# SCRIMED Limitations and Workaround Operations Brief

Status: limitations-workaround-control-plane-active
Updated: 2026-06-29
Tracks: 12
Workaround packets: 8
Boundary escalations: 8
Boundary workaround playbooks: 11
Boundary preflight evaluations: 5
Fail-closed preflights: 1
Execution ledger entries: 5
Resolved execution ledger entries: 5
Open risks: 11
Proof routes: 42
Hard stops: 180

## Boundary
SCRIMED Limitations and Workaround Operations turns hard boundaries, defects, bottlenecks, unresolved approvals, and unsupported claims into safe operating alternatives with owners, proof routes, escalation triggers, expiration rules, and graduation gates. It is a workaround and containment layer only. It does not authorize PHI processing, live clinical care, patient matching, EHR writeback, payer submission, production connectors, public API SLAs, contractual uptime, managed service coverage, autonomous remediation, live autonomous AI, production model routing, legal advice, accounting advice, tax advice, audited financial reporting, securities material, revenue guarantees, profit-margin guarantees, security certification, accessibility certification, regulatory approval, public quantum capability claims, or buyer release authority.

This brief is not PHI processing authority, live clinical care authority, legal/accounting/tax advice, audited financial reporting, security certification, accessibility certification, production connector approval, public API SLA approval, live autonomous AI approval, buyer release approval, public quantum capability, revenue guarantee, or profit-margin guarantee.

## Authority
- Limitation authority: workaround-control-only
- Data boundary: synthetic-and-metadata-only
- PHI authority: not-authorized-production-phi
- Clinical care authority: not-authorized-live-care
- Connector authority: not-production-connector-approved
- Autonomy authority: no-autonomous-production-remediation
- AI authority: no-live-autonomous-ai-authority
- Legal authority: qualified-review-required
- Financial authority: not-audited-financial-report
- SLA authority: not-contractual-sla
- Release authority: not-release-approval
- Quantum authority: internal-research-only-no-public-claim

## Counts By State
- resolved-with-control: 0
- workaround-active: 1
- human-review-required: 3
- external-review-required: 5
- blocked-until-approved: 3

## Counts By Category
- clinical-phi-data: 2
- ehr-interoperability: 1
- api-sla-scale: 1
- ai-agent-autonomy: 1
- security-certification: 1
- global-legal-privacy: 1
- finance-revenue-contracts: 1
- onboarding-communications: 1
- release-proof: 1
- accessibility-ui: 1
- innovation-research: 1

## Operating Path
- Classify every issue, blocker, limitation, or buyer request by category, severity, owner, proof route, and authority boundary.
- Prefer a safe workaround packet before inventing a new process: synthetic no-PHI, external evidence reference, human-reviewed communication, AAL2 proof, API contract, model-route register, deal desk, or regional pack.
- Escalate immediately when PHI, live care, legal, finance, tax, security certification, regional approval, production connector, public API SLA, live AI, or buyer-release authority is implied.
- Attach an expiration rule so workaround packets do not become stale informal permission.
- Graduate the workaround only after the required evidence, qualified review, customer authority, release decision, and smoke or protected proof exist.
- Promote repeated issues into Navigation Audit, Operational Efficiency, Boundary Resolution, Platform Power, Service Reliability, or public smoke coverage.

## Buyer Confidence Signals
- Can we evaluate SCRIMED without exposing PHI or live operations? Trust message: Yes. Current demos, assessments, and synthetic pilots are designed around no-PHI inputs, synthetic fixtures, metadata-only references, and explicit live-data hard stops. Commercial value: Buyers can move into a paid workflow assessment or synthetic pilot before privacy, connector, and live clinical approvals are complete. Proof route: /health-records
- Will SCRIMED overpromise compliance, security, or clinical readiness? Trust message: No. The claims register, Trust Center, global certification readiness, and limitation routes separate readiness evidence from certification or approval claims. Commercial value: Procurement, counsel, and security reviewers can evaluate the current posture without forcing the sales team to invent unsupported answers. Proof route: /trust-center
- What happens when a buyer asks for something outside today’s capability? Trust message: SCRIMED converts the request into a workaround packet with owner, safe inputs, output, expiry rule, hard stops, escalation trigger, and graduation gate. Commercial value: Sales momentum continues through scoped alternatives instead of unsafe custom promises or stalled follow-up. Proof route: /limitations-workarounds
- How does SCRIMED keep reliability issues from becoming hidden risk? Trust message: Route checks, release proof, TrustOps incidents, operational-efficiency sprints, and continuous review loops make defects and bottlenecks visible. Commercial value: Enterprise buyers see a vendor operating model they can inspect before a larger pilot or protected activation. Proof route: /trust-safety-operations

