For: Curt (owner) and Geoff
Date: 2026-06-30
Status: Designed and ready for decision. Built and verified per phase, not yet live.
One book. One voice. One place to work a patient. Set up so it cannot quietly break and so we can undo any step.
1. The problem, in one page
Envista today runs two engines that both think they are in charge of the patient.
Engine one is GoHighLevel (GHL). It catches ad leads, texts them fast, books appointments on its own calendars, and runs confirmation, reminder, and no-show chase sequences. It is good at catching strangers from ads. It has one fatal blind spot: it cannot see the real clinical schedule.
Engine two is the clinical system. Platinum is the real appointment book the office actually works from. Aloha (Review Wave) sits on top of Platinum and sends the practice's patient messages, reminders, recall, and review requests. This is the engine the front desk trusts.
These two engines collide in two ways, and both are visible to patients.
They double-book. GHL books a slot it believes is open, but it is guessing, because it cannot read Platinum. So two patients can land on the same real time. The provider asks why a slot is empty, or two people show up for one chair.
They double-contact. A patient who books gets a confirmation and reminders from Aloha and, at the same time, a separate set of texts, emails, and even robocalls from GHL. A patient who no-shows gets chased by both engines at once. A patient a staffer is personally calling back also gets an automated blast. To the patient it looks like the practice is disorganized and does not know who they are.
The root cause is simple: two systems each believe they own the calendar, and two systems each believe they own the conversation. Every fix in this plan enforces one fact instead. Exactly one system owns the schedule. Exactly one system is the active owner of each patient at each step. And no system contacts a patient without first checking that it is the active owner and that the patient is not already being handled.
There is one more truth this plan is honest about up front. We cannot physically force GHL and Aloha to ask permission before every message they send, because they are closed systems we do not control from the inside. So the real mechanism is: turn the competing senders off, give ownership to one system at each step, and watch everything with an audit log that catches any leak. That is a smaller, more honest claim than a magic gate, and it is the one we can actually deliver.
2. The target state: one source of truth and who does what
The schedule of record is Platinum. The only thing allowed to write the clinical book is Aloha (through its on-site Bridge to Platinum). Nothing else writes the clinical calendar.
A coordination layer called n8n is the nervous system. It is not a system of record. It carries events between systems, keeps one shared patient record, decides who owns each patient, and logs everything. Patient records and uploaded files live on HIPAA-eligible AWS once a signed agreement is in place.
| System | Owns | May read | May never do |
|---|---|---|---|
| Platinum (the PMS) | The appointment book and the clinical and billing truth | Its own data | Be bypassed, or receive writes from anything except the Aloha Bridge |
| Aloha / Review Wave | The only write path to the clinical calendar; confirmations, reminders, recall, reviews for booked and existing patients; automated no-show and cancel recovery | Platinum's real availability | Catch cold ad leads; blast a patient a staffer is actively working |
| GoHighLevel (GHL) | Acquisition only: catch ad leads, fast first text, qualify, hand off to booking. Owns the ad number 661-241-9360 | Aloha availability as read-only; booked and resolved status via n8n | Own a clinical calendar; confirm, remind, or chase a booked clinical appointment; contact a patient Aloha or the Lead Desk is handling |
| SNRG Lead Desk | The single human work surface for retention, win-back, reactivation, and abandoned-booking follow-up; consent check; per-staff outcome capture | Aloha schedule, texts, consent; its own outcomes | Catch new ad leads; write the clinical calendar (it sets status, not slots); auto-blast at scale |
| n8n (the bus) | The integration layer: every cross-system event, the shared patient record, the ownership and suppression rules, the identity map, the audit log, and the reconciliation sweep | All systems via their APIs | Be a system of record; make clinical decisions; store patient files at rest |
| AWS (HIPAA-eligible, under a signed agreement) | The durable store for patient records and uploaded files, plus the structured patient-state, consent, and audit data | Its own data | Be patient-facing; replace Platinum as the schedule; hold any real patient data before the agreement is signed |
One sentence: GHL gets a stranger to a consult. Aloha owns the booked patient's schedule and routine messages. The Lead Desk works the lapsed or abandoned patient back. n8n makes sure no two of them ever touch the same patient at once. AWS is where records and patient data actually live.
A note on the schedule, because it is the load-bearing fact: writing an appointment down into Platinum is not the same as reading Platinum's real open slots. The Bridge today pushes appointments down into Platinum, but the setting that lets Aloha read Platinum's true per-slot openings ("Use Bookings") is currently off. Until that is on and proven, Aloha books inside broad office-hours blocks and can double-book a real slot all by itself, with GHL completely out of the picture. Fixing that toggle is the first real gate of this plan, not an afterthought. This is covered in Phase 1.
3. The patient journey, stage by stage, with zero overlap
Ownership is a label on each patient. At any moment exactly one system is the active owner. A system may act only if it is the active owner. Every "stop" for one system is also a "hand to the next owner," so a patient is never both double-handled and never dropped into silence.
Stage 1, cold ad lead. Owner: GHL. The lead hits 661-241-9360. GHL sends the fast first text and qualifies, through exactly one acquisition path. Aloha and the Lead Desk stay silent.
Stage 2, qualified and ready to book. Hand off from GHL to Aloha. GHL shows the patient real availability (read-only) and the patient picks a time, but the actual booking is written by Aloha into Platinum through the Bridge. GHL never books on its own.
- Ship-now path: GHL hands off the Aloha booking link.
- End-state path (optional, later): GHL's assistant books directly into Aloha, so the patient still gets "we booked it for you" but it lands in the one real book.
Stage 3, booked. Owner: Aloha. Every confirmation, reminder, and reschedule message for a booked appointment comes from Aloha, on the practice's normal patient-text identity. GHL's competing reminder sequences are turned off here. This is the single biggest source of double-texting today.
Stage 4, visit attended. Owner: Aloha for routine messages, Platinum for the clinical record. Aloha runs the review request and schedules the next recare. Clinical notes live in Platinum; any uploaded records live in AWS.
Stage 5, no-show or cancel recovery. Owner: Aloha first, then the Lead Desk. Aloha runs the automated rebook nudge. n8n runs a timer. If the patient does not rebook inside the set window, they surface in the Lead Desk human queue, never both at once.
Stage 6, lapsed or dormant win-back. Owner: Lead Desk. When recare does not rebook within the lapse window, the patient surfaces in the Win-Back queue with the churn reason, value tier, and a claim-safe script. Staff work them on one screen with a tracked call line, with a consent check, and capture the outcome. No GHL win-back, no Aloha blast at that patient mid-conversation.
Stage 7, abandoned booking. Owner: Lead Desk. If a brand-new person abandoned inside the GHL ad funnel and was never a patient, GHL may make one recovery touch then hand off to the Lead Desk. If they are an existing patient, the Lead Desk owns it from the start.
Stage 8, recovered and re-booked. Owner: back to Aloha. The Lead Desk books the patient through Aloha (it sets status, it does not create a parallel slot). Once booked, every system stands down so a recovered patient is never chased again after saying yes.
Stage 9, resolved or opted out. Owner: none acts. A withdrawal of consent or a "resolved" mark is written once and honored by all systems.
Re-entry rule (so no one is permanently silenced). "Resolved" is not a dead end. If a resolved patient reaches out again or a new lead comes in for them, ownership re-opens automatically (to GHL or the Lead Desk depending on whether they are an existing patient). The only exception is a legal opt-out of a specific channel, which still bars that channel even if everything else re-opens.
The invariant across all stages: one active owner, and every sender checks ownership and cooldown before it acts.
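The gate described in this section, written out as an added example (it is not code from the plan, from n8n, GHL, Aloha, or the Lead Desk). The stage names, the patient record shape, the 2-hour cooldown and the reason strings are assumptions; the ordering of the checks follows the text: channel opt-out first, then active owner, then the transactional exemption, then the claim and cooldown checks that apply only to outreach.

```javascript
// Added example, not code from the Envista plan or any of its systems.
// Stage names, record shape, 2-hour cooldown and reason strings are assumptions.

// Active owner at each stage (Section 3); null means no system acts.
const STAGE_OWNER = {
  cold_lead: "ghl",
  ready_to_book: "aloha",
  booked: "aloha",
  attended: "aloha",
  noshow_auto: "aloha",     // Stage 5 before the rebook window expires
  noshow_human: "leaddesk", // Stage 5 after the window
  winback: "leaddesk",
  abandoned: "leaddesk",
  recovered: "aloha",
  resolved: null,
};

// Messages that ride on an active booking are never held by the outreach
// cooldown (Section 7: cooldown is scoped to outreach only).
const TRANSACTIONAL = new Set(["confirm", "remind", "reschedule", "recare"]);

const COOLDOWN_MS = 2 * 60 * 60 * 1000; // assumed 2-hour outreach cooldown

// Decide whether `sender` ("ghl" | "aloha" | "leaddesk") may send a message of
// `kind` on `channel` to `patient` at time `now` (ms since epoch). `actor` is
// the staffer name when the sender is the Lead Desk. Returns { ok, reason } so
// the Lead Desk card can show the reason in plain language.
function mayContact(patient, sender, kind, channel, now, actor) {
  // A legal opt-out of a channel bars that channel regardless of ownership.
  if ((patient.optOut || []).includes(channel)) {
    return { ok: false, reason: `opted out of ${channel}` };
  }
  if (!(patient.stage in STAGE_OWNER)) {
    return { ok: false, reason: `unknown stage ${patient.stage}` };
  }
  const owner = STAGE_OWNER[patient.stage];
  if (owner === null) return { ok: false, reason: "resolved, no system acts" };
  if (owner !== sender) return { ok: false, reason: `${owner} owns this patient` };
  if (TRANSACTIONAL.has(kind)) {
    return { ok: true, reason: "transactional message from the owner" };
  }
  // Outreach only: a staffer who has claimed the card blocks everyone else.
  if (patient.claimedBy && patient.claimedBy !== actor) {
    return { ok: false, reason: `${patient.claimedBy} is working this now` };
  }
  // Outreach only: honour the cooldown stamp written by the last contact.
  if (patient.lastContactAt && now - patient.lastContactAt < COOLDOWN_MS) {
    const until = new Date(patient.lastContactAt + COOLDOWN_MS).toISOString();
    return { ok: false, reason: `in cooldown until ${until}` };
  }
  return { ok: true, reason: "owner, no claim, cooldown clear" };
}

// Every outreach contact writes the cooldown stamp (Section 4, Lead Desk rule).
function recordContact(patient, now) {
  return { ...patient, lastContactAt: now };
}

// Constructed sample records, not real patients.
const NOW = Date.parse("2026-07-01T14:00:00Z");
const SAMPLE_PATIENTS = {
  booked: { id: "p1", stage: "booked", optOut: [] },
  winback: {
    id: "p2", stage: "winback", optOut: [], claimedBy: "Maria",
    lastContactAt: NOW - 10 * 60 * 1000,
  },
  resolved: { id: "p3", stage: "resolved", optOut: ["sms"] },
};
```

Running the sample through `mayContact` shows the three outcomes the Lead Desk card is meant to display: Aloha may remind the booked patient while GHL is refused with "aloha owns this patient"; a second staffer is refused with "Maria is working this now"; and Maria herself is refused with "in cooldown until …" until the stamp from her last contact ages out.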
4. What changes in each system: keep, disable, build
The principle is simple. GHL keeps acquisition and loses every booked-patient and retention sequence. Aloha keeps transactional messages for booked patients and loses the right to blast a patient someone is working. The Lead Desk becomes the one human surface and the one place consent is checked.
Every change below is change-managed: back up the item first, show Geoff the exact list, flip nothing live until signed off, and pause rather than delete so we can undo instantly.
Honest mechanism note
n8n cannot stand in front of an Aloha message or a GHL message and block it in real time. Those engines send on their own. So the real enforcement for GHL and Aloha is turning the competing senders off and giving ownership to one system, backed by an audit log that catches anything that leaks. The only true "ask before you send" gate exists for the surfaces SNRG controls (the Lead Desk and the custom booker). Calling it a universal gate would be a lie; this is what actually protects the patient.
The exact GHL firewall list
In GHL (location 3o1MWtLG9ODFq5yH98CA), do the following:
Disable / firewall:
- Both AI booking bots (appointment_booking_conversation_ai) that write into the GHL Chiropractic calendar (CN65yHvTTkreWiIHlFfC) and Weight Loss calendar (MJp4VzLTJuNJzQRljtTr). They book blind to Platinum. If kept for lead capture, they may only show read-only availability and hand the actual booking to Aloha.
- In Simplicity AI: repoint Outcome to Booked Appt and Outcome to Already Scheduled to fire the Aloha handoff, not a GHL-calendar booking.
- Consultation Call confirmation and reminder sequence (the 24h / 6h / 1h cadence). Disable; Aloha owns reminders.
- Consultation No-Show 5-day and Consultation Cancelled 5-day sequences. Disable; Aloha and the Lead Desk own recovery.
- 11 No-Show Nurture (the Retell robocalls). Disable; no patient gets chased by text, email, and a robocall at once. Note: this and the No-Show and Cancelled 5-day sequences above move into the early enforcing phase (Phase 2), not later, because no-show double-contact is a booked-stage problem.
- The "Appointment" workflow on the inactive Med-spa calendar. A dead branch; disable so it cannot fire on a stray re-activation.
- NP DAY 0 (the welcome on new-contact). Keep, but firewall: only fire it for genuinely new GHL leads, never for a patient Aloha already booked.
- Any GHL win-back, reactivation, or dormant nurture. Disable entirely; the Lead Desk owns retention.
- Confirm the "stop when booked" exit is wired to the shared booked status from n8n, not just GHL's own internal booking, so acquisition hard-stops the moment a real booking arrives anywhere.
Keep and extend (load-bearing): the SNRG Booking Tagger (extend it into the booked-suppression hook), the Weight Loss Lead Form (Meta) capture, and the New Patient / Report of Findings capture-and-qualify flow. These are legitimate top-of-funnel.
Retire as clutter (no patient impact): the Agency callback workflows, all LCS workflows and their calendar, the B2B/B2C workflows, the "Split Drip" draft, the agency demo calendars, the five empty stub pipelines, and the half-built list-hygiene and lead-scoring drafts.
Two website fixes that are easy to miss
- Retire the embedded legacy Review Wave booking widget on the public site pages (/new-patient-appointment/ and /schedule-appointment/), not just the redirect on /book-chiro. If that old widget stays embedded, a patient can book through it at the same time as the GHL bot and create two real bookings. Remove the embed and route every "book" action to the one Aloha path.
Aloha and Lead Desk
- Aloha: put the bulk and blast templates behind the ownership and cooldown check; leave the transactional confirm, remind, and recare messages for booked patients on, always. Consolidate the 210 templates down to one active set per lifecycle stage.
- Lead Desk: every contact writes the cooldown stamp; the screen checks consent and booked/resolved status before it shows a patient as contactable; no auto-blast. Show the staffer, in plain language at the top of each card, whether it is OK to contact or not and why ("in cooldown until 2:15pm," "opted out of text," "Maria is working this now").
- Lead Desk shared passcode: retire it the moment per-staff logins are live (Phase 5). A shared passcode is security debt, not a feature.
5. Records and patient data on AWS: the upload, the fallback, and the agreement that must come first
Today (interim, in force now). Patient data sits on Geoff's PC in the Lead Desk files (names, phones, visit history, text conversations, churn reasons). The page leaddesk.snrg.me is served only while the PC is on, through an encrypted Cloudflare tunnel, and the data is never stored on Cloudflare. This works but it is fragile: when the PC or the tunnel is down, the Lead Desk is down (it is down on the public hop right now). That outage class is exactly what the move to AWS fixes. Action item today: confirm the Cloudflare transit agreement actually covers this live patient data, because the exposure exists now, not in a future phase.
Target (greenlit): patient data on HIPAA-eligible AWS, behind a signed agreement, mirroring the Department OS pattern already live (account 707942660251).
- The AWS agreement is in place, and the upload gate is enforced in the system. The AWS agreement (BAA) is active as of 2026-06-29 (verified live), and the Department OS already holds patient data on this account. The storage bucket (envista-patient-records, created and locked down 2026-06-30) keeps uploads disabled behind a flag until the upload endpoint is built and the Envista-to-SNRG authorization is confirmed; we do not deploy the upload endpoint before then. "Hard gate" means impossible, not discouraged.
- The compliant upload path. A staffer or patient uploads a record (chart, imaging, intake) to an authenticated endpoint that writes it to encrypted private storage (S3 with key-managed encryption), with every read and write logged. No patient file passes through any hop that is not under a signed agreement.
- The secure-link fallback. When a direct upload is not possible (a patient on the phone, a fax, a one-off document), the staffer generates a one-time, expiring, authenticated secure link rather than emailing a file or storing it locally. The link points at the same encrypted store and is logged the same way. This is the safe alternative to the old habit of saving a file on the PC.
- The page itself holds no patient data. The Lead Desk becomes a static shell that loads patient data only after the staffer logs in, per person. No large patient-data file sits next to the page anymore. This removes the "data on the PC, served while the PC is on" failure entirely.
- Consent is data, and there is exactly one source of truth for it. Today consent lives in three places (Aloha's per-contact opt-in, the Lead Desk's consent file, and the planned AWS record), which can disagree. We collapse this to one consent store with a defined rule: opt-out is the highest-privilege event. Any source saying "opted out" wins immediately and everywhere, and a stale "opted in" from another source can never overwrite it. The roughly 319 call-only patients are call-only across every system, not just in the Lead Desk screen. Because a dropped opt-out is a legal violation, not just a glitch, the opt-out path is also covered by the reconciliation sweep in Phase 6.
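The opt-out precedence rule stated above, as an added example that is not code from the plan, Aloha, the Lead Desk, or the AWS record. The source names, channel names, record shapes and the sample consent states are assumptions; the sample is built so that the newest source says "opted in" while an older one says "opted out", which is exactly the case where timestamps must not decide.

```javascript
// Added example, not code from the Envista plan or any of its systems.
// Source names, channel names and record shapes are assumptions.

const CHANNELS = ["sms", "email", "call"];

// Each source reports per-channel state: "in", "out", or absent (unknown).
// Constructed sample, not real data. The Aloha opt-in is newer than the Lead
// Desk opt-out; under the Section 5 rule the opt-out still wins.
const SAMPLE_SOURCES = [
  { source: "aloha",    at: "2026-06-20T09:00:00Z", consent: { sms: "in",  email: "in", call: "in" } },
  { source: "leaddesk", at: "2026-06-10T16:30:00Z", consent: { sms: "out", call: "in" } },
  { source: "aws",      at: "2026-06-01T12:00:00Z", consent: { email: "in" } },
];

// Collapse several consent sources into the single store. Timestamps are
// deliberately ignored for precedence: any "out" wins on that channel, and
// the winning source is kept so the decision can be audited.
function mergeConsent(sources) {
  const merged = {};
  for (const ch of CHANNELS) {
    const states = sources
      .filter((s) => s.consent[ch] !== undefined)
      .map((s) => ({ state: s.consent[ch], source: s.source, at: s.at }));
    const out = states.find((s) => s.state === "out");
    const optedIn = states.find((s) => s.state === "in");
    merged[ch] = out || optedIn || { state: "unknown", source: null, at: null };
  }
  return merged;
}

// Apply one later event to the store. An opt-out always lands; an opt-in
// never overwrites an existing opt-out, whatever its timestamp. Returns a
// new store object and never mutates the input.
function applyConsentEvent(store, event) {
  const current = store[event.channel];
  if (event.state === "out") {
    return { ...store, [event.channel]: { state: "out", source: event.source, at: event.at } };
  }
  if (current && current.state === "out") return store; // stale opt-in ignored
  return { ...store, [event.channel]: { state: "in", source: event.source, at: event.at } };
}

// "Call-only" means every text channel is out and call is in. The flag is
// derived from the one store so every system reads the same answer.
function isCallOnly(store) {
  return store.sms.state === "out" && store.email.state === "out" && store.call.state === "in";
}
```

On the sample, `mergeConsent` yields SMS out (from the Lead Desk, despite the newer Aloha opt-in), email in, call in. A later SMS opt-in event leaves SMS out; a later email opt-out makes the patient call-only.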
Net principle: patient data at rest lives only in Platinum and AWS (under agreement). Patient data in transit is encrypted, minimized, and logged. No patient data at rest on Cloudflare, none in GHL beyond the bare acquisition minimum (name, phone, interest), and none in n8n.
6. The phased rollout: backed up, reversible, verified at each step
Each phase backs up before it changes anything, runs the new path alongside the old until the new one is proven, pauses rather than deletes (instant undo), and has an explicit verify step done on the real surface, not a stand-in. The cheap, reversible config that kills the live collisions comes first. The agreement-blocked data move comes last.
The office can stop after Phase 2. At that point both collisions are gone. Everything after Phase 2 is hardening, not a prerequisite.
Phase 0: snapshot and watch (no behavior change)
Back up everything: the full GHL workflow, trigger, and calendar export; the Aloha template list; the Platinum-to-Aloha sync state; all Lead Desk data and state files. Stand up the shared patient record, the ownership labels, and the identity map in watch-only mode (it observes and logs every event and enforces nothing).
Two Phase 0 blockers that must clear before any timer goes live:
- Re-establish a durable, off-PC way to read Aloha outcomes. The current live Aloha read is broken (the auth changed and the token was scraped from a debug browser on the PC). The handoff timers in Stage 5 and 6 depend on knowing real Aloha outcomes; if that read is broken, the timers act on empty data and surface already-rebooked patients to staff. Replace the scraped token with a durable service credential before arming any timer.
- Enumerate every sender. Because n8n cannot block sends in real time, the watch-mode log must list every Aloha template and every GHL workflow that can emit a message. A sender we miss is a hole in the firewall by definition.
Verify: over a week of real traffic, the watch log correctly predicts who should own each patient, flags every real double-touch that actually happened, and confirms it sees GHL, Aloha, and Lead Desk events. Undo: delete the watch flows; nothing changed.
Phase 1: lock the schedule (kills the double-book)
- Turn on real Platinum availability in Aloha ("Use Bookings"). This is the true fix. Without it, Aloha books inside broad blocks and can double-book a real slot by itself.
- Make GHL's view of availability read-only (a Conflict Calendar) and disable GHL's own clinical slot creation and both booking bots' write paths.
- Retire the embedded legacy Review Wave widget on the public site pages, not just the /book-chiro redirect.
- Move any stray GHL bookings into Aloha.
Verify, on the real surface: book two patients into the same real Platinum opening through the production Aloha booker and confirm the second is rejected. (Testing only "GHL shows a filled slot as unavailable" is a stand-in; it passes while the real Aloha-against-Aloha double-book stays open. The test must use the live Aloha path twice into one real slot.) Then watch one real booking flow end to end into Platinum exactly once. Undo: re-enable from the Phase 0 snapshot.
Cutover discipline (this is the highest-disruption moment): cut over at the practice's actual lowest-traffic window (confirm it with Kristin, do not assume), never mid-morning, never a Monday or the day before a holiday. Pre-test the Aloha widget with a real provider's real availability the day before. Have a named person on standby for the first two hours, reachable by text, with the rollback snapshot ready.
Phase 2: lock the voice (kills the double-contact for booked patients)
- Turn n8n from watch to enforcing for the booked stage.
- Disable GHL's confirm, remind, reschedule, no-show, and cancel sequences for booked patients. This explicitly includes the 11 No-Show Nurture robocalls and the No-Show and Cancelled 5-day sequences, because a no-show is a booked-stage collision and must be closed here, not in a later phase.
- Confirm Aloha is the sole sender. Scope the GHL welcome to new leads only.
- Run Aloha and GHL reminders in parallel for one reminder cycle first. Accept one knowingly-duplicated reminder for a small group, confirm Aloha actually sent, then turn GHL off. A single controlled double-text for a day is far cheaper than disabling GHL a beat early and getting a silent no-show spike.
Verify: book a test patient (Geoff's test cell, 661-535-5344) and confirm exactly one confirmation and one reminder, from Aloha only, zero from 661-241-9360. Cancel and confirm the suppression reaches all systems. Run a real no-show through the live GHL path and confirm only Aloha recovers, with no robocall. A green here counts only if it would go red with the old GHL cadence still enabled and fed. Undo: flip n8n back to watch and re-enable GHL.
This is the stop line. After Phase 2, both collisions are gone.
Phase 3: lock retention (the Lead Desk owns win-back)
- n8n enforces retention ownership. Disable GHL win-back and reactivation. Put Aloha bulk blasts behind the ownership and cooldown check. The Lead Desk becomes the consent source of record. Arm the automated-then-human handoff timer (which depends on the Phase 0 Aloha read being fixed).
- Add the inbound-router rule: an inbound text to the old ad number 661-241-9360 from a known booked patient or existing patient is routed to the current owner, not auto-answered by the GHL assistant. This closes the door where a booked patient texts the old number and re-triggers GHL.
Verify: put a real lapsed patient into Win-Back, have a staffer work them on the Lead Desk, and confirm no GHL nurture and no Aloha blast fires at that patient during the conversation; a second staffer is blocked from the same card with a visible reason; a recovered patient gets no post-yes chase; a no-show gets Aloha automated recovery first and only appears in the Lead Desk queue after the window. Undo: relax the n8n gate.
Phase 4: cleanup (clutter removal, no patient impact)
Retire the clutter listed in Section 4 (Agency, LCS, B2B/B2C, stub pipelines, dead calendars). Verify: the GHL list is clean, no live enrollment was lost, and top-of-funnel capture still works on a test lead.
Phase 5: the agreement and the data move (the durable fix, agreement-gated)
Gate: the AWS agreement (BAA) is active (verified 2026-06-29). Confirm the Envista-to-SNRG authorization, then flip the bucket's upload flag; the bucket denies uploads until that flag is set.
- Stand up the encrypted store, per-staff logins, and audit logging in the HIPAA-eligible account.
- Move Lead Desk patient data off the PC. Convert the Lead Desk to a no-data static shell with per-staff login. Ship the compliant upload path and the secure-link fallback.
- Provision and test each staffer's login before the shared passcode is retired. Do a "log in as yourself" dry run with each person. Keep the shared passcode alive in parallel for 48 hours as a fallback, then retire it. Never let a morning-of-rollout login be the first time a staffer has used their new credential.
Verify: agreement on file; patient data gone from the PC and the page serves nothing before login; a real staffer logs in and loads a real patient; a test (non-real) record upload lands encrypted with an audit entry and never appears in GHL or Cloudflare storage; the secure-link fallback delivers to the same encrypted store and is logged; leaddesk.snrg.me no longer depends on the PC tunnel. Undo: keep the PC instance read-only as a fallback until AWS is proven, then decommission.
Move the control plane off the PC too. n8n and the durable Aloha credential must not live on the PC. If they do, every PC outage takes the coordination layer down while Aloha and GHL keep sending on their own, which re-opens every collision. The gate cannot share a single point of failure with the thing it guards.
Phase 6: full enforcement, the safety net, and the honest done test
- n8n enforcing across all stages. Daily reconcile and attribution feed, per-staff scoreboard, daily audit report.
- Add the reconciliation sweep (the safety net). Events are fast but can be dropped (a webhook fails, n8n hiccups). A single dropped "booked" event means a patient stays in GHL nurture forever and the Lead Desk card never clears. So alongside the fast event path, run a periodic full-state sweep that compares the shared record against Aloha's appointments and GHL's tags and repairs any drift. Fast path for speed, sweep for correctness. The opt-out path rides this sweep so a dropped opt-out cannot become a legal violation.
- Pull Aloha's sent-message feed and GHL's conversation log into the audit store, not just n8n's own decisions, so the audit can actually see the sends that would leak and can reconstruct a full patient journey.
- Optionally enable the end-state direct booking (GHL's assistant books into Aloha and Platinum).
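The full-state reconciliation sweep from the list above, as an added example. It is not the project's reconcile.js or any n8n flow; the record shapes, Aloha status values, GHL tag names and stage names are assumptions. The constructed state plants the two kinds of drift the text names, a dropped "booked" event and a no-show the shared record never learned about, and the sweep is written to be idempotent so that running it on its own output produces no further repairs.

```javascript
// Added example, not the project's reconcile.js or any n8n flow.
// Record shapes, status values, tag names and stage names are assumptions.

// Constructed sample state, not real data. Drift planted on purpose:
//   p1 is scheduled in Aloha but its "booked" event was dropped, so the shared
//      record and GHL still treat p1 as a cold lead in nurture;
//   p2 no-showed in Aloha but the shared record still says booked;
//   p3 is consistent everywhere.
const SAMPLE_STATE = {
  shared: {
    p1: { stage: "cold_lead", owner: "ghl" },
    p2: { stage: "booked", owner: "aloha" },
    p3: { stage: "booked", owner: "aloha" },
  },
  aloha: [
    { patientId: "p1", status: "scheduled", start: "2026-07-03T17:00:00Z" },
    { patientId: "p2", status: "no_show", start: "2026-06-29T18:00:00Z" },
    { patientId: "p3", status: "scheduled", start: "2026-07-04T15:00:00Z" },
  ],
  ghl: {
    p1: { tags: ["nurture"] },
    p2: { tags: ["booked"] },
    p3: { tags: ["booked"] },
  },
};

// What the shared record should say, derived from Aloha's appointment feed.
function expectedFromAloha(appt) {
  if (appt.status === "scheduled") return { stage: "booked", owner: "aloha" };
  if (appt.status === "no_show" || appt.status === "cancelled") {
    return { stage: "noshow_auto", owner: "aloha" };
  }
  return null; // attended and other statuses: leave what the event path wrote
}

// Stages at which acquisition must have hard-stopped (Section 4).
const BOOKED_STAGES = new Set(["booked", "attended", "noshow_auto", "recovered"]);

// One full-state sweep. Returns the repaired state plus the list of repairs.
// The input is never mutated, and the function is idempotent.
function sweep(state) {
  const shared = { ...state.shared };
  const ghl = {};
  for (const [id, c] of Object.entries(state.ghl)) ghl[id] = { tags: [...c.tags] };
  const repairs = [];

  // Pass 1: the shared record must agree with Aloha, the schedule of record's
  // only write path.
  for (const appt of state.aloha) {
    const want = expectedFromAloha(appt);
    if (!want) continue;
    const have = shared[appt.patientId] || { stage: "unknown", owner: null };
    if (have.stage !== want.stage || have.owner !== want.owner) {
      shared[appt.patientId] = want;
      repairs.push({ patientId: appt.patientId, fix: "shared", from: have.stage, to: want.stage });
    }
  }

  // Pass 2: anyone at a booked-or-later stage must be out of GHL nurture and
  // carry the booked tag, so a dropped event cannot leave them in nurture.
  for (const [id, rec] of Object.entries(shared)) {
    if (!BOOKED_STAGES.has(rec.stage)) continue;
    const contact = ghl[id];
    if (!contact) continue;
    const tags = new Set(contact.tags);
    if (tags.has("nurture") || !tags.has("booked")) {
      tags.delete("nurture");
      tags.add("booked");
      contact.tags = [...tags];
      repairs.push({ patientId: id, fix: "ghl", to: "booked tag set, nurture removed" });
    }
  }

  return { state: { shared, aloha: state.aloha, ghl }, repairs };
}
```

The first sweep over the sample produces three repairs (p1's shared record, p2's shared record, p1's GHL tags); a second sweep over the returned state produces none, which is the property that lets the sweep run on a timer without ever double-repairing.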
Verify (the whole-system test): run a synthetic patient through the entire journey on the real surfaces (cold ad lead in GHL, book through to Aloha and Platinum, attend, go quiet, surface in the Lead Desk, recover, resolve) and confirm that at no point did two systems contact or book them, and at no point did they fall out of all owners. The test must include a dirty case and a failure case: a shared-phone identity (to exercise the merge rule) and a forced dropped event (to exercise the sweep). A clean happy-path run alone would certify "done" on exactly the cases that do not break. Confirm the audit log reconstructs the whole journey. Only after this real-surface run, including the dirty and dropped cases, is the consolidation done.
Rollback doctrine throughout: nothing is deleted, only paused. The old path runs alongside the new one until the new one is proven on the real surface. We back up before each phase. No live patient data touches any new surface until that surface's agreement, login, and audit are green. No phase depends on a later one, so the office can stop at Phase 2 with collisions already gone.
7. Risks and how each is handled
| Risk | What goes wrong | How we handle it |
|---|---|---|
| Aloha cannot read Platinum's real slots ("Use Bookings" is off) | Aloha double-books a real slot by itself, GHL not even involved | Phase 1 turns the setting on and tests two real bookings into one real slot through the live Aloha booker. Until proven, request-to-book (office confirms against Platinum) is the only construction that cannot double-book |
| Two booking surfaces (GHL bot plus the old website widget) book the same patient twice | Two real bookings in one session | Phase 1 retires the embedded legacy widget on every site page, not just the redirect, and gates the booking write itself |
| The office reschedules in Platinum directly and Aloha never learns | Aloha reminds for the wrong time, or chases a no-show that was actually rescheduled | Phase 0 proves the Platinum-to-Aloha sync direction and its lag empirically, and defines what happens when it is stale; the Phase 6 sweep catches drift |
| A turned-off sender is missed | A forgotten Aloha template or GHL workflow texts a booked patient | Phase 0 watch mode enumerates every sender; the audit log catches any leak; enforcement is by disabling senders, stated honestly, not by a gate that does not physically exist |
| A booked patient texts the old ad number | GHL's assistant re-engages and re-enrolls them | Phase 3 inbound-router: inbound from a booked or existing patient is routed to the current owner, not auto-answered |
| No-show fires Aloha and GHL recovery at once | Robocall plus two automated sequences plus Aloha, all together | The no-show disables move into Phase 2, not a later phase, so they are gone before the verify runs |
| One global cooldown blocks a needed reminder | A retention cooldown silences a time-critical appointment reminder | Cooldown is scoped to outreach only; transactional confirm and remind for an active booking are never blocked |
| A resolved patient reaches out again and no one owns them | The patient is silently ignored | The re-entry rule re-opens ownership on any inbound or new lead, except a legal channel opt-out |
| The identity map merges two people on a shared phone, or splits one | One patient's opt-out silences another, or one human is double-contacted as two records, which is a data exposure | Never auto-merge on phone alone; require a Platinum-ID match or a human confirm; run a dedupe and quarantine pass on the 37,000-plus dirty records before the map governs anything |
| The live Aloha read is broken | Timers act on empty data and surface already-rebooked patients | Phase 0 blocker: a durable off-PC Aloha service credential before any timer is armed |
| A dropped event causes permanent desync | One patient double-handled forever | Events are idempotent and backstopped by the Phase 6 full-state reconciliation sweep |
| The PC or tunnel is down (it is down now) | The coordination layer goes dark while Aloha and GHL keep sending | Phase 5 moves n8n, the Aloha credential, and the state off the PC; the gate must not share a single point of failure with what it guards |
| A record is uploaded before the agreement is signed | Patient data exposed with no agreement in place | Technical enforcement: the bucket denies uploads until a flag that can only be set after the signed agreement; the endpoint is not even deployed until then |
| Three consent stores disagree | An opted-out patient gets texted, a legal violation | One consent store; opt-out wins immediately and everywhere and can never be overwritten by a stale opt-in; backstopped by the sweep |
| The audit log cannot see Aloha and GHL native sends | A leak never shows up where a breach review would look | Pull Aloha's sent feed and GHL's conversation log into the audit store |
| A staffer calls a patient from a personal cell, outside the system | A booked or cooldown patient gets double-contacted and the system never sees it | This is a human hole, not a software one. Handle it with policy ("all patient outreach goes through the Lead Desk so we never double-contact") plus making the Lead Desk the faster path (click-to-call the tracked line, pre-filled script) so the compliant path is also the lazy path |
| Staff revert to old habits (manual reminders, a side spreadsheet) | The consolidation quietly breaks at the front desk | A named office champion, one behavior change per phase, a "reminders sent today" view so staff can see the system worked, week-one check-ins that ask about side lists without blame |
| A verify test passes while the real failure is open | We call it done when it is not | Each test must go red with the bug present, on the real surface, including a dirty-identity case and a dropped-event case in the final run |
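The identity-map rule from the table above (never auto-merge on phone alone; require a Platinum-ID match or a human confirm) and the dedupe-and-quarantine pass it depends on, as an added example. This is not code from the plan's identity map; the record shapes, decision names and the constructed phone numbers are assumptions. It goes slightly beyond the table by also handling the shared-phone case (several existing records on one number), which is the dirty case the Phase 6 test must include.

```javascript
// Added example, not code from the plan's identity map.
// Record shapes, decision names and sample values are assumptions.

// Normalise a phone to digits so "(661) 555-0100", "661-555-0100" and
// "1-661-555-0100" compare equal.
function normalizePhone(raw) {
  const digits = String(raw || "").replace(/\D/g, "");
  return digits.length === 11 && digits.startsWith("1") ? digits.slice(1) : digits;
}

// Decide how an incoming contact maps onto existing records.
//   "merge"      : a Platinum-ID match, safe to attach automatically
//   "quarantine" : phone-only match (one or several), needs a human confirm
//   "create"     : nothing matches
function resolveIdentity(incoming, records) {
  if (incoming.platinumId) {
    const byId = records.find((r) => r.platinumId === incoming.platinumId);
    if (byId) return { decision: "merge", into: byId.id, reason: "Platinum ID match" };
  }
  const phone = normalizePhone(incoming.phone);
  const byPhone = phone ? records.filter((r) => normalizePhone(r.phone) === phone) : [];
  if (byPhone.length === 0) return { decision: "create", into: null, reason: "no match" };
  return {
    decision: "quarantine",
    into: null,
    candidates: byPhone.map((r) => r.id),
    reason: byPhone.length > 1
      ? "shared phone, multiple records"
      : "phone-only match, human confirm required",
  };
}

// Dedupe and quarantine pass over an existing record set: group by phone and
// flag every group where two or more records are not provably the same person
// (same Platinum ID on every record in the group).
function quarantinePass(records) {
  const groups = new Map();
  for (const r of records) {
    const phone = normalizePhone(r.phone);
    if (!phone) continue;
    if (!groups.has(phone)) groups.set(phone, []);
    groups.get(phone).push(r);
  }
  const flagged = [];
  for (const [phone, group] of groups) {
    if (group.length < 2) continue;
    const ids = new Set(group.map((r) => r.platinumId).filter(Boolean));
    const provablySame = ids.size === 1 && group.every((r) => r.platinumId);
    if (!provablySame) flagged.push({ phone, recordIds: group.map((r) => r.id) });
  }
  return flagged;
}

// Constructed sample records, not real patients. r1 and r2 share a household
// phone with different Platinum IDs; r3 and r4 are one person entered twice
// with the same Platinum ID; r5 has no Platinum ID yet.
const SAMPLE_RECORDS = [
  { id: "r1", name: "A. Example", phone: "(661) 555-0100", platinumId: "PL-1001" },
  { id: "r2", name: "B. Example", phone: "661-555-0100", platinumId: "PL-1002" },
  { id: "r3", name: "C. Sample", phone: "661-555-0199", platinumId: "PL-1003" },
  { id: "r4", name: "C Sample", phone: "1-661-555-0199", platinumId: "PL-1003" },
  { id: "r5", name: "D. Sample", phone: "661-555-0177", platinumId: null },
];
```

Against the sample, an inbound with a Platinum ID merges into the right record even on a shared phone, an inbound with only the shared phone is quarantined with both candidates listed, and the pass flags only the r1/r2 household pair, since r3/r4 are provably the same person.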
8. What we need from Curt and the office to proceed
From Curt (decisions only he can make):
- Confirm the Envista-to-SNRG agreement (BAA) is in place. The AWS agreement (BAA) is already active as of 2026-06-29 (verified live), so the AWS storage is authorized and the Department OS already runs patient data on it. What remains is the business associate agreement between Envista (the practice) and SNRG, the practice authorizing SNRG to handle their patient data, which underpins Phase 5.
- Approve the "GHL becomes acquisition only" model. This is the core strategic call: GHL keeps catching ad leads and loses booking and reminders, which move to Aloha. It changes nothing patients see except that the practice stops double-contacting them, but it is a real change to how the systems are used.
- Confirm the budget and scope to do this as a staged, change-managed rollout rather than a flip-the-switch, including the small standby cost of having a person on call during the Phase 1 and Phase 2 cutovers.
From the office (Kristin and the front desk):
- Name the office champion (almost certainly Kristin) and get her bought in before rollout, not handed a finished system. Her endorsement to the rest of the staff is worth more than any document.
- Confirm the practice's actual lowest-traffic window for the Phase 1 booking cutover, and the days to avoid.
- Turn on "Use Bookings" in the scheduling system, or confirm who can, so Aloha can read Platinum's real availability. This is the load-bearing fix and it needs office-side access.
- A 30-minute walkthrough with Kristin (recorded plus a short doc, no live call per Geoff's preference) covering the three buckets staff actually need: booked (leave it alone, the system has it), needs a human (it is in your Lead Desk queue, work it), and done (do not contact). The nine internal stages stay out of sight.
From SNRG (Geoff), to clear before Phase 1:
- Confirm the Cloudflare transit agreement covers today's patient data on the PC tunnel.
- Re-establish the durable off-PC Aloha read credential.
- Run the dedupe and quarantine pass on the dirty identity records.
Key reference files (all absolute): D:/Envista/PROJECT-RECORD.md, D:/Envista/aloha-kit/ALOHA-MAP.md, D:/Envista/aloha-kit/GHL-ALOHA-INTEGRATION.md, D:/Envista/aloha-kit/reconcile.js, D:/Envista/06-ghl/exports/workflows-inventory_2026-06-09.md, D:/Envista/06-ghl/workflow-specs/17_workflow-internals-audit.md, D:/Envista/lead-desk/index.html, D:/Envista/LEAD-DESK-V3-PLAN.md, D:/SNRG/HIPAA-AWS-COMPLIANCE-PLAN.md, D:/Envista/leaddesk-call-config.json.
Status, stated honestly: this is a designed architecture, verified per phase on the real surface, not a live system. The collision-killing config (Phases 1 and 2) is reversible and cheap. The durable data fix (Phase 5) is gated on confirming the Envista-to-SNRG authorization; the AWS agreement is already active. Nothing is "done" until its phase verify passes on the real surface, including the dirty and dropped-event cases in the final run.