Theo Arca 5.1: A Compliance-Gated Model Platform
By Theo Research
TheoVex, part of the hitheo.ai ecosystem · research@theovex.com
Abstract
Theo Arca is a deployable, self-contained AI stack for regulated industries. It serves the Arca 5.1 model family (Velox, Magnus, Edge, and Code) behind an OpenAI-compatible API, wrapped in a native privacy guardrail, an agentic tool runtime, an immutable audit ledger, and a fleet control plane that manages nodes on customer infrastructure, including air-gapped environments. Our central claim is that trustworthy AI in healthcare and insurance is a systems property, not a model property, so the guarantees are built around the model and verified continuously by a promotion-gating benchmark harness of seven suites. No model version reaches production without a passing scorecard.
Keywords Compliance-gated promotion, PHI de-identification, Evidence Ledger, Agentic tools and MCP, Benchmark harness, HIPAA
Introduction
Healthcare and insurance workloads carry obligations that generic model APIs do not meet by default: HIPAA-grade handling of PHI, auditable decision trails, purpose-of-use accounting, tenant isolation, and deployment on infrastructure the customer controls.
Theo Arca is our answer to that gap. It is not a hosted model endpoint. It is the entire envelope around the model: gateway, guardrails, tools, audit, observability, licensing, and model operations, shipped as a unit (an Arca Node) that runs on the customer's own infrastructure and is centrally coordinated by a control plane (Arca Fleet).
The model inside is deliberately a swappable backend. The product is everything that makes the model safe, governable, and operable, and the benchmark system that proves a given build is fit to serve regulated traffic before it ever goes live.
Design principles
Compliance is architectural
PHI protection does not depend on the model behaving well. Sensitive values are detected, tokenized, and vaulted before inference, so the model only ever sees de-identified text. Logs, metrics, and audit records are PHI-safe by construction.
The consumer contract is frozen
Integrators depend on a small, stable surface: base URL, model IDs, OpenAI-compatible wire shape, error envelope. Weights, serving engines, adapters, routing, and guardrail internals can all change with zero consumer impact.
Promotion is gated by evaluation
A model version cannot go live without a passing scorecard. The registry enforces this mechanically: a promotion request without a passing scorecard is refused.
Fail closed
Unknown keys are rejected, over-quota requests are refused, PHI-classed traffic is never routed to a backend not certified for it, and low-confidence policy decisions escalate rather than pass.
Everything leaves evidence
Every request, guardrail decision, tool execution, and re-identification event lands in an append-only, hash-chained Evidence Ledger that callers can verify through the API.
The Theo Arca platform
A Theo Arca deployment has three cooperating parts, and every chat completion passes through the same governed pipeline before a token reaches the caller.
Anatomy of a deployment
Arca Node
The edge gateway that serves the public API. It implements the OpenAI-compatible endpoints with SSE streaming, key authentication and scoping (Tessera), the PHI guardrail pipeline (Praetorian Guard), policy-based routing, the agentic tool loop with domain tool packs and MCP exposure, the Evidence Ledger, and PHI-safe telemetry. Nodes run on customer infrastructure, cloud, datacenter, or air-gapped edge, under a signed license.
Arca Fleet
The control plane. It enrolls and licenses nodes, manages projects and API keys, durably aggregates usage, and hosts the model registry with eval-gated promotion. A node continues to serve within its license terms if the control plane is unreachable.
Console
The administrative UI and playground, served by the fleet. Keys are issued here and shown exactly once.
The request path
IDE harnesses
Cursor, Claude Code, Warp
SDK
@hitheo/sdk
MCP agents
@hitheo/mcp
Direct REST
OpenAI-compatible
Edge API
SSE, idempotency, request id
Tessera
keys, scopes, quotas, metering
Praetorian Guard
detect, tokenize
De-identification Vault
per-tenant keys, TTL
Injection screen
policy block on match
Policy router
effective data class, tier + budget
Velox
fast
Magnus
deep
Edge
on-prem
Code
domain coding
Tool registry
typed schemas
Domain packs
health, insurance, coding
MCP
JSON-RPC 2.0
Outbound guard
scoped detokenize
Identity scrub
served-identity policy
Evidence Ledger
append-only, hash-chained
Vigiles
PHI-safe telemetry
The life of a request
Authentication and metering (Tessera)
The bearer key is validated fail-closed, scopes are checked, rate limits and daily token quotas are enforced, and a request ID is assigned. Idempotency keys make retries safe.
Inbound guardrail (Praetorian Guard)
The request is classified by data sensitivity, PHI and PII entities are detected, and detected values are replaced with format-preserving tokens written to an encrypted, per-tenant, time-bounded vault. Only de-identified text proceeds.
