Desktop Electron EHR — unified user stories
Source of truth: EHEALTH_DESKTOP_PLATFORM_REQUIREMENTS.md + SPEC.md + TECHNICAL_REQUIREMENTS.md.
| Story ID | User Story | Context | Acceptance Criteria | Parent Epic ID | FR/NFR / REQ | Track | Label | Jira Key |
|---|---|---|---|---|---|---|---|---|
| DESK-US-001 | As a user, I want OIDC/OAuth2 login with PKCE and token refresh in the main process so that desktop auth matches platform IAM. | IAM + Kong | Tokens stored with OS secure storage; refresh on 401 follows policy; logout clears vault; no secrets in renderer bundle. | DESK-EPIC-01 | REQ-DESK-INT-002; TR-DSK-040–042 | baseline | ehr-desktop | GEHR-483 |
| DESK-US-002 | As a developer, I want a minimal typed preload contextBridge API so that the renderer is untrusted and has no Node integration. | Electron security | nodeIntegration: false, contextIsolation: true; IPC payloads validated (Zod); surface documented in shared types. | DESK-EPIC-01 | TR-DSK-001–004; REQ-DESK-NFR-011 | baseline | ehr-desktop | GEHR-484 |
| DESK-US-003 | As a user, I want the client to consume an entitlement bootstrap (config-resolver / IAM aggregate) so that capabilities are server-authoritative. | REQ-DESK-INT-008 | Bootstrap response documented; maps to capability map shape; refresh on policy change; 403 remains backstop. | DESK-EPIC-01 | REQ-DESK-INT-008; REQ-DESK-FR-090 | baseline | ehr-desktop | GEHR-485 |
| DESK-US-004 | As a user, I want router registration and feature flags driven by the capability map so that unlicensed routes are not active. | Modular shell | Routes for disabled modules not registered; deep links to forbidden routes show safe messaging; aligns with REQ-DESK-FR-091–092. | DESK-EPIC-01 | REQ-DESK-FR-090–093 | baseline | ehr-desktop | GEHR-486 |
| DESK-US-005 | As a user, I want a data-driven sidebar and module hub so that navigation matches my entitlements and site profile. | Lab/pharm/imaging | Nav items from capability map; licensed-but-forbidden uses read-only or disabled pattern per product choice; documented in UX spec. | DESK-EPIC-01 | REQ-DESK-FR-091–094 | baseline | ehr-desktop | GEHR-487 |
| DESK-US-006 | As a site admin, I want default landing modules and pinned items by site type (clinic vs lab vs pharmacy vs imaging) without code forks. | Persona | Config-driven defaults; user can override pins where product allows; persists per user/tenant rules. | DESK-EPIC-01 | REQ-DESK-FR-008 | baseline | ehr-desktop | GEHR-488 |
| DESK-US-007 | As a power user, I want command palette / quick-open targets filtered by the same capability map so that I cannot discover hidden admin URLs. | Quick nav | Palette lists only permitted targets; server still enforces on API. | DESK-EPIC-01 | REQ-DESK-FR-095 | baseline | ehr-desktop | GEHR-489 |
| DESK-US-008 | As a multi-tenant user, I want tenant switch to reset local cache, outbox scope, and module visibility without cross-tenant leakage. | Tenant isolation | SQLite rows and queue scoped per tenant; switch clears or rekeys per policy; no merge across tenants. | DESK-EPIC-01 | REQ-DESK-FR-097; TR-DSK-013 | baseline | ehr-desktop | GEHR-490 |
| DESK-US-009 | As finance, I want no background sync jobs for modules that are not licensed so that hidden API usage does not occur. | Licensing | Schedulers register only for licensed modules; verified with integration test or config matrix. | DESK-EPIC-01 | REQ-DESK-FR-009 | baseline | ehr-desktop | GEHR-491 |
| DESK-US-010 | As a user, I want SQLite in main with tenant-scoped queries and migrations so that offline PHI is structured and versioned. | Local DB | tenantId on persisted rows; FK + indexes; migrations run on upgrade; matches TR-DSK-010–013. | DESK-EPIC-02 | REQ-DESK-FR-001; TR-DSK-010–013 | baseline | ehr-desktop | GEHR-492 |
