{"service":"scrimed-buyer-release-control-runbook","route":"/buyer-release-control-run","apiRoute":"/api/buyer-release-control-run","briefRoute":"/api/buyer-release-control-run/brief","protectedVerifierRoute":"/api/pilot-workspaces/{workspaceSlug}/buyer-release-control-run","protectedVerifierPacketRoute":"/api/pilot-workspaces/{workspaceSlug}/buyer-release-control-run/packet","protectedVerifierTimelineRoute":"/api/pilot-workspaces/{workspaceSlug}/buyer-release-control-run/timeline","operatorRunScript":"scripts/buyer-proof-release-operator-run.mjs","operatorRunCommand":"SCRIMED_REQUIRE_BUYER_PROOF_OPERATOR_RUN=1 SCRIMED_WORKSPACE_SLUG={workspaceSlug} SCRIMED_BEARER_TOKEN=<fresh-aal2-jwt> npm run smoke:buyer-proof-operator-run","operatorRunStatus":"aal2-buyer-proof-release-operator-run-script-token-boundary","status":"buyer-release-control-runbook-ready","proofStackStatus":"metadata-only-buyer-release-control-runbook-no-release-approval","briefProofStackStatus":"buyer-release-control-runbook-brief-no-secret-no-approval","boundary":"SCRIMED Buyer Release Control Runbook is a public, metadata-only operator sequence for a future protected AAL2 buyer-specific release-control run. It does not execute protected writes, mint or store tokens, store recipient lists, store signed approvals, process PHI, approve public distribution, certify legal/privacy/security posture, authorize live clinical care, guarantee reimbursement, approve production connectors, or replace qualified human review.","executionDecision":"runbook-ready-protected-aal2-required","shareDecision":"internal-only-until-release-chain-retained","stepCount":8,"protectedWriteRouteCount":8,"packetRouteCount":8,"hardStopCount":42,"requiredExternalApprovalDomains":["finance-methodology-policy","qualified-counsel-release-review","executive-release-review","privacy-security-review","clinical-governance-boundary-review","marketing-claims-review","buyer-permission-review"],"requiredReviewerRoles":["finance-reviewer","qualified-counsel","executive-sponsor","privacy-security-owner","clinical-governance-owner","marketing-claims-owner","buyer-permission-owner"],"requiredReleaseAuthorityDomains":["qualified-counsel","customer-permission-owner","executive-sponsor","privacy-security-owner","finance-owner","clinical-governance-owner","marketing-claims-owner"],"steps":[{"order":1,"id":"external-approval-evidence","label":"Reference externally retained approval evidence","state":"external-artifact-required","protectedRoute":"/api/pilot-workspaces/{workspaceSlug}/external-approval-evidence","packetRoute":"/api/pilot-workspaces/{workspaceSlug}/external-approval-evidence/packet","prerequisite":"Qualified external systems retain the actual approvals; SCRIMED stores metadata references only.","operatorAction":"Record one metadata reference per required approval domain after confirming the artifact is retained outside SCRIMED.","safePayloadTemplate":{"domainId":"<required-external-approval-domain>","externalReferenceLabel":"external retained approval reference","externalSystem":"external-system-of-record","referenceLocator":"external-reference:metadata-only","referenceOwner":"<qualified-owner-role>","evidenceRetainedExternally":true,"attestation":"external-approval-evidence-reference-no-phi","dataBoundary":"synthetic-business-workflow-only","reviewNote":"metadata-only approval reference no phi"},"expectedAuditSignal":"append-only approval-reference packet audit event","expectedPacketType":"external-approval-evidence-packet","hardStops":["Fresh human AAL2 tenant-admin session is unavailable.","Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.","The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.","The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.","The protected workspace rejects the request or does not emit an audited packet reference."],"boundary":"A reference proves an external artifact exists for review; it is not the approval artifact itself."},{"order":2,"id":"release-decision","label":"Record versioned release decision candidate","state":"protected-aal2-required","protectedRoute":"/api/pilot-workspaces/{workspaceSlug}/release-decisions","packetRoute":"/api/pilot-workspaces/{workspaceSlug}/release-decisions/packet","prerequisite":"External approval evidence references are complete for the intended audience.","operatorAction":"Record the exact claim text, claim category, distribution audience, and disabled release posture.","safePayloadTemplate":{"audience":"buyer-diligence","claimCategory":"governance","claimVersion":"claims-v1.0.0","claimText":"SCRIMED provides governed synthetic pilot evidence for healthcare workflow intelligence review.","distributionChannel":"buyer-data-room","externalApprovalEvidenceRetained":true,"releaseDisabled":true,"attestation":"protected-release-decision-no-phi-no-public-approval","dataBoundary":"synthetic-business-workflow-only","reviewNote":"no-phi release decision readiness review"},"expectedAuditSignal":"versioned release-decision audit event","expectedPacketType":"release-decision-packet","hardStops":["Fresh human AAL2 tenant-admin session is unavailable.","Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.","The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.","The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.","The protected workspace rejects the request or does not emit an audited packet reference."],"boundary":"A versioned decision candidate keeps language controlled; it is not public-release approval."