Healthcare practices lose seats over expired credentials. The fix is boring and load-bearing: a daily 04:00 UTC cron sweeps every credential, fires reminders into the 90/60/30/7-day expiry windows plus an already-expired bucket, dedups via a CredentialReminderLog row keyed on (credential, window) so a credential expiring tomorrow doesn't blast the inbox at every window pass.
The reminder copy is AI-generated through the HIPAA-aware wrapper, so the language is contextual ("your DEA expires in 30 days" reads differently from "your NPI lapsed last week") without exposing PHI. Falls back to a hand-written template if the Anthropic key is unset. CONTRACT-tier audit row on every fire.