| DESK-US-011 | As a user, I want an outbox with clientMutationId / Idempotency-Key so that sync retries are safe. | Outbox | Outbox schema per TR-DSK-020–022; causal ordering documented for same aggregate. | DESK-EPIC-02 | REQ-DESK-FR-002; TR-DSK-020–022 | baseline | ehr-desktop | GEHR-493 |
| DESK-US-012 | As a user, I want sync with exponential backoff and jitter on 429 and no infinite retry on 401/403. | HTTP | Matches FR-DSK-003 / TR-DSK-030–032; integration tests with mock Kong. | DESK-EPIC-02 | FR-DSK-003; TR-DSK-030–032 | baseline | ehr-desktop | GEHR-494 |
| DESK-US-013 | As a clinician, I want conflict UI for 409 and version conflicts so that silent overwrite never happens. | Conflicts | User-visible resolution; audit trail; aligns with FR-DSK-004. | DESK-EPIC-02 | REQ-DESK-FR-003; FR-DSK-004 | baseline | ehr-desktop | GEHR-495 |
| DESK-US-014 | As a user, I want global connectivity and per-area sync indicators so that I see pending work. | UX | FR-DSK-005; E2E states for pending/syncing/failed. | DESK-EPIC-02 | FR-DSK-005 | baseline | ehr-desktop | GEHR-496 |
| DESK-US-015 | As support, I want X-Correlation-Id (or equivalent) on sync traffic so that we can correlate logs. | Observability | TR-DSK-034; verified in integration test. | DESK-EPIC-02 | REQ-DESK-FR-006; TR-DSK-034 | baseline | ehr-desktop | GEHR-497 |
| DESK-US-016 | As a security officer, I want PHI encrypted at rest in SQLite per policy so that lost devices are mitigated. | Encryption | Matches REQ-DESK-NFR-010 / TR-DSK-011; key derivation documented. | DESK-EPIC-02 | REQ-DESK-NFR-010; TR-DSK-011 | baseline | ehr-desktop | GEHR-498 |
| DESK-US-017 | As a user, I want online-only flows clearly labeled and degraded offline so that I do not mistake cached data for live submission. | Degradation | FR-DSK-006; representative flows covered in E2E. | DESK-EPIC-02 | REQ-DESK-FR-003; FR-DSK-006 | baseline | ehr-desktop | GEHR-499 |
| DESK-US-018 | As registration staff, I want patient intake with offline draft or queue per registration module policy. | Registration | Duplicate search behavior documented; queue uses idempotency when API supports; see specs/modules/registration/. | DESK-EPIC-03 | REQ-DESK-FR-010 | baseline | ehr-desktop | GEHR-500 |
| DESK-US-019 | As a clinician, I want encounter notes with offline draft and optimistic lock on sync. | Notes | 409 handling; versioning per service; specs/modules/clinical-notes/ as applicable. | DESK-EPIC-03 | REQ-DESK-FR-011 | baseline | ehr-desktop | GEHR-501 |
| DESK-US-020 | As a clinician, I want CPOE orders to distinguish unsigned draft vs signed committed orders. | Orders | UI state machine; online-only checks where required; specs/modules/orders-cpoe/. | DESK-EPIC-03 | REQ-DESK-FR-012 | baseline | ehr-desktop | GEHR-502 |
| DESK-US-021 | As a clinician, I want problems, allergies, and medications with cached terminology and critical allergy warnings when offline. | Safety | Warnings per jurisdiction; server authoritative on save; specs/modules/problem-list/, allergies/, medication-management/. | DESK-EPIC-03 | REQ-DESK-FR-013 | baseline | ehr-desktop | GEHR-503 |
| DESK-US-022 | As a nurse, I want vitals and immunizations queued offline when APIs support idempotent POST. | Vitals/immunizations | Matches TR-OFF patterns; module specs for vitals/immunizations. | DESK-EPIC-03 | REQ-DESK-FR-014 | baseline | ehr-desktop | GEHR-504 |
| DESK-US-023 | As a scheduler, I want cached calendars and queued booking intents per scheduling spec. | Scheduling | Live slot search may be disabled offline with clear copy; specs/modules/scheduling/. | DESK-EPIC-03 | REQ-DESK-FR-015; FR-DSK-015 | baseline | ehr-desktop | GEHR-505 |
