{"service":"scrimed-diligence-packet-manifest","status":"diligence-packet-manifest-active-no-secret","route":"/release-continuity#diligence-packet-manifest","apiRoute":"/api/release-continuity/diligence-packet-manifest","briefRoute":"/api/release-continuity/diligence-packet-manifest/brief","generatedAt":"static-no-secret-diligence-packet-manifest","manifestHash":"diligence-manifest-73403733","noPhiConfirmed":true,"tokenMaterialCaptured":false,"productionApproval":false,"packetUseAuthority":"no-secret-buyer-investor-diligence-only","publicDistributionAuthority":"not-authorized","clinicalCareAuthority":"not-authorized-live-care","phiAuthority":"not-authorized-production-phi","securityCertification":"not-security-certified","itemCount":12,"includeNoSecretCount":6,"summaryOnlyCount":3,"withholdUntilHumanAal2Count":2,"withholdUntilQualifiedReviewCount":1,"noGoCount":3,"items":[{"id":"enterprise-diligence-snapshot","label":"Enterprise diligence snapshot","packetSection":"executive-snapshot","sourceRoute":"/investor-readiness","apiRoute":"/api/investor-readiness/status","status":"synthetic-demo-ready","shareability":"include-no-secret-metadata","goNoGo":"go-no-secret","reviewerOwner":"release steward","allowedFields":["service name","status","public route","API route","brief route","evidence hash","GO/NO-GO state","review owner","blocked claims","safe next action","no-secret boundary"],"withheldMaterial":["bearer tokens","JWTs","refresh tokens","Supabase keys","service-role keys","passwords","PHI","patient identifiers","raw logs","customer data","production connector payloads","clinical conclusions","legal opinions","security certification reports","unreviewed public claims"],"safetyBoundary":"Use only current-state synthetic/no-PHI readiness language; do not imply investment advice, customer approval, certification, or production authority.","nextAction":"Attach the Enterprise Diligence Snapshot JSON and current NO-GO boundaries."},{"id":"diligence-release-gate","label":"Diligence Release Gate","packetSection":"executive-snapshot","sourceRoute":"/release-continuity#diligence-release-gate","apiRoute":"/api/release-continuity/diligence-gate","status":"diligence-release-gate-active-no-production-approval","shareability":"include-no-secret-metadata","goNoGo":"go-no-secret","reviewerOwner":"release steward + claim guard reviewer","allowedFields":["service name","status","public route","API route","brief route","evidence hash","GO/NO-GO state","review owner","blocked claims","safe next action","no-secret boundary"],"withheldMaterial":["bearer tokens","JWTs","refresh tokens","Supabase keys","service-role keys","passwords","PHI","patient identifiers","raw logs","customer data","production connector payloads","clinical conclusions","legal opinions","security certification reports","unreviewed public claims"],"safetyBoundary":"SCRIMED Diligence Release Gate summarizes no-secret buyer diligence readiness while preserving NO-GO boundaries for protected AAL2 proof, public distribution, production release, PHI processing, certification, and live clinical care.","nextAction":"Attach GO/NO-GO gate cards before any buyer or investor distribution."},{"id":"clinical-robustness-lab","label":"Clinical Robustness Lab","packetSection":"synthetic-clinical-readiness","sourceRoute":"/clinical-robustness-lab","apiRoute":"/api/clinical-robustness-lab","status":"clinical-robustness-lab-active-no-phi","shareability":"include-summary-only","goNoGo":"go-no-secret","reviewerOwner":"clinical safety reviewer","allowedFields":["service name","status","public route","API route","brief route","evidence hash","GO/NO-GO state","review owner","blocked claims","safe next action","no-secret boundary"],"withheldMaterial":["bearer tokens","JWTs","refresh tokens","Supabase keys","service-role keys","passwords","PHI","patient identifiers","raw logs","customer data","production connector payloads","clinical conclusions","legal opinions","security certification reports","unreviewed public claims"],"safetyBoundary":"Research/demo use only. Not for diagnosis, treatment, prescribing, or live patient care.","nextAction":"Share synthetic scenario counts and use notice only; do not claim clinical validation."