Technical ReportReport v1.0July 202618 min read

Theo Arca 5.1: A Compliance-Gated Model Platform

By Theo Research

TheoVex, part of the hitheo.ai ecosystem · research@theovex.com

Abstract

Theo Arca is a deployable, self-contained AI stack for regulated industries. It serves the Arca 5.1 model family (Velox, Magnus, Edge, and Code) behind an OpenAI-compatible API, wrapped in a native privacy guardrail, an agentic tool runtime, an immutable audit ledger, and a fleet control plane that manages nodes on customer infrastructure, including air-gapped environments. Our central claim is that trustworthy AI in healthcare and insurance is a systems property, not a model property, so the guarantees are built around the model and verified continuously by a promotion-gating benchmark harness of seven suites. No model version reaches production without a passing scorecard.

Model platformBenchmark-gatedPHI-nativeAgentic

Keywords Compliance-gated promotion, PHI de-identification, Evidence Ledger, Agentic tools and MCP, Benchmark harness, HIPAA

01

Introduction

Healthcare and insurance workloads carry obligations that generic model APIs do not meet by default: HIPAA-grade handling of PHI, auditable decision trails, purpose-of-use accounting, tenant isolation, and deployment on infrastructure the customer controls.

Theo Arca is our answer to that gap. It is not a hosted model endpoint. It is the entire envelope around the model: gateway, guardrails, tools, audit, observability, licensing, and model operations, shipped as a unit (an Arca Node) that runs on the customer's own infrastructure and is centrally coordinated by a control plane (Arca Fleet).

The model inside is deliberately a swappable backend. The product is everything that makes the model safe, governable, and operable, and the benchmark system that proves a given build is fit to serve regulated traffic before it ever goes live.

Design principles

Compliance is architectural

PHI protection does not depend on the model behaving well. Sensitive values are detected, tokenized, and vaulted before inference, so the model only ever sees de-identified text. Logs, metrics, and audit records are PHI-safe by construction.

The consumer contract is frozen

Integrators depend on a small, stable surface: base URL, model IDs, OpenAI-compatible wire shape, error envelope. Weights, serving engines, adapters, routing, and guardrail internals can all change with zero consumer impact.

Promotion is gated by evaluation

A model version cannot go live without a passing scorecard. The registry enforces this mechanically: a promotion request without a passing scorecard is refused.

Fail closed

Unknown keys are rejected, over-quota requests are refused, PHI-classed traffic is never routed to a backend not certified for it, and low-confidence policy decisions escalate rather than pass.

Everything leaves evidence

Every request, guardrail decision, tool execution, and re-identification event lands in an append-only, hash-chained Evidence Ledger that callers can verify through the API.

02

The Theo Arca platform

A Theo Arca deployment has three cooperating parts, and every chat completion passes through the same governed pipeline before a token reaches the caller.

Anatomy of a deployment

Arca Node

The edge gateway that serves the public API. It implements the OpenAI-compatible endpoints with SSE streaming, key authentication and scoping (Tessera), the PHI guardrail pipeline (Praetorian Guard), policy-based routing, the agentic tool loop with domain tool packs and MCP exposure, the Evidence Ledger, and PHI-safe telemetry. Nodes run on customer infrastructure, cloud, datacenter, or air-gapped edge, under a signed license.

Arca Fleet

The control plane. It enrolls and licenses nodes, manages projects and API keys, durably aggregates usage, and hosts the model registry with eval-gated promotion. A node continues to serve within its license terms if the control plane is unreachable.

Console

The administrative UI and playground, served by the fleet. Keys are issued here and shown exactly once.