## Workaround Packets
- Synthetic no-PHI packet: A buyer asks for workflow proof, record extraction, AI output, or demo evidence without approved PHI authority. Output: Buyer-safe demo or assessment packet with explicit no-PHI and no-live-care boundary. Expiry: Refresh whenever source class, buyer scope, approval state, or claim language changes. Hard stops: PHI introduced, patient identifier introduced, live chart requested, source artifact pasted
- External evidence reference: The artifact is sensitive, confidential, regulated, buyer-owned, or not safe to store in SCRIMED. Output: Metadata-only reference that points to the authority source without storing the underlying artifact. Expiry: Renew before expiration, owner change, buyer scope change, or regulation/certification scope change. Hard stops: artifact uploaded, secret included, contract pasted, medical record pasted
- Human-reviewed communication packet: Email, calendar, demo, presentation, pilot workshop, proposal, or follow-up language is needed. Output: Draft-only communication with approval slot, send owner, follow-up owner, and blocked-content checklist. Expiry: Re-review after 7 days, pricing change, scope change, reviewer change, or new buyer requirement. Hard stops: autonomous send requested, calendar invite creation requested, contract promise included, PHI included
- AAL2 protected proof packet: A buyer, operator, or reviewer needs retained protected proof instead of public smoke evidence. Output: Protected no-secret proof packet with release decision and buyer-safe claim state. Expiry: Re-run when deployment, route, workspace, reviewer, claim language, or evidence packet changes. Hard stops: token retained, AAL2 bypass attempted, protected route publicly exposed, buyer release claimed early
- API contract readiness packet: A technical buyer needs API detail before public API SLA, SDK, or production connector approval exists. Output: Draft API contract packet with examples, rate-limit posture, no-SLA language, and blocked claims. Expiry: Re-review on schema change, auth change, rate-limit change, version change, or buyer-specific scope. Hard stops: public API SLA implied, production connector promised, PHI payload accepted, unlimited usage promised
- Model-route register packet: A feature proposes AI model execution, provider routing, fallback, evals, or agent reasoning. Output: Readiness-only model-route record with human approval triggers and no-live-AI boundary. Expiry: Re-review on provider, model, data class, cost threshold, eval failure, or customer scope change. Hard stops: PHI routed to model, provider approval missing, production model approval implied, clinical validation claimed
- Deal desk exception packet: Pricing, scope, payment terms, ROI, reimbursement, legal, tax, accounting, securities, or contract language is non-standard. Output: Qualified-review packet with blocked claims, margin notes, counsel/accounting/tax slots, and release gate. Expiry: Re-review on price, scope, buyer, term, reviewer, or claim-language change. Hard stops: legal advice implied, revenue guaranteed, profit guaranteed, contract approved without reviewer
- Global regional workaround pack: A region, public-sector buyer, channel partner, or global certification question appears before local authority exists. Output: Localization pack that frames readiness, evidence needs, hosting questions, and retained external gates. Expiry: Re-review on region, regulation, hosting profile, partner, customer segment, or public-sector scope change. Hard stops: country launch claimed, government endorsement implied, data residency approved early, regional clinical approval claimed