},{"id":"execution-attempt-envelope","label":"Execution Attempt Envelope","packetSection":"audit-and-durability","sourceRoute":"/workflows/execution-attempts","apiRoute":"/api/workflows/execution-attempts/envelope","status":"execution-attempt-envelope-active-no-phi","shareability":"include-no-secret-metadata","goNoGo":"go-no-secret","reviewerOwner":"platform audit reviewer","allowedFields":["service name","status","public route","API route","brief route","evidence hash","GO/NO-GO state","review owner","blocked claims","safe next action","no-secret boundary"],"withheldMaterial":["bearer tokens","JWTs","refresh tokens","Supabase keys","service-role keys","passwords","PHI","patient identifiers","raw logs","customer data","production connector payloads","clinical conclusions","legal opinions","security certification reports","unreviewed public claims"],"safetyBoundary":"Execution envelope metadata is no-PHI and does not include raw chart text, patient identifiers, connector payloads, secrets, or credentials.","nextAction":"Attach envelope audit counts and evidence envelope route."},{"id":"execution-attempt-durable-store","label":"Execution Attempt Durable Store","packetSection":"audit-and-durability","sourceRoute":"/workflows/execution-attempts","apiRoute":"/api/workflows/execution-attempts/durable-store","status":"execution-attempt-durable-store-contract-active-no-phi","shareability":"include-no-secret-metadata","goNoGo":"go-no-secret","reviewerOwner":"platform audit reviewer","allowedFields":["service name","status","public route","API route","brief route","evidence hash","GO/NO-GO state","review owner","blocked claims","safe next action","no-secret boundary"],"withheldMaterial":["bearer tokens","JWTs","refresh tokens","Supabase keys","service-role keys","passwords","PHI","patient identifiers","raw logs","customer data","production connector payloads","clinical conclusions","legal opinions","security certification reports","unreviewed public claims"],"safetyBoundary":"Durable-store source contract evidence is metadata-only; protected writes still require AAL2 and target enablement.","nextAction":"Attach durable-store source contract status and protected-write boundary."},{"id":"release-evidence-ledger","label":"Release Evidence Ledger","packetSection":"release-evidence","sourceRoute":"/release-continuity#release-evidence-ledger","apiRoute":"/api/release-continuity/evidence-ledger","status":"release-evidence-ledger-active-no-secret","shareability":"include-no-secret-metadata","goNoGo":"go-no-secret","reviewerOwner":"release steward","allowedFields":["service name","status","public route","API route","brief route","evidence hash","GO/NO-GO state","review owner","blocked claims","safe next action","no-secret boundary"],"withheldMaterial":["bearer tokens","JWTs","refresh tokens","Supabase keys","service-role keys","passwords","PHI","patient identifiers","raw logs","customer data","production connector payloads","clinical conclusions","legal opinions","security certification reports","unreviewed public claims"],"safetyBoundary":"SCRIMED Release Evidence Ledger records no-secret build, smoke, readiness, and protected-operator evidence metadata only. It does not store PHI, patient identifiers, bearer tokens, Supabase secrets, service-role keys, raw logs, production connector payloads, customer data, certification proof, release approval, or live clinical authority.","nextAction":"Attach ledger entry counts, deterministic evidence hashes, and blocked claims."},{"id":"release-evidence-promotion","label":"Release Evidence Promotion Queue","packetSection":"release-evidence","sourceRoute":"/release-continuity#release-evidence-promotion","apiRoute":"/api/release-continuity/evidence-promotion","status":"release-evidence-promotion-queue-active-human-gated","shareability":"include-no-secret-metadata","goNoGo":"go-no-secret","reviewerOwner":"release steward + claim guard reviewer","allowedFields":["service name","status","public route","API route","brief route","evidence hash","GO/NO-GO state","review owner","blocked claims","safe next action","no-secret boundary"],"withheldMaterial":["bearer tokens","JWTs","refresh tokens","Supabase keys","service-role keys","passwords","PHI","patient identifiers","raw logs","customer data","production connector payloads","clinical conclusions","legal opinions","security certification reports","unreviewed public claims"],"safetyBoundary":"SCRIMED Release Evidence Promotion Queue converts no-secret release ledger entries into buyer-diligence candidates, protected operator proof blockers, and qualified-review requirements. It does not store PHI, tokens, raw logs, customer data, production connector payloads, certification evidence, public release approval, or live clinical authority.","nextAction":"Attach lane counts and list withheld operator-proof and external-review blockers."