Broker and agent pathways

MarketLink pathway architecture for broker, agency, agent, and consumer enrollment.

A production-facing walkthrough of the MarketLink operating model: broker onboarding, agency hierarchy, agent-scoped books of business, white-label consumer enrollment, CMS EDE transactions, protected-data controls, and the evidence trail needed for a regulated ACA platform.

Architecture Broker desktop, consumer portal, CMS Hub, carrier EDI, and evidence stores.

Shows where users enter, where data lands, and where transactions leave the platform.

Security Identity, MFA, RBAC, agency isolation, encryption, audit, and HMAC events.

Maps controls to the actual release code and CMS broker-agent requirements.

Walkthrough Dashboard, clients, applications, plan shopping, consent, agency, and compliance views.

Shows the operating path from platform access to enrollment evidence.

Review architecture Evidence walkthrough Product screen sequence

MarketLink pathway view Walkthrough-ready architecture

01 Public and branded entry

Agency or broker branded URL, consumer registration, account activation, identity proofing, and portal home.

/b/<slug> -> /portal/register -> /portal/verify-identity

02 Broker workspace

Dashboard, clients, leads, applications, exports, analytics, commissions, payments, book, marketing, agency, and consent.

/dashboard, /clients, /applications, /agency, /consent

03 Security control plane

Geo gate, public-route allowlist, rate limits, CSRF, Okta/IAL2, MFA, registration status, and route-level RBAC.

middleware.ts + NextAuth + API helpers

04 CMS EDE service layer

Marketplace plan data, Hub API modules, mTLS transport, circuit breakers, idempotency, evidence capture, and webhooks.

cms-hub/apis/* + cms-marketplace-api.ts

05 Evidence and data foundation

Prisma/PostgreSQL schema, encrypted PII, masked response boundaries, audit hash chain, document retention, and 834 tracking.

schema.prisma + encryption + audit services

Architecture view

Broker/agent pathway architecture connects users, controls, product functions, CMS transactions, and evidence.

This view is based on the MarketLink release source. It separates user entry paths from the authenticated broker desktop, then shows the control layer, domain services, persistence boundary, CMS/FFE integrations, carrier EDI outputs, and audit evidence.

Security architecture

The pathway is controlled by layered identity, authorization, privacy, API, and evidence gates.

The control pattern is not just login. Requests are filtered before authentication, sessions carry producer and consumer context, routes enforce broker versus portal surfaces, APIs scope data to the authenticated broker, and every sensitive read or write leaves a compliance trail.

01 Ingress controls

Static asset allowlist, public route allowlist, country allowlist, auth rate limits, API rate limits, CSRF checks, CSP, frame protection, and strict referrer policy.

02 Identity assurance

Okta provider path with IAL2 intent, MFA enrollment and verification gates, identity proofing gates, password-change gates, and concurrent session supersession.

03 Role and pathway boundaries

OWNER, ADMIN, AGENT, SUPPORT, platform-admin, broker, and consumer surfaces are separated. Portal users cannot reach broker APIs, and brokers cannot access portal APIs.

04 Minimum necessary data

BrokerId and agencyId scoping, encrypted SSN/email/phone/address where implemented, masked SSN response, protected-data access logging, and protected-field re-proofing logic.

05 Tamper-evident evidence

AuditLog persistence, rowHash/prevHash chain, redacted metadata, protected-data read events, Hub request/response evidence, HMAC-authenticated inbound CMS events.

Broker/agent pathway security posture

The broker/agent pathway is protected as an enterprise broker platform, not only as a portal.

The target security architecture combines edge protection, enterprise identity, application security, protected-data controls, EDE transaction evidence, and continuous SecOps assurance into one defensible posture.

Edge DNS, F5 VIP, reverse proxy, WAF, bot controls, TLS, HSTS, CSP.

Broker, agency, and consumer traffic enters through hardened edge paths before it can reach application routes.

Identity SSO, IAM/IDM, MFA, conditional access, RBAC, broker and agency scoping.

No shared identity model: every producer, admin, support user, and consumer carries scoped session context.

Application BFF, API gateway, CSRF, rate limits, schema validation, mTLS service calls.

Route-level controls separate broker workspace, consumer portal, admin functions, CMS Hub, and evidence actions.

Assurance SAST, DAST, SCA, IaC/container scans, Qualys, pen tests, red-team validation.

Security evidence is produced continuously, not only during certification or audit preparation.

