6+ chip → Salud app calls getCopayForService() on SaludPass → USDC copay routed → simultaneously: SLUD earned (health oracle) + REACH earned (commercial oracle, no health data) — all in one ERC-4337 batch UserOperation, sub-3 seconds.
SaludPass (SPASS) — Benefit Enrollment NFT
ERC-721URIStorage · Smart contract benefit plan · MinuteClinic point-of-care integration
// SaludPass.sol — PlanType enum + key functions
enum PlanType {
SALUD_STARTER, // $15/mo Salud Vault base
SALUD_FAMILIA, // $45/mo family tier
SALUD_PREMIUM, // $55/mo all three pillars
MEDICARE_ADVANTAGE, // Aetna/CVS MA plan
MEDICAID_MANAGED_CARE, // State MCO enrollment
DUAL_ELIGIBLE_SPECIAL, // D-SNP: Medicare + Medicaid (highest value)
CVS_AETNA_EMPLOYEE // CVS employee benefit plan
}
struct PlanMetadata {
PlanType planType; uint64 effectiveDate; uint64 expiryDate;
uint16 copayMinuteClinic; // USDC cents (500 = $5.00)
uint16 copayPrimary; uint16 copaySpecialist;
uint32 rxDeductibleRemaining;
bytes32 planContractHash; // Hash of full plan document
string ipfsContractCid; // IPFS link to plan PDF
bool active;
}
// getCopayForService(tokenId, serviceType) → uint256 USDC
// serviceType: 0=MinuteClinic, 1=primary, 2=specialist
// isActivePlan(tokenId): checks active + effectiveDate + expiryDate
// familyTransfer(tokenId, newHolder, issuerSig): Salud + Aetna co-sign
// D-SNP (Dual-Eligible) — Highest-Value Segment
12 million dual-eligible beneficiaries (Medicare + Medicaid) are the highest-need and highest-cost segment, accounting for 30%+ of Medicaid spending. DUAL_ELIGIBLE_SPECIAL PlanType handles this. CMS actively funds D-SNP innovation through CMMI. Start with Medicare Advantage (simpler, 65M market), then expand to D-SNP as Phase 2.
SaludReach (REACH) — Programmatic Marketing Token
ERC-1155 Multi-token · B2B brand budget · HIPAA structural firewall · Commercial data only
// The Core Insight
Every Tangem ring or card tap at a CVS register is a verified, real-world, hardware-authenticated purchase signal. No cookie-based or wallet-observation ad platform can replicate this. SaludReach turns the 9,000 CVS planogram positions into a programmatic advertising network where brands pay to reach Salud Vault users at the moment of verified retail purchase.
Three-Contract Architecture
SaludReach.sol (ERC-1155)
Token contract. tokenId 0 = base fungible REACH pool. tokenId 1–N = campaign-specific semi-fungible vouchers. mintReach() gated to REACH_ORACLE_ROLE. No function may call SaludID, SaludPass, or SaludCoin.
CampaignManager.sol
B2B brand interface. Brands deposit USDC, define campaign params (target tier, earn rate, expiry). Salud platform fee (15–25%) deducted at deposit. Spend reporting. Brand advertiser portal (Next.js) connects here.
ReachOracle.sol — HIPAA Boundary
Separate oracle, separate signing key, separate database from SLUD oracle. Reads CVS front-store POS, non-CVS retail APIs, opted-in financial behavior. noHealthData() modifier reverts on health contract selectors. CI test verifies zero health cross-reference.