| DESK-US-024 | As a user, I want secure messaging with read-only cache when policy permits. | Messaging | Online-first live threads; specs/modules/digital-communication/ or messaging module. | DESK-EPIC-03 | REQ-DESK-FR-030 | baseline | ehr-desktop | GEHR-506 |
| DESK-US-025 | As a user, I want OS notifications and in-app notification center with sync-pending awareness. | Notifications | FR-DSK-016; no silent loss of reminders. | DESK-EPIC-03 | REQ-DESK-FR-031; FR-DSK-016 | baseline | ehr-desktop | GEHR-507 |
| DESK-US-026 | As a clinician, I want virtual care join flows marked online-only with clear UX. | Virtual care | specs/modules/virtual-care/; Meet embed security if applicable. | DESK-EPIC-03 | REQ-DESK-FR-032 | baseline | ehr-desktop | GEHR-508 |
| DESK-US-027 | As a clinician, I want care plans, med reconciliation with stale-as-of offline, and eRx draft with online submission. | Med/care | REQ-DESK-FR-040–042; e-prescribing gateway specs; no controlled submit offline. | DESK-EPIC-03 | REQ-DESK-FR-040–042 | baseline | ehr-desktop | GEHR-509 |
| DESK-US-028 | As a lab tech, I want an incoming lab worklist with filters for priority, status, location, and panel. | LIS UI | Consumes LIS list APIs; specs/modules/laboratory-lis/; REQ-DESK-FR-100. | DESK-EPIC-04 | REQ-DESK-FR-100 | baseline | ehr-desktop | GEHR-510 |
| DESK-US-029 | As a collector, I want collection workflow with stat vs routine, labels, barcode capture, and collector attribution. | Collection | Scanner via main or wedge; REQ-DESK-FR-101. | DESK-EPIC-04 | REQ-DESK-FR-101 | baseline | ehr-desktop | GEHR-511 |
| DESK-US-030 | As a lab tech, I want accessioning with match, reject, and partial receive reason codes. | Accessioning | REQ-DESK-FR-102; chain-of-custody per LIS spec. | DESK-EPIC-04 | REQ-DESK-FR-102 | baseline | ehr-desktop | GEHR-512 |
| DESK-US-031 | As a tech, I want result entry/review UI with abnormal flags and critical escalation paths online-first. | Results | REQ-DESK-FR-103; server rules for reflex/critical. | DESK-EPIC-04 | REQ-DESK-FR-103 | baseline | ehr-desktop | GEHR-513 |
| DESK-US-032 | As a tech, I want panels with components, reference ranges, and units per regional profile. | Panels | REQ-DESK-FR-104; locale-aware display. | DESK-EPIC-04 | REQ-DESK-FR-104 | baseline | ehr-desktop | GEHR-514 |
| DESK-US-033 | As QA, I want QC / instrument flows to be online-first with explicit offline messaging. | QC | REQ-DESK-FR-105; no silent QC submit offline. | DESK-EPIC-04 | REQ-DESK-FR-105 | baseline | ehr-desktop | GEHR-515 |
| DESK-US-034 | As a lab manager, I want offline rules that only queue idempotent lab actions and role-gated screens for collection vs auth. | Offline + roles | REQ-DESK-FR-106–107; aligns with LIS backlog stories for server truth. | DESK-EPIC-04 | REQ-DESK-FR-106–107 | baseline | ehr-desktop | GEHR-516 |
| DESK-US-035 | As a pharmacist, I want prescription queues (new/refill/pending verification) with verification gated by permission. | Pharmacy queue | REQ-DESK-FR-110; specs/modules/pharmacy/ | DESK-EPIC-05 | REQ-DESK-FR-110 | baseline | ehr-desktop | GEHR-517 |
| DESK-US-036 | As a tech, I want dispensing fill → check → label → deliver with barcode verification for NDC/package. | Dispensing | REQ-DESK-FR-111 | DESK-EPIC-05 | REQ-DESK-FR-111 | baseline | ehr-desktop | GEHR-518 |
| DESK-US-037 | As inventory staff, I want stock, receiving, and adjustments online-first per inventory service. | Inventory | REQ-DESK-FR-112; offline read-only or explicit queue per policy. | DESK-EPIC-05 | REQ-DESK-FR-112 | baseline | ehr-desktop | GEHR-519 |