Injection screening
Prompt-injection patterns are screened before the request reaches a backend. A positive screen is refused as a policy block.
Policy-routed backend selection
The effective data class, the more sensitive of what the caller declared and what the guardrail detected, determines which backends are eligible. Routing is fail-closed: no eligible backend means no inference.
Inference and the tool loop
The selected tier's serving profile executes the request. Tool calls are dispatched through the same guardrail in both directions, folded back into context, and continued up to a bounded number of steps.
Outbound guardrail
Tokens are re-identified only for callers holding the explicit re-identification scope. A final identity scrub enforces the served-identity policy on every response, streaming or not.
Evidence and telemetry
A hash-chained audit record (request ID, action trail, model, backend kind, data class, content digests) is appended to the Evidence Ledger, and PHI-safe usage metrics are recorded.
The provider contract
- Base URL https://api.theovex.com/v1 with bearer authentication. There is intentionally no proprietary SDK.
- Public model IDs (arca-velox-5.1, arca-magnus-5.1, arca-edge-5.1, arca-code-5.1, alias arca-5.1). Responses always echo the public ID, never an internal served-model name.
- The OpenAI chat-completions wire shape, SSE framing with a terminal [DONE], and one error envelope everywhere.
- A cold-start signal: 503 with Retry-After and code warming while a scaled-to-zero pool wakes.
Everything else (weights, serving engine, GPU topology, guardrail internals, personas, tool packs, registry versions, adapters) is invisible and free to change. A contract guard test enforces the machine-checkable parts of this promise in CI, so breaking the surface requires deliberately failing a test.
Agentic tools and MCP
Tools are typed, centrally registered functions with JSON-Schema parameters, each declaring required scopes and permitted data classes. Three domain packs ship with the platform, and the same governed tools are exposed over MCP (JSON-RPC 2.0) with identical scope enforcement.
Healthcare
FHIR R4 read and search, HL7v2 parsing and mapping, terminology lookups (SNOMED CT, LOINC, ICD-10, CPT/HCC), prior-authorization drafting, and claims coding support.
Insurance
Eligibility checks, claims-adjudication support, FNOL intake, EOB and form extraction, policy Q&A, and appeals drafting.
Coding
Repository read, search, write, and edit, an atomic multi-file diff editor, sandboxed code execution, and allow-listed build and test runners, plus deterministic scaffolding generators for secure-by-default source.
The Arca model family
The 5.1 family has four public tiers, selected per request by model ID. A tier is not a distinct pretraining run. It is a versioned serving profile: a precision and engine build, decode defaults, a system and policy persona, a tool-pack roster, a step budget, and routing policy, bound together and content-hashed.
The four tiers
Arca Velox
arca-velox-5.1. Fast tier, 1,000,000-token context. High-volume, latency-sensitive transforms, routing, and triage.
Arca Magnus
arca-magnus-5.1. Deep tier, 1,000,000-token context. Long-horizon agents and complex clinical and insurance reasoning.
Arca Edge
arca-edge-5.1. On-prem tier, 131,072-token context. Constrained on-premises and air-gapped hardware envelopes.
Arca Code
arca-code-5.1. Domain coding tier, 1,000,000-token context. Building healthcare and insurance software, agentic engineering.
The alias arca-5.1 resolves to Magnus. Callers may adjust reasoning effort and the thinking toggle within tier policy per request.
Tiers are configurations
Because the public contract is the tier ID and not the weights, we can improve any layer (swap weights, change quantization, attach a fine-tuned adapter, replace the serving engine) and ship it as an atomic, reversible pointer update, provided the candidate passes the benchmark gates.
Velox and Magnus
Velox is the low-latency build and Magnus is the full-precision deep-reasoning build. They are the same weights packaged for two operating points.
Edge
The small-footprint build, selected through a capability bake-off for on-premises and air-gapped hardware where the full window is not available.
Code
The deep-reasoning pool with a domain-engineering persona grounded in health interoperability and payer operations, a larger tool-step budget, and the coding tool pack. An optional adapter, trained only on synthetic, PHI-free data, can bake those instincts into weights.
Registry and lifecycle
Every candidate build is an immutable registry entry: ID, family, tier, version, weight digest, engine, precision, configuration hash, optional adapter reference, and its eval scorecard. Entries move through a strict lifecycle.
How we build our benchmarks
Public leaderboards answer how smart a model is. Our benchmarks answer a different question: is this exact build safe and fit to serve regulated traffic? The output of a benchmark run is a scorecard attached to a registry entry, and the registry refuses to promote without a passing one.
