{"service":"scrimed-investor-readiness-command-center","route":"/investor-readiness","apiRoute":"/api/investor-readiness/status","status":"synthetic-demo-ready","updated":"2026-06-29","enterpriseDiligenceSnapshot":{"company":"SCRIMED","status":"synthetic-demo-ready","phi_status":"not_enabled","clinical_action_status":"not_enabled","audit_readiness":true,"execution_evidence_binding":true,"deployment_readiness":"buyer_diligence_ready","no_go_boundaries":["Live PHI/ePHI, patient identifiers, source charts, production credentials, or live records.","Autonomous or final diagnosis, triage replacement, or clinical decision authority.","Autonomous treatment plans, patient-specific care instructions, or therapy selection.","Medication prescribing, medication changes, order placement, or pharmacy actions.","Patient texting, calling, emailing, portal messaging, or outreach automation.","Claims submission, prior authorization submission, appeal filing, or reimbursement assurance.","EHR writeback, chart filing, record mutation, order entry, or connector writes.","Production EHR, payer, device, imaging, or third-party connector activation approval.","HIPAA, SOC 2, HITRUST, FDA, ONC, clinical validation, security, or accessibility certification claims."]},"deploymentStatus":{"status":"production-deployed-confirmed-before-this-increment","deploymentReadiness":"buyer_diligence_ready","currentProductionUseBoundary":"Production site may show synthetic/no-PHI readiness evidence only. It is not approved for live PHI, live patient care, payer submission, patient outreach, or EHR writeback."},"smokeTestStatus":{"lastKnownStatus":"passed-confirmed-2026-06-29","aal2SmokeReadinessStatus":"aal2-smoke-readiness-preflight-ready-no-secret","aal2StrictAttemptReady":false,"aal2ProtectedHumanRunRequired":true,"aal2ReadinessApiRoute":"/api/qa-evidence/aal2-smoke-readiness","aal2ReadinessBriefRoute":"/api/qa-evidence/aal2-smoke-readiness/brief","requiredCommands":["npm run smoke:clinical-robustness-lab","npm run smoke:execution-attempt-durable-store","npm run smoke:aal2:readiness","npm run lint","npm run typecheck","npm run test:nonsecret","npm run build"],"protectedOperatorCommands":["npm run smoke:aal2:readiness","npm run smoke:aal2:token -- --prompt-token --write-env-local","npm run smoke:aal2:durable-store:strict","npm run smoke:scrimed-stored-vector-rpc:strict"],"evidenceBoundary":"Smoke status is build/readiness evidence only and does not certify compliance, security, clinical validation, or customer go-live approval."},"safetyStatus":{"policyVersion":"scrimed-safety-governance-v2026-06-29","status":"active-fail-closed","failClosedVerified":true,"blockedActionCount":9},"phiReadinessStatus":{"status":"not_enabled","boundary":"No live PHI workflows are enabled. PHI authority requires BAA/DPA, tenant controls, data classification, retention/deletion, incident response, and customer authorization."},"clinicalReadinessStatus":{"status":"synthetic-readiness-only","averageClinicalReadinessScore":97,"scenarioCount":8,"perturbationCoverage":"18/18","notice":"Research/demo use only. Not for diagnosis, treatment, prescribing, or live patient care."},"evidenceArtifacts":[{"label":"Clinical Robustness Lab","route":"/clinical-robustness-lab","apiRoute":"/api/clinical-robustness-lab","status":"clinical-robustness-lab-active-no-phi"},{"label":"Execution Attempt Envelope","route":"/workflows/execution-attempts","apiRoute":"/api/workflows/execution-attempts/envelope","status":"execution-attempt-envelope-active-no-phi"},{"label":"Execution Attempt Durable Store","route":"/workflows/execution-attempts","apiRoute":"/api/workflows/execution-attempts/durable-store","status":"execution-attempt-durable-store-contract-active-no-phi"},{"label":"AAL2 Smoke Readiness","route":"/qa-aal2-run-evidence","apiRoute":"/api/qa-evidence/aal2-smoke-readiness","status":"aal2-smoke-readiness-preflight-ready-no-secret"},{"label":"Release Evidence Ledger","route":"/release-continuity#release-evidence-ledger","apiRoute":"/api/release-continuity/evidence-ledger","status":"release-evidence-ledger-active-no-secret"},{"label":"Release Evidence Promotion Queue","route":"/release-continuity#release-evidence-promotion","apiRoute":"/api/release-continuity/evidence-promotion","status":"release-evidence-promotion-queue-active-human-gated"},{"label":"Release Evidence