## Boundary Escalation Matrix
- Buyer asks to upload, paste, connect, or analyze PHI, patient identifiers, member IDs, live charts, production records, or customer credentials. Decision: Block the request and re-scope to synthetic, no-PHI, or metadata-only evaluation. Safe response: SCRIMED can evaluate the workflow with synthetic fixtures, metadata-only source references, and a health-record safety plan while PHI authority remains gated. Owner: Privacy, security, clinical governance, customer authority owner, and TrustOS. SLA: Immediate block, same-business-day owner assignment, and daily review until safely re-scoped.. Hard stops: PHI introduced, patient identifier introduced, production credential requested, live chart requested. Graduation evidence: BAA/DPA when required, customer authority, security review, clinical governance approval, connector/data boundary approval
- Buyer, demo, sales, or product language asks SCRIMED to diagnose, treat, triage, prescribe, route patients, sign notes, or provide production CDS. Decision: Hold the claim and convert the workflow to draft-only operational planning with human clinical review. Safe response: SCRIMED can prepare workflow intelligence, draft queues, evidence organization, and governance packets, but live clinical decisions require qualified authority. Owner: Clinical governance, qualified clinicians, legal, privacy, and release stewardship. SLA: Immediate claim hold before external use; qualified review required before any clinical wording expands.. Hard stops: diagnosis implied, treatment implied, autonomous triage requested, clinician signature implied. Graduation evidence: intended-use review, clinical governance approval, customer scope, monitoring/override plan, rollback evidence
- Buyer requests production EHR, HIE, payer, imaging, device, SMART launch, writeback, patient matching, or payer submission connectivity. Decision: Block live connector execution and route to standards mapping, sandbox preflight, and customer authority review. Safe response: SCRIMED can provide standards-aware synthetic conformance review, connector contract planning, and no-mutation evidence before production connectivity is approved. Owner: Interoperability, platform engineering, privacy, security, clinical governance, and customer integration owner. SLA: Immediate block for production endpoints; weekly connector-readiness review once safely scoped.. Hard stops: production endpoint requested, EHR writeback requested, payer submission requested, patient matching requested. Graduation evidence: customer sandbox, security review, connector contract, mutation policy, audit/monitoring, rollback plan
- Procurement asks for SOC 2, HITRUST, ISO, HIPAA certification, penetration testing, vendor-risk approval, BAA/DPA, or security signoff. Decision: Respond with readiness posture, available evidence references, missing artifacts, and external-review owner. Safe response: SCRIMED can provide trust-center readiness evidence, metadata-only artifact references, and a review plan without claiming certification or approval. Owner: Security, privacy, legal, trust operations, customer authority owner, and qualified external reviewer. SLA: Same-business-day evidence owner assignment; weekly procurement evidence review until artifact status changes.. Hard stops: security certified claimed, SOC 2 certified claimed, HITRUST certified claimed, penetration test complete claimed. Graduation evidence: qualified assessment, remediation evidence, approved artifact reference, customer-specific acceptance, release authority
- Buyer asks for public API access, unlimited usage, public SDK, uptime, support coverage, contractual SLA, managed service coverage, or trillion-scale capacity. Decision: Route to API contract readiness and deal-desk review before any external commitment. Safe response: SCRIMED can share route summaries, version posture, boundary headers, rate-class planning, and support assumptions without creating an SLA. Owner: Platform engineering, service reliability, legal ops, finance, customer operations, and executive approver. SLA: Same-business-day API owner assignment; weekly scale council for quota, support, incident, and price-floor decisions.. Hard stops: public API SLA implied, unlimited usage promised, contractual uptime promised, managed service commitment implied. Graduation evidence: contract terms, rate limits, support tier, incident response plan, monitoring, price model, executive approval
- User asks agents to send messages, create invites, execute tools, remediate production, make clinical/legal/financial decisions, or act without human approval. Decision: Switch to recommendation mode and require named human approval before any protected action. Safe response: SCRIMED agents can plan, inspect, draft, evaluate, and route work while protected execution remains human-approved and audit-bound. Owner: AgentOS, TrustOS, QA, security, finance, clinical governance, and approved operator. SLA: Immediate stop for protected execution; approval packet required before action resumes.. Hard stops: tool execution without approval, production remediation requested, clinical decision requested, legal or financial decision requested. Graduation evidence: allowed tool schema, blocked tool list, human approval UI, audit persistence, rollback behavior, customer authority
- Proposal, investor, buyer, or board language asks for legal advice, tax/accounting conclusions, audited financials, valuation, securities material, ROI, revenue, reimbursement, or profit guarantees. Decision: Hold external release and route to deal desk plus qualified legal, finance, accounting, tax, or securities review. Safe response: SCRIMED can provide readiness evidence, fixed-scope offers, buyer-approved measurement plans, and review slots without giving professional advice or guarantees. Owner: Founder, deal desk, legal, finance, accounting, tax, revenue operations, and qualified advisors. SLA: Hold until qualified reviewer signs off on exact language, recipient, scope, and measurement boundary.. Hard stops: legal advice implied, tax advice implied, securities material implied, ROI or revenue guaranteed. Graduation evidence: qualified review, approved language, buyer baseline, measurement plan, recipient context, release decision
- Buyer or partner asks for country launch, public-sector approval, government endorsement, GDPR/EU AI Act conformity, NHS/MHRA/Australia approval, or data-residency approval. Decision: Convert to regional discovery and localization planning until qualified regional authority exists. Safe response: SCRIMED can prepare no-PHI regional packs, deployment questions, and evidence implications without claiming local approval or conformity. Owner: Regional counsel, privacy, security, global partnerships, procurement, and customer authority owner. SLA: Same-business-day region owner assignment; external regional review before any public-sector or country-specific claim.. Hard stops: country launch approved claimed, government endorsement implied, data residency approved claimed, regional compliance approved claimed. Graduation evidence: regional counsel review, privacy/security review, hosting decision, procurement authority, partner/customer signoff

