Under the Hood

How BHR Is Built

BHR is a gated, audited operating system. Every layer is tested, every decision is logged, and no commit ships unless all suites pass.

System Diagram

The layers, top to bottom.

Natural language in, audited action out — with a gate between every stage.

Natural Language Input

Sophie — plain language questions, commands, reviews

Intent Router

Maps language to the correct module and action

Permission Check

RBAC enforced server-side on every route — not just hidden in the UI

Domain Services

RCM, ATS, Compliance, HR, Workflows, Admin

Postgres + pgvector

Structured records, vector embeddings, append-only audit log

Audit Log

Every action: who, what, when, why — written permanently, never overwritten

Gate Runner (alongside every layer)

228 automated checks across all modules run before any commit ships. Green = ships. Red = blocked.

The Gate

The gate is the enforcer, not the reviewer.

No human needs to decide whether something is safe to ship — the gate decides. If the full suite does not pass, nothing merges.

Every commit triggers a run of 228 automated checks across 7 modules: RCM (53), ATS (43), Compliance (36), HR (23), Workflows (22), Sophie (35), Monitoring (16). Every suite must be green. A single failing check blocks the merge.

This is not a quality suggestion — it is a hard gate. The goal is that no one has to trust a reviewer's judgment about whether the code is correct. The gate tells you.

Last gate run

228 checks total

228 passing

0 failing

Numbers sourced from the project STATUS.md. Updated on each gate run — not a manual claim.

The Audit Trail

Every decision is a permanent record.

Append-only

Audit events are written once. They cannot be edited or deleted. The record is what happened — not what someone wanted it to say.

Timestamped and attributed

Every event carries who performed it, when, and what changed. When an auditor asks, the answer is already there — not reconstructed from memory.

Operator notes

Human decisions get a reason field. If a billing flag is overridden, the reason lives in the audit trail. The record explains itself.

PHI Boundaries

Triple-lock by construction.

Protected health information is handled with a layered isolation model. No PHI touches the build pipeline.

Isolation

PHI lives in a separately governed data boundary. It does not touch the test pipeline, the demo environment, or any synthetic-data path. Boundaries are enforced by architecture, not by policy alone.

Recommend-only AI

The AI layer (Sophie) operates in recommend-only mode. Sophie does not store PHI, does not auto-act on PHI, and does not produce clinical determinations. Every output requires explicit human approval.

BAA before real data

A signed Business Associate Agreement must be in place before any real patient data enters the system. Until then, the platform runs entirely on synthetic, zero-PHI test data — enforced by the gate.

Read how we built it.

The full build methodology — agents, gates, ledger, and the discipline behind every green check.

How We Built It Request a Demo