Freshness Guard","route":"/release-continuity#release-evidence-freshness-guard","apiRoute":"/api/release-continuity/evidence-freshness-guard","status":"release-evidence-freshness-guard-active-no-secret"},{"label":"Release Authorization Chain","route":"/release-continuity#release-authorization-chain","apiRoute":"/api/release-continuity/authorization-chain","status":"release-authorization-chain-active-no-release-approval"},{"label":"Diligence Release Gate","route":"/release-continuity#diligence-release-gate","apiRoute":"/api/release-continuity/diligence-gate","status":"diligence-release-gate-active-no-production-approval"},{"label":"Diligence Packet Manifest","route":"/release-continuity#diligence-packet-manifest","apiRoute":"/api/release-continuity/diligence-packet-manifest","status":"diligence-packet-manifest-active-no-secret"},{"label":"Diligence Packet Share Guard","route":"/release-continuity#diligence-packet-share-guard","apiRoute":"/api/release-continuity/diligence-packet-share-guard","status":"diligence-packet-share-guard-active-human-gated"},{"label":"Recipient Qualification Matrix","route":"/release-continuity#recipient-qualification-matrix","apiRoute":"/api/release-continuity/recipient-qualification-matrix","status":"recipient-qualification-matrix-active-no-secret"},{"label":"Enterprise Risk Register","route":"/risk-register","apiRoute":"/api/risk-register","status":"enterprise-risk-register-active-no-phi"},{"label":"Product Readiness Registry","route":"/product","apiRoute":"/api/products/readiness","status":"scrimed-product-readiness-registry-active-no-phi"}],"auditLogs":{"envelopeAuditTraceCount":5,"evidenceAuditTrailCount":5,"durableStoreValidationStatus":"pass","retainedBoundary":"Audit evidence is metadata-only and no-PHI. It does not contain raw chart text, patient identifiers, production connector payloads, secrets, or credentials."},"executionAttemptDurability":{"protectedWritesEnabled":true,"envelopeCount":5,"replayReadyCount":5,"supportedReviewDispositions":["approved-for-synthetic-release","changes-requested","rejected","escalated"],"activationControls":["live-migration-structural-verification","rpc-least-privilege-hardening","authenticated-aal2-smoke","supabase-auth-password-posture","tenant-canary-only"]},"aal2SmokeReadiness":{"status":"aal2-smoke-readiness-preflight-ready-no-secret","route":"/qa-aal2-run-evidence","apiRoute":"/api/qa-evidence/aal2-smoke-readiness","briefRoute":"/api/qa-evidence/aal2-smoke-readiness/brief","strictAttemptReady":false,"protectedHumanRunRequired":true,"operatorTokenRequired":true,"targetFeatureFlagRequired":true,"gateCount":8,"commandCount":4,"noSecretBoundary":"SCRIMED AAL2 Smoke Readiness is a no-secret operator preflight for synthetic AAL2 durable-store and stored-vector RPC smoke tests. It does not mint, expose, retain, validate, or bypass bearer tokens; protected APIs remain the source of truth for role, AAL2, feature flag, tenant, and RLS verification."},"deploymentReleaseChecklist":[{"id":"public-production-smoke","label":"Public production smoke","status":"required-before-release","evidence":"Public smoke remains the no-secret availability and fail-closed boundary check for buyer-facing deployments.","command":"npm run smoke:public","route":"/api/release-continuity","humanReviewRequired":false},{"id":"aal2-smoke-readiness-preflight","label":"AAL2 smoke readiness preflight","status":"aal2-smoke-readiness-preflight-ready-no-secret","evidence":"No-secret readiness API exposes strict-smoke gates, safe commands, and fail-closed modes without token material.","command":"npm run smoke:aal2:readiness","route":"/api/qa-evidence/aal2-smoke-readiness","humanReviewRequired":true},{"id":"strict-aal2-durable-store-smoke","label":"Strict AAL2 durable-store smoke","status":"blocked-until-human-aal2-and-feature-flag","evidence":"Authenticated durable-store record, replay, and review disposition proof remains blocked until a fresh authorized AAL2 operator token and target feature flag exist.","command":"npm run smoke:aal2:durable-store:strict","route":"/api/workflows/execution-attempts/durable-store","humanReviewRequired":true},{"id":"stored-vector-rpc-strict-smoke","label":"Stored-vector RPC strict smoke","status":"blocked-until-human-aal2","evidence":"Stored-vector lookup proof remains protected by the same short-lived AAL2 operator