Coverage is harder to lose than to keep. By design.

Civitas Compliance breaks the noncompliance procedure into 15 sequenced phases. The phases cannot be skipped or reordered. Disenrollment requires passing through statutory notice, an active cure period, case-worker review, an alternative-eligibility check, and a hearing notice in that order. Each transition between phases is timestamped, hash-chained, and written to an immutable audit ledger.

Attempting disenrollment before the statutory deadline raises an exception. The platform refuses the operation in code, not in policy. The case-worker review exit is role-gated; an unauthorized actor cannot advance the procedure. The beneficiary sees the live countdown, the cure steps, and the current state in their mobile app. When the app is offline on a compliance-critical screen, a non-dismissible banner indicates the data may not reflect the latest state decision. Statutory basis: 42 U.S.C. § 1396a(xx)(6).

When a beneficiary sits on a volunteer waitlist because the state has run out of placements, the cure-period countdown legally suspends. The remaining days are preserved. When a slot opens, the countdown resumes at the exact value where it paused.

The legal basis is documented in the body of federal court precedent on Medicaid work-requirement waivers. Gresham v. Azar, 950 F.3d 93 (D.C. Cir. 2020) affirmed the lower-court vacatur of Arkansas Works; Stewart v. Azar, 366 F. Supp. 3d 125 (D.D.C. 2019) reached the same conclusion on Kentucky HEALTH. Both rulings established that administrative actions failing to consider the impact on beneficiary coverage carry an audit-posture risk. The beneficiary's mobile app surfaces a protection indicator and the precise remaining hours on every waitlist entry. The protection is not buried in a privacy policy; it is rendered on screen.

Compliance hours are GPS-verified at a registered worksite. The mobile app sends adaptive-cadence heartbeats throughout the session, with reporting frequency tightening as the beneficiary approaches the geofence boundary. Each heartbeat consumes a server-issued, single-use nonce. A replayed packet is structurally rejected. Production builds gate session issuance on Play Integrity and App Attest.

On the platform side, the device's reported position is checked against the worksite's registered boundary on every tick. Out-of-bounds positions are recorded as violations. Mock-GPS and impossible-accuracy signals raise anomaly flags for downstream review. Nothing about an hour entry is taken on the mobile client's word.

Every endpoint that returns beneficiary data writes an entry to the append-only audit ledger. The beneficiary reads the same audit trail from the mobile side. They see who accessed which media asset, when, and with what role.

Appeal events carry a per-event hash chained against the previous event. Tampering with one row breaks the chain visibly. Single-use download tokens prevent replayed PHI access. Screen-capture and app-switcher protections block exfiltration from the device side. The right of inspection that /platform Decision 01 (append-only ledger) guarantees architecturally becomes a feature the beneficiary can use.

The compliance determination engine is a deterministic, version-pinned rule evaluation. It has no AI input path. The CivicAI assistant is read-only by architecture: it can answer questions about the beneficiary's situation, but it cannot import, call, or mutate any function that affects compliance status. The architectural invariant is enforced by the lack of any code path between them. It is not a policy commitment.

Compliance rules cannot be invented at runtime. Exemption types are a closed enum (see /platform Decision 05 on closed-set actions). The 17 statutory exclusion categories are deterministically evaluated in a documented order. The 9 federal exemption categories from § 71119 are 9 enum members. There is no 10th. A new compliance rule requires a code change, a rule-version bump, and a deployment, not a configuration tweak.