Principles
Gates, not exhibits
Every suite exists to block a promotion, not to decorate a launch page. If a benchmark cannot fail a bad build, we do not ship it.
Safety thresholds are absolute
Suites that guard privacy, identity, and compliance require a pass rate of 1.0. A single failing case blocks the scorecard. We do not average away a PHI leak.
Test the system, not just the model
Requests travel through the real gateway application (authentication, guardrail, persona, routing, streaming, audit), not a bare model endpoint. A benchmark that bypasses the pipeline would certify a system nobody runs.
Adversarial by construction
Where the property is never do X, we build an upstream that tries as hard as possible to do X, including splitting banned content across streaming chunk boundaries, and assert the served output is still clean.
Detectors stricter than filters
The eval-side leak detector is deliberately broader than the runtime rewrite filter, so evasions the filter intentionally leaves alone (letter-spaced spellings, encoded forms) still fail the gate.
Deterministic and PHI-safe
Fixtures use fabricated identifiers, and long-context probes are engineered so planted values cannot trigger PHI or identity rules. Offline runs are fully deterministic, so a red CI is a regression, not noise.
Two modes, offline and live
Offline runs the real gateway over deterministic fake upstreams in CI on every change. Live points the identical probes at a deployed model over HTTP, which is the model-quality gate before promotion.
The harness
The harness is intentionally minimal. A suite is a named set of cases with a pass-rate threshold. A case is a single pass/fail assertion with an explanatory detail on failure. A suite passes when its pass rate meets its threshold, and the scorecard passes only when every suite passes. The eval CLI exits non-zero on any failure, which is what makes it a CI gate.
{
"passed": true,
"suites": {
"safety": { "passed": true, "score": 1.0 },
"capability": { "passed": true, "score": 1.0 },
"identity": { "passed": true, "score": 1.0 },
"coding": { "passed": true, "score": 1.0 },
"longcontext": { "passed": true, "score": 1.0 },
"parity": { "passed": true, "score": 1.0 },
"ops": { "passed": true, "score": 1.0 }
},
"ranAt": 1783000000000
}The seven suites
Safety and compliance
safetyThe privacy promises: PHI detection quality, no raw PHI beyond the vault, scope-gated re-identification, and the identity scrub.
PHI precision and recall over a labeled fixture, literal no-PHI-in-output, both directions of scoped re-identification, and identity rewrite.
Capability
capabilityThe structural correctness of the tool-calling layer.
The tool-schema validator accepts well-formed calls and rejects malformed ones (missing fields, wrong types) across positive and negative fixtures.
Identity integrity
identityThe served-identity policy: answers present as Theo Arca with zero base-model leakage under adversarial pressure.
14 adversarial probes across 9 categories, each run streaming and non-streaming, for 28 graded cases. A guardrail refusal counts as a valid deflection.
Domain coding
codingThat the Code tier produces standards-correct, secure-by-default healthcare and insurance engineering output.
5 probes with structural assertions: a valid FHIR R4 Patient, X12 271 structure, a tenant-scoped audited endpoint, a PHI-in-logs review, and an eligibility interface.
Long-context retrieval
longcontextThe long-context claim: no silent truncation or lost middle.
Needle probes plant a unique pass-phrase at a controlled depth in benign filler and assert it is retrieved verbatim, at shallow, middle, deep, and long-middle placements.
Serving parity
parityThat a quantized, re-engined, or re-pooled build behaves like its reference.
A shared task set runs against two endpoints; per-task quality must agree within tolerance and the aggregate mean-quality delta within a tighter bound.
Operational performance
opsThe serving-performance budget.
Streaming requests at controlled concurrency measure time-to-first-token, p95 latency, and completion-token throughput against a per-pool budget, plus a success-rate case.
From scorecard to promotion
- A candidate build (weights plus tier profile plus optional adapter) is registered, entering the lifecycle at building.
- The eval CLI runs the seven suites, offline suites always and live batteries against the deployed candidate, and emits the scorecard.
- The scorecard is posted to the registry entry, moving it to evaluated, then staged when thresholds are met.
- A promotion request without a passing scorecard is refused with a 409. With one, the build promotes through a blue-green and canary rollout to live, with the previous version retained as an atomic rollback pointer.
- In CI, the same harness runs on every change and exits non-zero on failure, so a change that breaks a pipeline guarantee never reaches a promotable build.
What we deliberately do not do
- We do not publish public-leaderboard numbers: aggregate scores say little about whether this build will keep PHI out of your logs.
- We do not report offline results as model quality.
- We do not average safety failures away under a soft threshold.
- We do not grade the model in isolation from the pipeline it ships inside.