boundary.","command":"npm run smoke:scrimed-stored-vector-rpc:strict","route":"/api/scrimed-build-roadmap/stored-vector-rpc-smoke","humanReviewRequired":true}],"releaseEvidenceLedger":{"status":"release-evidence-ledger-active-no-secret","route":"/release-continuity#release-evidence-ledger","apiRoute":"/api/release-continuity/evidence-ledger","briefRoute":"/api/release-continuity/evidence-ledger/brief","entryCount":10,"passedNoSecretCount":6,"operatorRequiredCount":2,"externalReviewRequiredCount":1,"tokenMaterialCaptured":false,"productionApproval":false,"boundary":"SCRIMED Release Evidence Ledger records no-secret build, smoke, readiness, and protected-operator evidence metadata only. It does not store PHI, patient identifiers, bearer tokens, Supabase secrets, service-role keys, raw logs, production connector payloads, customer data, certification proof, release approval, or live clinical authority."},"releaseEvidencePromotion":{"status":"release-evidence-promotion-queue-active-human-gated","route":"/release-continuity#release-evidence-promotion","apiRoute":"/api/release-continuity/evidence-promotion","briefRoute":"/api/release-continuity/evidence-promotion/brief","queueCount":10,"shareableNoSecretCount":7,"operatorProofRequiredCount":2,"externalReviewRequiredCount":1,"tokenMaterialCaptured":false,"productionApproval":false,"buyerDistributionAuthority":"protected-buyer-diligence-only-after-review","externalDistributionAuthority":"not-authorized","publicClaimAuthority":"not-authorized-public-claim","boundary":"SCRIMED Release Evidence Promotion Queue converts no-secret release ledger entries into buyer-diligence candidates, protected operator proof blockers, and qualified-review requirements. It does not store PHI, tokens, raw logs, customer data, production connector payloads, certification evidence, public release approval, or live clinical authority."},"releaseEvidenceFreshnessGuard":{"status":"release-evidence-freshness-guard-active-no-secret","route":"/release-continuity#release-evidence-freshness-guard","apiRoute":"/api/release-continuity/evidence-freshness-guard","briefRoute":"/api/release-continuity/evidence-freshness-guard/brief","freshnessHash":"freshness-95ba01b3","freshnessAuthority":"fresh-rerun-required-before-external-use","publicDistributionAuthority":"not-authorized","customerSpecificAuthority":"not-authorized-without-customer-permission","cardCount":10,"internalFreshCount":2,"refreshRequiredCount":5,"humanAal2RefreshCount":2,"qualifiedReviewRefreshCount":1,"tokenMaterialCaptured":false,"productionApproval":false,"clinicalCareAuthority":"not-authorized-live-care","phiAuthority":"not-authorized-production-phi","securityCertification":"not-security-certified","boundary":"SCRIMED Release Evidence Freshness Guard is a no-secret recency and revalidation policy for release evidence. It does not rerun commands, store logs, store PHI, capture tokens, certify evidence, approve public distribution, approve production release, approve customer go-live, or authorize live clinical care."},"diligenceReleaseGate":{"status":"diligence-release-gate-active-no-production-approval","route":"/release-continuity#diligence-release-gate","apiRoute":"/api/release-continuity/diligence-gate","briefRoute":"/api/release-continuity/diligence-gate/brief","buyerDiligenceGate":"go-no-secret-metadata-with-release-steward-review","protectedAal2Gate":"no-go-until-human-aal2-retained-packet","publicDistributionGate":"no-go-until-qualified-review","productionReleaseGate":"no-go-not-release-approval","clinicalProductionGate":"no-go-not-authorized-live-care","gateCount":5,"goCount":2,"reviewRequiredCount":0,"noGoCount":3,"tokenMaterialCaptured":false,"productionApproval":false,"boundary":"SCRIMED Diligence Release Gate summarizes no-secret buyer diligence readiness while preserving NO-GO boundaries for protected AAL2 proof, public distribution, production release, PHI processing, certification, and live clinical care."