// SaludReach.sol — mintReach() with HIPAA guard
// txType: 0=CVS_front_store, 1=non_CVS_retail, 2=financial, 3=opt_in
// NEVER: 4+ (reserved for health categories — will revert)
function mintReach(address wallet, uint256 campaignId, uint8 txType, bytes calldata proof)
external onlyRole(REACH_ORACLE_ROLE) {
require(txType <= 3, "Health-coded txType rejected"); // HIPAA guard
Campaign storage c = campaigns[campaignId];
require(c.active && block.timestamp <= c.expiresAt, "Campaign inactive");
require(c.budgetSpent + c.earnRate <= c.budgetUsdc, "Budget exhausted");
c.budgetSpent += c.earnRate;
_mint(wallet, BASE_REACH, c.earnRate, ""); // Fungible pool
_mint(wallet, campaignId, c.earnRate, ""); // Campaign semi-fungible
emit CommercialActionRewarded(wallet, campaignId, txType, c.earnRate);
}
Revenue Math
| Scale | Holders | Purchases/mo | Brand cost | Salud fee (20%) | Monthly revenue |
|---|---|---|---|---|---|
| Pilot | 50,000 | 8 | $0.15 | $0.030 | $12,000 |
| Year 1 | 200,000 | 8 | $0.15 | $0.030 | $48,000 |
| Year 2 | 500,000 | 8 | $0.20 | $0.040 | $160,000 |
| Scale | 2,000,000 | 10 | $0.20 | $0.040 | $800,000 |
SaludID Plus — Sovereign Identity Ring
CONFIDENTIAL — Not shared with CVS Health, Aetna, or any healthcare partner
// Confidentiality Note
SaludID Plus is an internal Salud Capital premium product. CVS Health sees only Partition 0 via scoped ZK proofs. Partitions 1–3 are cryptographically undetectable. SaludIDPlus.sol is a completely separate contract from SaludID.sol with separate admin keys and zero cross-reference.
Four Partitions — BIP-32 Hardened Key Derivation
P0 — Healthcare & Government
m/44'/7231'/0' · Scoped ZK access only for CVS/CMS. Stores: ID.me verified identity, CLEAR biometric anchor, Medicare ID (MBI hash), Medicaid enrollment, Aetna member credentials, MinuteClinic access token, CVS Rx benefit ID, HSA/FSA tokens, Passport/State ID hash. On Tangem chip + IPFS (encrypted).
P1 — Financial Identity
m/44'/7231'/1' · Private — CHIP ONLY (no IPFS). Stores: Bank account OAuth (Plaid), brokerage credentials, crypto wallet xPubs, USDC vault, SSN/EIN hash, ACH routing tokens, payment card tokens. Chip-only ensures GDPR right-to-erasure compliance by design (erasure = factory reset ring).
P2 — Credential Vault
m/44'/7231'/2' · FIDO2/WebAuthn bridge. Ring IS the CTAP2 authenticator for Google, Apple Keychain, 1Password, Bitwarden, Microsoft Entra, GitHub, AWS CLI. SSH keys (Ed25519, deterministic). API keys (AES-256-GCM, 15-min session, auto-wipe). Desktop credential agent (macOS/Windows/Linux).
P3 — Recovery & Legacy
m/44'/7231'/3' · Guardian quorum only. 3-of-5 Shamir Secret Sharing. Estate docs hash, healthcare proxy (HIPAA), digital asset inheritance xPub, backup ring address. Chainlink Automation death trigger: 90-day absence + guardian quorum unlocks P3. Chip 25-year lifespan.
// BIP-32 Isolation Guarantee (Mathematical, Not Policy)
All partition keys use hardened derivation (apostrophe in path). Knowing P1_key + master extended public key CANNOT reconstruct the master key or any sibling partition key. CVS receives: ZK proof signed by P0 signing key only. Partitions 1/2/3 existence is cryptographically undetectable from the P0 ZK proof. This is a mathematical guarantee, not an internal policy that could be changed.
CMS & FHIR Integration Architecture
Five-layer bridge from Medicare.gov to the Tangem ring
Layer 1 — ID.me OAuth Bridge
CMS contracted ID.me (Dec 2025) for Medicare.gov identity live 2026. Salud integrates ID.me OIDC during Vault setup. Receives Medicare Beneficiary Identifier (MBI), hashes with keccak256, stores ONLY the hash in SaludID. MBI goes to Tangem chip. Never to Salud servers. API: OAuth 2.0 PKCE.
Layer 2 — FHIR R4 Benefit Data
CMS Blue Button 2.0 FHIR API for Medicare claims. CMS-0057-F mandates FHIR R4 across all MA + Medicaid MCOs by Jan 2027. Reads: Part D formulary, prior auth status, claims history for Rx adherence SLUD earn scoring. Stack: Blue Button 2.0 API + Aetna/CVS FHIR API.