Safety and privacy architecture
The benchmark system verifies the machinery described here. The guardrail, the Praetorian Guard, is a symmetric pipeline around inference: detect and tokenize on the way in, re-identify under scope on the way out, with tool I/O passing through the same pipeline in both directions.
Inbound
Detect
Recognizers flag clinical and insurance PHI and PII: names, MRNs, member and policy numbers, provider NPIs, and custom patterns. In deployments these are built on Microsoft Presidio, tuned for the domain.
Policy gate
Role, purpose, and confidence checks decide whether the request proceeds, escalates, or is denied. Low confidence escalates rather than passes.
Tokenize
Detected values are replaced with format-preserving tokens, and the PHI-to-token map is written to the encrypted De-identification Vault.
Forward
Only the de-identified text plus the system and policy prompt is forwarded downstream to the router and model.
Outbound
Re-identification gate
Only callers holding the explicit re-identification scope may detokenize. Everyone else receives the tokenized form.
Identity scrub
A stream-safe filter enforces the served-identity policy across both response modes, handling banned terms split across SSE chunk boundaries.
PHI-safe logging
Only redacted or tokenized content is ever logged. Raw PHI stays inside the vault.
Evidence Ledger
An append-only, hash-chained record captures request ID, tenant, model, data class, tool calls, output digest, and timestamps, with content digests instead of content.
The de-identification vault
- Per-tenant data-encryption keys, wrapped by a KMS, with TTL-bound entries.
- Tokens are namespaced per request and tenant to prevent cross-request or cross-tenant correlation.
- Detokenization requires scope, and every vault access is itself an Evidence Ledger event.
- Raw PHI never exists outside the vault's encryption boundary, not in logs, traces, metrics, or training data.
Fail-closed routing by data class
Every request carries an effective data class, the more sensitive of the caller's declaration and the guardrail's own classification, so declaring down does not work. Backends declare which classes they are certified to receive, and the router refuses rather than degrades. The code-execution pack accepts only non-PHI classes, so no prompt-engineering path can move PHI into a sandbox.
Verification status and results
We distinguish sharply between two kinds of claims. The offline harness proves the guarantees the system enforces. The live batteries judge the model. We encourage readers to hold us to the distinction.
What is verified today: the pipeline
The offline harness, all seven suites executed through the real gateway application over deterministic and adversarial upstreams, passes in full. The scorecard below is the actual output of an offline verification run of the current codebase (July 9, 2026).
| Suite | Cases | Threshold | Result |
|---|---|---|---|
safety | PHI precision/recall, no-PHI-in-output, scoped re-identification, identity scrub | 1.0 | pass |
capability | Tool-schema accept/reject fixtures | 1.0 | pass |
identity | 14 adversarial probes, streaming + non-streaming (28 cases) | 1.0 | pass |
coding | 5 domain-engineering probes | 1.0 | pass |
longcontext | 4 needle-retrieval probes | 1.0 | pass |
parity | 4 two-endpoint agreement tasks + aggregate delta | 1.0 | pass |
ops | Success rate, p95 TTFT, p95 latency, throughput vs. budget | 1.0 | pass |
Table 1. Offline verification scorecard, current codebase. Safety, identity, and compliance suites gate at an absolute 1.0.
Read this for what it is: proof that the guarantees enforced by the system hold, and that the harness itself can detect the failures it exists to catch. It is not a claim about live model quality.
What gates a live promotion
Model-quality claims come from the live batteries: the same identity, coding, long-context, parity, and ops probes aimed at a deployed build, whose scorecard is recorded on the registry entry it grades. Those scorecards are operational gate artifacts, produced per candidate and per deployment. We do not publish live numbers in this report, and any future publication will state the exact build, date, probe set, and mode of each figure.
Limitations and future work
We consider the following the honest edges of the current system.
Offline coverage is not model quality
The offline suites prove pipeline guarantees and harness correctness. Only live runs judge the model, and live results are not yet a published series. Establishing a public reporting cadence is planned.
Probe sets are compact and curated
Fourteen identity probes, five coding probes, four needles, and four parity tasks are gates, not exhaustive maps. Expanding the batteries with more languages, evasion classes, and task families is ongoing.
Structural assertions bound quality
The coding battery's structural checks encode non-negotiables. They do not grade elegance or completeness beyond the asserted structure. Richer rubric- and execution-based grading is a natural extension.
Long-context probes ship small
In-repo probes are compact for CI. Systematically sweeping depth by length toward the full window in live runs, and publishing the retrieval surface, is future work.
Ops budgets are deployment policy
We publish the dimensions (TTFT, p95 latency, throughput) rather than universal numbers, because budgets are set per pool and tier. Publishing representative budgets is under consideration.