},{"id":"aal2-smoke-readiness","label":"AAL2 Smoke Readiness","packetSection":"release-evidence","sourceRoute":"/qa-aal2-run-evidence","apiRoute":"/api/qa-evidence/aal2-smoke-readiness","status":"aal2-smoke-readiness-preflight-ready-no-secret","shareability":"withhold-until-human-aal2","goNoGo":"no-go","reviewerOwner":"approved AAL2 operator","allowedFields":["service name","status","public route","API route","brief route","evidence hash","GO/NO-GO state","review owner","blocked claims","safe next action","no-secret boundary"],"withheldMaterial":["bearer tokens","JWTs","refresh tokens","Supabase keys","service-role keys","passwords","PHI","patient identifiers","raw logs","customer data","production connector payloads","clinical conclusions","legal opinions","security certification reports","unreviewed public claims"],"safetyBoundary":"SCRIMED AAL2 Smoke Readiness is a no-secret operator preflight for synthetic AAL2 durable-store and stored-vector RPC smoke tests. It does not mint, expose, retain, validate, or bypass bearer tokens; protected APIs remain the source of truth for role, AAL2, feature flag, tenant, and RLS verification.","nextAction":"Share readiness preflight only; withhold strict proof claims until retained protected packet metadata exists."},{"id":"protected-boundary-release-evidence-intake-packet","label":"Protected Boundary Release Evidence Intake Packet","packetSection":"release-evidence","sourceRoute":"/pilot-workspace/access#boundary-release-evidence-intake","apiRoute":"/api/pilot-workspaces/{workspaceSlug}/boundary-release-evidence-intake/packet","status":"aal2-audited-boundary-release-evidence-intake-packets-no-phi","shareability":"withhold-until-human-aal2","goNoGo":"no-go","reviewerOwner":"approved AAL2 operator + release steward","allowedFields":["service name","status","public route","API route","brief route","evidence hash","GO/NO-GO state","review owner","blocked claims","safe next action","no-secret boundary","protected packet route","packet proof-stack status","storage authority","release authority"],"withheldMaterial":["bearer tokens","JWTs","refresh tokens","Supabase keys","service-role keys","passwords","PHI","patient identifiers","raw logs","customer data","production connector payloads","clinical conclusions","legal opinions","security certification reports","unreviewed public claims"],"safetyBoundary":"Protected Boundary Release Evidence Intake accepts only tenant-scoped, AAL2-authenticated metadata references to externally retained approval evidence. It does not store PHI, patient identifiers, payer member data, raw clinical records, source contracts, signed BAAs/DPAs, legal opinions, credentials, bearer tokens, raw connector payloads, security reports, certification evidence, customer-confidential artifacts, or release approvals. Intake records cannot relieve preserved SCRIMED boundaries. Packet status: protected-boundary-release-evidence-intake-aal2-metadata-only. Storage authority: external-artifact-reference-only-no-raw-evidence-storage. Release authority: not-authorized-boundary-release.","nextAction":"Run the protected packet route only inside an approved AAL2 session, retain audit metadata, and keep boundary-release claims blocked until qualified external review."},{"id":"product-readiness-registry","label":"Product Readiness Registry","packetSection":"risk-and-products","sourceRoute":"/product","apiRoute":"/api/products/readiness","status":"scrimed-product-readiness-registry-active-no-phi","shareability":"include-summary-only","goNoGo":"go-no-secret","reviewerOwner":"product owner","allowedFields":["service name","status","public route","API route","brief route","evidence hash","GO/NO-GO state","review owner","blocked claims","safe next action","no-secret boundary"],"withheldMaterial":["bearer tokens","JWTs","refresh tokens","Supabase keys","service-role keys","passwords","PHI","patient identifiers","raw logs","customer data","production connector payloads","clinical conclusions","legal opinions","security certification reports","unreviewed public claims"],"safetyBoundary":"Product readiness stages are planning and diligence metadata; blocked production modes remain blocked until formal activation.","nextAction":"Attach product counts, stage counts, and blocked production modes."