The request path

01ClientsAny OpenAI-compatible caller

IDE harnesses

Cursor, Claude Code, Warp

SDK

@hitheo/sdk

MCP agents

@hitheo/mcp

Direct REST

OpenAI-compatible

02EdgeTypeScript API surface

Edge API

SSE, idempotency, request id

Tessera

keys, scopes, quotas, metering

03GuardrailPHI never passes in the clear

Praetorian Guard

detect, tokenize

De-identification Vault

per-tenant keys, TTL

Injection screen

policy block on match

04RoutingFail-closed by data class

Policy router

effective data class, tier + budget

05ServingTier serving profiles

Velox

fast

Magnus

deep

Edge

on-prem

Code

domain coding

06ToolsGuarded agentic loop

Tool registry

typed schemas

Domain packs

health, insurance, coding

MCP

JSON-RPC 2.0

07OutboundScoped re-identify, identity scrub

Outbound guard

scoped detokenize

Identity scrub

served-identity policy

08AuditProve it, safely

Evidence Ledger

append-only, hash-chained

Vigiles

PHI-safe telemetry

CertifiedSOC 2 Type IIHIPAAHITRUSTPHI-native by design
Figure 1. The Arca request path, from a caller's harness through the PHI guardrail and a policy-routed serving tier to a signed audit entry.

The life of a request

  1. Authentication and metering (Tessera)

    The bearer key is validated fail-closed, scopes are checked, rate limits and daily token quotas are enforced, and a request ID is assigned. Idempotency keys make retries safe.

  2. Inbound guardrail (Praetorian Guard)

    The request is classified by data sensitivity, PHI and PII entities are detected, and detected values are replaced with format-preserving tokens written to an encrypted, per-tenant, time-bounded vault. Only de-identified text proceeds.

  3. Injection screening

    Prompt-injection patterns are screened before the request reaches a backend. A positive screen is refused as a policy block.

  4. Policy-routed backend selection

    The effective data class, the more sensitive of what the caller declared and what the guardrail detected, determines which backends are eligible. Routing is fail-closed: no eligible backend means no inference.

  5. Inference and the tool loop

    The selected tier's serving profile executes the request. Tool calls are dispatched through the same guardrail in both directions, folded back into context, and continued up to a bounded number of steps.

  6. Outbound guardrail

    Tokens are re-identified only for callers holding the explicit re-identification scope. A final identity scrub enforces the served-identity policy on every response, streaming or not.

  7. Evidence and telemetry

    A hash-chained audit record (request ID, action trail, model, backend kind, data class, content digests) is appended to the Evidence Ledger, and PHI-safe usage metrics are recorded.

The provider contract

  • Base URL https://api.theovex.com/v1 with bearer authentication. There is intentionally no proprietary SDK.
  • Public model IDs (arca-velox-5.1, arca-magnus-5.1, arca-edge-5.1, arca-code-5.1, alias arca-5.1). Responses always echo the public ID, never an internal served-model name.
  • The OpenAI chat-completions wire shape, SSE framing with a terminal [DONE], and one error envelope everywhere.
  • A cold-start signal: 503 with Retry-After and code warming while a scaled-to-zero pool wakes.

Everything else (weights, serving engine, GPU topology, guardrail internals, personas, tool packs, registry versions, adapters) is invisible and free to change. A contract guard test enforces the machine-checkable parts of this promise in CI, so breaking the surface requires deliberately failing a test.

Agentic tools and MCP

Tools are typed, centrally registered functions with JSON-Schema parameters, each declaring required scopes and permitted data classes. Three domain packs ship with the platform, and the same governed tools are exposed over MCP (JSON-RPC 2.0) with identical scope enforcement.

Healthcare

FHIR R4 read and search, HL7v2 parsing and mapping, terminology lookups (SNOMED CT, LOINC, ICD-10, CPT/HCC), prior-authorization drafting, and claims coding support.

Insurance

Eligibility checks, claims-adjudication support, FNOL intake, EOB and form extraction, policy Q&A, and appeals drafting.

Coding

Repository read, search, write, and edit, an atomic multi-file diff editor, sandboxed code execution, and allow-listed build and test runners, plus deterministic scaffolding generators for secure-by-default source.

03

The Arca model family

The 5.1 family has four public tiers, selected per request by model ID. A tier is not a distinct pretraining run. It is a versioned serving profile: a precision and engine build, decode defaults, a system and policy persona, a tool-pack roster, a step budget, and routing policy, bound together and content-hashed.