Layer 3 — SLUD Earn Oracle
Health actions (MinuteClinic visit, Rx refill, Medicare AWV) verified off-chain via FHIR event. Salud oracle reads event, validates, ECDSA signs proof, calls SaludCoin.earnReward(). Chainlink Functions for production oracle. Separate service from REACH oracle.
Layer 4 — Senior UX (Ring)
Ring hand held near MinuteClinic reader = auth event. App: 18pt+ font, WCAG AAA contrast (8.2:1), 48px tap targets, voice guidance, 3-screen max flow (tap → confirm → done). Zero crypto terminology visible. Tangem ring removes the "where's my card?" problem for seniors.
Layer 5 — MinuteClinic Tap Flow
One ring tap: reader sends challenge → ring signs in EAL6+ → app verifies → calls getCopayForService() on SaludPass → USDC copay routed → SLUD earned (health oracle) + REACH earned (commercial oracle, no health data). All in one ERC-4337 batch UserOperation, sub-3 seconds.
D-SNP & CMMI Opportunity
12M dual-eligible beneficiaries (Medicare + Medicaid) = highest-value segment. CMS CMMI funds innovation in D-SNP space. Salud Vault is a natural fit: hardware-secured identity + preventive care incentives + unbanked access via CVS. Pitch CMS Innovation Center via CMMI LOI.
Partner Stack
Every partner, their role, and the contact or path
Tangem
Hardware (EAL6+ chip) + SDK (MIT license) + Tangem Pay (Visa/Rain Financial). Two-card CVS blister pack format + ring.
see Credential Vault
Rain Financial
Card issuance (BIN sponsorship) + Visa via Tangem Pay integration.
Via Tangem partnership
Circle
USDC + Programmable Wallets API. Settlement rail for all Vault transactions.
circle.com/en/programmable-wallets
PayNearMe
CVS cash-in barcode reload at CVS registers. Critical for unbanked on-ramp.
paynearme.com/contact
Alchemy
ERC-4337 AccountKit + Bundler + Paymaster (gas sponsorship for consumers).
alchemy.com/account-abstraction
Bitso / dLocal
FX remittance corridors: MXN (Bitso), BRL/PHP/GTQ (dLocal). Sub-1% cost.
bitso.com/business · dlocal.com
Aave Protocol
USDC yield on idle Vault balances (Aave v3 on Polygon, permissionless).
Polygon mainnet contracts
Persona
KYC/AML tiered verification (phone number → ITIN → full identity).
withpersona.com
ID.me
Medicare identity bridge. CMS contract live early 2026. OIDC + Blue Button 2.0 FHIR.
CMS contract — OIDC integration
BaaS Bank
MTL/MSB coverage. Critical path item — needed before any money movement. Candidates: Evolve Bank, Thread Bank, Stride Bank.
CRITICAL PATH — engage first
Cyfrin / OZ
Smart contract audit before mainnet. $5–15K one-time. Not a developer hire.
cyfrin.io · openzeppelin.com/audits
Starting Prompts
Copy verbatim into Claude Code Desktop or Claude Chat. Updated with all four tokens.
Claude Code Desktop — Session 1: Tokens 1–3 (Health Stack)
Set up a Hardhat + TypeScript monorepo called salud-vault-contracts. Create /contracts/health/ with three contracts: (1) SaludCoin.sol — ERC-20 with MINTER_ROLE for oracle, transfer whitelist mapping, earnReward(address user, uint8 triggerType, uint256 amount, bytes calldata proof) emitting HealthActionRewarded event, redeem() with burn, using OpenZeppelin v5. (2) SaludID.sol — ERC-5192 soulbound with CredentialRecord struct (medicareIdHash bytes32, medicaidIdHash bytes32, aetnaMemberHash bytes32, rxBenefitHash bytes32, vcCid string, expiresAt uint64, medicareVerified bool), locked() always returns true, transferFrom always reverts with "SaludID: identity is not transferable". (3) SaludPass.sol — ERC-721URIStorage with PlanType enum including DUAL_ELIGIBLE_SPECIAL, PlanMetadata struct with copay fields in USDC cents, isActivePlan() and getCopayForService(tokenId, serviceType) view functions, familyTransfer() requiring issuer co-signature. Configure for Polygon Amoy testnet. Generate comprehensive test files targeting 95%+ branch coverage. Show me how to run tests.