## Boundary Workaround Playbook
- live PHI, patient identifiers, member data, live charts, and production credentials (blocked-until-evidence): Decision: Block intake, do not store the payload, and re-scope to synthetic or metadata-only review. Safe alternative: Use the Synthetic no-PHI packet, Health Records Safety Exchange source mapping, and external evidence references without copying protected records into SCRIMED. Packet: synthetic-no-phi-packet. Validate: npm run smoke:limitations-workarounds. Fail-closed: Requests that contain PHI or identifiers remain blocked before storage, model routing, connector execution, or buyer-facing output.. Gate: signed authority, data boundary approval, retention policy, monitoring plan, rollback owner
- diagnosis, treatment, prescribing, triage, patient routing, signed notes, and production CDS (external-approval-required): Decision: Convert to draft-only workflow intelligence and require qualified clinical review. Safe alternative: Use clinical-governance preparation, synthetic clinical robustness evaluation, evidence organization, and human review queues. Packet: synthetic-no-phi-packet. Validate: npm run smoke:clinical-robustness-lab. Fail-closed: Clinical outputs remain research/demo or draft-only and cannot become autonomous care, diagnosis, treatment, prescribing, or signed documentation.. Gate: clinical governance signoff, reviewer workflow, risk classification, override policy, rollback evidence
- production EHR/HIE/payer/imaging/device connector use, patient matching, writeback, and mutation (blocked-until-evidence): Decision: Block production connector execution and convert the ask into standards mapping plus sandbox preflight. Safe alternative: Use fixture validation, interoperability conformance metadata, connector contract review, and no-mutation evidence packets. Packet: api-contract-readiness. Validate: npm run smoke:public. Fail-closed: Production connector, writeback, patient matching, and raw connector payload logging stay blocked until explicit customer and technical authority exists.. Gate: sandbox credentials, scoped connector approval, audit trail, rate limits, rollback plan
- payer submission, billing submission, claim filing, reimbursement certainty, and medical-necessity determination (human-review-required): Decision: Keep payer work in documentation readiness or draft-review mode and block submission. Safe alternative: Use Documentation-Before-Authorization checks, RCM denial-risk metadata, payer-policy lookup scaffolds, and human-reviewed packets. Packet: deal-desk-exception. Validate: npm run smoke:documentation-before-authorization. Fail-closed: SCRIMED may identify missing documentation and draft review packets, but it does not submit payer transactions or guarantee reimbursement.. Gate: customer payer authority, billing compliance signoff, human submitter approval, audit log, rollback/void process
- autonomous agent execution, production remediation, model routing, tool calls, email/calendar actions, and protected workflow actions (human-review-required): Decision: Switch to recommendation mode and require named human approval before any protected action resumes. Safe alternative: Use the Meta-Harness, model-route register, manual QA execution console, and no-secret AAL2 operator lanes. Packet: model-route-register. Validate: npm run smoke:scrimed-meta-harness. Fail-closed: Agents can plan, inspect, draft, evaluate, and recommend, but protected execution requires permissioned tools, audit logs, and human approval.. Gate: allowed tool schema, blocked tool list, approval UI, audit persistence, rollback behavior
- SOC 2, HITRUST, ISO, HIPAA certification, penetration test completion, BAA/DPA, and security signoff (external-approval-required): Decision: Respond with readiness posture and evidence request owner, not certification language. Safe alternative: Use Trust Center readiness, global certification readiness, provider security review metadata, and external evidence references. Packet: external-evidence-reference. Validate: npm run smoke:limitations-workarounds. Fail-closed: Security and privacy claims remain readiness-only unless qualified evidence and approved release authority exist.. Gate: assessment report, remediation evidence, artifact reference, release approval, renewal owner
- public API SLA, unlimited usage, contractual uptime, managed service coverage, support guarantee, and scale-equivalence claims (human-review-required): Decision: Route to API contract readiness, pricing, support, incident, and executive review before external commitment. Safe alternative: Share route summaries, version posture, boundary headers, draft quotas, rate classes, support assumptions, and no-SLA language. Packet: api-contract-readiness. Validate: npm run smoke:public. Fail-closed: Public routes remain inspectable readiness surfaces and do not create contractual SLA, unlimited scale, or managed-service obligations.. Gate: contract terms, rate limits, support tier, incident plan, monitoring, price model
- legal advice, tax/accounting conclusions, audited financials, securities material, valuation, ROI, revenue, reimbursement, and profit guarantees (external-approval-required): Decision: Hold external release and route exact language to qualified legal, finance, accounting, tax, or securities review. Safe alternative: Use fixed-scope offers, buyer-approved measurement plans, review slots, finance methodology gates, and no-guarantee language. Packet: deal-desk-exception. Validate: npm run smoke:limitations-workarounds. Fail-closed: Commercial and investor material remains readiness and operating discipline, not legal advice, audited reporting, securities material, or guarantees.. Gate: approved language, recipient context, measurement plan, buyer baseline, release decision
- country launch, public-sector approval, government endorsement, data residency, GDPR, EU AI Act, NHS, MHRA, and regional procurement claims (external-approval-required): Decision: Convert to no-PHI regional discovery and localization planning until qualified local authority exists. Safe alternative: Use global regional workaround packs, deployment profiles, regional evidence implications, and local-counsel owner assignment. Packet: global-regional-pack. Validate: npm run smoke:limitations-workarounds. Fail-closed: Regional work remains discovery and localization planning, not local approval, procurement acceptance, conformity, or launch authority.. Gate: regional counsel review, hosting evidence, privacy/security signoff, partner authority, release decision
- customer go-live, buyer release, protected proof distribution, production support, and launch approval (human-review-required): Decision: Hold release language and require protected proof, reviewer signoff, recipient authority, and claim guard review. Safe alternative: Use QA Completion Bridge, Activation Seal, Manual QA Execution Console, Buyer Proof Release, and no-secret protected evidence packets. Packet: aal2-protected-proof. Validate: npm run smoke:aal2:readiness. Fail-closed: Public smoke and synthetic proof do not become buyer release authority or customer go-live approval.. Gate: fresh AAL2 run, no-secret packet, reviewer signoff, recipient qualification, access-log reconciliation
- public quantum capability, quantum clinical advantage, quantum-safe certification, and future infrastructure superiority (blocked-until-evidence): Decision: Keep the topic internal research only and remove external product, buyer, investor, or security claims. Safe alternative: Use internal research backlog items with hypothesis, source log, review owner, and no-public-claim labels. Packet: external-evidence-reference. Validate: npm run smoke:limitations-workarounds. Fail-closed: Quantum remains internal research and cannot appear as a public capability, certification, clinical advantage, or investor claim.. Gate: validated technical evidence, risk review, qualified legal/security review, approved claim language

## Boundary Preflight Evaluations
- preflight-live-phi-upload: block-fail-closed. Matches: playbook-live-phi-request, playbook-ehr-writeback-connector-request. Packets: synthetic-no-phi-packet, api-contract-readiness. External execution allowed: no. PHI allowed: no. Audit: scrimed-limit-6aad07c3
- preflight-payer-submit: human-review-required. Matches: playbook-payer-submission-request. Packets: deal-desk-exception. External execution allowed: no. PHI allowed: no. Audit: scrimed-limit-ddf12661
- preflight-agent-remediate: human-review-required. Matches: playbook-autonomous-agent-action-request. Packets: model-route-register. External execution allowed: no. PHI allowed: no. Audit: scrimed-limit-286ca658
- preflight-security-certification: external-approval-required. Matches: playbook-security-certification-request. Packets: external-evidence-reference. External execution allowed: no. PHI allowed: no. Audit: scrimed-limit-bd76bab8
- preflight-safe-synthetic-assessment: safe-workaround-only. Matches: none. Packets: synthetic assessment. External execution allowed: no. PHI allowed: no. Audit: scrimed-limit-a4d43dd8