The four tiers

Arca Velox

arca-velox-5.1. Fast tier, 1,000,000-token context. High-volume, latency-sensitive transforms, routing, and triage.

Arca Magnus

arca-magnus-5.1. Deep tier, 1,000,000-token context. Long-horizon agents and complex clinical and insurance reasoning.

Arca Edge

arca-edge-5.1. On-prem tier, 131,072-token context. Constrained on-premises and air-gapped hardware envelopes.

Arca Code

arca-code-5.1. Domain coding tier, 1,000,000-token context. Building healthcare and insurance software, agentic engineering.

The alias arca-5.1 resolves to Magnus. Callers may adjust reasoning effort and the thinking toggle within tier policy per request.

Tiers are configurations

Because the public contract is the tier ID and not the weights, we can improve any layer (swap weights, change quantization, attach a fine-tuned adapter, replace the serving engine) and ship it as an atomic, reversible pointer update, provided the candidate passes the benchmark gates.

Velox and Magnus

Velox is the low-latency build and Magnus is the full-precision deep-reasoning build. They are the same weights packaged for two operating points.

Edge

The small-footprint build, selected through a capability bake-off for on-premises and air-gapped hardware where the full window is not available.

Code

The deep-reasoning pool with a domain-engineering persona grounded in health interoperability and payer operations, a larger tool-step budget, and the coding tool pack. An optional adapter, trained only on synthetic, PHI-free data, can bake those instincts into weights.

Registry and lifecycle

Every candidate build is an immutable registry entry: ID, family, tier, version, weight digest, engine, precision, configuration hash, optional adapter reference, and its eval scorecard. Entries move through a strict lifecycle.

building
evaluated
staged
live
deprecated
04

How we build our benchmarks

Public leaderboards answer how smart a model is. Our benchmarks answer a different question: is this exact build safe and fit to serve regulated traffic? The output of a benchmark run is a scorecard attached to a registry entry, and the registry refuses to promote without a passing one.

Principles

Gates, not exhibits

Every suite exists to block a promotion, not to decorate a launch page. If a benchmark cannot fail a bad build, we do not ship it.

Safety thresholds are absolute

Suites that guard privacy, identity, and compliance require a pass rate of 1.0. A single failing case blocks the scorecard. We do not average away a PHI leak.

Test the system, not just the model

Requests travel through the real gateway application (authentication, guardrail, persona, routing, streaming, audit), not a bare model endpoint. A benchmark that bypasses the pipeline would certify a system nobody runs.

Adversarial by construction

Where the property is never do X, we build an upstream that tries as hard as possible to do X, including splitting banned content across streaming chunk boundaries, and assert the served output is still clean.

Detectors stricter than filters

The eval-side leak detector is deliberately broader than the runtime rewrite filter, so evasions the filter intentionally leaves alone (letter-spaced spellings, encoded forms) still fail the gate.

Deterministic and PHI-safe

Fixtures use fabricated identifiers, and long-context probes are engineered so planted values cannot trigger PHI or identity rules. Offline runs are fully deterministic, so a red CI is a regression, not noise.

Two modes, offline and live

Offline runs the real gateway over deterministic fake upstreams in CI on every change. Live points the identical probes at a deployed model over HTTP, which is the model-quality gate before promotion.

The harness

The harness is intentionally minimal. A suite is a named set of cases with a pass-rate threshold. A case is a single pass/fail assertion with an explanatory detail on failure. A suite passes when its pass rate meets its threshold, and the scorecard passes only when every suite passes. The eval CLI exits non-zero on any failure, which is what makes it a CI gate.

{
  "passed": true,
  "suites": {
    "safety":      { "passed": true, "score": 1.0 },
    "capability":  { "passed": true, "score": 1.0 },
    "identity":    { "passed": true, "score": 1.0 },
    "coding":      { "passed": true, "score": 1.0 },
    "longcontext": { "passed": true, "score": 1.0 },
    "parity":      { "passed": true, "score": 1.0 },
    "ops":         { "passed": true, "score": 1.0 }
  },
  "ranAt": 1783000000000
}

The seven suites

Safety and compliance

safety

The privacy promises: PHI detection quality, no raw PHI beyond the vault, scope-gated re-identification, and the identity scrub.