},"diligencePacketManifest":{"status":"diligence-packet-manifest-active-no-secret","route":"/release-continuity#diligence-packet-manifest","apiRoute":"/api/release-continuity/diligence-packet-manifest","briefRoute":"/api/release-continuity/diligence-packet-manifest/brief","manifestHash":"diligence-manifest-73403733","packetUseAuthority":"no-secret-buyer-investor-diligence-only","publicDistributionAuthority":"not-authorized","clinicalCareAuthority":"not-authorized-live-care","phiAuthority":"not-authorized-production-phi","securityCertification":"not-security-certified","itemCount":12,"includeNoSecretCount":6,"summaryOnlyCount":3,"withholdUntilHumanAal2Count":2,"withholdUntilQualifiedReviewCount":1,"noGoCount":3,"tokenMaterialCaptured":false,"productionApproval":false,"boundary":"SCRIMED Diligence Packet Manifest assembles no-secret buyer and investor diligence metadata only. It does not store PHI, bearer tokens, Supabase secrets, service-role keys, raw logs, customer data, production connector payloads, certification proof, release approval, public distribution approval, or live clinical authority."},"diligencePacketShareGuard":{"status":"diligence-packet-share-guard-active-human-gated","route":"/release-continuity#diligence-packet-share-guard","apiRoute":"/api/release-continuity/diligence-packet-share-guard","briefRoute":"/api/release-continuity/diligence-packet-share-guard/brief","guardHash":"diligence-share-75b52bf1","externalShareAuthority":"protected-diligence-only-after-human-review","recipientAuthorizationAuthority":"recipient-specific-human-approval-required","publicDistributionAuthority":"not-authorized","customerSpecificAuthority":"not-authorized-without-customer-permission","clinicalCareAuthority":"not-authorized-live-care","phiAuthority":"not-authorized-production-phi","securityCertification":"not-security-certified","cardCount":7,"noGoCount":1,"reviewRequiredCount":5,"internalAllowCount":1,"tokenMaterialCaptured":false,"productionApproval":false,"boundary":"SCRIMED Diligence Packet Share Guard is a no-secret recipient and distribution control. It does not share packets, send emails, create calendar invites, approve public distribution, authorize PHI, certify security or compliance, approve production release, approve customer go-live, or authorize live clinical care."},"recipientQualificationMatrix":{"status":"recipient-qualification-matrix-active-no-secret","route":"/release-continuity#recipient-qualification-matrix","apiRoute":"/api/release-continuity/recipient-qualification-matrix","briefRoute":"/api/release-continuity/recipient-qualification-matrix/brief","qualificationHash":"recipient-qualification-e13fcd32","externalShareAuthority":"qualified-recipient-review-required","publicDistributionAuthority":"not-authorized","recipientIdentifierStorage":"not-stored-in-scrimed","customerSpecificAuthority":"not-authorized-without-customer-permission","clinicalCareAuthority":"not-authorized-live-care","phiAuthority":"not-authorized-production-phi","securityCertification":"not-security-certified","recipientClassCount":6,"qualifiedReviewRequiredCount":4,"blockedRecipientCount":4,"revocationRequiredCount":6,"tokenMaterialCaptured":false,"productionApproval":false,"boundary":"SCRIMED Recipient Qualification Matrix is a no-secret recipient policy preflight for diligence packet sharing. It does not store recipient names, recipient emails, access grants, raw access logs, bearer tokens, PHI, customer data, signed approvals, legal opinions, certification evidence, production connector payloads, public distribution approval, customer go-live approval, or live clinical care authorization."},"releaseAuthorizationChain":{"status":"release-authorization-chain-active-no-release-approval","route":"/release-continuity#release-authorization-chain","apiRoute":"/api/release-continuity/authorization-chain","briefRoute":"/api/release-continuity/authorization-chain/brief","authorizationHash":"release-authorization-831a9179","safeUseLabel":"no-secret-metadata-chain-not-release-approval","chainDecision":"blocked-by-design","weakestLink":"diligence-release-gate:blocked-by-design","buyerDiligenceMetadataLane":"available-after-release-steward-review","protectedProofLane":"blocked-until-human-aal2","publicDistributionAuthority":"not-authorized","customerSpecificAuthority":"not-authorized-without-customer-permission","releaseAuthority":"not-release-approval","clinicalCareAuthority":"not-authorized-live-care","phiAuthority":"not-authorized-production-phi","securityCertification":"not-security-certified","controlCount":8,"passedNoSecretCount":2,"humanReviewRequiredCount":1,"operatorRequiredCount":2,"externalReviewRequiredCount":0,"blockedByDesignCount":3,"tokenMaterialCaptured":false,"productionApproval":false,"boundary":"SCRIMED Release Authorization Chain composes the no-secret release ledger, evidence freshness guard, diligence gate, packet manifest, recipient qualification matrix, share guard, and AAL2 readiness into one weakest-link control view. It does not approve release, share packets, store recipient identifiers, retain token material, authorize PHI, certify security or compliance, approve customer go-live, or authorize live clinical care."