## Known Limit Resolution Queue
- Future AAL2 durable-store happy-path smoke runs still require an authorized tenant-admin, pilot-lead, or reviewer to supply a fresh short-lived AAL2 bearer token. (high, requires-human-operator): Workaround: Run npm run smoke:aal2:readiness first, then use the no-secret helper with an explicit token source: npm run smoke:aal2:token -- --clipboard-token --clear-clipboard --write-env-local, or the hidden prompt path when clipboard transfer is blocked. Resolution: Retain only no-secret smoke status, command names, workspace slug, role class, audit metadata, and packet hashes after a human AAL2 operator runs the strict smoke; never store or paste bearer tokens. Proof: npm run smoke:aal2:durable-store:strict Gate: Fresh AAL2 session, authorized role, gitignored .env.local or shell env only, strict smoke pass, no-token evidence packet, reviewer signoff, and re-run before buyer-specific proof is released.
- The deployed app exposes durable-store contracts while protected writes depend on the SCRIMED_EXECUTION_ATTEMPT_DURABLE_STORE_ENABLED runtime flag and protected Supabase RPCs. (high, active-workaround): Workaround: Keep public summary and unauthenticated fail-closed smoke active; use strict AAL2 smoke only with a short-lived authorized operator token and synthetic workspace. Resolution: Keep the flag paired with named synthetic canaries, migration evidence, runtime-token configuration, rollback owner, strict AAL2 proof, and protected audit review. Proof: npm run smoke:aal2:durable-store Gate: Applied migration, server runtime token, feature flag scoped to target, strict AAL2 canary pass, rollback plan, and retained audit event review.
- The local sandbox may fail DNS resolution for app.scrimedsolutions.com, which can block live production smoke checks inside the default sandbox. (medium, resolved-by-workaround): Workaround: Retry the exact same smoke command with approved network escalation, or run against a local dev server with SCRIMED_BASE_URL=http://127.0.0.1:3025. Resolution: Keep every live-domain smoke command reproducible, documented, and paired with a local-server equivalent where practical. Proof: SCRIMED_BASE_URL=https://app.scrimedsolutions.com npm run smoke:public Gate: Live smoke passes from an approved network path and local fallback remains documented for sandbox-limited development.
- Supabase leaked-password protection and password-auth posture must be resolved before password sign-in is used for protected operations. (high, blocked-external-dependency): Workaround: Keep protected durable-store and QA flows on short-lived AAL2 sessions from passkey or magic-link paths; exclude password sign-in from protected smoke instructions. Resolution: Clear the Supabase security advisor item, document the identity posture, and rerun protected AAL2 smoke before broadening password-based operator access. Proof: npm run smoke:aal2:token -- --prompt-token Gate: Advisor clean or password auth excluded, MFA enrollment verified, AAL2 claims present, and tenant role proof retained without secrets.
- Local Next.js builds may warn that the native Darwin SWC binary has a macOS code-signature mismatch and fall back to WASM bindings. (watch, resolved-by-workaround): Workaround: Treat the warning as local toolchain noise when npm run build exits 0; preserve the full build result in release notes. Resolution: Refresh local dependencies or reinstall the native SWC package in a clean workspace when the team wants faster native builds. Proof: npm run build Gate: Clean native SWC load or accepted WASM fallback with successful build, typecheck, lint, and smoke evidence.
- The SCRIMED worktree can carry many staged, modified, and untracked build artifacts across long execution sessions. (medium, active-workaround): Workaround: Use git status --short, git diff --name-only, and focused smoke outputs before summarizing; never revert unrelated user or prior-session changes. Resolution: Create a release checkpoint with scoped files, generated-output policy, commit message, tag, and deployment evidence after human review. Proof: git status --short Gate: Reviewed diff, successful lint/typecheck/build/smoke, clean or intentionally scoped worktree, and release decision recorded.