Claude Code Desktop — Session 2: Token 4 (SaludReach + HIPAA Firewall)
In the salud-vault-contracts monorepo, create /contracts/reach/ with three contracts. SaludReach.sol extending ERC-1155 with: Campaign struct (tokenId, brand address, budgetUsdc, budgetSpent, earnRate uint256, expiresAt uint64, targetTier uint8, active bool), BASE_REACH constant = 0 for the fungible cross-campaign pool, nextCampaignId starting at 1 for semi-fungible campaign vouchers, mintReach(wallet, campaignId, txType uint8, proof bytes) with REACH_ORACLE_ROLE gate AND require(txType <= 3, "Health-coded txType rejected") as HIPAA guard, redeemReach() that burns BASE_REACH and calls IRewardContract.issueBrandReward(). CampaignManager.sol: accepts USDC deposits from brands, configurable platform fee (15-25%), calls SaludReach.createCampaign(). ReachOracle.sol: noHealthData() modifier that reverts if input matches known health contract function selectors. CRITICAL: create /test/HIPAAIsolation.test.ts that uses static analysis to verify SaludReach.sol, CampaignManager.sol, and ReachOracle.sol contain zero calls to SaludID.sol, SaludPass.sol, or SaludCoin.sol. This test must be part of CI and must fail if any cross-contract health reference is introduced. Deploy all reach contracts to Polygon Amoy separately from health contracts with a different deployer address.
Claude Chat — Legal Review: Howey + AKS Analysis
Apply the Howey test to SaludCoin (SLUD). SLUD is: (1) earned only through verified health actions — MinuteClinic visits, Rx refills, Medicare Annual Wellness Visits — and cannot be purchased, (2) transfer-restricted to whitelisted service contract addresses only, (3) redeemable only against approved healthcare services, not for cash. Analyze whether SLUD is a security under Howey and SEC no-action letter precedents for loyalty/rewards programs. Also analyze whether SLUD earn triggers implicate the Medicare Anti-Kickback Statute safe harbors — specifically whether rewarding health behaviors (not provider choice) qualifies for the AKS incentive program safe harbor. Separately, analyze SaludReach (REACH): brands deposit USDC into campaign contracts and consumers earn REACH through commercial retail transactions with zero health data component. Does REACH create any independent securities or commodity issues? Draft briefing memos for external securities and healthcare counsel covering both tokens.
Claude Code Desktop — Session 3: Tangem SDK + ERC-4337
In the salud-vault-contracts repo, add Tangem SDK integration for iOS (Swift) and Android (Kotlin). Build the ERC-4337 UserOperation construction layer using Alchemy AccountKit with Tangem as the custom signer. Implement a batch UserOperation that, in ONE card or ring tap, does all of the following: (1) verifies SaludID credential via ZK proof against on-chain commitment, (2) reads SaludPass.getCopayForService() for the service type, (3) pays USDC copay via Circle Programmable Wallet, (4) calls SaludCoin.earnReward() via SLUD oracle proof (health data path), (5) calls SaludReach.mintReach() via REACH oracle proof (commercial data path — completely separate oracle). The health oracle and commercial oracle must be invoked as separate async calls that never share data. Paymaster configuration: Alchemy gas policy sponsors all user transactions so consumers never see gas fees. Show me how to test this on Polygon Amoy with a real Tangem card tap.
Claude Code Desktop — Session 4: SaludID Plus Premium Contract
In /contracts/premium/ (separate from /contracts/health/ and /contracts/reach/), create SaludIDPlus.sol extending ERC-7231 (identity-aggregated NFT) with: PartitionCommitment struct (commitmentHash bytes32, lastUpdated uint64, schemaVersion uint8, active bool). IdentityRecord mapping tokenIds to: p0_healthcare as PartitionCommitment, p1_blinded/p2_blinded/p3_blinded as bytes32 double-blinded salted hashes (NOT confirmable by public), ringAddress, ringFingerprint bytes32, premiumTier bool. verifyHealthcareCredential(tokenId, zkProof bytes, requestedClaim bytes32) external view returning (bool valid, uint64 proofExpiry) — calls IZKVerifier, gives 15-minute proof window. ERC-5192 lock: locked() always true, transferFrom always reverts. initiateGuardianRecovery(tokenId, bytes32[3] guardianShards) checks block.timestamp > lastActivity + ABSENCE_THRESHOLD (90 days). All P1/P2/P3 functions access-controlled to ringAddress only — no public function can confirm P1/P2/P3 existence. Deploy with a DIFFERENT Safe multisig admin than health contracts. Add test verifying SaludIDPlus has zero reference to SaludReach.sol (separate HIPAA domain).