},{"order":3,"id":"named-reviewer-signoffs","label":"Capture named reviewer signoff metadata","state":"protected-aal2-required","protectedRoute":"/api/pilot-workspaces/{workspaceSlug}/reviewer-signoffs","packetRoute":"/api/pilot-workspaces/{workspaceSlug}/reviewer-signoffs/packet","prerequisite":"A release decision candidate exists and remains disabled.","operatorAction":"Record metadata-only reviewer signoff references for every required reviewer role.","safePayloadTemplate":{"releaseDecisionRecordIds":["<ready-release-decision-record-id>"],"reviewerRole":"<required-reviewer-role>","reviewerLabel":"qualified reviewer label","reviewerReferenceLocator":"external-review:metadata-only","externalSignoffRetained":true,"releaseDisabled":true,"attestation":"protected-named-reviewer-signoff-no-phi-no-public-approval","dataBoundary":"synthetic-business-workflow-only","reviewNote":"metadata-only reviewer signoff no phi"},"expectedAuditSignal":"reviewer-signoff packet audit event","expectedPacketType":"reviewer-signoff-packet","hardStops":["Fresh human AAL2 tenant-admin session is unavailable.","Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.","The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.","The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.","The protected workspace rejects the request or does not emit an audited packet reference."],"boundary":"SCRIMED stores reviewer metadata and packet audit evidence, not raw signed approvals or legal opinions."},{"order":4,"id":"distribution-lockbox","label":"Record disabled distribution lockbox","state":"metadata-only-ready","protectedRoute":"/api/pilot-workspaces/{workspaceSlug}/distribution-lockbox","packetRoute":"/api/pilot-workspaces/{workspaceSlug}/distribution-lockbox/packet","prerequisite":"Named reviewer metadata is complete for the intended release audience.","operatorAction":"Create a disabled lockbox manifest that points to external controlled-room artifacts without distributing them.","safePayloadTemplate":{"releaseDecisionRecordIds":["<ready-release-decision-record-id>"],"reviewerSignoffRecordIds":["<ready-reviewer-signoff-record-id>"],"distributionAudience":"buyer-diligence-room","channelControl":"counsel-reviewed-room","manifestVersion":"distribution-v1.0.0","manifestTitle":"SCRIMED controlled buyer diligence packet","artifactLocator":"external-lockbox:controlled-manifest","customerPermissionReference":"external-permission:metadata-only","counselReviewReference":"external-counsel-review:metadata-only","distributionDisabled":true,"attestation":"protected-distribution-lockbox-no-phi-no-distribution","dataBoundary":"synthetic-business-workflow-only","reviewNote":"metadata-only distribution lockbox no phi"},"expectedAuditSignal":"disabled lockbox packet audit event","expectedPacketType":"distribution-lockbox-packet","hardStops":["Fresh human AAL2 tenant-admin session is unavailable.","Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.","The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.","The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.","The protected workspace rejects the request or does not emit an audited packet reference."],"boundary":"The lockbox records distribution controls and disabled state; it does not send files or grant access."},{"order":5,"id":"release-authority-attestations","label":"Record release-authority attestations","state":"protected-aal2-required","protectedRoute":"/api/pilot-workspaces/{workspaceSlug}/release-authority-attestations","packetRoute":"/api/pilot-workspaces/{workspaceSlug}/release-authority-attestations/packet","prerequisite":"A disabled distribution lockbox exists and every external authority remains retained.","operatorAction":"Record metadata-only authority attestations for each required release authority domain.","safePayloadTemplate":{"distributionLockboxRecordIds":["<ready-distribution-lockbox-record-id>"],"authorityDomain":"<required-release-authority-domain>","distributionAudience":"buyer-diligence-room","authorityReferenceLabel":"external release authority