MARS Platform

2026 Execution Plan

MARS — Managed Addiction Recovery System

HIPAA-compliant, scalable SaaS administration platform for addiction recovery management. Secure, consent-driven, and built for organizations, courts, employers, and families.

Total Budget: $100K @ $100/hr
Dev Hours: ~1,000 (Jan–Nov 2026)
Phases: 6 (11-month delivery)
User Roles: 9 (permission-based)

HIPAA Compliant · PCI Compliant · Zero-Trust Access · Multi-Tenant SaaS · RumbleDB Encrypted PHI

In Scope — Bluefrog Delivery

  • SaaS backend & API layer
  • Admin dashboard (web)
  • Security, encryption & HIPAA compliance
  • Reporting & analytics engine
  • Payment processing integration
  • Mobile app API integration endpoints

Out of Scope

  • Mobile app development
  • Mobile app UI/UX changes
  • App store deployment & management

The mobile team will be provided with API contracts and integration documentation for all endpoints.

System Design

Architecture & Stack

HIPAA Compliance

Administrative, physical, and technical safeguards. Audit trails for all PHI access. BAA with cloud provider required.

PCI Compliance

Payments offloaded to Stripe/Braintree. Zero card data stored locally. Tokenized transactions only.

Zero-Trust Model

No implicit access — even admins are scoped. All permissions explicit, revocable, and time-bounded.

Technology Stack

Backend

PHP 8.3+ or Node.js (NestJS)
REST + optional GraphQL
OAuth2 / JWT tokens
MFA (TOTP/SMS)

Database

RumbleDB (primary)
Encrypted columns for PHI
Separate analytics tables
Non-identifiable reporting

Infrastructure

HIPAA-eligible cloud (AWS/GCP)
Private VPC
Encrypted backups
WAF + rate limiting

Payments

Stripe or Braintree
PCI offloaded
Subscription management
Invoice generation

System Architecture Flow

Mobile App (out of scope) → API Gateway (OAuth2 + JWT) → Permission Engine (consent-gated) → Core Services (business logic) → RumbleDB (encrypted PHI) → Admin Dashboard (anonymized reports)

Access Control

User Roles & Permission Model

Critical Design Principle

Role ≠ Access. The person in recovery is the primary data owner and sets all permissions per relationship. No user sees data unless explicitly granted consent. All permissions are revocable and optionally time-bounded.

Person in Recovery: primary data owner
Parolee: court-linked role
Mentor: support role
Employer: limited visibility
Family Member: consent-gated
Patrol Officer: compliance view
Recovery Specialist: clinical access
Recovery Organization: org-level admin
System Administrator: scoped access

Permission Matrix (User-in-Recovery Controls)

Legend: Full / Limited / None

Data Category          Mentor  Family  Employer  Patrol  Specialist  Org
Meeting Attendance
Journal Entries
Medication Plan
Action Plans & Tasks
Messaging
Check-in/out Status

All permissions shown above are defaults. The person in recovery can override any of these at any time. "Limited" means summary or yes/no only — no raw data access.
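The consent-gated decision described above, as an added example rather than Bluefrog's code: a grant lookup modelled on the plan's permission_assignments and access_logs tables. The grant fields `category` and `level`, the `decision` column on the access log, and the sample grants are assumptions; role is deliberately not an input, so a Recovery Specialist without a grant is treated like anyone else.

```javascript
// Added example (not Bluefrog's code): consent-gated read of one data category.
// Constructed sample grants from the person in recovery (pir-1). expires_at of
// null means no time bound; revoking a grant is simply deleting the row.
const sampleGrants = [
  { grantor_id: 'pir-1', grantee_id: 'mentor-1', category: 'meeting_attendance',
    level: 'full', expires_at: null },
  { grantor_id: 'pir-1', grantee_id: 'employer-1', category: 'meeting_attendance',
    level: 'limited', expires_at: '2026-06-30T00:00:00Z' },
];
const sampleRecords = [
  { user_id: 'pir-1', category: 'meeting_attendance', meeting_id: 'm-1',
    checked_in_at: '2026-03-01T18:00:00Z' },
  { user_id: 'pir-1', category: 'journal_entries', encrypted_content: '<ciphertext>' },
];

// Highest still-active level the grantor has given this grantee for the category.
function effectiveLevel(grants, grantorId, granteeId, category, nowMs) {
  const active = grants.filter(g => g.grantor_id === grantorId &&
    g.grantee_id === granteeId && g.category === category &&
    (g.expires_at === null || Date.parse(g.expires_at) > nowMs));
  if (active.some(g => g.level === 'full')) return 'full';
  if (active.some(g => g.level === 'limited')) return 'limited';
  return 'none';
}

// "Limited" means summary or yes/no only: raw records never leave this function.
function summarize(category, records) {
  if (category === 'meeting_attendance') return { attended: records.length > 0 };
  return { count: records.length };
}

// Decides, returns only what the level allows, and appends an access_logs row
// for every attempt, denied ones included (the decision column is assumed).
function readCategory(ctx, granteeId, ownerId, category, nowMs) {
  const level = effectiveLevel(ctx.grants, ownerId, granteeId, category, nowMs);
  ctx.accessLogs.push({ accessor_id: granteeId, resource_owner_id: ownerId,
    resource_type: category, decision: level,
    timestamp: new Date(nowMs).toISOString() });
  const rows = ctx.records.filter(r => r.user_id === ownerId && r.category === category);
  if (level === 'full') return { level, data: rows };
  if (level === 'limited') return { level, data: summarize(category, rows) };
  return { level, data: null };
}

// Fresh in-memory context holding the constructed fixtures and an empty log.
function newContext() {
  return { grants: [...sampleGrants], records: sampleRecords, accessLogs: [] };
}
```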

Features

Functional Modules

User Invitation System

Initiated from the mobile app. The person in recovery provides a name and email for each person they want to invite. The system sends a secure, tokenized email invitation.

1. User submits name + email + relationship type via mobile app
2. System generates one-time secure token with expiration
3. Email invitation sent with role assignment
4. Invited user creates account + enables MFA
5. Permissions applied based on group defaults; user can customize

// Invitation API Contract

POST /api/v1/invitations
{
  "inviter_id": "uuid",
  "invitee_name": "string",
  "invitee_email": "string",
  "relationship_type": "mentor|family|employer|patrol|specialist|org",
  "permission_group": "default|custom",
  "custom_permissions": {}
}

Response: 201 Created
{
  "invitation_id": "uuid",
  "status": "pending",
  "expires_at": "ISO8601",
  "token": "[redacted]"
}

Recovery Data Management

Journal System

Encrypted per-user key. Private by default. Shareable by explicit consent only — summaries or full text.

AES-256 encryption at field level

Meeting Check-in/Out

Location-verified or manual check-in. Timestamped records. Shareable as yes/no attendance or full history.

Geofence optional — configurable by org

Medication Plans

Structured medication tracking. Read-only sharing. Recovery specialists can view if permitted.

HIPAA PHI — maximum encryption tier

Action Plans & Tasks

Created by user, specialist, or system-generated. Assignable tasks with due dates. Collaborative when permitted.

Task completion feeds reporting engine

Anonymity Rule

All recovery data uses UUIDs instead of sequential IDs. No names appear in analytics tables. Journals use per-user encryption keys. Field-level encryption for all PHI. Separate reporting database or views.

Administrative Dashboard (Web)

Organization Management

→ Multi-tenant org setup

→ User lifecycle management

→ Role & group configuration

→ Org-level settings

Payments & Billing

→ Subscription tier management

→ Invoice generation & history

→ Payment method management

→ Organization billing controls

Data Operations

→ Meeting data imports (CSV/API)

→ Recovery plan builder

→ Reading plan templates

→ System health monitoring

Anonymized Reporting Engine

All reports are aggregated and anonymized. Drill-down capability respects permission boundaries. No PII surfaces in any report unless explicitly authorized by the person in recovery.

Available Report Types

Participation rates across programs

Meeting attendance trends (aggregate)

Task completion metrics

Program effectiveness (cohort-level)

Compliance audit reports

System usage & health metrics

Drill-Down Rules

Org admins → aggregate org data only

Recovery specialists → permitted individual data

System admins → system metrics (no PHI)

All drill-downs → audit-logged

Schema

Relational Data Model

Core Tables

users

id, email, hashed_pw, mfa_secret, role_id, status, created_at

roles

id, name, description, is_system_role

user_groups

id, name, org_id, created_by

permissions

id, resource, action, scope

user_relationships

id, user_id, related_user_id, relationship_type, status

permission_assignments

id, grantor_id, grantee_id, permission_id, expires_at

Recovery Data (Encrypted)

journals 🔒

id, user_id, encrypted_content, mood, created_at

meetings

id, org_id, name, location, schedule, type

checkins

id, user_id, meeting_id, checked_in_at, checked_out_at

medications 🔒

id, user_id, encrypted_name, dosage, frequency, prescriber

action_plans

id, user_id, title, created_by, status

tasks

id, plan_id, title, assigned_to, due_date, status

System & Audit

audit_logs

id, user_id, action, resource, ip, timestamp

access_logs

id, accessor_id, resource_owner_id, resource_type, timestamp

consent_history

id, grantor_id, grantee_id, permission_id, action, timestamp

reports_cache

id, report_type, org_id, data_hash, cached_at, expires_at

invitations

id, inviter_id, email, token_hash, role, status, expires_at

subscriptions

id, org_id, plan_id, stripe_id, status, renewal_at

Roadmap

2026 Execution Timeline

6 phases across 11 months. Each phase has defined deliverables, hours, and cost at $100/hr.

PHASE 1

Architecture & Compliance Foundation

January – February 2026

$12,000

120 hours

System architecture diagrams

HIPAA risk assessment

Data classification matrix

Security & compliance plan

Finalized relational schema

RumbleDB environment setup

PHASE 2

Core Platform & Authentication

March – April 2026

$18,000

180 hours

User authentication system (OAuth2/JWT)

Role & permission engine

Invitation workflow + email service

MFA & token lifecycle management

Audit logging infrastructure

API contract for mobile team

PHASE 3

Recovery Data Modules

May – June 2026

$22,000

220 hours

Journal system (per-user encryption)

Meeting check-in / check-out

Medication plan management

Action plans & task system

Permission-aware data access layer

Mobile API endpoints for all modules

PHASE 4

Admin Dashboard & Reporting

July – August 2026

$20,000

200 hours

Full admin UI (Tailwind-based)

Aggregated anonymized reporting

Drill-down controls (permission-safe)

Data import tools (meetings, programs)

Organization management panel

Recovery & reading plan builders

PHASE 5

Payments & SaaS Operations

September 2026

$8,000

80 hours

Stripe/Braintree integration

Subscription tier management

Invoice management system

Organization billing controls

PHASE 6

Security Hardening & Launch

October – November 2026

$10,000

100 hours

Penetration test + remediation

Logging & monitoring setup

Disaster recovery plan

Full system documentation

Go-live readiness assessment

Production deployment

Investment

Budget & Cost Breakdown

Charts: Cost Distribution by Phase; Hours by Phase; Cumulative Budget Burn (2026)

Phase Summary

Phase                            Timeline    Hours    Cost
1. Architecture & Compliance     Jan – Feb     120    $12,000
2. Core Platform & Auth          Mar – Apr     180    $18,000
3. Recovery Data Modules         May – Jun     220    $22,000
4. Admin Dashboard & Reporting   Jul – Aug     200    $20,000
5. Payments & SaaS Ops           Sep            80     $8,000
6. Security Hardening & Launch   Oct – Nov     100    $10,000
Total                                       ~1,000   $100,000

Documentation

Notes, SOW Guidance & Key Decisions

Confidentiality — Non-Negotiable

The person in recovery's anonymity is the bedrock of this system. Mobile app never directly accesses raw PHI. All data flows through permission-checked APIs. Journals are encrypted with per-user keys. Admins cannot bypass consent. UUIDs replace sequential IDs everywhere. No names surface in analytics tables.

HIPAA — What It Actually Means for This Build

HIPAA isn't a checkbox — it's a framework. This project requires: a formal risk assessment before writing code, Business Associate Agreements with cloud providers, encryption at rest and in transit for all PHI, audit trails for every access to protected health information, a breach notification plan, workforce training documentation, and ongoing compliance monitoring. Phase 1 addresses all of this before a single line of application code is written.

RumbleDB — Client Preference

Client has specified RumbleDB as the database layer. The schema and relational model have been designed with this in mind. If RumbleDB's encryption capabilities prove insufficient for field-level PHI encryption, we may need to implement application-layer encryption as a supplement. This will be evaluated during Phase 1.

Data Ownership Model — Consent-Driven Architecture

Every data access decision in this system is gated by the person in recovery's explicit consent. Permissions are defined by data category, action type, and time window. The invitation flow requires the person in recovery to initiate all relationships. This is not just a feature — it's the core architectural principle.

Mobile Integration Boundary

The mobile app already exists and is out of scope. Bluefrog's responsibility is to provide well-documented REST API endpoints with clear contracts. The mobile team will receive: OpenAPI/Swagger documentation, authentication flow diagrams, webhook specifications for real-time events, and a staging environment for integration testing.

Scalability — Built for National Expansion

This system is designed to scale to courts, recovery organizations, employers, and family support networks nationwide without re-architecture. Multi-tenant design from day one. Horizontally scalable API layer. Cached reporting with configurable refresh intervals. No hard-coded organization limits.

PCI Compliance — Offloaded by Design

No credit card data is ever stored in this system. All payment processing is offloaded to Stripe or Braintree via tokenized transactions. This dramatically reduces PCI scope. The admin dashboard handles subscription management and invoice display — never raw card data.

Next Steps After Approval

Once the client approves this plan, Bluefrog can immediately begin Phase 1 deliverables: formal SOW document for signature, technical architecture diagrams, HIPAA policy language drafts, detailed database schema with ERD, and API contract documentation for the mobile development team.