Product Console

Buyer Release Control

SCRIMED now has a no-secret operator runbook for buyer-specific proof release.

The runbook sequences external approval references, release decision, named reviewer signoffs, distribution lockbox, release authority, recipient controls, access-log reconciliation, and Buyer Diligence refresh while keeping external sharing, clinical authority, PHI authority, reimbursement, public claims, and certification claims blocked.

Statusbuyer-release-control-runbook-ready
Executionrunbook-ready-protected-aal2-required
Share decisioninternal-only-until-release-chain-retained
Steps8
Protected routes8
Packet routes8
Hard stops42

Boundary

Public runbook access does not create buyer release authority.

SCRIMED Buyer Release Control Runbook is a public, metadata-only operator sequence for a future protected AAL2 buyer-specific release-control run. It does not execute protected writes, mint or store tokens, store recipient lists, store signed approvals, process PHI, approve public distribution, certify legal/privacy/security posture, authorize live clinical care, guarantee reimbursement, approve production connectors, or replace qualified human review.

01SCRIMED is authorized for live clinical care.
02SCRIMED can process production PHI.
03SCRIMED is HIPAA certified, SOC certified, FDA cleared, security certified, or regionally approved.
04SCRIMED guarantees reimbursement or payer acceptance.
05SCRIMED has production connector approval.
06SCRIMED can autonomously diagnose, treat, submit payer transactions, or contact patients.
07A buyer diligence packet is approved for public distribution.
08A metadata reference is equivalent to a signed approval, legal opinion, security report, or customer permission.

Operator sequence

Use this order when the protected AAL2 session is available.

01Open /pilot-workspace/access with a fresh human AAL2 tenant-admin session.
02Confirm the workspace is synthetic and the intended audience is buyer-diligence-room.
03Record external approval evidence references for every required domain; keep real approvals outside SCRIMED.
04Record a disabled versioned release decision for the exact bounded claim text.
05Record metadata-only named reviewer signoffs for every required reviewer role.
06Record a disabled distribution lockbox that references external controlled-room artifacts.
07Record release-authority attestations for every required authority domain.
08Record recipient segment controls and access-window metadata without recipient identifiers.
09Reconcile external access logs using metadata counts and anomaly state only.
10Refresh the Buyer Pilot Room and export the packet only after the protected chain shows retained packet/audit evidence.
11Keep external sharing blocked unless qualified humans explicitly approve the full chain in external systems of record.

Release-control chain

Every step has a protected route, packet route, payload template, and retained hard stop.

external-artifact-required

1. Reference externally retained approval evidence

A reference proves an external artifact exists for review; it is not the approval artifact itself.

Protected route

/api/pilot-workspaces/{workspaceSlug}/external-approval-evidence

Record one metadata reference per required approval domain after confirming the artifact is retained outside SCRIMED.

Packet route

/api/pilot-workspaces/{workspaceSlug}/external-approval-evidence/packet

append-only approval-reference packet audit event

Prerequisite

external-approval-evidence-packet

Qualified external systems retain the actual approvals; SCRIMED stores metadata references only.

Safe payload template

external-approval-evidence

{
  "domainId": "<required-external-approval-domain>",
  "externalReferenceLabel": "external retained approval reference",
  "externalSystem": "external-system-of-record",
  "referenceLocator": "external-reference:metadata-only",
  "referenceOwner": "<qualified-owner-role>",
  "evidenceRetainedExternally": true,
  "attestation": "external-approval-evidence-reference-no-phi",
  "dataBoundary": "synthetic-business-workflow-only",
  "reviewNote": "metadata-only approval reference no phi"
}
Hard stops

5 checks

  • Fresh human AAL2 tenant-admin session is unavailable.
  • Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
  • The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
  • The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
  • The protected workspace rejects the request or does not emit an audited packet reference.
protected-aal2-required

2. Record versioned release decision candidate

A versioned decision candidate keeps language controlled; it is not public-release approval.

Protected route

/api/pilot-workspaces/{workspaceSlug}/release-decisions

Record the exact claim text, claim category, distribution audience, and disabled release posture.

Packet route

/api/pilot-workspaces/{workspaceSlug}/release-decisions/packet

versioned release-decision audit event

Prerequisite

release-decision-packet

External approval evidence references are complete for the intended audience.