},"modelProviderReadiness":{"status":"synthetic-fallback-active-provider-calls-disabled-by-default","supportedTiers":["FAST_LOW_COST","ENTERPRISE_REASONING","CLINICAL_REVIEW_SYNTHETIC","CYBER_DEFENSE_SYNTHETIC","RESEARCH_SIMULATION_SYNTHETIC"],"providerCount":8,"externalCallsEnabled":false,"noSecretTestMode":true,"costGuardrails":{"version":"scrimed-cost-api-guardrails-v2026-06-29","failClosedVerified":true,"providerCallsEnabled":false,"costGuardrailsEnabled":true}},"integrationReadiness":{"currentStatus":"synthetic-and-metadata-only","readyFor":"FHIR/HL7/DICOM/X12 architecture review, buyer diligence, and no-PHI connector planning.","notReadyFor":"Production EHR writeback, payer submission, patient outreach, device ingestion, live scheduling, or customer connector activation."},"knownNoGoBoundaries":["Live PHI/ePHI, patient identifiers, source charts, production credentials, or live records.","Autonomous or final diagnosis, triage replacement, or clinical decision authority.","Autonomous treatment plans, patient-specific care instructions, or therapy selection.","Medication prescribing, medication changes, order placement, or pharmacy actions.","Patient texting, calling, emailing, portal messaging, or outreach automation.","Claims submission, prior authorization submission, appeal filing, or reimbursement assurance.","EHR writeback, chart filing, record mutation, order entry, or connector writes.","Production EHR, payer, device, imaging, or third-party connector activation approval.","HIPAA, SOC 2, HITRUST, FDA, ONC, clinical validation, security, or accessibility certification claims."],"nextMilestones":["Run /api/release-continuity/authorization-chain before any external packet reference so the weakest-link state is visible across evidence, freshness, manifest, recipient, share, and AAL2 controls.","Run /api/release-continuity/evidence-freshness-guard before evidence is reused in buyer, investor, clinical, security, public, or customer-specific contexts.","Use /api/release-continuity/recipient-qualification-matrix before external packet references so recipient class, expiry, revocation, and no-identifier storage are explicit.","Use /api/release-continuity/diligence-packet-share-guard before buyer, investor, public, customer-specific, clinical, or security packet references leave SCRIMED.","Use /api/release-continuity/diligence-packet-manifest to assemble buyer and investor packets from allowed no-secret fields while withholding AAL2 proof, public claims, certification claims, PHI, and clinical authority.","Use the Diligence Release Gate to present no-secret buyer-diligence GO items separately from AAL2, public-distribution, production, and clinical NO-GO items.","Use the Release Evidence Promotion Queue to separate shareable metadata, operator proof blockers, and qualified-review blockers before buyer distribution.","Promote AAL2 smoke readiness and strict-smoke outcomes into protected buyer workspaces with tenant RBAC.","Add OAuth scoped-token MCP gateway with revocation and tool-level authorization.","Add reviewer-calibrated evaluation datasets and release-blocking regression checks.","Prepare legal, privacy, security, and clinical governance packets before any PHI or production connector approval."],"riskRegister":{"riskCount":13,"criticalCount":5,"blockedBeforeProductionCount":4,"apiRoute":"/api/risk-register"},"productReadiness":{"productCount":20,"stageCounts":{"synthetic-demo-ready":9,"diligence-ready":7,"protected-pilot-prep":3,"blocked-before-clinical-production":1},"apiRoute":"/api/products/readiness"},"boundary":"Investor Readiness Command Center is a no-PHI diligence and operating-readiness surface. It is not investment advice, securities material, audited financial reporting, compliance certification, clinical validation, live patient-care authority, PHI authority, customer go-live approval, or production connector approval."}