MediEco · Sprint 1.1 Kickoff Prep · Q1 Gate

1. 🎯 Sprint Summary

Sprint	1.1 (Foundation · M9)
Duration	11 May - 24 May 2026 (2 minggu)
Modules	M9 AUCM (cross-cutting foundation)
Goal	Audit log infra · auth/RBAC · 11-section Patient model · PII strip · HITL gate · feature flags · citation enforcer — semua MUST be ready before Sprint 1.2
Capacity	4 FTE (3 BE + 1 FE) + 0.5 Founder + 0.5 Doc Zam
Velocity target	52 SP (4 × 13 SP)
Gate at end	Internal demo · downstream M1/M4 unblocked

2. ✅ Q1 Preflight Gate Checklist (10 May 2026)

Sprint 1.1 cannot start tanpa semua items below cleared. Q1 = ALESA Preflight + Doc Zam blueprint sign-off.

2a. Blueprint Sign-off

Doc Zam reviews medieco.alesa.my (all 17 pages) · sign-off
Project Blueprint (charter · scope · RACI · timeline · risks · budget) acknowledged
Dev Blueprint (stack · API · schema · agents) reviewed · technical approval
All 9 module DETAIL specs walked-through with Doc Zam
Repo Scaffolding plan reviewed · executable
Onboarding Agreement template legal-reviewed · ready for Klinik signing
CPG ingestion sources confirmed · MOH PDF acquisition path clear

2b. Repo + Infra

GitHub org alesa-framework/medieco created · billing approved
Repo bootstrapped per /repo/ runbook · 10 init steps complete
CI pipeline runs green on first PR (lint · test · security · build)
Branch protection enabled (main · develop · 1 approval required)
CODEOWNERS · PR template · issue templates configured
Staging env LIVE at staging.medieco.alesa.my · health check passing
Vault secret manager configured · credentials distributed (eng team)
Docker compose dev stack running on each engineer machine

2c. Team & Resources

Eng Lead onboarded · contractual
2 BE devs hired · onboarded · access provisioned
1 FE dev hired · onboarded
Doc Zam advisory contract signed · 4h/week + intensive day-13 commitments
Slack/WhatsApp channels active (#medieco-eng · #medieco-clinical)
Mid-End hardware ordered (Sprint 2 deliverable but procurement long-lead)

2d. Klinik Pilot

3 candidate klinik identified for pilot
Lead klinik LOI signed (Letter of Intent · non-binding) by 15 May
Backup klinik B + C identified · contact established
Klinik IT readiness checklist sent · response received
Onboarding agreement reviewed by klinik (legal review their side)

2e. ALESA Preflight (per CLAUDE.md framework)

🔰 ALESA PREFLIGHT · Sprint 1.1
 Strand 1  AMANAH         — Doc Zam pitch dah approve · masa execute · klinik pilot eyes
 Strand 2  3 LAWS
   Law 1 Backup           — Repo + DB backup procedures documented before any prod write   ☐
   Law 2 Read Before      — All 9 modules + dev blueprint read by team · context full      ☐
   Law 3 Verify Plan      — Q1 gate checklist items 100% checked                            ☐
 Strand 3  RISK           — 🟠 ORANGE · large-scale build · clinical safety stakes
 Strand 4  HARM PREVENT   — Test data only Sprint 1.1 · zero real patient · audit log on Day 1
 Strand 5  SEHATI SEJIWA  — Founder + Doc Zam aligned · written sign-off · weekly review
 Conf: 90% (assuming Doc Zam sign-off received)

3. 📋 Prerequisites Verify

Item	Owner	Status target	Verify method
GitHub repo · CI · staging	DevOps lead	10 May DONE	Smoke PR green
Vault + secrets	DevOps lead	10 May	Token rotation tested
Eng team hired (4 FTE)	Founder	5 May	Contracts signed
Doc Zam advisory contract	Founder	5 May	Signed · pay schedule set
Klinik pilot LOI	Founder BD	15 May	Letter signed
MOH CPG PDF acquisition (top 10)	Eng Lead	10 May	Files available · curated
NPRA Drug DB access	Eng Lead	10 May	API key or scrape pipeline tested
OpenAI API key (cloud burst budget)	Founder	5 May	$1000 cap configured
Test data fixtures (Patient · RX · CPG sample)	Eng Lead	10 May	Loaded ke staging
Local dev environment per engineer	Eng team	10 May	docker compose up · all services healthy

