Technical Architecture Specification · Token Design · Smart Contract Stack · HIPAA Firewall · Medicare/Medicaid Integration
Complete technical specification for the full Salud Vault token stack: SaludCoin (SLUD) healthcare incentives, SaludID (SAID) soulbound identity, SaludPass (SPASS) benefit enrollment, and SaludReach (REACH) programmatic marketing — with HIPAA-structural firewall separating health and commercial data at the contract level. Covers what to build in Claude Chat vs Claude Code Desktop, in what order, across all four tokens.
01 Architecture Overview — Why Four Tokens
The Salud Vault ecosystem requires four tokens because money, identity, legal entitlement, and marketing attribution are legally and operationally distinct. Conflating them in fewer tokens creates regulatory ambiguity, HIPAA exposure risk, and securities classification problems. Each token is optimized for its specific function — and the critical fourth token (REACH) operates in an entirely separate contractual domain from the first three, with no on-chain cross-reference to health data.
The single most important design decision in the four-token stack is that SaludReach must have zero on-chain reference to SaludID, SaludPass, or SaludCoin. This separation must be structural — enforced at the Solidity contract level, not by internal policy. A test that verifies no cross-contract health reference should be a permanent fixture in the CI/CD pipeline. The REACH oracle reads commercial POS data. The SLUD oracle reads health event data. They are deployed as separate services with separate signing keys and separate databases. There is no API connection between them.
02 Four-Token Architecture
Tokens 1–3 are all controlled by the same ERC-4337 smart account anchored to the Tangem card or ring's NFC signing key. Token 4 (REACH) is also stored in the same wallet, but minted and governed by a completely separate contract suite with no health data access. One ring tap at a CVS register can trigger a batch UserOperation that earns SLUD (health reward via SLUD oracle) AND earns REACH (commercial reward via REACH oracle) simultaneously — but the two oracle pipelines share zero data.
SaludCoin (SLUD): Healthcare incentive and marketing utility token. Earned through health behaviors (MinuteClinic visits, Rx refills, Medicare AWV). Transfer-restricted to whitelist. Redeemable against approved healthcare services. Cannot be purchased — Howey test defense.
SaludID (SAID): Non-transferable identity credential token. Stores keccak256 hashes of healthcare credentials (HIPAA: hashes only, never the data). Links Tangem NFC address to W3C Verifiable Credentials: Medicare ID, Medicaid, Aetna, Rx.
SaludPass (SPASS): Smart contract benefit enrollment token. Represents active plan (Medicare Advantage, Medicaid MCO, Salud tier). Metadata encodes plan type, copay schedule, expiry. getCopayForService() called by MinuteClinic at point-of-care check-in.
SaludReach (REACH): Programmatic marketing budget token. Earned through commercial interactions (CVS front-store, non-CVS retail, financial partners). Brands deposit USDC; Salud earns 15–25% platform fee. Zero health data access — HIPAA firewall structural.
03 Tokens 1–3 — Health Ecosystem Contract Specs
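```solidity
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";

// Interface implied by the redeem() call below.
interface IServiceContract {
    function creditBeneficiary(address user, uint256 amount) external;
}

contract SaludCoin is ERC20, AccessControl, Pausable {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE"); // SLUD oracle only
    mapping(address => bool) public transferWhitelist; // CVS, Aetna, Medicare contracts

    // triggerType: 0=MinuteClinic, 1=Rx_refill, 2=Wellness, 3=Medicare_AWV, 4=Vaccine
    event HealthActionRewarded(address indexed user, uint8 triggerType, uint256 amount);

    // Admin wiring is an assumption; the spec does not show a constructor.
    constructor(address admin) ERC20("SaludCoin", "SLUD") {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    // proof is accepted but not verified on-chain; MINTER_ROLE is the only gate here.
    function earnReward(address user, uint8 triggerType, uint256 amount, bytes calldata proof)
        external
        onlyRole(MINTER_ROLE)
    {
        _mint(user, amount);
        emit HealthActionRewarded(user, triggerType, amount);
    }

    function redeem(uint256 amount, address serviceContract) external {
        require(transferWhitelist[serviceContract], "Not approved service");
        _burn(msg.sender, amount); // burn before the external call
        IServiceContract(serviceContract).creditBeneficiary(msg.sender, amount);
    }

    // _update override: blocks all non-whitelist, non-mint/burn transfers
}
```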
```solidity
// SaludID.sol (excerpt)
struct CredentialRecord {
    bytes32 medicareIdHash;   // keccak256(MBI) — NOT the MBI
    bytes32 medicaidIdHash;
    bytes32 aetnaMemberHash;
    string vcCid;             // IPFS CID of AES-encrypted W3C VC bundle
    uint64 expiresAt;
    bool medicareVerified;
    bool medicaidVerified;
}

// ERC-5192
function locked(uint256) external pure returns (bool) {
    return true;
}

function transferFrom(address, address, uint256) public pure override {
    revert("SaludID: identity is not transferable");
}

// verifyMedicareEligibility(tokenId, zkProof): ZK proof — reveals nothing about MBI
```
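```solidity
// SaludPass.sol (excerpt)
enum PlanType {
    SALUD_STARTER, SALUD_FAMILIA, SALUD_PREMIUM, MEDICARE_ADVANTAGE,
    MEDICAID_MANAGED_CARE, DUAL_ELIGIBLE_SPECIAL, CVS_AETNA
}

struct PlanMetadata {
    PlanType planType;
    uint64 effectiveDate;
    uint64 expiryDate;
    uint16 copayMinuteClinic;
    uint16 copayPrimary;
    uint16 copaySpecialist;
    bytes32 planContractHash;
    bool active;
}

function getCopayForService(uint256 tokenId, uint8 serviceType) external view returns (uint256) {
    require(isActivePlan(tokenId), "Plan expired");
    // serviceType: 0=MinuteClinic, 1=primary, 2=specialist
    PlanMetadata storage p = plans[tokenId]; // plans: assumed tokenId => PlanMetadata mapping
    if (serviceType == 0) return p.copayMinuteClinic;
    if (serviceType == 1) return p.copayPrimary;
    if (serviceType == 2) return p.copaySpecialist;
    revert("Unknown serviceType"); // never fall through to an implicit zero copay
}
```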
04 Token 04 — SaludReach (REACH) — Programmatic Marketing
SaludReach is the programmatic marketing budget token that turns the Salud Vault's 9,000 CVS locations into a B2B advertising network. Brands deposit USDC into campaign contracts. Consumers earn REACH through commercial interactions — front-of-store CVS purchases, non-CVS retail partner activity, and opted-in financial behavior. Salud Capital earns a 15–25% platform fee on every brand deposit. Zero health data is required, accessed, or touched.
The token standard is ERC-1155 rather than a second ERC-20 because "brand marketing budget" is not a homogeneous pool. A CVS Beauty campaign, an AARP membership offer, and a Chase credit card promotion have distinct earn rates, expiry dates, and redemption rules. ERC-1155 allows tokenId 0 to be the base fungible REACH pool (cross-campaign redeemable) while tokenIds 1–N represent campaign-specific semi-fungible vouchers, all managed in a single contract with batch transfer capability.
ERC-1155 supports fungible, semi-fungible, and non-fungible tokens in a single contract with batch transfer. One Tangem ring tap at a CVS register can earn base REACH (redeemable anywhere) AND a campaign-specific L'Oréal voucher (redeemable only at CVS beauty) in a single UserOperation. Each brand campaign gets its own tokenId; within that campaign, tokens are fungible. ERC-1155 batch transfers mean multiple brand campaigns fire in one transaction at roughly the same gas cost as one — critical for the high-frequency retail use case.
SaludReach.sol: The token contract. Manages the base REACH pool (tokenId 0) and all campaign-specific semi-fungible token IDs. Minting is gated to REACH_ORACLE_ROLE only. No function in this contract may call SaludID.sol, SaludPass.sol, or SaludCoin.sol. This is enforced at the Solidity level, not by policy.
Key functions: createCampaign(), mintReach(wallet, campaignId, txType, proof), redeemReach(campaignId, amount, rewardContract)
CampaignManager.sol: The B2B brand interface. Brands deposit USDC, define campaign parameters (target tier based on wallet-level commercial behavior only), and receive spend reporting. Salud's platform fee is deducted at deposit time and routed to the Salud treasury address.
Key functions: createCampaign(brand, earnRate, expiresAt, targetTier), withdrawUnspentBudget(), getCampaignReport(campaignId)
ReachOracle.sol: The critical separation point. This oracle reads exclusively from non-health data sources. It has no API connection, no database link, and no on-chain call to any health data source. Deployed as a separate service with separate signing keys from the SLUD oracle. A modifier noHealthData() reverts if any input bytes match known health contract selectors.
Data sources allowed: CVS front-store POS (non-pharmacy registers), non-CVS retail partner APIs, opted-in financial transaction metadata
Data sources blocked: All pharmacy POS, MinuteClinic, SLUD earn events, SaludID state, SaludPass enrollment
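```solidity
pragma solidity ^0.8.20;

import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Interface implied by the redeemReach() call below.
interface IRewardContract {
    function issueBrandReward(address user, uint256 amount, uint256 campaignId) external;
}

contract SaludReach is ERC1155, AccessControl {
    // ARCHITECTURAL RULE: No function here may call SaludID, SaludPass, or SaludCoin.
    // Enforced by test: verifyZeroHealthContractReference() must pass in CI/CD.
    bytes32 public constant REACH_ORACLE_ROLE = keccak256("REACH_ORACLE_ROLE");
    uint256 public constant BASE_REACH = 0; // Fungible cross-campaign pool
    uint256 public nextCampaignId = 1;      // Campaign-specific token IDs

    struct Campaign {
        uint256 tokenId;
        address brand;
        uint256 budgetUsdc;
        uint256 budgetSpent;
        uint256 earnRate;
        uint64 expiresAt;
        uint8 targetTier;
        bool active;
    }
    mapping(uint256 => Campaign) public campaigns;

    // Emitted by mintReach() but not declared in the spec; field names are assumed.
    event CommercialActionRewarded(address indexed wallet, uint256 indexed campaignId, uint8 txType, uint256 amount);

    // Empty metadata URI and admin wiring are assumptions; the spec shows no constructor.
    constructor(address admin) ERC1155("") {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    // txType: 0=CVS_front_store, 1=non_CVS_retail, 2=financial_partner, 3=opt_in
    // CRITICAL: txType MUST NOT include any health-coded category (4+)
    // proof is accepted but not verified on-chain; REACH_ORACLE_ROLE is the only gate here.
    function mintReach(address wallet, uint256 campaignId, uint8 txType, bytes calldata proof)
        external
        onlyRole(REACH_ORACLE_ROLE)
    {
        require(txType <= 3, "Health-coded txType rejected"); // HIPAA guard
        Campaign storage c = campaigns[campaignId];
        require(c.active && block.timestamp <= c.expiresAt, "Campaign inactive");
        require(c.budgetSpent + c.earnRate <= c.budgetUsdc, "Budget exhausted");
        c.budgetSpent += c.earnRate;
        _mint(wallet, BASE_REACH, c.earnRate, ""); // Base fungible pool
        _mint(wallet, campaignId, c.earnRate, ""); // Campaign semi-fungible
        emit CommercialActionRewarded(wallet, campaignId, txType, c.earnRate);
    }

    // rewardContract is caller-supplied and, unlike SaludCoin.redeem(), is not
    // checked against an allowlist in this spec.
    function redeemReach(uint256 campaignId, uint256 amount, address rewardContract) external {
        _burn(msg.sender, BASE_REACH, amount);
        IRewardContract(rewardContract).issueBrandReward(msg.sender, amount, campaignId);
    }

    // Required because ERC1155 and AccessControl both define supportsInterface.
    function supportsInterface(bytes4 interfaceId) public view override(ERC1155, AccessControl) returns (bool) {
        return super.supportsInterface(interfaceId);
    }
}
```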
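The isolation test this section requires (verifyZeroHealthContractReference, later named /test/HIPAAIsolation.test.ts) is specified but not shown. One way to write its core check, as an added example that is not the project's own code: a scanner that skips comments and revert strings, since the SaludReach source itself names the health contracts in a comment, and flags only imports and code identifiers. The function name findHealthReferences, the I-prefixed interface convention and both sample sources are assumptions.

```typescript
// Added example, not project code. Forbidden names come from the page; the
// "/health/" path rule assumes the /contracts/health/ layout from the prompts.
type Finding = { line: number; kind: "import" | "identifier"; text: string };
const FORBIDDEN = ["SaludID", "SaludPass", "SaludCoin"];
// Whole identifiers such as SaludID, ISaludID or SaludCoinVault.
const FORBIDDEN_ID = new RegExp(`^I?(${FORBIDDEN.join("|")})\\w*$`);

function findHealthReferences(source: string): Finding[] {
  const findings: Finding[] = [];
  let line = 1;
  let i = 0;
  let importPending = false; // set by `import`, cleared by its path string
  while (i < source.length) {
    const ch = source.charAt(i);
    if (ch === "\n") line++;
    if (source.startsWith("//", i)) {
      // Line comment: skip to end of line so prose mentions are ignored.
      while (i < source.length && source.charAt(i) !== "\n") i++;
    } else if (source.startsWith("/*", i)) {
      const end = source.indexOf("*/", i + 2);
      const stop = end === -1 ? source.length : end + 2;
      line += source.slice(i, stop).split("\n").length - 1;
      i = stop;
    } else if (ch === '"' || ch === "'") {
      // String literal: only an import path counts; revert messages do not.
      let j = i + 1;
      while (j < source.length && source.charAt(j) !== ch) {
        j += source.charAt(j) === "\\" ? 2 : 1;
      }
      const text = source.slice(i + 1, j);
      const hit = text.includes("/health/") || FORBIDDEN.some((n) => text.includes(n));
      if (importPending && hit) findings.push({ line, kind: "import", text });
      importPending = false;
      i = j + 1;
    } else if (/[A-Za-z_$]/.test(ch)) {
      let j = i;
      while (j < source.length && /[\w$]/.test(source.charAt(j))) j++;
      const word = source.slice(i, j);
      if (word === "import") importPending = true;
      else if (FORBIDDEN_ID.test(word)) findings.push({ line, kind: "identifier", text: word });
      i = j;
    } else {
      i++;
    }
  }
  return findings;
}

// Constructed inputs: one names health contracts only in comments and a string, one imports and calls one.
const CLEAN_SOURCE = [
  "// No function here may call SaludID, SaludPass, or SaludCoin.",
  'contract SaludReach { /* never SaludPass */ string constant E = "SaludCoin rejected"; }',
].join("\n");
const LEAKY_SOURCE = [
  'import {ISaludID} from "../health/SaludID.sol";',
  "contract SaludReach {",
  "  function ok(address id) external view returns (bool) { return ISaludID(id).locked(0); }",
  "}",
].join("\n");
```

A source scan does not see a low-level call made through a raw address and selector, so it complements the separate deployments and signing keys described above rather than replacing them.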
SaludReach turns the 9,000 CVS planogram positions into a programmatic advertising network where brands pay to reach Salud Vault users at the moment of verified retail purchase. A ring tap is a real-world, hardware-authenticated commercial transaction — infinitely more valuable than a cookie-based or wallet-observation signal. Brands pay USDC into campaign contracts; Salud earns 15–25% platform fee at deposit time.
Revenue projection: 50,000 Vault holders × 8 front-store purchases/month × $0.15 brand cost per REACH earn event × 20% Salud fee = $12,000/month from CVS front-store alone. At 500,000 holders: $120,000/month, scaling linearly with enrollment — completely independent of subscription revenue or healthcare relationships.
05 SLUD Tokenomics — Earn and Redeem Schedule
SLUD cannot be purchased (only earned through health actions) and is earned for the holder's own behavior — not as an investment expecting profit from others' efforts. This mirrors CVS ExtraCare points and airline miles. External securities counsel must confirm before public issuance. Also review Medicare Anti-Kickback Statute (AKS) safe harbor before launch — SLUD earn triggers must reward health behaviors, not provider-specific usage.
| Health action | SLUD |
|---|---|
| MinuteClinic visit | 50 |
| Preventive care (annual) | 200 |
| Rx refill on-time | 25 |
| Medicare Annual Wellness Visit | 500 |
| Chronic care check-in (mo) | 100 |
| Health screening (A1c, BP) | 150 |
| CVS pharmacy vaccine | 75 |
| Medicaid care plan compliance | 300/mo |

| Redemption | SLUD cost |
|---|---|
| $1 CVS purchase credit | 100 |
| $1 USDC to Vault balance | 110 |
| MinuteClinic copay waiver | 500 |
| Rx copay reduction ($10 off) | 1,000 |
| Medicare Part D supplement | 2,000 |
| Salud plan upgrade (1 mo) | 3,000 |
| Aave yield 2x (1 mo) | 5,000 |
| Telehealth visit (CVS HUB) | 1,500 |
06 Build Plan — All Four Tokens — Claude Chat vs Claude Code
| Task | Tool | Priority | Deliverable | Effort |
|---|---|---|---|---|
| Phase 1 — Tokens 1–3 Smart Contracts (Weeks 1–4) | | | | |
| SaludCoin.sol (ERC-20 + whitelist): Earn/burn/whitelist + roles + 95%+ tests | Claude Code | Critical | Hardhat, OpenZeppelin v5, Polygon Amoy deploy, Polygonscan verify | 4–8 hrs |
| SaludID.sol (ERC-5192 soulbound): Credential struct, IPFS CID, issuer roles, ZK verifier hook | Claude Code | Critical | locked() always true, transferFrom reverts, revocation logic, test suite | 4–6 hrs |
| SaludPass.sol (ERC-721): PlanType enum, copay lookup, family transfer | Claude Code | Critical | ERC-721URIStorage, getCopayForService(), isActivePlan(), familyTransfer() with issuer sig | 4–6 hrs |
| Howey memo + AKS analysis: Securities + healthcare counsel briefing doc | Claude Chat | Critical | Legal memo for external securities + healthcare counsel. Do before any public token mention. | 2–4 hrs |
| Phase 2 — Token 4 (SaludReach) Contracts (Weeks 3–6, parallel) | | | | |
| SaludReach.sol (ERC-1155): Campaign struct, mintReach(), redeemReach(), HIPAA guard modifier | Claude Code | Critical | ERC-1155, BASE_REACH tokenId 0, campaign tokenIds 1+, txType <= 3 guard, isolation test in CI | 6–10 hrs |
| CampaignManager.sol: Brand USDC deposit, platform fee deduction, campaign creation | Claude Code | Critical | USDC transfer, 15–25% fee config, createCampaign(), withdrawUnspentBudget(), spend reporting | 4–8 hrs |
| ReachOracle.sol + HIPAA isolation test: Commercial POS only, noHealthData() modifier, CI test | Claude Code | Critical | Separate oracle deployment, noHealthData() revert on health selectors, test that verifies zero cross-reference to health contracts | 4–8 hrs |
| CVS front-store POS webhook: Non-pharmacy register integration only | Claude Code | High | Python FastAPI webhook from CVS front-store POS API (separate endpoint from pharmacy API), oracle signing, mintReach() call | 6–10 hrs |
| Phase 3 — Identity + FHIR Layer (Weeks 5–8) | | | | |
| ID.me OAuth + Medicare MBI bridge: MBI → keccak256 hash → SaludID mint | Claude Code | High | Node.js: ID.me OIDC, MBI extract, hash, issueSaludID(), Tangem chip write via SDK | 6–10 hrs |
| CMS Blue Button 2.0 FHIR + SLUD oracle: Part D claims, Rx adherence, earn oracle service | Claude Code | High | FastAPI: BB2.0 OAuth, FHIR R4 parsing, health event detection, ECDSA signing, SaludCoin.earnReward() | 8–12 hrs |
| Phase 4 — Tangem SDK + App (Weeks 9–14) | | | | |
| Tangem SDK NFC integration: iOS Swift + Android Kotlin, card + ring | Claude Code | Critical | TangemSdk.startSession(), ERC-4337 UserOp signing, credential chip write, backup ring linking | 8–14 hrs |
| ERC-4337 batch UserOperation: One tap: SLUD earn + REACH earn + copay payment | Claude Code | Critical | Alchemy AccountKit, batch ops combining health + commercial rewards in one ring tap, Paymaster gas sponsorship | 6–10 hrs |
| React Native senior-optimized app: WCAG AAA, 18pt+ font, voice guidance, 3-screen max | Claude Code | High | Expo, wagmi, NativeWind, 8 screens (wallet, tap-to-pay, remittance, SLUD rewards, REACH rewards, Medicare card, Rx, MinuteClinic) | 10–16 hrs |
| Brand advertiser portal (Next.js): Campaign creation, USDC deposit, spend dashboard | Claude Code | Medium | Next.js + wagmi: brand wallet connect, USDC deposit, campaign builder (target tier, earn rate, expiry), real-time spend reporting | 8–14 hrs |
07 Risk Register — All Four Tokens
08 Starting Prompts — Open Claude Code Desktop Now
"Set up a Hardhat + TypeScript monorepo called salud-vault-contracts. Create /contracts/health/ with: SaludCoin.sol (ERC-20 with MINTER_ROLE, transfer whitelist, earnReward() emitting HealthActionRewarded event, redeem() with burn, OpenZeppelin v5), SaludID.sol (ERC-5192 soulbound with CredentialRecord struct: medicareIdHash bytes32, medicaidIdHash bytes32, aetnaMemberHash bytes32, rxBenefitHash bytes32, vcCid string, expiresAt uint64, medicareVerified bool — locked() always true, transferFrom always reverts), SaludPass.sol (ERC-721URIStorage with PlanType enum including DUAL_ELIGIBLE_SPECIAL, PlanMetadata struct, isActivePlan() and getCopayForService() returning USDC cents). Configure for Polygon Amoy testnet. Generate comprehensive test files targeting 95%+ branch coverage."
"In the salud-vault-contracts monorepo, create /contracts/reach/ with three contracts. SaludReach.sol extending ERC-1155 with: Campaign struct (tokenId, brand, budgetUsdc, budgetSpent, earnRate, expiresAt, targetTier, active), BASE_REACH constant = 0, mintReach(wallet, campaignId, txType uint8, proof bytes) with REACH_ORACLE_ROLE gate and require(txType <= 3) HIPAA guard, redeemReach(campaignId, amount, rewardContract). CampaignManager.sol: USDC deposit from brands, configurable platform fee (15–25%), createCampaign() call. ReachOracle.sol: commercial POS data only, noHealthData() modifier that reverts if input matches known health contract selectors. CRITICAL: add a test file /test/HIPAAIsolation.test.ts that verifies SaludReach.sol has zero function calls to SaludID.sol, SaludPass.sol, or SaludCoin.sol. This test must be part of CI and must fail if any cross-contract health reference is introduced. Deploy all three to Polygon Amoy in a separate deployment from the health contracts."
"Apply the Howey test to SaludCoin (SLUD). SLUD is earned only through verified health actions, cannot be purchased, is transfer-restricted to whitelisted service contracts only, and is redeemable only against approved healthcare services. Analyze whether SLUD is a security and whether earn triggers implicate the Medicare Anti-Kickback Statute safe harbors. Also: analyze whether SaludReach (REACH) creates any separate securities or commodity issues — REACH is minted by brands depositing USDC and distributed to consumers for commercial retail transactions with no health component. Draft briefing memos for external securities and healthcare counsel covering both tokens."
09 Unstoppable Domains — Full Integration Spec
Salud Vault's primary users are unbanked, cross-border senders who must never see a 42-character hex address. One typo loses funds permanently. Unstoppable Domains replaces 0x742d35Cc6634C0532925... with saludcap.x. UD domains live on Polygon PoS — the same chain Salud Vault is built on — so resolution is native, cheap (<$0.01), and permanent with no renewal fees.
Resolves to Gnosis Safe multisig (Salud Capital treasury). B2B partner USDC deposits. "Login with Unstoppable" OAuth entry point. Investor/partner-facing identity. Also linked to SaludID SAID tokens as the user-facing identity string at MinuteClinic check-in.
Resolves to CampaignManager.sol contract address. Brands deposit USDC to saludrewards.x — no hex address needed. Consumer-facing Salud Tokens + REACH rewards portal entry point.
Resolves to Bitcoin receiving address (from Bitso account). Opens BTC remittance rail alongside USDC. Senders use saludcap.bitcoin; Bitso handles USDC↔BTC↔MXN swap. No Bitcoin infrastructure build required.
Resolves to ERC-4337 smart account factory + IPFS dApp hash. Decentralized hosting alongside salud-vault.com. No server to go down, no domain registrar seizure. Reinforces "you own your assets" brand narrative.
```typescript
import { ethers } from 'ethers';
import Resolution from '@unstoppabledomains/resolution';

const resolution = new Resolution();

async function resolveRecipient(input: string): Promise<string> {
  if (ethers.isAddress(input)) return input; // already a hex address
  if (input.includes('.')) {
    try {
      const addr = await resolution.addr(input, 'MATIC'); // Polygon-native
      if (addr) return addr;
    } catch {
      throw new Error(`Domain "${input}" not found.`);
    }
  }
  throw new Error('Enter a wallet address or domain (e.g. saludcap.x)');
}

// UI: recipient field shows "✓ saludcap.x → 0x742d..." green text
// User MUST tap "Confirm & Send" — never auto-send to resolved address
```
After Phase 6 mainnet deploy: log into unstoppabledomains.com dashboard. For each domain, set the Polygon (MATIC) resolution address to the deployed contract or Gnosis Safe address. saludcoin.x: set immediately as a redirect — do not wait for mainnet. This is a web UI operation, not a smart contract call. No gas cost. Permanent.