reference","authorityReferenceLocator":"external-authority:metadata-only","externalAuthorityRetained":true,"releaseDisabled":true,"attestation":"protected-release-authority-attestation-no-phi-no-release-approval","dataBoundary":"synthetic-business-workflow-only","reviewNote":"metadata-only release authority no phi"},"expectedAuditSignal":"release-authority packet audit event","expectedPacketType":"release-authority-attestation-packet","hardStops":["Fresh human AAL2 tenant-admin session is unavailable.","Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.","The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.","The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.","The protected workspace rejects the request or does not emit an audited packet reference."],"boundary":"Authority attestations describe retained external authority metadata; they do not make SCRIMED the authority."},{"order":6,"id":"recipient-attestations","label":"Record evidence-room recipient controls","state":"protected-aal2-required","protectedRoute":"/api/pilot-workspaces/{workspaceSlug}/evidence-room-recipient-attestations","packetRoute":"/api/pilot-workspaces/{workspaceSlug}/evidence-room-recipient-attestations/packet","prerequisite":"Release-authority metadata is complete and release remains disabled.","operatorAction":"Record intended recipient segment, access window, revocation posture, and packet reference without storing recipient identifiers.","safePayloadTemplate":{"releaseAuthorityAttestationRecordIds":["<ready-release-authority-attestation-record-id>"],"distributionAudience":"buyer-diligence-room","recipientSegment":"named-buyer-reviewers","recipientScopeLabel":"named buyer diligence reviewer group","evidenceRoomReferenceLabel":"external evidence room recipient control","evidenceRoomReferenceLocator":"evidence-room:recipient-control","packetReferenceLabel":"controlled recipient proof packet","packetReferenceLocator":"evidence-room:packet-reference","accessWindowStart":"<iso-8601-date>","accessWindowEnd":"<iso-8601-date>","revocationState":"access-not-issued","revocationTrigger":"revoke and re-review evidence room access if scope changes","externalRecipientAuthorityRetained":true,"exportDisabled":true,"attestation":"protected-evidence-room-recipient-attestation-no-phi","dataBoundary":"synthetic-business-workflow-only","reviewNote":"metadata-only recipient attestation no phi"},"expectedAuditSignal":"recipient-control packet audit event","expectedPacketType":"recipient-attestation-packet","hardStops":["Fresh human AAL2 tenant-admin session is unavailable.","Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.","The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.","The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.","The protected workspace rejects the request or does not emit an audited packet reference."],"boundary":"Recipient controls are segment metadata only; SCRIMED does not store emails, recipient rosters, or access credentials."},{"order":7,"id":"access-log-reconciliation","label":"Reconcile external evidence-room access logs","state":"protected-aal2-required","protectedRoute":"/api/pilot-workspaces/{workspaceSlug}/evidence-room-access-log-reconciliation","packetRoute":"/api/pilot-workspaces/{workspaceSlug}/evidence-room-access-log-reconciliation/packet","prerequisite":"Recipient attestations exist and the external evidence room retains access logs.","operatorAction":"Record metadata-only access-log reconciliation, anomaly posture, and revocation state without copying raw logs.","safePayloadTemplate":{"recipientAttestationRecordIds":["<ready-recipient-attestation-record-id>"],"distributionAudience":"buyer-diligence-room","reconciliationScope":"pre-release-access-log-review","externalLogSystemLabel":"external evidence room access ledger","accessLogReferenceLabel":"metadata access log reconciliation","accessLogReferenceLocator":"evidence-room:access-log-ledger","reconciliationWindowStart":"<iso-8601-date>","reconciliationWindowEnd":"<iso-8601-date>","observedAccessEventCount":0,"expectedRecipientSegmentCount":1,"anomalyState":"none-observed","revocationExerciseState":"not-issued","anomalyEscalationPath":"escalate to governance owner and keep export disabled","externalLogAuthorityRetained":true,"exportDisabled":true,"attestation":"protected-evidence-room-access-log-reconciliation-no-phi","dataBoundary":"synthetic-business-workflow-only","reviewNote":"metadata-only access log reconciliation no phi"},"expectedAuditSignal":"access-log reconciliation packet audit event","expectedPacketType":"access-log-reconciliation-packet","hardStops":["Fresh human AAL2 tenant-admin session is unavailable.","Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.","The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.","The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.","The protected workspace rejects the request or does not emit an audited packet reference."],"boundary":"SCRIMED records reconciliation metadata only; raw logs, device identifiers, IP addresses, and recipient identifiers stay out of SCRIMED."