Buyer Release Control
SCRIMED now has a no-secret operator runbook for buyer-specific proof release.
The runbook sequences external approval references, release decision, named reviewer signoffs, distribution lockbox, release authority, recipient controls, access-log reconciliation, and Buyer Diligence refresh while keeping external sharing, clinical authority, PHI authority, reimbursement, public claims, and certification claims blocked.
Boundary
Public runbook access does not create buyer release authority.
SCRIMED Buyer Release Control Runbook is a public, metadata-only operator sequence for a future protected AAL2 buyer-specific release-control run. It does not execute protected writes, mint or store tokens, store recipient lists, store signed approvals, process PHI, approve public distribution, certify legal/privacy/security posture, authorize live clinical care, guarantee reimbursement, approve production connectors, or replace qualified human review.
Operator sequence
Use this order when the protected AAL2 session is available.
Release-control chain
Every step has a protected route, packet route, payload template, and retained hard stop.
1. Reference externally retained approval evidence
A reference proves an external artifact exists for review; it is not the approval artifact itself.
/api/pilot-workspaces/{workspaceSlug}/external-approval-evidence
Record one metadata reference per required approval domain after confirming the artifact is retained outside SCRIMED.
/api/pilot-workspaces/{workspaceSlug}/external-approval-evidence/packet
append-only approval-reference packet audit event
external-approval-evidence-packet
Qualified external systems retain the actual approvals; SCRIMED stores metadata references only.
external-approval-evidence
{
"domainId": "<required-external-approval-domain>",
"externalReferenceLabel": "external retained approval reference",
"externalSystem": "external-system-of-record",
"referenceLocator": "external-reference:metadata-only",
"referenceOwner": "<qualified-owner-role>",
"evidenceRetainedExternally": true,
"attestation": "external-approval-evidence-reference-no-phi",
"dataBoundary": "synthetic-business-workflow-only",
"reviewNote": "metadata-only approval reference no phi"
}5 checks
- Fresh human AAL2 tenant-admin session is unavailable.
- Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
- The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
- The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
- The protected workspace rejects the request or does not emit an audited packet reference.
2. Record versioned release decision candidate
A versioned decision candidate keeps language controlled; it is not public-release approval.
/api/pilot-workspaces/{workspaceSlug}/release-decisions
Record the exact claim text, claim category, distribution audience, and disabled release posture.
/api/pilot-workspaces/{workspaceSlug}/release-decisions/packet
versioned release-decision audit event
release-decision-packet
External approval evidence references are complete for the intended audience.
release-decision
{
"audience": "buyer-diligence",
"claimCategory": "governance",
"claimVersion": "claims-v1.0.0",
"claimText": "SCRIMED provides governed synthetic pilot evidence for healthcare workflow intelligence review.",
"distributionChannel": "buyer-data-room",
"externalApprovalEvidenceRetained": true,
"releaseDisabled": true,
"attestation": "protected-release-decision-no-phi-no-public-approval",
"dataBoundary": "synthetic-business-workflow-only",
"reviewNote": "no-phi release decision readiness review"
}5 checks
- Fresh human AAL2 tenant-admin session is unavailable.
- Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
- The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
- The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
- The protected workspace rejects the request or does not emit an audited packet reference.
3. Capture named reviewer signoff metadata
SCRIMED stores reviewer metadata and packet audit evidence, not raw signed approvals or legal opinions.
/api/pilot-workspaces/{workspaceSlug}/reviewer-signoffs
Record metadata-only reviewer signoff references for every required reviewer role.
/api/pilot-workspaces/{workspaceSlug}/reviewer-signoffs/packet
reviewer-signoff packet audit event
reviewer-signoff-packet
A release decision candidate exists and remains disabled.
named-reviewer-signoffs
{
"releaseDecisionRecordIds": [
"<ready-release-decision-record-id>"
],
"reviewerRole": "<required-reviewer-role>",
"reviewerLabel": "qualified reviewer label",
"reviewerReferenceLocator": "external-review:metadata-only",
"externalSignoffRetained": true,
"releaseDisabled": true,
"attestation": "protected-named-reviewer-signoff-no-phi-no-public-approval",
"dataBoundary": "synthetic-business-workflow-only",
"reviewNote": "metadata-only reviewer signoff no phi"
}5 checks
- Fresh human AAL2 tenant-admin session is unavailable.
- Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
- The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
- The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
- The protected workspace rejects the request or does not emit an audited packet reference.
4. Record disabled distribution lockbox
The lockbox records distribution controls and disabled state; it does not send files or grant access.
/api/pilot-workspaces/{workspaceSlug}/distribution-lockbox
Create a disabled lockbox manifest that points to external controlled-room artifacts without distributing them.
/api/pilot-workspaces/{workspaceSlug}/distribution-lockbox/packet
disabled lockbox packet audit event
distribution-lockbox-packet
Named reviewer metadata is complete for the intended release audience.
distribution-lockbox
{
"releaseDecisionRecordIds": [
"<ready-release-decision-record-id>"
],
"reviewerSignoffRecordIds": [
"<ready-reviewer-signoff-record-id>"
],
"distributionAudience": "buyer-diligence-room",
"channelControl": "counsel-reviewed-room",
"manifestVersion": "distribution-v1.0.0",
"manifestTitle": "SCRIMED controlled buyer diligence packet",
"artifactLocator": "external-lockbox:controlled-manifest",
"customerPermissionReference": "external-permission:metadata-only",
"counselReviewReference": "external-counsel-review:metadata-only",
"distributionDisabled": true,
"attestation": "protected-distribution-lockbox-no-phi-no-distribution",
"dataBoundary": "synthetic-business-workflow-only",
"reviewNote": "metadata-only distribution lockbox no phi"
}5 checks
- Fresh human AAL2 tenant-admin session is unavailable.
- Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
- The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
- The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
- The protected workspace rejects the request or does not emit an audited packet reference.
5. Record release-authority attestations
Authority attestations describe retained external authority metadata; they do not make SCRIMED the authority.
/api/pilot-workspaces/{workspaceSlug}/release-authority-attestations
Record metadata-only authority attestations for each required release authority domain.
/api/pilot-workspaces/{workspaceSlug}/release-authority-attestations/packet
release-authority packet audit event
release-authority-attestation-packet
A disabled distribution lockbox exists and every external authority remains retained.
release-authority-attestations
{
"distributionLockboxRecordIds": [
"<ready-distribution-lockbox-record-id>"
],
"authorityDomain": "<required-release-authority-domain>",
"distributionAudience": "buyer-diligence-room",
"authorityReferenceLabel": "external release authority reference",
"authorityReferenceLocator": "external-authority:metadata-only",
"externalAuthorityRetained": true,
"releaseDisabled": true,
"attestation": "protected-release-authority-attestation-no-phi-no-release-approval",
"dataBoundary": "synthetic-business-workflow-only",
"reviewNote": "metadata-only release authority no phi"
}5 checks
- Fresh human AAL2 tenant-admin session is unavailable.
- Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
- The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
- The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
- The protected workspace rejects the request or does not emit an audited packet reference.
6. Record evidence-room recipient controls
Recipient controls are segment metadata only; SCRIMED does not store emails, recipient rosters, or access credentials.
/api/pilot-workspaces/{workspaceSlug}/evidence-room-recipient-attestations
Record intended recipient segment, access window, revocation posture, and packet reference without storing recipient identifiers.
/api/pilot-workspaces/{workspaceSlug}/evidence-room-recipient-attestations/packet
recipient-control packet audit event
recipient-attestation-packet
Release-authority metadata is complete and release remains disabled.
recipient-attestations
{
"releaseAuthorityAttestationRecordIds": [
"<ready-release-authority-attestation-record-id>"
],
"distributionAudience": "buyer-diligence-room",
"recipientSegment": "named-buyer-reviewers",
"recipientScopeLabel": "named buyer diligence reviewer group",
"evidenceRoomReferenceLabel": "external evidence room recipient control",
"evidenceRoomReferenceLocator": "evidence-room:recipient-control",
"packetReferenceLabel": "controlled recipient proof packet",
"packetReferenceLocator": "evidence-room:packet-reference",
"accessWindowStart": "<iso-8601-date>",
"accessWindowEnd": "<iso-8601-date>",
"revocationState": "access-not-issued",
"revocationTrigger": "revoke and re-review evidence room access if scope changes",
"externalRecipientAuthorityRetained": true,
"exportDisabled": true,
"attestation": "protected-evidence-room-recipient-attestation-no-phi",
"dataBoundary": "synthetic-business-workflow-only",
"reviewNote": "metadata-only recipient attestation no phi"
}5 checks
- Fresh human AAL2 tenant-admin session is unavailable.
- Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
- The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
- The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
- The protected workspace rejects the request or does not emit an audited packet reference.
7. Reconcile external evidence-room access logs
SCRIMED records reconciliation metadata only; raw logs, device identifiers, IP addresses, and recipient identifiers stay out of SCRIMED.
/api/pilot-workspaces/{workspaceSlug}/evidence-room-access-log-reconciliation
Record metadata-only access-log reconciliation, anomaly posture, and revocation state without copying raw logs.
/api/pilot-workspaces/{workspaceSlug}/evidence-room-access-log-reconciliation/packet
access-log reconciliation packet audit event
access-log-reconciliation-packet
Recipient attestations exist and the external evidence room retains access logs.
access-log-reconciliation
{
"recipientAttestationRecordIds": [
"<ready-recipient-attestation-record-id>"
],
"distributionAudience": "buyer-diligence-room",
"reconciliationScope": "pre-release-access-log-review",
"externalLogSystemLabel": "external evidence room access ledger",
"accessLogReferenceLabel": "metadata access log reconciliation",
"accessLogReferenceLocator": "evidence-room:access-log-ledger",
"reconciliationWindowStart": "<iso-8601-date>",
"reconciliationWindowEnd": "<iso-8601-date>",
"observedAccessEventCount": 0,
"expectedRecipientSegmentCount": 1,
"anomalyState": "none-observed",
"revocationExerciseState": "not-issued",
"anomalyEscalationPath": "escalate to governance owner and keep export disabled",
"externalLogAuthorityRetained": true,
"exportDisabled": true,
"attestation": "protected-evidence-room-access-log-reconciliation-no-phi",
"dataBoundary": "synthetic-business-workflow-only",
"reviewNote": "metadata-only access log reconciliation no phi"
}5 checks
- Fresh human AAL2 tenant-admin session is unavailable.
- Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
- The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
- The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
- The protected workspace rejects the request or does not emit an audited packet reference.
8. Refresh Buyer Diligence packet after controls are retained
A refreshed packet can support controlled diligence only; external sharing remains blocked until qualified release-chain evidence is retained.
/api/pilot-workspaces/{workspaceSlug}/buyer-room
Refresh the protected Buyer Pilot Room and export the Buyer Diligence packet only for internal controlled diligence unless external share readiness is complete.
/api/pilot-workspaces/{workspaceSlug}/buyer-room/packet
buyer-room packet-download audit event
buyer-diligence-export-packet
Every prior release-control packet is visible, externally retained artifacts are confirmed, and qualified humans approve continued internal diligence use.
buyer-diligence-export-refresh
{
"action": "download-buyer-diligence-packet",
"workspaceSlug": "{workspaceSlug}",
"shareScope": "internal-protected-diligence-only",
"requiredState": "release-control-chain-retained",
"dataBoundary": "synthetic-business-workflow-only"
}7 checks
- Fresh human AAL2 tenant-admin session is unavailable.
- Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
- The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
- The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
- The protected workspace rejects the request or does not emit an audited packet reference.
- Any stakeholder asks to send the packet externally before recipient and access-log controls are reconciled.
- Any claim expands beyond retained synthetic QA, governance posture, buyer diligence readiness, or explicit limitations.
Safe workarounds
Known operational limits are routed through safer evidence processes.
Run the protected buyer-release chain in /pilot-workspace/access#buyer-release-control-verifier with a fresh AAL2 human session, review the release-readiness timeline, retain the audited chain packet, then refresh the Buyer Diligence Export while keeping external distribution disabled until qualified release authority is complete.