1. 🎯 Sprint Summary
| Sprint | 3.3 (M8 CONT · Continuity Network · Multi-Tenant) |
| Duration | 29 Oct - 11 Nov 2026 (2 minggu) |
| Module | M8 CONT — Multi-Tenant Continuity + Cross-Clinic Record Portability |
| Goal | Multi-tenant data partition · clinic-scoped queries default · patient consent-led data sharing · cross-clinic record fetch · audit trail across tenants · base for onboarding 3-5 group clinics from 12 Nov. |
| Capacity | 5 FTE (3 BE + 1 FE + 0.5 DevOps) + 0.5 Founder + 0.5 Doc Zam |
| Velocity target | 52 SP |
| Blocked by | Sprint 3.2 (cross-PA bus tested at single-tenant) |
| Blocks | Onboard 3-5 group clinics (start 12 Nov) |
| Demo date | 11 Nov 2026 — Phase 3 closeout demo |
2. 🚦 Pre-Sprint Gate Checklist
- Sprint 3.2 demo passed (M6 in main)
- Multi-tenancy strategy decided (single-DB row-scoped vs schema-per-tenant)
- Patient consent flow for data sharing legally reviewed (PDPA + cross-clinic)
- Group clinic shortlist confirmed · 3-5 clinics signed LOI for onboarding
- Audit trail extended for cross-tenant access (M9)
- Performance baseline: tenant-scoped query latency < 200ms p95
- Penetration test scope including tenant-isolation drafted
3. 📋 Prerequisites
| Item | Owner | By |
|---|---|---|
| Multi-tenancy ADR (Architecture Decision Record) | Founder + Eng Lead | 27 Oct |
| Tenant model + migration scripts | BE | 28 Oct |
| Consent capture UI flow | FE Lead + Doc Zam | 28 Oct |
| Cross-clinic record fetch API spec | Eng Lead | 28 Oct |
| Group clinic LOIs signed | BD + Founder | 27 Oct |
| Pen-test plan reviewed | DevOps + Compliance | 28 Oct |
4. 🧩 Module Scope
- Tenant Model:
tenantstable · scoped middleware · query global scope · admin tenant switcher - Row-Scoped Migrations: Add
tenant_idto all 50+ existing tables · backfill · indexed - Patient Consent for Sharing: Granular toggle (encounters · allergies · Rx history · audio) · per-clinic recipient · revocable
- Cross-Clinic Record Fetch: Patient at Clinic B requests history from Clinic A · A receives consent verify · returns scoped bundle · audit both sides
- FHIR R4 Bundle Output: Standard interop format · Patient + Encounter + MedicationStatement + AllergyIntolerance resources
- Network Directory: List of MediEco clinics · contact · specialties · accept-referral status
- Tenant Admin Panel: Filament page · per-tenant config · branding · feature flags
- Pen-Test Pass: Tenant-isolation verified · cross-tenant data leak prevented
5. 🏗️ Multi-Tenancy Model
STRATEGY · Single-DB Row-Scoped (chosen) Reasons: · Simplest ops (one DB, one backup line) · Easy cross-tenant analytics (with admin scope) · Migration path to schema-per-tenant later if scale demands Layout: tenants (id, slug, name, type, plan, settings_json, ...) users (id, tenant_id, ...) <- existing tables get tenant_id encounters (id, tenant_id, ...) ...all 50+ tables... Middleware: · TenantScope global scope on all tenant-aware models · Auth resolves tenant from user · admin can switch · Cross-tenant fetch goes through explicit ConsentedFetch service · NEVER direct query Audit: · Every cross-tenant access logged: requester · subject · resource · purpose · consent_ref
6. 📅 Day-by-Day Plan (10 Days)
D1Wed 29 Oct · ADR + Tenant Model
Architecture decision recorded.
Architecture decision recorded.
tenants table · seed Doc Zam clinic + 3-5 group clinics.D2Thu 30 Oct · Migration Sprint
Add
Add
tenant_id to all tables · backfill · indexed · TenantScope middleware.D3Fri 31 Oct · Auth + Tenant Resolution
Tenant resolve from user · admin switcher · cross-tenant query block by default.
Tenant resolve from user · admin switcher · cross-tenant query block by default.
D4Mon 3 Nov · Consent UI Flow
Patient grants per-clinic per-resource consent · revoke flow · audit log.
Patient grants per-clinic per-resource consent · revoke flow · audit log.
D5Tue 4 Nov · Mid-Demo + Cross-Clinic Fetch
Mid-demo · ConsentedFetch service · scoped bundle return.
Mid-demo · ConsentedFetch service · scoped bundle return.
D6Wed 5 Nov · FHIR R4 Bundle
FHIR resource serialisation · Patient + Encounter + MedicationStatement + AllergyIntolerance.