| DESK-US-038 | As a pharmacist, I want compounding behind a dedicated feature flag with batch and beyond-use fields. | Compounding | REQ-DESK-FR-113 | DESK-EPIC-05 | REQ-DESK-FR-113 | baseline | ehr-desktop | GEHR-520 |
| DESK-US-039 | As a pharmacist, I want controlled substance flows to use server validation and never bypass EPCS from desktop. | Controlled | REQ-DESK-FR-114; specs/modules/ghasi-e-prescribing-gateway/ as applicable. | DESK-EPIC-05 | REQ-DESK-FR-114 | baseline | ehr-desktop | GEHR-521 |
| DESK-US-040 | As a pharmacist, I want counseling documentation and print/handouts via safe OS print paths. | Counseling | REQ-DESK-FR-115; main print integration. | DESK-EPIC-05 | REQ-DESK-FR-115 | baseline | ehr-desktop | GEHR-522 |
| DESK-US-041 | As pharmacy leadership, I want offline policy for dispense/inventory with stale interaction/formulary data and SoD enforced with 403. | Offline + SoD | REQ-DESK-FR-116–117 | DESK-EPIC-05 | REQ-DESK-FR-116–117 | baseline | ehr-desktop | GEHR-523 |
| DESK-US-042 | As a technologist, I want imaging modality worklists with status, priority, and contrast flags. | RIS worklist | REQ-DESK-FR-120; specs/modules/radiology-pacs/ | DESK-EPIC-06 | REQ-DESK-FR-120 | baseline | ehr-desktop | GEHR-524 |
| DESK-US-043 | As a scheduler, I want imaging orders aligned with slots/resources with server-side conflict surfacing. | Scheduling link | REQ-DESK-FR-121 | DESK-EPIC-06 | REQ-DESK-FR-121 | baseline | ehr-desktop | GEHR-525 |
| DESK-US-044 | As a radiologist, I want prior studies listed with metadata; full prior fetch when online. | Priors | REQ-DESK-FR-122 | DESK-EPIC-06 | REQ-DESK-FR-122 | baseline | ehr-desktop | GEHR-526 |
| DESK-US-045 | As a radiologist, I want viewer launch only through allowlisted BrowserView or external deep link per tenant config. | Viewer | REQ-DESK-FR-123; security review documented. | DESK-EPIC-06 | REQ-DESK-FR-123 | baseline | ehr-desktop | GEHR-527 |
| DESK-US-046 | As a radiologist, I want report states draft/prelim/final/addendum with signing online-only. | Reporting | REQ-DESK-FR-124; local draft marked not released. | DESK-EPIC-06 | REQ-DESK-FR-124 | baseline | ehr-desktop | GEHR-528 |
| DESK-US-047 | As a radiologist, I want peer review / distribution flows online-first with no silent publish offline. | Peer review | REQ-DESK-FR-125 | DESK-EPIC-06 | REQ-DESK-FR-125 | baseline | ehr-desktop | GEHR-529 |
| DESK-US-048 | As PACS admin, I want DICOM/WADO with progress, cancel, and disk cache limits for local artifacts. | Large payloads | REQ-DESK-FR-126 | DESK-EPIC-06 | REQ-DESK-FR-126 | baseline | ehr-desktop | GEHR-530 |
| DESK-US-049 | As security, I want imaging role separation (tech vs radiologist vs clerk) with signing gated by license + role. | RBAC | REQ-DESK-FR-127; REQ-DESK-FR-020–021 summary | DESK-EPIC-06 | REQ-DESK-FR-127 | baseline | ehr-desktop | GEHR-531 |
| DESK-US-050 | As a user, I want document upload/download via main-process file APIs and server policy enforcement. | Documents | REQ-DESK-FR-050; specs/modules/document-management/ | DESK-EPIC-07 | REQ-DESK-FR-050 | baseline | ehr-desktop | GEHR-532 |
| DESK-US-051 | As a user, I want OCR via cloud ai-orchestrator or local ONNX IPC per tenant policy. | OCR | REQ-DESK-FR-051; TR-DSK-080–083; AI_PLATFORM | DESK-EPIC-07 | REQ-DESK-FR-051; TR-DSK-081 | baseline | ehr-desktop | GEHR-533 |
| DESK-US-052 | As a clinician, I must confirm OCR-extracted text before it is committed to the legal record. | Safety | REQ-DESK-FR-051; explicit accept action; audit. | DESK-EPIC-07 | REQ-DESK-FR-051 | baseline | ehr-desktop | GEHR-534 |
