EDE is positioned as a required broker and consumer operating capability, not a side portal.
WHPS already has proof that the future platform can be built safely.
GroupLink Portal and the broker/agent pathway build are the visible proof points for a repeatable AI-native delivery capability: modern user experience, secure full-stack engineering, regulated-data controls, audit evidence, and a path to move ServiceLink Portal and other mainframe-dependent capabilities into the same target architecture.
The meeting moves from business rationale into architecture, security, flows, and the application.
The cadence uses the EDE broker portal investment case as input while keeping the discussion focused on strategy, platform evidence, architecture, security, and the live workflow path.
The why-now thesis connects regulatory shift, broker distribution, retention, growth, and HPS differentiation.
Broker/agent pathway security posture, EDE flow, platform controls, evidence model, and architecture diagrams establish the technical foundation.
The MarketLink path runs from broker access through agency control, application, plan shopping, consent, and evidence.
Certification work, security validation, AI SDLC cadence, migration pattern, owners, and decisions close the discussion.
Why HPS moves now
The EDE strategy is a platform move: modern broker enrollment, white-label consumer entry, ServiceLink billing and reconciliation depth, secure evidence capture, and a repeatable modernization pattern for the broader ACA operating platform.
CMS is moving the market toward EDE capabilities, which makes broker enrollment, evidence, auditability, and partner readiness a near-term operating requirement.
The portal must support agency hierarchy, book-of-business visibility, application status, consent, documents, and service follow-up in one governed workspace.
The stronger story is the connection to billing, reconciliation, service workflows, EDI, compliance evidence, and operational support.
Funding is concentrated on certification gap closure, security hardening, audit evidence, broker workflows, and production readiness before broader monetization.
One page to answer: what is underway, what changed, what proves capability, and where the evidence lives.
This is the live status route for AI SDLC, product modernization, security model, and staff realignment proof. These workstreams are the concrete examples.
GroupLink Portal modernization
Moves group and CSR operations from an antiquated legacy experience toward a modern Group platform.
- Prior state: legacy PHP-style CSR workflow with dense screens, manual navigation, and green-screen-like operational patterns.
- Target state: modern group administration, census, renewals, billing context, reporting, and delegated operations.
- Near-term marker: Christos onboarding is targeted for June 2026 and validated through the release plan.
Broker/agent pathway greenfield build
Demonstrates that WHPS can engineer a regulated, secure, modern full-stack platform using the AI SDLC.
- MarketLink is treated here as the greenfield build lane feeding the regulated broker/agent capability story.
- Documented controls include TLS termination, SSO/MFA, role-based access, encryption keys, audit logs, and health checks.
- Independent assessment is planned to begin the week of May 11, 2026, followed by penetration testing, vulnerability scanning, and CMS audit handoff.
ServiceLink Portal and mainframe exit
Uses GroupLink and the broker/agent pathway as evidence that the same pattern can migrate member service and core domains.
- Repeatable factory: capability discovery, domain service design, AI SDLC build, target security, audit packet, dual-run, and decommission.
- Legacy remains evidence context and validation input; it does not define the future architecture.
- Next proof: ServiceLink member journey, billing parity, secure inbox, coverage lineage, and mainframe retirement ledger.
Staff realignment into AI-native teams
Moves the IT model from project-by-project handoffs into product teams with evidence, security, and QA embedded.
- Roles align to product ownership, platform architecture, secure engineering, QA automation, evidence control, operations, and SME validation.
- Output is measured by released capabilities, risk reduction, audit readiness, and retired legacy cost.
- Team structure is tool-agnostic: the process is WHPS AI SDLC Factory governance, not dependency on one vendor tool.
From legacy CSR operations to a modern group platform.
The goal is not to preserve the old screen pattern. The old experience tells us which operational jobs, validation rules, and service states matter. The future experience organizes those into a cleaner, role-aware, auditable GroupLink Portal.
Illustrative reconstruction based on the described current-state pattern. Approved production captures can replace this visual after privacy review.