4. 📅 Sprint 1.1 Day-by-Day

1Mon 11 May · Kickoff

Day 0 Sprint Planning (90 min · all team) · break down 50-SP epic
Repo init verification · branch feat/M9-foundation created
Auth scaffold start (Sanctum · Spatie Permissions) · seed roles
11-section Patient model migration draft

2Tue 12 May · Day 2

Patient migration finalize · 11-section + 6 related tables
Test fixtures · 50 sample patients (generic identifiers)
Auth + RBAC complete · 6 roles seeded · matrix tests

3Wed 13 May · Day 3

PII filter · regex 12 patterns + NER scaffold
Token map (per-tenant · vault stored)
Unit tests for PII strip (50 sample sentences)

4Thu 14 May · Day 4

PII filter complete · NER (Malay name model) integrated
Detok at UI layer (response middleware)
Smoke test ke OpenAI/Llama with PII test data · verify zero leak

5Fri 15 May · Day 5

Audit log table (PostgreSQL partitioned monthly)
Async writer (Redis stream → PostgreSQL)
Audit middleware (Laravel + Python)
Sprint mid-check informal · 30 min sync

6Sat 16 May · Day 6

Audit log query API (paginated · filter)
WORM enforcement (DB-level deny UPDATE/DELETE on audit_log)
50 sample audit events test (1000 writes/sec target)

7Sun 17 May · CPG Day 1

CPG pipeline scaffold · PDF extraction (PyMuPDF)
Chunking strategy implementation · semantic + overlap
BGE-M3 embedding · pgvector storage · HNSW index

8Mon 18 May · CPG Day 2

Retrieval API (cosine + BM25 hybrid + re-ranker)
Ingest top-10 MOH CPG (~12,000 chunks · ~30 min embed)
Doc Zam validation 50 sample queries (4h intensive)

9Tue 19 May · Day 9

HITL gate library (Python decorator + PHP middleware)
HITL UI prompt component (Filament · Livewire)
30-prompt jailbreak suite (security test)

10Wed 20 May · Day 10

HITL workflow end-to-end (request · pending · approve/reject · timeout)
Audit integration · per-action log
UAT prep · sample HITL scenarios

11Thu 21 May · Day 11

Feature flag service (Redis cache + DB) · admin UI
Feature flag audit (toggle each = audit event)
Default OFF for all 18 flags catalog (per Dev Blueprint)

12Fri 22 May · Day 12

Citation enforcer (response validator · retry logic)
Clinical safety block list (hardcoded · extensible)
Safety scenario tests (controlled drug · paeds dose >2× · etc)

13Sat 23 May · Integration · Doc Zam

End-to-end integration test (Patient · Auth · PII · Audit · HITL · Citation · Flags)
100% audit coverage check · sample 50 actions traced
Doc Zam intensive review (Day 13 mode) · 4h walkthrough
Issue list compiled · prioritised

14Sun 24 May · Demo + Retro

Sprint Demo (60 min · Founder · Doc Zam · team)
Retrospective (45 min · what went well/what to improve)
Merge feature branch ke develop · staging deploy auto
Sprint 1.2 (M1 Patient PA) prep · backlog grooming

5. 📦 Sprint 1.1 Deliverables

11-section Patient model + 6 related tables · migrations + seeders
Auth/RBAC · Sanctum + Spatie · 6 roles · matrix tested
PII filter · 12 PII types · regex + NER · 95%+ accuracy
Audit log · partitioned · WORM · query API · ≥1000 writes/sec
CPG library · 12,000 chunks ingested · retrieval <500ms · Doc Zam validated
HITL gate · decorator + middleware + UI component · 30 jailbreak attempts blocked
Feature flag service · 18 flags catalogued · default OFF · audit on toggle
Citation enforcer · response validator · 100% clinical claims cite source
Clinical safety block list · 10+ scenarios hardcoded · extensible
Integration test suite · 100% audit coverage · E2E pass
Documentation · ADR-001 (M9 architecture) · runbook updates
Doc Zam clinical sign-off pada CPG retrieval relevance

6. 👥 Team Capacity Allocation

Role	Allocation	Primary Tasks
Eng Lead (DevOps + Architecture)	1 FTE	Repo · CI · Auth scaffold · ADR · review
Backend Dev #1 (PHP/Laravel)	1 FTE	11-section Patient model · audit middleware · feature flags · HITL Laravel side
Backend Dev #2 (Python)	1 FTE	PII filter · audit writer · CPG pipeline · HITL Python side · citation enforcer
Frontend Dev (Filament + UI)	1 FTE	Admin UI · HITL prompt component · audit timeline · feature flag toggles
Founder (Architecture · oversight)	0.5 FTE	Sprint review · Q1 gate · Doc Zam coordination · risk monitoring
Doc Zam (Clinical advisory)	4h/week + Day 8 (4h) + Day 13 (4h)	CPG validation · safety block list · final sign-off