## Recent Workaround Execution Ledger
- Tenant-admin workspace bootstrap completed for synthetic canary (proof-retained-no-secret): Resolved boundary: The signed-in founder/operator account existed, but the synthetic workspace did not yet have a verified tenant-admin membership for protected AAL2 smoke execution. Upgrade: Created the protected tenant/workspace membership path for atlas-synthetic-evaluation so authorized AAL2 smoke can prove tenant role, status, and workspace scope before mutation. Evidence retained: No-secret membership facts only: workspace slug, active tenant-admin role class, status, and access-review due date. Verify: npm run smoke:aal2:token -- --clipboard-token --clear-clipboard --write-env-local Residual boundary: Future users still need a governed tenant-access workflow, access review, and offboarding path before they can operate protected workflows. Next control: Promote the founder bootstrap into a reusable tenant-admin access-review checklist with least-privilege role assignment and expiry evidence.
- AAL2 token helper now prefers explicit operator token sources (control-active): Resolved boundary: A stale gitignored local bearer token could be read before a newly copied or prompted token, causing false expired-token failures during strict smoke setup. Upgrade: The helper now prefers explicit session-file, clipboard, or prompt sources before local environment fallbacks and clears the macOS clipboard when requested. Evidence retained: No bearer token retained in source, docs, logs, or smoke output; only redacted preflight status and token policy metadata are shown. Verify: npm run smoke:aal2:policy-test Residual boundary: A valid JWT still depends on a live AAL2 session and may expire before the protected smoke completes. Next control: Add the token-helper preflight to every protected smoke runbook and keep all token-like values behind redaction.
- Durable-store PHI guard precision migrations applied (proof-retained-no-secret): Resolved boundary: The durable-store no-PHI guard treated safe synthetic envelope identifiers as potential PHI, blocking protected synthetic smoke even when no patient data was present. Upgrade: Applied precision migrations so identifier checks use bounded patterns while preserving hard stops for PHI, patient identifiers, live charts, member data, and production records. Evidence retained: Migration file names, contract-check pass state, and synthetic no-PHI smoke result only; no patient data or live records are used. Verify: npm run smoke:execution-attempt-durable-store Residual boundary: Guard precision is a synthetic-safety control, not permission to process PHI or live health records. Next control: Keep adding adversarial synthetic strings to the durable-store contract check before broadening any protected workflow surface.
- Strict AAL2 durable-store smoke passed for record, replay, review, and idempotency (proof-retained-no-secret): Resolved boundary: Before the protected canary, SCRIMED had fail-closed unauthenticated evidence but lacked retained happy-path proof for authenticated durable-store operations. Upgrade: Strict smoke now proves unauthenticated record/replay/review fail closed and authorized AAL2 tenant-admin access can create record, reuse idempotency, replay evidence, and submit review disposition. Evidence retained: No-secret pass/fail status, route class, workspace slug, operation classes, and command names; bearer tokens and protected payload details are not retained. Verify: npm run smoke:aal2:durable-store:strict Residual boundary: This is synthetic protected-workflow proof only; it is not production clinical approval, PHI authority, buyer release authority, or SLA evidence. Next control: Mirror the strict smoke pattern for every future protected workflow before exposing it in demos, pilots, or buyer diligence.
- Vercel deploy hygiene hardened around local dependency archives (control-active): Resolved boundary: A local dependency archive directory could inflate deploy payloads and obscure whether deployment failures came from product code or local machine artifacts. Upgrade: The deploy ignore policy, TypeScript exclusion, and ESLint ignore now contain local dependency artifacts including node_modules 2, and production deploys can use archive mode to reduce file-count risk. Evidence retained: Deployment identifier, ready status, ignore-file policy, and command class only; no secrets or local cache contents are retained. Verify: npm run build Residual boundary: A successful lint, build, typecheck, or deploy does not create launch approval, customer release approval, uptime guarantee, or managed-service coverage. Next control: Keep generated-output hygiene in predeploy checks and require release notes to distinguish product changes from local artifacts.

## Cadences
- Daily limitation intake and workaround triage: Resolve with existing control, assign workaround packet, escalate to qualified review, or block until authority exists. Owner: Boundary owner + operational efficiency owner. Hard stops: owner missing, proof route missing, PHI introduced, unsupported claim repeated
- Daily no-PHI and clinical authority review: Hold, re-scope to synthetic/no-PHI, or escalate to clinical/privacy/legal owners. Owner: TrustOS + privacy + clinical governance. Hard stops: live record requested, diagnosis implied, treatment implied, patient matching requested
- Daily API, UI, and AI boundary scan: Attach contract packet, UI route, model-route record, agent approval trigger, or cost owner. Owner: Platform engineering + Product Console + AI platform. Hard stops: public API SLA implied, live AI implied, agent tool execution without approval, route orphaned
- Weekly legal, finance, and deal-risk council: Approve exact reviewed language, request qualified review, revise scope, or block external use. Owner: Founder + legal + finance + deal desk. Hard stops: legal advice implied, revenue guaranteed, profit guaranteed, securities material created
- Weekly global and certification workaround review: Prepare regional pack, reference external artifact, assign reviewer, or hold until external authority exists. Owner: Security + privacy + regional counsel + global partnerships. Hard stops: certified claim, country launch claim, government endorsement, data residency approved early
- Pre-demo seamless-navigation review: Promote route into navigation, add product action, add smoke coverage, or hold the demo until the path is discoverable. Owner: Product Console + frontend + sales engineering. Hard stops: route hidden, text overlap, mobile route unusable, accessibility certification implied