Safe payload template

release-decision

{
  "audience": "buyer-diligence",
  "claimCategory": "governance",
  "claimVersion": "claims-v1.0.0",
  "claimText": "SCRIMED provides governed synthetic pilot evidence for healthcare workflow intelligence review.",
  "distributionChannel": "buyer-data-room",
  "externalApprovalEvidenceRetained": true,
  "releaseDisabled": true,
  "attestation": "protected-release-decision-no-phi-no-public-approval",
  "dataBoundary": "synthetic-business-workflow-only",
  "reviewNote": "no-phi release decision readiness review"
}
Hard stops

5 checks

  • Fresh human AAL2 tenant-admin session is unavailable.
  • Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
  • The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
  • The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
  • The protected workspace rejects the request or does not emit an audited packet reference.
protected-aal2-required

3. Capture named reviewer signoff metadata

SCRIMED stores reviewer metadata and packet audit evidence, not raw signed approvals or legal opinions.

Protected route

/api/pilot-workspaces/{workspaceSlug}/reviewer-signoffs

Record metadata-only reviewer signoff references for every required reviewer role.

Packet route

/api/pilot-workspaces/{workspaceSlug}/reviewer-signoffs/packet

reviewer-signoff packet audit event

Prerequisite

reviewer-signoff-packet

A release decision candidate exists and remains disabled.

Safe payload template

named-reviewer-signoffs

{
  "releaseDecisionRecordIds": [
    "<ready-release-decision-record-id>"
  ],
  "reviewerRole": "<required-reviewer-role>",
  "reviewerLabel": "qualified reviewer label",
  "reviewerReferenceLocator": "external-review:metadata-only",
  "externalSignoffRetained": true,
  "releaseDisabled": true,
  "attestation": "protected-named-reviewer-signoff-no-phi-no-public-approval",
  "dataBoundary": "synthetic-business-workflow-only",
  "reviewNote": "metadata-only reviewer signoff no phi"
}
Hard stops

5 checks

  • Fresh human AAL2 tenant-admin session is unavailable.
  • Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
  • The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
  • The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
  • The protected workspace rejects the request or does not emit an audited packet reference.
metadata-only-ready

4. Record disabled distribution lockbox

The lockbox records distribution controls and disabled state; it does not send files or grant access.

Protected route

/api/pilot-workspaces/{workspaceSlug}/distribution-lockbox

Create a disabled lockbox manifest that points to external controlled-room artifacts without distributing them.

Packet route

/api/pilot-workspaces/{workspaceSlug}/distribution-lockbox/packet

disabled lockbox packet audit event

Prerequisite

distribution-lockbox-packet

Named reviewer metadata is complete for the intended release audience.

Safe payload template

distribution-lockbox

{
  "releaseDecisionRecordIds": [
    "<ready-release-decision-record-id>"
  ],
  "reviewerSignoffRecordIds": [
    "<ready-reviewer-signoff-record-id>"
  ],
  "distributionAudience": "buyer-diligence-room",
  "channelControl": "counsel-reviewed-room",
  "manifestVersion": "distribution-v1.0.0",
  "manifestTitle": "SCRIMED controlled buyer diligence packet",
  "artifactLocator": "external-lockbox:controlled-manifest",
  "customerPermissionReference": "external-permission:metadata-only",
  "counselReviewReference": "external-counsel-review:metadata-only",
  "distributionDisabled": true,
  "attestation": "protected-distribution-lockbox-no-phi-no-distribution",
  "dataBoundary": "synthetic-business-workflow-only",
  "reviewNote": "metadata-only distribution lockbox no phi"
}
Hard stops

5 checks

  • Fresh human AAL2 tenant-admin session is unavailable.
  • Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
  • The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
  • The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
  • The protected workspace rejects the request or does not emit an audited packet reference.
protected-aal2-required

5. Record release-authority attestations

Authority attestations describe retained external authority metadata; they do not make SCRIMED the authority.

Protected route

/api/pilot-workspaces/{workspaceSlug}/release-authority-attestations

Record metadata-only authority attestations for each required release authority domain.

Packet route

/api/pilot-workspaces/{workspaceSlug}/release-authority-attestations/packet

release-authority packet audit event

Prerequisite

release-authority-attestation-packet

A disabled distribution lockbox exists and every external authority remains retained.