PHI precision and recall over a labeled fixture, literal no-PHI-in-output, both directions of scoped re-identification, and identity rewrite.

threshold 1.0

Capability

capability

The structural correctness of the tool-calling layer.

The tool-schema validator accepts well-formed calls and rejects malformed ones (missing fields, wrong types) across positive and negative fixtures.

threshold 1.0

Identity integrity

identity

The served-identity policy: answers present as Theo Arca with zero base-model leakage under adversarial pressure.

14 adversarial probes across 9 categories, each run streaming and non-streaming, for 28 graded cases. A guardrail refusal counts as a valid deflection.

threshold 1.0

Domain coding

coding

That the Code tier produces standards-correct, secure-by-default healthcare and insurance engineering output.

5 probes with structural assertions: a valid FHIR R4 Patient, X12 271 structure, a tenant-scoped audited endpoint, a PHI-in-logs review, and an eligibility interface.

threshold 1.0

Long-context retrieval

longcontext

The long-context claim: no silent truncation or lost middle.

Needle probes plant a unique pass-phrase at a controlled depth in benign filler and assert it is retrieved verbatim, at shallow, middle, deep, and long-middle placements.

threshold 1.0

Serving parity

parity

That a quantized, re-engined, or re-pooled build behaves like its reference.

A shared task set runs against two endpoints; per-task quality must agree within tolerance and the aggregate mean-quality delta within a tighter bound.

threshold 1.0

Operational performance

ops

The serving-performance budget.

Streaming requests at controlled concurrency measure time-to-first-token, p95 latency, and completion-token throughput against a per-pool budget, plus a success-rate case.

threshold 1.0

From scorecard to promotion

  1. A candidate build (weights plus tier profile plus optional adapter) is registered, entering the lifecycle at building.
  2. The eval CLI runs the seven suites, offline suites always and live batteries against the deployed candidate, and emits the scorecard.
  3. The scorecard is posted to the registry entry, moving it to evaluated, then staged when thresholds are met.
  4. A promotion request without a passing scorecard is refused with a 409. With one, the build promotes through a blue-green and canary rollout to live, with the previous version retained as an atomic rollback pointer.
  5. In CI, the same harness runs on every change and exits non-zero on failure, so a change that breaks a pipeline guarantee never reaches a promotable build.

What we deliberately do not do

  • We do not publish public-leaderboard numbers: aggregate scores say little about whether this build will keep PHI out of your logs.
  • We do not report offline results as model quality.
  • We do not average safety failures away under a soft threshold.
  • We do not grade the model in isolation from the pipeline it ships inside.
05

Safety and privacy architecture

The benchmark system verifies the machinery described here. The guardrail, the Praetorian Guard, is a symmetric pipeline around inference: detect and tokenize on the way in, re-identify under scope on the way out, with tool I/O passing through the same pipeline in both directions.

Inbound

  1. Detect

    Recognizers flag clinical and insurance PHI and PII: names, MRNs, member and policy numbers, provider NPIs, and custom patterns. In deployments these are built on Microsoft Presidio, tuned for the domain.

  2. Policy gate

    Role, purpose, and confidence checks decide whether the request proceeds, escalates, or is denied. Low confidence escalates rather than passes.

  3. Tokenize

    Detected values are replaced with format-preserving tokens, and the PHI-to-token map is written to the encrypted De-identification Vault.

  4. Forward

    Only the de-identified text plus the system and policy prompt is forwarded downstream to the router and model.

Outbound

  1. Re-identification gate

    Only callers holding the explicit re-identification scope may detokenize. Everyone else receives the tokenized form.

  2. Identity scrub

    A stream-safe filter enforces the served-identity policy across both response modes, handling banned terms split across SSE chunk boundaries.