Census, billing, renewal, delegated admin, documents, and service evidence in one role-aware view.
File received, mapped, and validated with exception queue.
Eligibility changes, renewal package, and approvals staged.
Invoice, payment status, reconciliation, and service cases linked.
Role, action, source system, approval, timestamp, document, exception, and rollback reference.
Target-state visual for leadership discussion. Production captures can replace this visual after UX approval, privacy review, and release readiness.
Old CSR workflow walkthrough
Dense legacy navigation, manual lookup, memo-code interpretation, back-office handoff, and field-by-field updates establish why a target-state redesign is necessary.
Future GroupLink product flow
The modern interface path covers group search, onboarding status, census validation, billing context, renewal approval, delegated administration, and evidence review.
From screen replacement to operating-model replacement
The legacy screen teaches the business rules. The future product changes the work pattern: guided workflows, reusable services, audit trails, and AI SDLC-controlled releases.
| GroupLink work underway | What changes from prior state | Evidence to collect | Leadership answer |
|---|---|---|---|
| Christos onboarding path | Moves onboarding out of tribal knowledge and screen-by-screen CSR handling into a visible workflow. | Onboarding checklist, release plan, role matrix, UAT signoff, issue log. | We are proving the new GroupLink operating model on a named onboarding path. |
| Group administration and delegated operations | Replaces opaque legacy menus with role-aware tasks, approvals, and audit history. | Group role model, delegated admin policy, audit events, access review evidence. | Group administration becomes governable instead of dependent on individual CSR navigation. |
| Census, eligibility, and renewal workflow | Moves files and exception handling toward validation queues, data quality checks, and replayable evidence. | Census validation rules, exception report, eligibility lineage, renewal task ledger. | The same pattern becomes the foundation for ServiceLink coverage and member-facing parity. |
| Billing context and service visibility | Surfaces invoice, payment, reconciliation, and support context without jumping between legacy screens. | Billing service contract, source-of-record map, reconciliation proof, support workflow evidence. | We reduce operational friction while preserving source-of-record integrity. |
MarketLink shows a greenfield, secure, audit-facing build capability for regulated broker and agent workflows.
This is the strongest proof point because it is not just a design deck. Available evidence shows deployment, security remediation, role, data, health, audit, and requirement maturity. Final third-party outcomes are still pending and will be added when the reports arrive.
How the broker/agent pathway proof point becomes audit evidence
Every step has a controlled artifact rather than a verbal assurance.
On-prem capable, containerized or manual deployment
The deployment guide defines Docker and manual paths, application port 3000, PostgreSQL on port 5432 as private-network paths, reverse-proxy TLS termination, health endpoint checks, migration commands, and backup/DR expectations.
SSO/MFA and role-based boundaries
Okta SSO is the target authentication path, MFA is required for CMS-aligned control expectations, and credentials-based access is documented as audit-period-only rather than production default.
Dedicated secrets and encrypted sensitive data
The guide calls for unique keys for application session signing, PII encryption, MFA secret encryption, and compliance artifact access. Loss of keys is documented as unrecoverable for encrypted data.
AuditLog and long-retention evidence
The deployment collateral identifies an AuditLog table with 10-year retention planning and admin/owner-only audit access, making release and operational actions traceable.