Retrieval grounding is prompt-based today
The Code tier's domain grounding is persona-driven with an optional adapter. A retrieval corpus for standards and policy text is a documented follow-on.
Conclusion
Theo Arca treats the model as the most replaceable component of an AI system for regulated industries, and the guarantees around it as the least. The architecture makes privacy structural: de-identification before inference, scope-gated re-identification after, fail-closed routing in between, and a tamper-evident ledger underneath.
The benchmark system makes quality and safety enforceable: seven suites, absolute thresholds where safety is concerned, adversarial construction where the property is never, dual offline and live modes, and a registry that mechanically refuses to promote what has not passed. Gates over leaderboards, systems over models, evidence over assertion.
Appendix A. Model catalog
| Attribute | Arca VeloxFast | Arca MagnusDeep | Arca EdgeOn-prem | Arca CodeDomain coding |
|---|---|---|---|---|
| Model ID | arca-velox-5.1 | arca-magnus-5.1 | arca-edge-5.1 | arca-code-5.1 |
| Tier | Velox | Magnus | Edge | Code |
| Context window | 1,000,000 | 1,000,000 | 131,072 | 1,000,000 |
| Max output | 131,072 | 131,072 | 32,768 | 131,072 |
| Default effort | high | max | high | max |
| Default thinking | off | on | off | on |
| Tool-step budget | 8 | 8 | 8 | 16 |
| Best for | High-volume, latency-sensitive transforms, routing, and triage. | Long-horizon agents and complex clinical and insurance reasoning. | Constrained on-premises and air-gapped hardware envelopes. | Building healthcare and insurance software, agentic engineering. |
The alias arca-5.1 resolves to Magnus. Callers may adjust reasoning effort and the thinking toggle within tier policy per request. The catalog is discoverable at runtime via GET /v1/models.
Appendix B. Scorecard schema
{
"passed": "boolean, true only when every suite passes",
"suites": {
"<suite-name>": {
"passed": "boolean, score >= suite threshold",
"score": "number in [0,1], the suite pass rate"
}
},
"ranAt": "unix milliseconds"
}Suites in the 5.1 battery: safety, capability, identity, coding, longcontext, parity, ops. All currently gate at threshold 1.0. The scorecard is stored verbatim on the model-registry entry it grades and is a hard precondition for promotion to live.
Appendix C. Public API surface
Endpoints
POST /v1/chat/completionsOpenAI-compatible chat inference; SSE streaming; server-side tool loop; x_arca extension block.GET /v1/modelsModel catalog with family, tier, context window, and max output.GET /v1/usageTenant-scoped request and token series (counts only, never content).GET /v1/auditTenant-scoped Evidence Ledger records (digests and metadata only) with hash-chain verification.GET /v1/toolsTool catalog with required scopes, permitted data classes, and per-key authorization.POST /v1/mcpThe same governed tools over MCP (JSON-RPC 2.0).GET /v1/healthLiveness and authentication diagnostic.
Error envelope
One error envelope everywhere, including mid-stream: { error: { message, type, code, request_id } }. Cold starts signal 503 plus Retry-After with code warming. Streams use an idle timeout between chunks, never a total-duration cap.
auth_errorpolicy_blockidempotency_conflictvalidation_errorrate_limitednot_foundupstream_errortimeoutinternal_errorOptional request headers
x-arca-data-classpublic | internal | pii | phi | secret | source_codex-arca-purposetreatment | payment | operations | underwriting | claims | engineering | research, recorded for HIPAA-style purpose-of-use auditing.
Appendix D. Glossary
- Arca
- The platform and model family. Latin arca: a strongbox or vault, the posture the platform takes toward sensitive data.
- Arca Node
- The deployable edge gateway serving the public API on customer infrastructure.
- Arca Fleet
- The control plane: enrollment and licensing, projects and keys, usage, the model registry, and the console.
- Tessera
- The API key and credential service (a tessera was the Roman token that carried the watchword).
- Praetorian Guard
- The inbound and outbound PHI guardrail pipeline.
- De-identification Vault
- The encrypted, per-tenant, TTL-bound store of PHI-to-token mappings; the only place raw PHI exists.
- Evidence Ledger
- The append-only, hash-chained audit record of every consequential action, verifiable through the API.
- Vigiles
- Observability and audit watch: PHI-safe logs, metrics, traces, and alerting.
- Scorecard
- The eval harness's output artifact; stored on a registry entry and required for promotion.
Put a PHI-native model to work.
Add an Arca key as an external provider and reference a tier. The key plus the model id is the entire integration. Start directly on hitheo.ai.