  3. PHI-safe logging

    Only redacted or tokenized content is ever logged. Raw PHI stays inside the vault.

  4. Evidence Ledger

    An append-only, hash-chained record captures request ID, tenant, model, data class, tool calls, output digest, and timestamps, with content digests instead of content.

The de-identification vault

  • Per-tenant data-encryption keys, wrapped by a KMS, with TTL-bound entries.
  • Tokens are namespaced per request and tenant to prevent cross-request or cross-tenant correlation.
  • Detokenization requires scope, and every vault access is itself an Evidence Ledger event.
  • Raw PHI never exists outside the vault's encryption boundary, not in logs, traces, metrics, or training data.

Fail-closed routing by data class

Every request carries an effective data class, the more sensitive of the caller's declaration and the guardrail's own classification, so declaring down does not work. Backends declare which classes they are certified to receive, and the router refuses rather than degrades. The code-execution pack accepts only non-PHI classes, so no prompt-engineering path can move PHI into a sandbox.

06

Verification status and results

We distinguish sharply between two kinds of claims. The offline harness proves the guarantees the system enforces. The live batteries judge the model. We encourage readers to hold us to the distinction.

What is verified today: the pipeline

The offline harness, all seven suites executed through the real gateway application over deterministic and adversarial upstreams, passes in full. The scorecard below is the actual output of an offline verification run of the current codebase (July 9, 2026).

SuiteCasesThresholdResult
safetyPHI precision/recall, no-PHI-in-output, scoped re-identification, identity scrub1.0pass
capabilityTool-schema accept/reject fixtures1.0pass
identity14 adversarial probes, streaming + non-streaming (28 cases)1.0pass
coding5 domain-engineering probes1.0pass
longcontext4 needle-retrieval probes1.0pass
parity4 two-endpoint agreement tasks + aggregate delta1.0pass
opsSuccess rate, p95 TTFT, p95 latency, throughput vs. budget1.0pass

Table 1. Offline verification scorecard, current codebase. Safety, identity, and compliance suites gate at an absolute 1.0.

Read this for what it is: proof that the guarantees enforced by the system hold, and that the harness itself can detect the failures it exists to catch. It is not a claim about live model quality.

What gates a live promotion

Model-quality claims come from the live batteries: the same identity, coding, long-context, parity, and ops probes aimed at a deployed build, whose scorecard is recorded on the registry entry it grades. Those scorecards are operational gate artifacts, produced per candidate and per deployment. We do not publish live numbers in this report, and any future publication will state the exact build, date, probe set, and mode of each figure.

07

Limitations and future work

We consider the following the honest edges of the current system.

Offline coverage is not model quality

The offline suites prove pipeline guarantees and harness correctness. Only live runs judge the model, and live results are not yet a published series. Establishing a public reporting cadence is planned.

Probe sets are compact and curated

Fourteen identity probes, five coding probes, four needles, and four parity tasks are gates, not exhaustive maps. Expanding the batteries with more languages, evasion classes, and task families is ongoing.

Structural assertions bound quality

The coding battery's structural checks encode non-negotiables. They do not grade elegance or completeness beyond the asserted structure. Richer rubric- and execution-based grading is a natural extension.

Long-context probes ship small

In-repo probes are compact for CI. Systematically sweeping depth by length toward the full window in live runs, and publishing the retrieval surface, is future work.

Ops budgets are deployment policy

We publish the dimensions (TTFT, p95 latency, throughput) rather than universal numbers, because budgets are set per pool and tier. Publishing representative budgets is under consideration.

Retrieval grounding is prompt-based today

The Code tier's domain grounding is persona-driven with an optional adapter. A retrieval corpus for standards and policy text is a documented follow-on.

08

Conclusion

Theo Arca treats the model as the most replaceable component of an AI system for regulated industries, and the guarantees around it as the least. The architecture makes privacy structural: de-identification before inference, scope-gated re-identification after, fail-closed routing in between, and a tamper-evident ledger underneath.