Layer	Controls	Evidence to maintain	Operating cadence
Edge and network	DNS controls, F5 VIP, reverse proxy, WAF, bot rules, DDoS/CDN posture, TLS 1.3, HSTS, CSP, certificate rotation.	DNS change record, VIP config, WAF policy export, TLS scan, certificate inventory, firewall rule approval.	Change-controlled; certificate and WAF review on release and scheduled control review.
Identity and access	Enterprise SSO, IAM/IDM joiner-mover-leaver, MFA, conditional access, RBAC/ABAC, brokerId/agencyId scoping, support break-glass.	Access review, MFA report, privileged access log, broker role evidence, session timeout test, deprovisioning sample.	Continuous enforcement; periodic access review and privileged access recertification.
Application security	SAST, DAST, SCA, IaC scan, container scan, secrets scan, CSRF, rate limits, schema validation, secure headers, threat model.	Scan reports, remediation tickets, architecture threat model, exception register, release approval, dependency risk record.	Every build and release; formal exception review before production movement.
SecOps and assurance	Cortex XDR/SIEM/SOAR telemetry, Tanium endpoint posture, Qualys vulnerability scans, pen tests, red-team exercises, incident runbooks.	SIEM correlation, endpoint compliance, vulnerability report, pen-test attestation, red-team findings, incident tabletop record.	Continuous monitoring, scheduled vulnerability scanning, annual or risk-triggered penetration test and red team.

Security documentation pack

BrokerPortal security review materials are packaged as architecture, controls, and release evidence.

These documents establish the security narrative, the control-to-evidence trail, and the testing artifacts needed to support architecture, risk, compliance, and release review.

Security Architecture Overview

Narrative architecture view covering ingress, identity, application controls, protected data, evidence lifecycle, and SecOps assurance.

Download DOCX

Controls and Evidence Matrix

Control matrix mapping identity, edge, application, data, vulnerability, continuity, and integration controls to evidence artifacts, owners, and review cadence.

Download DOCX

Testing and Release Evidence Checklist

Release evidence checklist covering threat model, SAST, SCA, secrets, DAST, vulnerability scans, access review, remediation, and approval criteria.

Download DOCX

Evidence boundary

Operating effectiveness is confirmed by attaching dated artifacts such as scan outputs, access reviews, WAF/TLS evidence, threat model approval, remediation tickets, and release signoff.

EDE transaction flow

Application, consent, plan shopping, submission, status, and carrier handoff are separate controlled steps.

MarketLink operates as a workflow system, not as a collection of disconnected screens. The value is the controlled sequence: identify the broker, prove the consumer, scope the data, capture permission, call CMS safely, track evidence, resolve DMI/SVI, and produce downstream enrollment outputs.

Requirements map

Business requirements tie directly to platform functions, controls, and walkthrough views.

The traceability model connects ACA broker operations to the platform capabilities, controls, and evidence required to operate a governed enrollment pathway at scale.

Requirement area	Platform function	Security / evidence control	Walkthrough view
Broker and agency onboarding	Broker profile, agency profile, join code, member roster, lead-agent accountability, agency role assignment, NPN fields.	Registration status gate, NPN/RCL fields, OWNER/ADMIN role control, audit log for role and profile changes.	Dashboard checklist, Agency, Settings.
Agent downline and book ownership	OWNER/ADMIN can manage agency-wide activity; AGENT is scoped to assigned clients and applications unless delegated.	brokerId and agencyId filters, route RBAC, no shared identities, API helper auth, PII access logging.	Agency roster, Clients, Applications.
White-label consumer enrollment	Agency or broker slug resolves branded consumer entry and broker attribution before portal account creation.	Reserved slug validation, broker attribution metadata, consumer userType isolation, identity proofing before protected portal actions.	Branded portal, Register, Verify Identity, Portal Home.
Client and household management	Client profile, household members, dependents, documents, follow-ups, SVI/DMI queue, book import.	AES-256-GCM PII encryption, SSN masking, protected-field re-proofing, PHI access logging, soft delete.	Clients, Client detail, Documents, Follow-ups.
Application and plan shopping	Application draft, household income, county, APTC/CSR, plan comparison, selected plan, effective date.	Protected-data access logging, Zod validation, PlanCache, CMS Marketplace retry/cache controls, broker ownership checks.	Applications, New Application, Plan Shopping.
Consent, AOR, and permission	Electronic, verbal, written, three-way call, AOR transfer, consent scope, revocation, expiration.	ConsentRecord with IP, user agent, timestamp, consumer/agent context, E-SIGN-compatible signature field, audit retention.	Consent Library, Collect Consent, Three-Way Calls.
CMS EDE Hub transactions	StoreIDProofing, StorePermission, SubmitApp, SubmitEnrollment, GetApp, GetEnrollment, GetDMI, GetSVI, NoticeRetrieval, UpdatePolicy.	mTLS-capable keep-alive transport, circuit breakers, idempotency rows for non-idempotent submissions, correlation IDs, evidence capture.	Application submit, Compliance, EDE testing evidence.
Carrier and downstream operations	EDI 834 generation, 999/997 acknowledgment tracking, carrier appointment context, commissions, exports, payments.	Transaction IDs, validation errors, acknowledgment status, retry counts, export controls, commission records.	Exports, Commissions, Payments, Reports.
Audit and compliance evidence	Compliance artifacts, audit report, audit integrity verification, CMS package, security remediation evidence.	AuditLog hash chain, redacted audit metadata, Hub evidence folder, HMAC webhook receipts, generated certification artifacts.	Compliance, Audit Report, Evidence Hub.