| DESK-US-053 | As a biller, I want draft charges locally and payer submission online-only per billing module. | Billing | REQ-DESK-FR-062; specs/modules/billing/ | DESK-EPIC-08 | REQ-DESK-FR-062 | baseline | ehr-desktop | GEHR-535 |
| DESK-US-054 | As finance, I want billing sync retries to show server errors and avoid duplicate charges on replay. | Idempotency | REQ-DESK-FR-062; aligns with claims/billing idempotency docs. | DESK-EPIC-08 | REQ-DESK-FR-062 | baseline | ehr-desktop | GEHR-536 |
| DESK-US-055 | As an analyst, I want population health dashboards online-first with optional cached snapshot and as-of time. | Pop health | REQ-DESK-FR-070; specs/modules/health-population/ | DESK-EPIC-09 | REQ-DESK-FR-070 | baseline | ehr-desktop | GEHR-537 |
| DESK-US-056 | As a manager, I want operational/clinical reports via server execution with export/pagination on desktop. | Reporting | REQ-DESK-FR-071 | DESK-EPIC-09 | REQ-DESK-FR-071 | baseline | ehr-desktop | GEHR-538 |
| DESK-US-057 | As an admin, I want read-only cached labels for org structure when offline for navigation. | Admin | REQ-DESK-FR-072 | DESK-EPIC-09 | REQ-DESK-FR-072 | baseline | ehr-desktop | GEHR-539 |
| DESK-US-058 | As platform ops, I want admin mutations to require explicit idempotent APIs — never silent queue for dangerous admin writes. | Admin safety | REQ-DESK-FR-072; explicit design per admin module. | DESK-EPIC-09 | REQ-DESK-FR-072 | baseline | ehr-desktop | GEHR-540 |
| DESK-US-059 | As a user, I want cloud AI features to call only Kong → ai-orchestrator with JWT and tenant policy. | Cloud AI | REQ-DESK-FR-080; FR-DSK-012; specs/modules/ai-orchestrator/ | DESK-EPIC-10 | REQ-DESK-FR-080; FR-DSK-012 | baseline | ehr-desktop | GEHR-541 |
| DESK-US-060 | As a user, I want optional local ONNX inference in main/worker with IPC timeouts and redaction. | Local AI | REQ-DESK-FR-081; TR-DSK-081–083 | DESK-EPIC-10 | REQ-DESK-FR-081; TR-DSK-081 | baseline | ehr-desktop | GEHR-542 |
| DESK-US-061 | As a user, I want semantic search (if offered) to respect tenant access-policy and licensing. | Search | REQ-DESK-FR-082 | DESK-EPIC-10 | REQ-DESK-FR-082 | baseline | ehr-desktop | GEHR-543 |
| DESK-US-062 | As compliance, I want order/diagnosis suggestions to be non-authoritative with explicit accept and audit. | CDS AI | REQ-DESK-FR-083 | DESK-EPIC-10 | REQ-DESK-FR-083 | baseline | ehr-desktop | GEHR-544 |
| DESK-US-063 | As a user, I want long clinical tables virtualized to maintain UI performance. | Perf | REQ-DESK-NFR-001 | DESK-EPIC-11 | REQ-DESK-NFR-001 | baseline | ehr-desktop | GEHR-545 |
| DESK-US-064 | As a user, I want heavy SQLite operations off the UI thread where appropriate. | Perf | REQ-DESK-NFR-002 | DESK-EPIC-11 | REQ-DESK-NFR-002 | baseline | ehr-desktop | GEHR-546 |
| DESK-US-065 | As a regional user, I want RTL/LTR, keyboard navigation, and compact density per EHR desktop TR/FR. | A11y | REQ-DESK-NFR-040; TR-DSK-070–076; E2E RTL | DESK-EPIC-11 | REQ-DESK-NFR-040; TR-DSK-075 | baseline | ehr-desktop | GEHR-547 |
| DESK-US-066 | As privacy, I want optional crash reporting opt-in with no PHI in payloads. | Telemetry | REQ-DESK-NFR-050 | DESK-EPIC-11 | REQ-DESK-NFR-050 | baseline | ehr-desktop | GEHR-548 |
| DESK-US-067 | As a user, I want lazy-loaded route bundles and entitlement refresh without full restart when feasible. | Lazy + entitlements | REQ-DESK-NFR-052; REQ-DESK-FR-096 | DESK-EPIC-11 | REQ-DESK-NFR-052 | baseline | ehr-desktop | GEHR-549 |
| DESK-US-068 | As release engineering, I want CI smoke on Win/macOS/Linux and documented corporate proxy behavior for Kong. | Cross-platform | REQ-DESK-NFR-030–031 | DESK-EPIC-11 | REQ-DESK-NFR-030–031 | baseline | ehr-desktop | GEHR-550 |