| Evidence source | What it proves | Why it matters to leadership | Residual item |
|---|---|---|---|
| Broker Portal requirement matrix | 134 requirements across integrations, plan/benefit configuration, quoting, enrollment, payments, fulfillment, book of business, analytics, broker, commission, and group capabilities. | The build is tied to a real product requirement baseline, not an experimental demo. | Map each requirement to release, owner, test, and evidence ID. |
| MarketLink deployment guide | Defines infrastructure, ports, database, TLS, SSO/MFA, environment variables, health checks, backup, and pre-go-live security checklist. | Shows operational maturity and deployment specificity for a regulated platform. | Confirm production hostname, certificate authority, network rules, monitoring, and runbook ownership. |
| Security remediation final status | Documents 45 findings with 40 fixed, including critical MFA, credentials, encryption, IDOR, redirect, mass assignment, and password-control issues. | Shows the team can find, fix, and evidence serious security issues before production. | Close infrastructure items: Redis-backed rate limiting, trusted IP source, NIPR API verification, and CSP exception tracking. |
| Planned independent assessment path | Third-party audit starts the week of May 11, 2026, followed by penetration testing, vulnerability scanning, and CMS audit handoff. | Creates double and triple confirmation that the capability can be validated outside the delivery team. | Add final auditor report, scan results, CMS submission artifacts, and exception disposition when received. |
MarketLink also proves the audit package can be built as part of the delivery process.
The local evidence archive includes generated manifests, screenshot metadata, control maps, security evidence, and CMS/EDE readiness artifacts. The review-ready vault publishes 2,337 actual files that can be opened from the executive status deck.
Use GroupLink and the broker/agent pathway as the playbook for ServiceLink Portal and mainframe modernization.
The answer is not "copy the tool." The answer is "copy the governed method." The platforms may differ, but the operating method, evidence gates, security posture, and decommission logic stay consistent.
Extract interfaces, data stores, batch/file jobs, roles, screens, hidden rules, failure modes, and audit obligations.
Define member, group, broker, coverage, billing, document, payment, notification, and service domains.
Use model-agnostic teams, scoped workspaces, code standards, evals, scans, approvals, and release packets.
Run automated tests, security scans, red-team replays, parity checks, UAT, audit samples, and pilot telemetry.
Use facade APIs, event bridges, reconciliation, manual override, rollback, and operations runbooks during transition.
Only count transformation value after retired jobs, screens, licenses, integrations, and run costs are evidenced.
Staff realignment shifts work from legacy task handling to product, platform, security, and evidence roles.
This is how leadership can explain the workforce story without making it tool-specific: people move closer to product outcomes, controls, reusable platform services, QA automation, operations, and regulated evidence.
Portal product owners
Own ServiceLink Portal, broker/agent pathways, GroupLink Portal, and Contact Center AI outcomes, roadmaps, acceptance criteria, and business readiness.
Domain and platform architects
Own target architecture, domain-service boundaries, integration patterns, security zones, technical debt, and ADRs.
AI SDLC delivery teams
Build through controlled scoped workspaces, coding standards, code review, tests, secure release gates, and deployment evidence.
Security and compliance embedded reviewers
Own threat modeling, PHI/PII controls, SSO/MFA posture, scan disposition, audit artifacts, POA&M, and exception management.
QA automation and evidence control
Own regression, service tests, parity scorecards, AI evals, UAT, traceability, and monthly evidence packets.
SRE and transition operations
Own monitoring, incident response, runbooks, backup/DR, certificate rotation, rollout controls, rollback, and decommission proof.
Dedicated routes connect each discussion topic to the answer surface.
These routes keep the discussion coordinated across product details, AI SDLC methodology, security controls, staff realignment, and migration proof.
Model-agnostic delivery process, gateways, team orchestration, release gates, evals, and evidence controls.
Proof point: Broker/agent pathway. Greenfield regulated platform build, deployment controls, remediation evidence, third-party audit path.
Evidence accelerator: MarketLink evidence walkthrough. ControlFrame-style collection flow, 2,337 published evidence files, review-ready control register, demo media, and audit packet proof.
Proof point: GroupLink modernization. Prior-to-current-to-future state story for group operations and the June 2026 Christos onboarding target.
Operating model: Staff realignment. How staff shift into product, architecture, secure delivery, QA automation, evidence, and operations roles.
Modernization: Mainframe exit strategy. Outcome-driven rebuild, coexistence, validation, dual-run, rollback, wave gates, and decommission ledger.
Evidence: Reviewer question map. RACI, coding standards, approved tools, product selection, runbooks, EDE, security, and audit evidence.