## Metrics
- Open limitation pressure: 11 tracks still require human, external, or approval-gated resolution. Target: Every open limitation has a safe workaround, owner, proof route, escalation trigger, and graduation gate. Boundary: Lower open pressure is operating discipline, not approval or certification.
- Workaround packet coverage: 8 reusable workaround packets and 8 escalation paths cover the highest-risk boundary classes. Target: Every repeated issue resolves to an approved packet or escalation decision before buyer use. Boundary: Packets are interim controls; they do not become authority without retained evidence.
- Hard-stop visibility: 180 hard stops and blocked claims are visible from this layer. Target: Each hard stop has an escalation owner and no-authority language before external use. Boundary: Hard-stop visibility does not waive qualified review.
- Proof-route coverage: 42 proof routes support workaround routing and graduation checks. Target: Every workaround links to a live route, API, brief, protected workspace, or external evidence reference. Boundary: Proof routes organize evidence; they do not prove protected execution alone.
- Known blocker resolution queue: 6 current operational blockers are tracked, with 4 still requiring active workaround, external dependency closure, or human operator action. Target: Every known blocker has a fail-closed check, safe workaround, next proof command, owner, and graduation gate before launch claims expand. Boundary: A resolution queue is operational control, not production, clinical, security, or release approval.
- No-secret execution ledger: 5 recent limitation workarounds are retained with 5 proof-retained or active-control entries and 0 open dependency entries. Target: Every resolved boundary keeps verification command, rollback path, residual boundary, owner, hard stops, and no-secret evidence-retention language. Boundary: Execution ledger entries prove operational control only; they do not retain tokens, PHI, secrets, or buyer-release authority.
- Boundary workaround playbook coverage: 11 preserved NO-GO boundaries have trigger signals, immediate decisions, safe alternatives, validation commands, fail-closed expectations, approval gates, and residual-risk language. Target: Every high-risk request can be routed to a deterministic workaround before anyone improvises a buyer, clinical, connector, legal, financial, or security promise. Boundary: A playbook creates operating discipline only; it does not release any preserved boundary.
- Boundary preflight fail-closed coverage: 5 synthetic request preflights are evaluated, with 1 fail-closed decisions and 1 safe-workaround-only decisions. Target: Every gray-zone buyer, operator, agent, clinical, payer, connector, security, finance, global, or release request is classified before execution or external language expands. Boundary: Preflight classification is routing and containment only; it does not process PHI, execute tools, submit payer work, or approve customer go-live.

