Platform-Wide Authentication Standardization, Clinical Notes at Scale, and Aurora V2 Begins
A massive day across the Acumenus suite — 60 commits touching six repositories. The throughlines: a platform-wide push to standardize authentication using the MediCosts pattern, TypeScript migrations gaining serious momentum in multiple apps, and meaningful OHDSI clinical data work in Parthenon including surfacing 52.6 million clinical notes through a new Patient Profile tab.
Parthenon: Clinical Notes, HEOR Visualization, and Claims Search
The biggest Parthenon feature today is the Clinical Notes tab in Patient Profiles. This surfaces the OMOP CDM note table — 52.6M rows — through a paginated, on-demand UI positioned between the Visits and Precision Medicine tabs.
On the backend, PatientProfileService::getNotes() issues a paginated query against {cdmSchema}.note with LEFT JOINs to the concept table to resolve note_type, note_class, encoding, and language. Given the table size, we force index scans with SET enable_seqscan = off and impose a 10-second query timeout. The API endpoint (GET /sources/{source}/profiles/{personId}/notes) supports page and per_page params (max 100, default 50) and was registered explicitly before the catch-all show route in api.php to avoid routing conflicts.
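One way to write the query path described above, as an added example rather than Parthenon's own code. The function names, the PDO wiring, the page ceiling, the concept table living in the CDM schema, and the use of statement_timeout for the 10-second limit are all assumptions. The example scopes both settings with SET LOCAL so they end with the transaction instead of lingering on a reused connection, validates the interpolated schema name, and clamps paging to the documented default of 50 and maximum of 100.

```php
<?php
declare(strict_types=1);
// Hypothetical helpers (PHP 8+); limits come from the endpoint description above.
function clampPaging(mixed $page, mixed $perPage): array
{
    // Bad input falls back to defaults; the page ceiling is an assumed bound.
    $page = filter_var($page, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000000]]) ?: 1;
    $perPage = filter_var($perPage, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]) ?: 50;
    $limit = min($perPage, 100);
    return ['limit' => $limit, 'offset' => ($page - 1) * $limit];
}

function notesSql(string $cdmSchema): string
{
    // Identifiers cannot be bound as parameters, so validate before interpolating.
    if (preg_match('/\A[a-z_][a-z0-9_]{0,62}\z/', $cdmSchema) !== 1) {
        throw new InvalidArgumentException('invalid CDM schema name');
    }
    $s = '"' . $cdmSchema . '"';
    return "SELECT n.note_id, n.note_date, n.note_text, nt.concept_name AS note_type,
                   nc.concept_name AS note_class, en.concept_name AS encoding,
                   la.concept_name AS language
            FROM $s.note n
            LEFT JOIN $s.concept nt ON nt.concept_id = n.note_type_concept_id
            LEFT JOIN $s.concept nc ON nc.concept_id = n.note_class_concept_id
            LEFT JOIN $s.concept en ON en.concept_id = n.encoding_concept_id
            LEFT JOIN $s.concept la ON la.concept_id = n.language_concept_id
            WHERE n.person_id = :person_id
            ORDER BY n.note_date DESC, n.note_id DESC
            LIMIT :limit OFFSET :offset";
}

function fetchNotes(PDO $pdo, string $cdmSchema, int $personId, mixed $page, mixed $perPage): array
{
    $pdo->beginTransaction();
    try {
        // SET LOCAL lasts only until the transaction ends.
        $pdo->exec('SET LOCAL enable_seqscan = off');
        $pdo->exec("SET LOCAL statement_timeout = '10s'");
        $stmt = $pdo->prepare(notesSql($cdmSchema));
        $stmt->execute(['person_id' => $personId] + clampPaging($page, $perPage));
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } finally {
        $pdo->rollBack(); // read-only work: rollback also discards the SET LOCALs
    }
}

print_r(clampPaging('3', '500')); // constructed input: oversized per_page
```

Note that enable_seqscan = off only makes sequential scans unattractive to the planner; it still needs a usable index on person_id for the query to finish inside the timeout.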
On the frontend, the PatientNotesTab component renders expandable note cards with type and class badges, date/provider/visit metadata, and a 300-character collapsible preview rendered in monospace. Pagination controls appear at both the top and bottom of the list. Like the Precision Medicine tab, notes load on-demand rather than with the initial profile fetch — a deliberate decision to keep first-load performance fast against this volume of data.
Also shipped today: HEOR analysis tooling — a seeder for analysis data, fixes to evidence synthesis, and a new Claims Explorer tab with dedicated visualization charts. The Claims Explorer is backed by a new Solr core for claims data, with clinical notes indexing also added to the search infrastructure. A companion db:sync Artisan command handles bidirectional sync between local PostgreSQL and Docker PostgreSQL — useful for keeping dev environments aligned without manual dumps.
Authentication Standardization Across the Suite
A clear architectural pattern emerged today: every app is converging on the MediCosts-style auth flow — temporary passwords delivered via Resend, enforced security headers, and consistent session/token handling.
- MediCosts itself continued hardening: Zod validation for auth endpoints, tightened CORS policies, compression middleware, and explicit auth enforcement rules to lock down the paradigm.
- Aurora implemented MediCosts-style auth with Resend temp passwords alongside Spatie RBAC and enhanced security headers.
- Medgnosis implemented the same auth flow with Resend integration.
- MindLog added MediCosts-style demo auth with direct bcrypt login — a lighter variant appropriate for its use case.
- Zephyrus implemented the full MediCosts auth pattern with Resend, plus re-enabled CSRF protection that had been disabled across routes (an important security fix).
Having a single, well-understood auth pattern across all six apps will pay dividends in maintenance and onboarding.
Aurora V2: A Ground-Up Overhaul Begins
Aurora is getting a significant redesign. Today's commits laid the foundation for Aurora V2, documented in a new design document committed alongside the code. The scope is substantial:
- TypeScript migration underway — tsconfig added, 11 core components converted.
- Frontend architecture modernized with Zustand stores, TanStack Query for data fetching, a command palette, and a toast notification system.
- Backend restructured with a proper service layer extracted from fat controllers, FormRequest classes for validation, an ApiResponse helper for consistent API shape, and centralized exception handling.
- Infrastructure wired up: Docker Compose, design tokens, and a full CI pipeline with Pest (PHP), Vitest (unit/component), and Playwright (E2E) test runners.
- Spatie Permission RBAC added with health check endpoints and registered API routes.
This is a comprehensive modernization — Aurora V2 is being built with the same architectural standards as the rest of the mature Acumenus apps.
Zephyrus: Matching Aurora's Architecture
Zephyrus received a parallel modernization effort today, largely mirroring what landed in Aurora:
- Acumenus Clinical design system implemented with a responsive sidebar layout.
- Zustand + TanStack Query replacing ad-hoc state management.
- TypeScript migration — tsconfig, core layouts, contexts, and hooks converted.
- Service layer extraction from fat controllers with FormRequest classes.
- Spatie Permission RBAC replacing hardcoded admin logic.
- Docker Compose + CI pipeline with Pest/Vitest/Playwright.
Medgnosis: API Docs, Tests, and Component Cleanup
Beyond auth, Medgnosis shipped Swagger API documentation, keyboard shortcuts, and a command palette today. The test suite was expanded with unit tests covering risk scoring logic, auth routes, schemas, and the error handler. A refactor split oversized page components and introduced an error boundary — both overdue improvements for a component tree that had grown unwieldy.
MediCosts: TypeScript Migration Begins
MediCosts started its own TypeScript migration today: tsconfig added, with the auth middleware, database module, logger, and validation utilities as the first converted files. The nightly pipeline also had its blog stage removed to streamline CI.
What's Next
- Continue TypeScript migration in MediCosts — the auth layer is converted; database query modules and API handlers are next.
- Aurora V2 design document review — the overhaul is ambitious and will need staged validation.
- Parthenon Claims Explorer: Solr indexing pipeline for claims data needs verification at scale before the tab goes to production.
- Evaluate whether the MindLog bcrypt-direct auth variant needs Resend integration parity or if the simpler flow is appropriate long-term.
- Extend PHPStan coverage in Parthenon following the notes tab addition.