},{"id":"enterprise-risk-register","label":"Enterprise Risk Register","packetSection":"risk-and-products","sourceRoute":"/risk-register","apiRoute":"/api/risk-register","status":"enterprise-risk-register-active-no-phi","shareability":"include-summary-only","goNoGo":"review-required","reviewerOwner":"security/privacy/compliance reviewer","allowedFields":["service name","status","public route","API route","brief route","evidence hash","GO/NO-GO state","review owner","blocked claims","safe next action","no-secret boundary"],"withheldMaterial":["bearer tokens","JWTs","refresh tokens","Supabase keys","service-role keys","passwords","PHI","patient identifiers","raw logs","customer data","production connector payloads","clinical conclusions","legal opinions","security certification reports","unreviewed public claims"],"safetyBoundary":"Risk register material is not approval, certification, legal advice, security attestation, or clinical validation.","nextAction":"Attach risk counts and mitigations, then route high-risk claims to qualified review."},{"id":"qualified-external-approval-claims","label":"Qualified External Approval Claims","packetSection":"blocked-authority","sourceRoute":"/approvals-readiness","apiRoute":"/api/global-certification-readiness","status":"external-review-required","shareability":"withhold-until-qualified-review","goNoGo":"no-go","reviewerOwner":"legal/privacy/security/clinical/regulatory reviewers","allowedFields":["service name","status","public route","API route","brief route","evidence hash","GO/NO-GO state","review owner","blocked claims","safe next action","no-secret boundary"],"withheldMaterial":["bearer tokens","JWTs","refresh tokens","Supabase keys","service-role keys","passwords","PHI","patient identifiers","raw logs","customer data","production connector payloads","clinical conclusions","legal opinions","security certification reports","unreviewed public claims"],"safetyBoundary":"No internal release artifact can create legal, privacy, security, certification, regulatory, reimbursement, connector, customer go-live, or clinical authority.","nextAction":"Withhold external approval claims until qualified evidence and reviewer signoff exist."}],"allowedClaims":["SCRIMED can provide no-secret synthetic diligence metadata for buyer and investor review.","SCRIMED separates metadata-safe evidence from protected AAL2 proof blockers and qualified-review blockers.","SCRIMED preserves NO-GO boundaries for PHI, live clinical care, public distribution, certification, production connector approval, and customer go-live."],"blockedClaims":["diligence packet is production approval","public distribution approved","PHI processing authorized","live clinical care authorized","strict AAL2 protected proof retained","HIPAA, SOC 2, HITRUST, FDA, ONC, security, or clinical validation completed","boundary release approved","production connector approved","payer submission or reimbursement certainty approved","customer go-live approved"],"requiredReviewerRoles":["release steward","claim guard reviewer","security/privacy reviewer before security or PHI claims","clinical/regulatory reviewer before clinical claims","legal/reimbursement reviewer before payer, financial, or regional claims","buyer authorization owner before customer-specific distribution"],"packetAssemblyRules":["Include no-secret metadata only: status, routes, evidence hashes, safe-use labels, review owners, and blocked claims.","Attach Diligence Release Gate state before any buyer or investor packet is shared.","Withhold strict AAL2 proof claims until retained protected packet metadata exists.","List protected packet routes as withheld artifacts until an approved human AAL2 operator and release steward review the packet audit metadata.","Withhold public distribution, certification, PHI, clinical, connector, reimbursement, and customer go-live claims until qualified review.","Never paste bearer tokens, JWTs, Supabase secrets, service-role credentials, PHI, customer payloads, or raw logs into a diligence packet."],"boundary":"SCRIMED Diligence Packet Manifest assembles no-secret buyer and investor diligence metadata only. It does not store PHI, bearer tokens, Supabase secrets, service-role keys, raw logs, customer data, production connector payloads, certification proof, release approval, public distribution approval, or live clinical authority."}