Phenome — the evidence layer
What this is: Phenome is three things at once — a consumer app inside the Loop ecosystem, an open evidence corpus of real-world compound use, and a published Standard (an open methodology) that governs what may enter that corpus. It rides the same rails as the intelligence loop: the Decision+Outcome ledger, the model/rule registry, governance, and the PHI controls described in Audit & PHI. Phenome is the layer that turns measured outcomes into publishable, verifiable evidence.
Who it’s for: engineers building on the evidence corpus or its consent rails, anyone integrating a contribution source (a brand’s COA/lot data, a member’s labs/wearables), and anyone reasoning about how Loop earns a scientific claim instead of asserting one.
What to read next: Intelligence layer — the loop · Sequential learning → Helix · AI & ML layer · Audit & PHI · Events.
Framing — read this first. Phenome instruments compound use people are already doing. Loop does not sell, supply, dose, or recommend the compounds — that distinction is load-bearing, scientifically and legally. The marketing line is “the largest human trial.” The scientific reality today is a prospective observational real-world-evidence (RWE) registry with self-selected participants — not a trial. “Largest trial” is a destination, not a description of today. Never publish “safe / effective / cures / proven”; the only sanctioned framing is a real-world safety signal with denominators. Rigor is scientific armor, not legal immunity — counsel vets public claims regardless.
What Phenome is — and is not
| Phenome is | Phenome is not |
|---|---|
| A consumer app in the Loop ecosystem (an OAuth client of the platform) | An inherent insider with standing access to member data |
| A prospective observational RWE registry, safety-first | A clinical trial of an intervention Loop administers |
| A published, versioned, replicable methodology Standard | A regulatory approval, clearance, or endorsement |
| A “real-world safety signal, with denominators” reporter | A source of “safe / effective / cures / proven” claims |
| Brand-blind, member-consented, de-identified at the corpus | A named-buyer roster or a marketing data product |
The goal is an attack-resistant corpus + an open Standard, not FDA approval. Phenome leads with safety surveillance, which is observational and needs no randomization — so it stays clear of the IRB/IND bright line that administering or randomizing an unapproved compound would cross.
The rigor ladder (matched to where the data actually is)
Credibility comes from publishing the methodology and holding to it in the open — and from being honest about which rung the data is on. A result that cannot clear the gate for its rung is corpus-quarantined: retained, but excluded from any published estimate and labelled as such.
| Rung | What it is | Phenome’s stance |
|---|---|---|
| 0 · Anecdote | uncontrolled self-report | marketing only — never evidence |
| 1 · Observational RWE registry | structured baseline → exposure → re-test, no randomization | ≈ here. The safety corpus lives here; no randomization needed. |
| 2 · Pragmatic / decentralized RCT | randomized, pre-registered endpoints, run in routine care | the honest near-term target — gated on the INST/IRB track |
| 3 · Aggregated n-of-1 | each member is their own control; hierarchical Bayes pools across members | the scientifically ideal design for our data shape; only for endpoints passing the eligibility gate |
| 4 · In-silico virtual control arms | a validated digital twin generates counterfactual control trajectories | the north star — this is Helix, a research program with no model today |
The honest near-term target is rungs 1–3, led by safety at rung 1. Rung 4 (Helix) is a program built on top of a validated rung-3 engine, gated on data that has occurred ~0 times so far.
The consumer-app architecture spine
The single most important architectural fact about Phenome: it is a consumer of member data under a granted, revocable permission — never an inherent insider. It sees only what a member grants, enforced at the data layer, revocable anytime.
- The grant is the consent source of truth, and it lives in identity. A member’s OAuth grant to Phenome is the consent — member-facing, self-service, and revocable. Consent is granted and revocable, never inherent. There is one source of truth for it (no split-brain); any per-service consent record is a derived cache of the grant.
- patient-graph and clinical are consented sources, under the same rule. They contribute member data into the corpus only under the member’s grant. patient-graph is a contributing source / identity anchor — not a literal pass-through gateway (the corpus-critical data is split across clinical + intelligence; a forced gateway would fork governance).
- Phenome holds de-identified derivatives, not raw PHI it owns. “Not inherent” is true in spirit and in architecture: the corpus stores de-identified, content-addressed derivatives under a revocable grant. Raw PHI stays behind the Audit & PHI safe-views; revoke → access gone, and revocation propagates to in-flight analysis.
- Two compliance-decoupled streams keep a non-HIPAA brand from ever holding PHI. A brand stream carries non-PHI product / COA / lot / assay data; a participant stream carries PHI the member authorizes directly to Loop under a research Data-Share Agreement. Loop joins them inside its own compliant boundary — the brand never sees PHI, and therefore needs no BAA.
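The grant rule above in runnable form, added here as an illustration and not taken from Loop's code: identity holds the only authoritative grant, the data layer's consent record is a cache re-derived whenever the grant's epoch changes, and a revoke during a running analysis aborts it and discards that member's partial reads. The class names, the epoch counter, the `labs:read` scope and the derivative ids are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:
    """Hypothetical identity service: the single source of truth for grants."""
    grants: dict = field(default_factory=dict)    # (member, client) -> (epoch, scopes)

    def set_grant(self, member, client, scopes):
        epoch = self.grants.get((member, client), (0, None))[0] + 1
        self.grants[(member, client)] = (epoch, frozenset(scopes))

    def revoke(self, member, client):
        self.set_grant(member, client, ())        # new epoch, empty scope set

@dataclass
class DataLayer:
    """Serves de-identified derivatives; its consent record is only a derived cache."""
    identity: Identity
    derivatives: dict                             # member -> list of derivative ids
    cache: dict = field(default_factory=dict)     # never authoritative

    def read(self, member, client, scope, index):
        epoch, scopes = self.identity.grants.get((member, client), (0, frozenset()))
        if self.cache.get((member, client), (None,))[0] != epoch:
            self.cache[(member, client)] = (epoch, scopes)   # re-derive from the grant
        if scope not in self.cache[(member, client)][1]:
            raise PermissionError(f"{client} holds no '{scope}' grant from {member}")
        return self.derivatives[member][index]

def run_analysis(layer, member, client, scope, on_step=lambda i: None):
    """Read every derivative under the grant; a mid-run revoke discards partial work."""
    seen = []
    try:
        for i in range(len(layer.derivatives[member])):
            seen.append(layer.read(member, client, scope, i))
            on_step(i)                            # hook the demo uses to revoke mid-run
    except PermissionError:
        return {"status": "aborted", "used": []}  # nothing from this member is kept
    return {"status": "complete", "used": seen}

def demo():
    """Run once under a live grant, then again with a revoke after the first read."""
    ident = Identity()
    layer = DataLayer(ident, {"m1": ["d-a", "d-b", "d-c"]})   # constructed sample ids
    ident.set_grant("m1", "phenome", {"labs:read"})
    args = (layer, "m1", "phenome", "labs:read")
    full = run_analysis(*args)
    cut = run_analysis(*args, on_step=lambda i: ident.revoke("m1", "phenome"))
    return full, cut
```

In a deployed system the epoch comparison would be a revocation event or token introspection rather than an in-process lookup; the fail-closed ordering is the part that carries over.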
Same rails as the intelligence loop
Phenome is not a parallel stack. It is the evidence layer built on the intelligence loop’s primitives:
- The Decision+Outcome ledger is the trial data-capture + allocation log.
- The re-test cycle (baseline lab → intervention → re-test) is already a proto-n-of-1 period — the raw material an aggregated-n-of-1 design needs.
- Off-policy evaluation (policy_value / IPS) supplies the effect-estimation rails.
- The registry + governance loop provides protocol versioning and the human-in-the-loop oversight gate — the loop proposes, scientists approve.
- Guardrails + audit + PHI safe-views/erasure provide safety, data integrity, and privacy.
What Phenome adds on top of those rails is the evidence discipline: tamper-evident pre-registration, exposure/COA verification, the methodology gates, a research Data-Share Agreement, and the open App Directory + scopes that let third parties contribute.
The Standard’s gates (what may enter the corpus)
The Phenome Standard is the published bar. Conformance is per-result, not a blanket badge. Each gate is a hard precondition for a result to count as evidence:
- Exposure verification (the assay requirement). Every analyzed exposure links dose-taken → batch/lot → a machine-readable Certificate of Analysis with measured content/purity. Gray-market peptides assay 8–14% of label in published surveys; vendor COAs are necessary-but-not-sufficient, and an independent batch assay is the higher grade. Unverified exposures are quarantined.
- n-of-1 eligibility. Aggregated n-of-1 is valid only for reversible, fast-readout, stable endpoints — irreversible / structural / longevity targets are rejected before a schedule is produced.
- Multiplicity / false-discovery control (Benjamini–Hochberg FDR) on any multi-endpoint, multi-arm, or subgroup result.
- Unmeasured-confounding sensitivity — every observational estimate reports a VanderWeele E-value.
- Surrogate-endpoint policy — a biomarker is not a health outcome; un-validated surrogates are labelled “biomarker-effect, not a health claim.”
- Claims lexicon — a declarative ban on efficacy/safety claims, enforced on the publication path (not just AI chat).
- Null-publication commitment + a commerce firewall — null results publish on the same footing as positive ones, and the entity producing evidence earns nothing tied to a compound’s sales.
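Three of the gates above worked through on one multi-endpoint result set, as an added example that is not the project's own code: the Benjamini-Hochberg step-up procedure, the E-value for a risk-ratio point estimate, and the surrogate label quoted in the list. The record layout, endpoint names and numbers are constructed, and the FDR level of 0.05 is an assumption.

```python
import math

def bh_reject(pvalues, q=0.05):
    """Benjamini-Hochberg step-up: True where the null is rejected at FDR level q."""
    m = len(pvalues)
    order = sorted(range(m), key=lambda i: pvalues[i])
    k = 0
    for rank, i in enumerate(order, start=1):
        if pvalues[i] <= rank / m * q:
            k = rank                       # keep the largest rank that passes
    rejected = [False] * m
    for i in order[:k]:                    # everything up to that rank is rejected
        rejected[i] = True
    return rejected

def e_value(rr):
    """E-value for a risk-ratio point estimate (VanderWeele and Ding)."""
    if rr <= 0:
        raise ValueError("risk ratio must be positive")
    rr = 1 / rr if rr < 1 else rr          # protective estimates are inverted first
    return rr + math.sqrt(rr * (rr - 1))

def gate_report(results, q=0.05):
    """Attach the FDR decision, E-value and surrogate label to each endpoint result."""
    flags = bh_reject([r["p"] for r in results], q)
    report = []
    for r, significant in zip(results, flags):
        label = None if r["validated"] else "biomarker-effect, not a health claim"
        report.append({"endpoint": r["endpoint"], "fdr_significant": significant,
                       "e_value": round(e_value(r["rr"]), 2), "label": label})
    return report

# Constructed sample: five endpoints from one hypothetical analysis.
SAMPLE = [
    {"endpoint": "endpoint_a", "p": 0.001, "rr": 1.8, "validated": True},
    {"endpoint": "endpoint_b", "p": 0.008, "rr": 0.8, "validated": False},
    {"endpoint": "endpoint_c", "p": 0.039, "rr": 1.3, "validated": False},
    {"endpoint": "endpoint_d", "p": 0.041, "rr": 1.2, "validated": True},
    {"endpoint": "endpoint_e", "p": 0.200, "rr": 1.1, "validated": False},
]

if __name__ == "__main__":
    for row in gate_report(SAMPLE):
        print(row)
```

Four of the five constructed p-values fall below 0.05 taken one at a time, but only the first two survive the FDR gate.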
Current state — honestly (built vs designed)
| Layer | Status |
|---|---|
| Commerce intelligence loop | Built and deployed-but-dark; the outcome edge is already live (order.placed.v1). One wire from turning — nothing calls /rank yet, so the ledger is empty by design. Needs no consent gateway, no PHI. |
| Phenome evidence layer | Shipped, additive · dark, honest. The Standard, exposure/COA verification, methodology guards, a research-DSA ledger, the contribution pipeline, and the App Directory + scopes exist — a correct skeleton with two live gates. Built, but not yet wired to a serving path. |
| Connection to the web app | None. loop-health references the evidence/intelligence system in zero files today. |
| Helix (the in-silico twin) | Design + ADR-0095 (proposed), zero code. Gated on data that has occurred ~0 times. See Sequential learning → Helix. |
Everything Phenome ships is additive, dark by default, and reversible, with honest labeling and no silent mocks — that honesty is the whole credibility thesis. The Standard is not published externally claiming enforcement Loop does not yet have.
The roadmap, in one line
The phases are sequenced by data-readiness and value, not by maximal governance up front:
- Turn the commerce loop — connect one surface to /rank so real decisions + outcomes accrue (data we already have; no consent gateway).
- Phenome becomes a consumer app — register it as an OAuth client; make the member grant the consent source of truth; build the delegated-token rail.
- The evidence corpus turns — gated on the re-test behavior; safety corpus + pharmacovigilance light up first; the methodology guards wire to a real publication path.
- The open network — publish the Standard externally, open the App Directory to third parties, and offer qualified-researcher aggregate access.
- Helix (horizon) — only after rung-3 validates and longitudinal data exists and the twin passes TRIPOD+AI validation.
The full sequencing, gates, and the consent/ADR plan live in the Phenome roadmap spec and the evidence-engine plan.