## Tracks
- PHI and live patient-data boundary (clinical-phi-data, critical, blocked-until-approved): Current public and synthetic workflows cannot ingest PHI, patient identifiers, payer member data, live charts, production credentials, or source medical records. Workaround: Use synthetic fixtures, metadata-only references, external evidence-room pointers, no-PHI excerpts, and Health Records Safety Exchange source mapping. Control: No-PHI intake lint, route headers, source-class labels, blocked-input copy, and protected AAL2 evidence references. Gate: Executed customer authority, BAA/DPA when required, security review, clinical governance approval, connector approval, monitoring, rollback, and retained evidence.
- Live clinical care and CDS authority (clinical-phi-data, critical, external-review-required): SCRIMED can prepare workflow intelligence, draft-only outputs, and governance evidence, but cannot diagnose, treat, route patients, sign notes, or provide live clinical decision support. Workaround: Frame outputs as synthetic workflow planning, review queues, draft-only documentation, and clinical-governance preparation with explicit human review. Control: Clinical Authority Readiness, Clinical Care Activation gates, Claim Guard, and no-live-care headers. Gate: Clinical governance approval, regulatory classification, customer scope, clinician workflow controls, monitoring, override, and rollback evidence.
- Production EHR connector and writeback boundary (ehr-interoperability, critical, blocked-until-approved): FHIR, SMART, HL7, DICOM, X12, terminology, and connector planning are synthetic; production connectors, writeback, payer submission, and patient matching remain blocked. Workaround: Use fixture validation, synthetic conformance kits, connector contract review, external artifact references, and no-mutation evidence. Control: Interoperability standards map, Health Records Safety Exchange, connector blocked-claim list, and synthetic extraction evaluator. Gate: Customer sandbox, security review, connector contract, data boundary approval, mutation policy, audit, monitoring, and rollback evidence.
- Public API, SLA, and unlimited-scale boundary (api-sla-scale, high, human-review-required): Route handlers, summaries, and briefs are inspectable contract-readiness surfaces, not public API marketplace launch, contractual SLA, unlimited rate limit, or uptime guarantee. Workaround: Use route summaries, boundary headers, version posture, draft quotas, rate-limit classes, support assumptions, and no-SLA language. Control: Platform Power API contract register, Enterprise Scalability SLO readiness, Service Reliability fault classes, and Navigation Audit route counts. Gate: Contract terms, staffing model, support tier, incident response, monitoring, rate limits, price model, and executive approval.
- Live AI, production model-routing, and agent autonomy boundary (ai-agent-autonomy, critical, external-review-required): Agents may plan, route, inspect, recommend, and produce synthetic evidence, but they cannot execute protected clinical, legal, financial, customer, or production actions autonomously. Workaround: Use model-route registers, allowed/blocked data classes, eval packs, red-team loops, human approval triggers, and protected AAL2 operator lanes. Control: AgentOS, TrustOS, Platform Power, QA Claim Guard, Runtime Safety, and Continuous Review loops. Gate: Approved provider, model route, data policy, eval pass criteria, monitoring, tool schema, approval UI, rollback, audit persistence, and customer authority.
- Security, privacy, SOC 2, HITRUST, and certification boundary (security-certification, high, external-review-required): SCRIMED can organize readiness evidence, controls, and protected review paths, but cannot claim SOC 2, HITRUST, ISO, HIPAA certification, penetration-test completion, or security approval without qualified evidence. Workaround: Use Trust Center, Provider Security Reviews, Procurement Evidence Registry, Global Certification Readiness, and no-sensitive-artifact references. Control: Evidence-room metadata, owner matrix, certification tracks, blocked claims, renewal queue, and protected access logs. Gate: Qualified assessment, remediation evidence, approved artifact reference, customer-specific acceptance, and release authority.
- Global legal, privacy, AI Act, GDPR, NHS, MHRA, and regional boundary (global-legal-privacy, high, external-review-required): Global expansion readiness can map evidence needs and regional packs, but cannot claim local legal approval, procurement approval, data-residency approval, EU AI Act conformity, GDPR compliance approval, NHS DTAC approval, MHRA approval, or government endorsement. Workaround: Use regional buyer packs, deployment profiles, official-source evidence implications, partner authority registers, and qualified regional counsel review. Control: Global Certification Readiness, Global Reach, Deployment Profiles, Claim Guard, and Boundary Resolution. Gate: Qualified regional legal/privacy/security review, hosting decision, procurement authority, partner approval, and retained release evidence.
- Legal, finance, accounting, tax, revenue, and profit boundary (finance-revenue-contracts, high, external-review-required): Enterprise Business Ops can prepare deal desk, pricing, margin, billing, and review packets, but cannot provide legal/accounting/tax advice, audited financial reporting, contract approval, securities material, revenue guarantees, ROI guarantees, or profit-margin guarantees. Workaround: Use fixed-scope offers, price floors, buyer-approved measurement plans, counsel review slots, finance/accounting/tax triage, and qualified release authority. Control: Enterprise Business Ops, Growth Engine, Capital Vitality, Public Market Readiness, Deal Room, and Claim Guard. Gate: Qualified review, signed approval, buyer baseline, measurement plan, billing setup, payment terms, and retained release authority.
- Email, calendar, demo, meeting, and buyer communication boundary (onboarding-communications, medium, human-review-required): SCRIMED can prepare email-ready copy, calendar-ready agendas, demo scripts, meeting notes, and follow-up packets, but cannot autonomously send emails, create calendar invites, approve procurement, or commit scope. Workaround: Use human-reviewed templates, meeting packets, owner handoffs, no-PHI notes, and explicit send/invite approval fields. Control: Client Onboarding and Communications stages, handoffs, templates, calendar packets, and blocked-content list. Gate: Human approval of exact content, recipients, timing, scope, no-PHI boundary, pricing, and follow-up owner.
- Protected QA, buyer proof, and release authority boundary (release-proof, high, human-review-required): Public smoke can prove route availability and fail-closed protected behavior, but cannot prove protected happy-path execution, buyer-specific release, authenticated QA completion, or customer evidence-room distribution. Workaround: Use AAL2 protected workspaces, no-secret operator packets, QA Completion Bridge, Activation Seal, Proof Promotion, Buyer Proof Release, and release-control runbooks. Control: Release Continuity, QA Launch Kit, Manual QA Execution Console, Buyer Release Control Runbook, protected evidence packets, and no-token policy. Gate: Fresh human AAL2 run, no-secret packet, reviewer signoff, release decision, lockbox, recipient authority, access-log reconciliation, and claim guard approval.
- UI quality, accessibility, and seamless navigation boundary (accessibility-ui, medium, workaround-active): Navigation can be improved continuously, but current UI polish, responsive behavior, keyboard path, contrast, and accessibility posture are not formal WCAG, VPAT, Section 508, or external UX certification. Workaround: Use site navigation, role journeys, Navigation Audit, Product Console, Hub cards, smoke-covered routes, and manual UI review before demos. Control: SiteNavigation, Navigation Audit inventory, Product Console proof stack, Platform Power UI role journey control, and smoke checks. Gate: Manual responsive review, keyboard path review, contrast review, copy fit, accessibility remediation evidence, and qualified external review if claims expand.
- Internal innovation, quantum, and future infrastructure boundary (innovation-research, watch, blocked-until-approved): Internal research may investigate quantum, advanced model routing, privacy-preserving computation, and future infrastructure, but public product claims remain blocked. Workaround: Keep research assigned to the internal research team with private hypotheses, no-public-claim labels, source logs, review owners, and claim-guard blocks. Control: Continuous Review and Innovation control plane, internal research assignments, Claim Guard, Boundary Resolution, and no-public-quantum authority headers. Gate: Validated technical evidence, risk review, qualified legal/security review, buyer-safe claim language, and approved release decision.

## Blocked Claims
- PHI processing authorized
- live clinical care authorized
- patient matching approved
- EHR writeback approved
- payer submission approved
- production connector approved
- public API SLA approved
- contractual uptime guaranteed
- managed service coverage active
- autonomous remediation approved
- live autonomous AI approved
- production model routing approved
- legal advice provided
- accounting advice provided
- tax advice provided
- audited financial reporting completed
- securities offering material approved
- revenue guaranteed
- profit margin guaranteed
- security certified
- accessibility certified
- regulatory approval granted
- public quantum capability available
- buyer release approved

## Next Build Step
Attach this workaround layer and boundary escalation matrix to every new limitation found in sales, demos, QA, API, UI, AI, clinical, finance, legal, security, global, and release work; if a workaround repeats twice, promote it into smoke coverage, route inventory, Boundary Resolution, Operational Efficiency, Platform Power, or Service Reliability before claims expand.