FHIR resource serialisation · Patient + Encounter + MedicationStatement + AllergyIntolerance.
D7Thu 6 Nov · Network Directory + Admin Panel
MediEco clinic list · per-tenant config UI · branding · feature flags.
MediEco clinic list · per-tenant config UI · branding · feature flags.
D8Fri 7 Nov · Pen-Test Day 1
Tenant-isolation testing · cross-tenant access attempts · authorisation bypass.
Tenant-isolation testing · cross-tenant access attempts · authorisation bypass.
D9Mon 10 Nov · Pen-Test Fixes + Hardening
Address pen-test findings · perf check tenant-scoped queries · E2E.
Address pen-test findings · perf check tenant-scoped queries · E2E.
D10Tue 11 Nov · Phase 3 Closeout Demo
9am demo · 11am retro · 2pm onboarding kickoff (12 Nov).
9am demo · 11am retro · 2pm onboarding kickoff (12 Nov).
7. 📦 Deliverables
| FR | Item | SP |
|---|---|---|
| FR-8.1 | Tenant model + seed | 3 |
| FR-8.2 | tenant_id migration · all tables | 8 |
| FR-8.3 | TenantScope middleware | 5 |
| FR-8.4 | Tenant auth resolution + admin switcher | 5 |
| FR-8.5 | Patient consent UI · per-clinic per-resource | 5 |
| FR-8.6 | ConsentedFetch service + cross-tenant API | 8 |
| FR-8.7 | FHIR R4 bundle serialiser | 5 |
| FR-8.8 | MediEco network directory | 3 |
| FR-8.9 | Tenant admin Filament panel | 5 |
| FR-8.10 | Pen-test pass + hardening | 5 |
| TOTAL | 52 SP |
8. 👥 Team Capacity
| Role | Allocation |
|---|---|
| Eng Lead / BE | 1.0 FTE · architecture · ConsentedFetch service |
| BE Dev 2 | 1.0 FTE · migrations · TenantScope |
| BE Dev 3 | 1.0 FTE · FHIR · admin panel |
| FE Dev | 1.0 FTE · consent UI · directory · admin panel |
| DevOps / Security | 0.5 FTE · pen-test coordination |
| Founder | 0.5 FTE · ADR · BD · onboarding prep |
| Doc Zam | 0.5 FTE · consent flow review · network directory |
| QA | 0.5 FTE · tenant-isolation tests · E2E |
9. 🔔 Sprint Ceremonies
- Wed 29 Oct 9am — Sprint Planning + ADR walk (90 min)
- Daily 9am — Standup (15 min)
- Tue 4 Nov 4pm — Mid-sprint demo + cross-clinic fetch (45 min)
- Fri 7 Nov 2pm — Pen-test debrief (60 min)
- Tue 11 Nov 9am — Phase 3 Closeout Demo (90 min)
- Tue 11 Nov 11am — Sprint Retro + Phase 3 Retro (90 min)
10. 🩺 Doc Zam Sign-off Items
- Consent flow clinically + legally acceptable
- Cross-clinic data sharing scope clinically appropriate
- FHIR bundle clinically meaningful · receiving clinician test reads OK
- Network directory accurate · specialties verified
- Pen-test results acceptable · 0 high · ≤ 2 medium with mitigations
- Phase 3 closeout demo (11 Nov) — written sign-off · go-ahead for onboarding
11. 🎬 Phase 3 Closeout Demo — 11 Nov 9am (90 min)
| Time | Segment |
|---|---|
| 0-10 | Phase 3 narrative · M3+M6+M8 closed · onboarding starts 12 Nov |
| 10-25 | Multi-tenant walkthrough: 3 clinics in same DB · zero cross-leak |
| 25-40 | Patient consent flow · per-resource toggle · revocation |
| 40-55 | Cross-clinic record fetch live · FHIR bundle · audit on both sides |
| 55-70 | Network directory · admin panel · pen-test results |
| 70-80 | Onboarding plan · 3-5 group clinics · roles · timelines |
| 80-90 | Doc Zam sign-off · all 9 modules complete |
12. 🛡️ Contingency
| Risk | Trigger | Response |
|---|---|---|
| Migration breaks production | Backfill error | Stage on staging · backup before production migrate · rollback ready |
| Cross-tenant data leak | Pen-test finds high-sev | Hot-fix sprint · go-live blocked until fixed · external audit if needed |
| FHIR partner rejects bundle | Format invalid | FHIR validator pre-send · per-receiver adapter · escalate to ops |
| Group clinics LOI not signed | BD slip | Onboard remaining single-tenant · activate when clinic ready |
| Perf regression from tenant scoping | p95 > 200ms | Index optimisation · query rewrite · partial denormalisation |