Claude Chat — HIPAA Technical Safeguard Architecture
Design the HIPAA technical safeguard architecture for Salud Vault's four-token system. Key facts: (1) SaludID.sol stores only keccak256 hashes of Medicare IDs on Polygon — not the IDs themselves. (2) Actual credential data (Medicare Beneficiary Identifier, Medicaid ID, Aetna member number) is stored AES-256-GCM encrypted on the Tangem EAL6+ chip and never transmitted to or stored by Salud Capital servers. (3) SaludReach.sol is a completely separate contract with zero on-chain reference to SaludID, SaludPass, or SaludCoin — enforced by a CI/CD isolation test on every commit. (4) The REACH oracle reads only CVS front-store POS and retail partner data — it has no API connection to the SLUD oracle or any health data source. Draft a technical safeguard specification arguing that: (a) Salud Capital is a credential presenter, not a HIPAA covered entity or business associate, because no PHI transits Salud infrastructure; (b) the structural contract-level separation between health tokens and REACH satisfies the minimum-necessary standard; (c) the SaludID Plus P1 financial partition (chip-only, no IPFS) satisfies GDPR right-to-erasure by design. Prepare this document for review by external HIPAA counsel.
Build Tracker
Check off tasks as you complete them — progress persists across sessions
Risk Register
Critical risks to address before mainnet or public token mention
High · Legal
SLUD Securities Classification
SEC may deem SLUD a security, requiring broker-dealer registration. Must have written Howey opinion before any public mention of SLUD.
Mitigation: Howey memo (Claude Chat) → external securities counsel. SLUD cannot be purchased, ever.
High · Regulatory
Medicare Anti-Kickback Statute
SLUD earn triggers rewarding Medicare beneficiaries may implicate AKS. Must be behavior rewards, not provider incentives.
Mitigation: AKS safe harbor analysis (Claude Chat) → healthcare counsel. SLUD rewards behavior, not provider choice.
High · Architecture
REACH–Health Data Leakage
If REACH oracle reads any health signal, the HIPAA firewall is breached. Future developer could introduce cross-contract call without realizing implication.
Mitigation: CI/CD test verifyZeroHealthContractReference() on every commit. noHealthData() modifier. Separate oracle, keys, database.
High · Privacy (Plus)
P1 Financial Data GDPR Erasure
IPFS is immutable. Any personal financial data on IPFS creates right-to-erasure violation under GDPR/CCPA.
Mitigation: P1 Financial is chip-only — zero IPFS. Erasure = factory reset ring. P0/P2 use IPFS with explicit consent.
Medium · Privacy
SaludID On-Chain Correlation
4–5 public SBTs can uniquely identify an individual with 97% accuracy. Even hashes create correlation risk.
Mitigation: ZK proofs for all verification. ERC-4337 stealth addresses. Separate SaludID from financial activity address.
Medium · Platform (Plus)
Android FIDO2 NFC Limitation
Android does not support PIN-protected FIDO2 over NFC. P2 credential vault FIDO2 requires USB reader or BLE bridge on Android.
Mitigation: iOS-first for P2 FIDO2. Android BLE bridge companion app. Monitor Google Play Services v24+ for resolution.
Medium · Commercial
REACH Brand Adoption
Without B2B brand participation, REACH has no liquidity. Must demonstrate proof of concept before launch.
Mitigation: Seed REACH with Salud first-party campaigns. Lock in 2–3 national brand pilots using CVS relationships before public launch.
Low · Business
WordPress Compromised Site
saludcap.com WordPress has confirmed spam injection (Turkish gambling affiliate links). Site is compromised.
Mitigation: Migrate to GitHub Pages static (already started). CNAME saludcap.com → saludcap.github.io. Kill WordPress instance.