Platform walkthrough

The platform operates from broker access to enrollment evidence across one governed workflow.

MarketLink is presented through an end-to-end operating sequence: broker readiness, agency governance, book management, application workflow, plan shopping, consent, submission, and compliance evidence.

00-02 Access and readiness

Broker dashboard establishes FFM integration status, onboarding readiness, certification training, and operational next steps.

02-04 Agency and agent control

Agency roster, role boundaries, NPN management, carrier appointments, invitations, and approval workflow define controlled access.

04-06 Book of business

Clients, leads, import, follow-ups, renewals, documents due, AOR at risk, and SVI tracking provide broker operating visibility.

06-09 Application and plan shopping

Application workflow validates household details, calculates APTC/CSR context, compares plans, and selects coverage.

09-12 Consent and submission

Consent, submission, confirmation, review tasks, and consumer notification complete the controlled enrollment path.

12-14 Evidence and operations

Audit report, compliance artifacts, Hub evidence, DMI/SVI remediation, exports, commissions, and support readiness close the loop.

MarketLink broker dashboard with FFM integration and onboarding checklist

Dashboard Broker command center and readiness checklist

This view anchors operational readiness: FFM integration, broker profile, NPN/license verification, agency setup, branded enrollment site, and consent configuration.

Agency Agency hierarchy, member roster, NPN, and approval controls

Establishes governed agency administration, agent access, and delegated operating control.

Clients Book of business, search, tabs, documents, SVI, and follow-up queues

Provides agent-scoped client operations with documents, follow-ups, renewals, and issue tracking.

Applications Drafts, submitted applications, CMS IDs, and status filters

Connects enrollment work to controlled status tracking and broker ownership.

Plan shopping Plans, eligibility context, quote search, and plan selection

Supports the APTC/CSR and plan-selection stage of the EDE pathway.

Consent Consent library, collection, three-way call, AOR, and revocation evidence

Shows how the platform captures permission before enrollment actions.

Compliance Certification artifacts, audit report, remediation, and evidence package

Packages certification artifacts, remediation status, audit trail integrity, and compliance evidence.

Current UAT evidence vault

MarketLink evidence is published as a current UAT packet plus a 2,337-file historical archive.

The UAT packet shows freshness from UAT-MarketLink.healthplan.com; the historical archive shows evidence depth with screenshots, metadata, audit reports, CMS deliverables, and compliance artifacts.

Current UAT evidence walkthrough View current UAT packet Browse historical archive

Production readiness priorities

The operating model advances through governed controls, automation, and evidence-backed readiness.

These priorities define the control posture for a regulated ACA enrollment platform: enforce access at the data layer, standardize identity assurance, automate producer validation, formalize CMS contracts, and operate evidence as a managed compliance asset.

Data isolation

Enforce minimum necessary access below the application layer.

Database-level policy for agencyId, brokerId, clientId, and delegated-book access strengthens broker separation and reduces dependency on route-only controls.

Identity

Standardize enterprise SSO, MFA, and session governance.

Producer, agency, support, and consumer pathways should carry verified identity context, MFA enforcement, step-up policy, timeout controls, and clear deprovisioning evidence.

NPN and AOR

Automate producer validation and consent lifecycle controls.

NPN/NIPR validation, RCL status, annual certification evidence, AOR consent, dispute handling, and revocation proof become governed operating services.

Hub contracts

Formalize CMS Hub service contracts and transaction behavior.

Typed request and response schemas, contract tests, replay fixtures, idempotency controls, and correlation IDs create predictable integration behavior for every submission path.

Evidence operations

Operate evidence as a protected compliance system.

Hub evidence, wire metadata, audit logs, DMI/SVI history, and enrollment outputs require governed retention, redaction, access review, and export controls.

Operational continuity

Maintain one governed enrollment record across the full lifecycle.

Broker, agency, agent, consumer, application, selected plan, consent, DMI/SVI activity, 834 transaction, and audit evidence remain connected across every operating view.

Capability baseline

The pathway is grounded in concrete product, security, integration, and evidence capabilities.

The capability baseline links validated platform functions to the security, integration, and evidence controls needed for a corporate-grade broker and consumer enrollment platform.

Product capability Broker workspace, agency model, and consumer entry path

Dashboard readiness, role-aware navigation, broker portal functions, branded entry, application workflow, and EDE operating status.

Broker-agent requirements Broker hierarchy, producer validation, and minimum necessary access

OWNER/ADMIN/AGENT/SUPPORT boundaries, NPN validation, AOR consent, minimum necessary access, and audit evidence.

Security capability Identity, route control, data protection, and tamper-evident audit

Route gates, Okta/IAL2 path, MFA, CSRF, rate limits, geo control, encrypted PII, protected-data logs, and audit row hash.

Integration capability Marketplace services, CMS Hub transport, and downstream enrollment files

Plan search, SLCSP/APTC context, mTLS-ready Hub transport, idempotency, correlation IDs, evidence capture, and downstream carrier enrollment.