},{"order":8,"id":"buyer-diligence-export-refresh","label":"Refresh Buyer Diligence packet after controls are retained","state":"hard-stop","protectedRoute":"/api/pilot-workspaces/{workspaceSlug}/buyer-room","packetRoute":"/api/pilot-workspaces/{workspaceSlug}/buyer-room/packet","prerequisite":"Every prior release-control packet is visible, externally retained artifacts are confirmed, and qualified humans approve continued internal diligence use.","operatorAction":"Refresh the protected Buyer Pilot Room and export the Buyer Diligence packet only for internal controlled diligence unless external share readiness is complete.","safePayloadTemplate":{"action":"download-buyer-diligence-packet","workspaceSlug":"{workspaceSlug}","shareScope":"internal-protected-diligence-only","requiredState":"release-control-chain-retained","dataBoundary":"synthetic-business-workflow-only"},"expectedAuditSignal":"buyer-room packet-download audit event","expectedPacketType":"buyer-diligence-export-packet","hardStops":["Fresh human AAL2 tenant-admin session is unavailable.","Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.","The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.","The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.","The protected workspace rejects the request or does not emit an audited packet reference.","Any stakeholder asks to send the packet externally before recipient and access-log controls are reconciled.","Any claim expands beyond retained synthetic QA, governance posture, buyer diligence readiness, or explicit limitations."],"boundary":"A refreshed packet can support controlled diligence only; external sharing remains blocked until qualified release-chain evidence is retained."}],"operatorSequence":["Open /pilot-workspace/access with a fresh human AAL2 tenant-admin session.","Confirm the workspace is synthetic and the intended audience is buyer-diligence-room.","Record external approval evidence references for every required domain; keep real approvals outside SCRIMED.","Record a disabled versioned release decision for the exact bounded claim text.","Record metadata-only named reviewer signoffs for every required reviewer role.","Record a disabled distribution lockbox that references external controlled-room artifacts.","Record release-authority attestations for every required authority domain.","Record recipient segment controls and access-window metadata without recipient identifiers.","Reconcile external access logs using metadata counts and anomaly state only.","Refresh the Buyer Pilot Room and export the packet only after the protected chain shows retained packet/audit evidence.","Keep external sharing blocked unless qualified humans explicitly approve the full chain in external systems of record."],"workarounds":["If a bearer token is not available in the current Codex session, use the runbook and browser-protected workspace instead of copying tokens into scripts.","If GitHub Actions cannot safely receive a short-lived secret, execute the protected browser workflow and retain only no-secret packet IDs, hashes, timestamps, and audit-event IDs.","If an approval artifact is confidential, store only a metadata reference label, external system label, owner, and validation timestamp in SCRIMED.","If a buyer asks for external sharing before controls are retained, provide a controlled live review of the protected workspace and keep export distribution disabled.","If a public or investor claim depends on legal, privacy, security, clinical, finance, marketing, customer, or release authority, route it through the release-control chain before use."],"blockedClaims":["SCRIMED is authorized for live clinical care.","SCRIMED can process production PHI.","SCRIMED is HIPAA certified, SOC certified, FDA cleared, security certified, or regionally approved.","SCRIMED guarantees reimbursement or payer acceptance.","SCRIMED has production connector approval.","SCRIMED can autonomously diagnose, treat, submit payer transactions, or contact patients.","A buyer diligence packet is approved for public distribution.","A metadata reference is equivalent to a signed approval, legal opinion, security report, or customer permission."],"nextRecommendedAction":"Run the protected buyer-release chain in /pilot-workspace/access#buyer-release-control-verifier with a fresh AAL2 human session, review the release-readiness timeline, retain the audited chain packet, then refresh the Buyer Diligence Export while keeping external distribution disabled until qualified release authority is complete.","updated":"2026-06-22"}