7. 🎯 Sprint Ceremonies

Event	When	Duration	Attendees
Day 0 Sprint Planning	Mon 11 May 9 AM	90 min	All team + Founder
Daily standup (async Slack)	Daily 10 AM	~5 min written	All team
Mid-sprint sync	Fri 15 May 4 PM	30 min	All team
Doc Zam CPG validation	Mon 18 May 2 PM	4 hours	Doc Zam · Eng Lead · Backend #2
Doc Zam Day 13 review	Sat 23 May 10 AM	4 hours	Doc Zam · Founder · Eng Lead
Sprint Demo	Sun 24 May 10 AM	60 min	All + Founder + Doc Zam
Retrospective	Sun 24 May 11 AM	45 min	All team

8. 📜 Doc Zam Sign-off Items

Critical for Sprint 1.1 success — Doc Zam written sign-off pada items below.

Pre-sprint (10 May): Blueprint sign-off (medieco.alesa.my v1.3 all 17 pages reviewed)
Pre-sprint: Onboarding Agreement template clinical clauses approval
Pre-sprint: CPG curated list (top 10 MOH CPG selection)
Mid-sprint (Day 8): CPG retrieval relevance (50 sample queries · ≥80% relevant)
End-sprint (Day 13): Clinical safety block list (10+ scenarios hardcoded review)
End-sprint (Day 13): M9 audit log review (sample 50 entries · MOH-readiness assessment)
End-sprint (Day 13): HITL workflow review (30 jailbreak prompts · safety verify)
End-sprint (Day 14): Sprint demo attendance + sign-off Q1.5 (mid-gate)

9. 🎤 Sprint Demo Agenda (Day 14 · Sun 24 May)

10:00-10:05  Welcome · attendance (Founder · Doc Zam · 4 eng team)
10:05-10:15  Sprint goals recap · 50 SP delivered
10:15-10:30  Demo: Auth + RBAC + 11-section Patient model
              · Login flow · role gating · sample patient CRUD
10:30-10:45  Demo: PII filter
              · Live LLM call with PII test data · zero leak verified
              · Token map + detok at UI
10:45-11:00  Demo: Audit log
              · Sample 50 actions traced · query UI walkthrough
              · WORM enforcement verified
11:00-11:15  Demo: HITL gate
              · Sample request → pending → approve flow
              · 30-prompt jailbreak resistance
11:15-11:30  Demo: CPG library
              · Doc Zam favorite query → relevant chunks retrieved
              · Citation card UI preview
11:30-11:45  Demo: Feature flags + Citation enforcer
              · Toggle flag = audit · LLM response without citation = blocked
11:45-12:00  Q&A + Doc Zam sign-off · sprint review
              · Sprint 1.2 (M1 Patient PA) preview
12:00-12:45  Retrospective (team only)

10. 🛡️ Contingency Plans

Scenario	Trigger	Response
Velocity behind	Day 9 burn <30% remaining for 50 SP	Trim citation enforcer (move ke Sprint 1.2) · keep audit + PII + HITL · M9 minimal viable
Doc Zam unavailable Day 13	Personal/professional conflict	Reschedule to following Mon · sprint demo Day 14 still go · async sign-off acceptable
Critical bug pre-demo	Integration test fail Day 12	Day 13 fully fix-mode · Day 14 demo focused on what works · honest disclosure on what's pending
NPRA/MOH CPG access blocked	Public PDF not available	Use cached versions from Doc Zam library · alternative: WHO guidelines as proxy
BGE-M3 model not loading on RTX 4090	VRAM fit issue	Use BGE-base-en-v1.5 (smaller · 768-dim) · accept reduced quality · upgrade hardware Sprint 2
Eng team capacity short	1 FTE ill / unavailable	Contractor pool activation · scope-trim feature flags ke Sprint 1.2 (non-blocker)
OpenAI API budget exhausted	Cloud burst usage > $200/wk	Hard cap · switch to local Llama-only mode · accept latency hit

🚨 STOP triggers (escalate Founder · halt sprint):

Critical safety bug blocks all dev (e.g. PII leak in CI)
Doc Zam withdraw approval mid-sprint
Klinik pilot LOI fails to materialize by Day 5