The benchmark system makes quality and safety enforceable: seven suites, absolute thresholds where safety is concerned, adversarial construction where the property is never, dual offline and live modes, and a registry that mechanically refuses to promote what has not passed. Gates over leaderboards, systems over models, evidence over assertion.

A

Appendix A. Model catalog

AttributeArca VeloxFastArca MagnusDeepArca EdgeOn-premArca CodeDomain coding
Model IDarca-velox-5.1arca-magnus-5.1arca-edge-5.1arca-code-5.1
TierVeloxMagnusEdgeCode
Context window1,000,0001,000,000131,0721,000,000
Max output131,072131,07232,768131,072
Default efforthighmaxhighmax
Default thinkingoffonoffon
Tool-step budget88816
Best forHigh-volume, latency-sensitive transforms, routing, and triage.Long-horizon agents and complex clinical and insurance reasoning.Constrained on-premises and air-gapped hardware envelopes.Building healthcare and insurance software, agentic engineering.

The alias arca-5.1 resolves to Magnus. Callers may adjust reasoning effort and the thinking toggle within tier policy per request. The catalog is discoverable at runtime via GET /v1/models.

B

Appendix B. Scorecard schema

{
  "passed": "boolean, true only when every suite passes",
  "suites": {
    "<suite-name>": {
      "passed": "boolean, score >= suite threshold",
      "score": "number in [0,1], the suite pass rate"
    }
  },
  "ranAt": "unix milliseconds"
}

Suites in the 5.1 battery: safety, capability, identity, coding, longcontext, parity, ops. All currently gate at threshold 1.0. The scorecard is stored verbatim on the model-registry entry it grades and is a hard precondition for promotion to live.

C

Appendix C. Public API surface

Endpoints

  • POST /v1/chat/completionsOpenAI-compatible chat inference; SSE streaming; server-side tool loop; x_arca extension block.
  • GET /v1/modelsModel catalog with family, tier, context window, and max output.
  • GET /v1/usageTenant-scoped request and token series (counts only, never content).
  • GET /v1/auditTenant-scoped Evidence Ledger records (digests and metadata only) with hash-chain verification.
  • GET /v1/toolsTool catalog with required scopes, permitted data classes, and per-key authorization.
  • POST /v1/mcpThe same governed tools over MCP (JSON-RPC 2.0).
  • GET /v1/healthLiveness and authentication diagnostic.

Error envelope

One error envelope everywhere, including mid-stream: { error: { message, type, code, request_id } }. Cold starts signal 503 plus Retry-After with code warming. Streams use an idle timeout between chunks, never a total-duration cap.

auth_errorpolicy_blockidempotency_conflictvalidation_errorrate_limitednot_foundupstream_errortimeoutinternal_error

Optional request headers

  • x-arca-data-classpublic | internal | pii | phi | secret | source_code
  • x-arca-purposetreatment | payment | operations | underwriting | claims | engineering | research, recorded for HIPAA-style purpose-of-use auditing.
D

Appendix D. Glossary

Arca
The platform and model family. Latin arca: a strongbox or vault, the posture the platform takes toward sensitive data.
Arca Node
The deployable edge gateway serving the public API on customer infrastructure.
Arca Fleet
The control plane: enrollment and licensing, projects and keys, usage, the model registry, and the console.
Tessera
The API key and credential service (a tessera was the Roman token that carried the watchword).
Praetorian Guard
The inbound and outbound PHI guardrail pipeline.
De-identification Vault
The encrypted, per-tenant, TTL-bound store of PHI-to-token mappings; the only place raw PHI exists.
Evidence Ledger
The append-only, hash-chained audit record of every consequential action, verifiable through the API.
Vigiles
Observability and audit watch: PHI-safe logs, metrics, traces, and alerting.
Scorecard
The eval harness's output artifact; stored on a registry entry and required for promotion.
Theo Arca

Put a PHI-native model to work.

Add an Arca key as an external provider and reference a tier. The key plus the model id is the entire integration. Start directly on hitheo.ai.