Safe payload template

release-authority-attestations

{
  "distributionLockboxRecordIds": [
    "<ready-distribution-lockbox-record-id>"
  ],
  "authorityDomain": "<required-release-authority-domain>",
  "distributionAudience": "buyer-diligence-room",
  "authorityReferenceLabel": "external release authority reference",
  "authorityReferenceLocator": "external-authority:metadata-only",
  "externalAuthorityRetained": true,
  "releaseDisabled": true,
  "attestation": "protected-release-authority-attestation-no-phi-no-release-approval",
  "dataBoundary": "synthetic-business-workflow-only",
  "reviewNote": "metadata-only release authority no phi"
}
Hard stops

5 checks

  • Fresh human AAL2 tenant-admin session is unavailable.
  • Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
  • The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
  • The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
  • The protected workspace rejects the request or does not emit an audited packet reference.
protected-aal2-required

6. Record evidence-room recipient controls

Recipient controls are segment metadata only; SCRIMED does not store emails, recipient rosters, or access credentials.

Protected route

/api/pilot-workspaces/{workspaceSlug}/evidence-room-recipient-attestations

Record intended recipient segment, access window, revocation posture, and packet reference without storing recipient identifiers.

Packet route

/api/pilot-workspaces/{workspaceSlug}/evidence-room-recipient-attestations/packet

recipient-control packet audit event

Prerequisite

recipient-attestation-packet

Release-authority metadata is complete and release remains disabled.

Safe payload template

recipient-attestations

{
  "releaseAuthorityAttestationRecordIds": [
    "<ready-release-authority-attestation-record-id>"
  ],
  "distributionAudience": "buyer-diligence-room",
  "recipientSegment": "named-buyer-reviewers",
  "recipientScopeLabel": "named buyer diligence reviewer group",
  "evidenceRoomReferenceLabel": "external evidence room recipient control",
  "evidenceRoomReferenceLocator": "evidence-room:recipient-control",
  "packetReferenceLabel": "controlled recipient proof packet",
  "packetReferenceLocator": "evidence-room:packet-reference",
  "accessWindowStart": "<iso-8601-date>",
  "accessWindowEnd": "<iso-8601-date>",
  "revocationState": "access-not-issued",
  "revocationTrigger": "revoke and re-review evidence room access if scope changes",
  "externalRecipientAuthorityRetained": true,
  "exportDisabled": true,
  "attestation": "protected-evidence-room-recipient-attestation-no-phi",
  "dataBoundary": "synthetic-business-workflow-only",
  "reviewNote": "metadata-only recipient attestation no phi"
}
Hard stops

5 checks

  • Fresh human AAL2 tenant-admin session is unavailable.
  • Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
  • The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
  • The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
  • The protected workspace rejects the request or does not emit an audited packet reference.
protected-aal2-required

7. Reconcile external evidence-room access logs

SCRIMED records reconciliation metadata only; raw logs, device identifiers, IP addresses, and recipient identifiers stay out of SCRIMED.

Protected route

/api/pilot-workspaces/{workspaceSlug}/evidence-room-access-log-reconciliation

Record metadata-only access-log reconciliation, anomaly posture, and revocation state without copying raw logs.

Packet route

/api/pilot-workspaces/{workspaceSlug}/evidence-room-access-log-reconciliation/packet

access-log reconciliation packet audit event

Prerequisite

access-log-reconciliation-packet

Recipient attestations exist and the external evidence room retains access logs.

Safe payload template

access-log-reconciliation

{
  "recipientAttestationRecordIds": [
    "<ready-recipient-attestation-record-id>"
  ],
  "distributionAudience": "buyer-diligence-room",
  "reconciliationScope": "pre-release-access-log-review",
  "externalLogSystemLabel": "external evidence room access ledger",
  "accessLogReferenceLabel": "metadata access log reconciliation",
  "accessLogReferenceLocator": "evidence-room:access-log-ledger",
  "reconciliationWindowStart": "<iso-8601-date>",
  "reconciliationWindowEnd": "<iso-8601-date>",
  "observedAccessEventCount": 0,
  "expectedRecipientSegmentCount": 1,
  "anomalyState": "none-observed",
  "revocationExerciseState": "not-issued",
  "anomalyEscalationPath": "escalate to governance owner and keep export disabled",
  "externalLogAuthorityRetained": true,
  "exportDisabled": true,
  "attestation": "protected-evidence-room-access-log-reconciliation-no-phi",
  "dataBoundary": "synthetic-business-workflow-only",
  "reviewNote": "metadata-only access log reconciliation no phi"
}
Hard stops

5 checks

  • Fresh human AAL2 tenant-admin session is unavailable.
  • Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
  • The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
  • The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
  • The protected workspace rejects the request or does not emit an audited packet reference.
hard-stop

8. Refresh Buyer Diligence packet after controls are retained

A refreshed packet can support controlled diligence only; external sharing remains blocked until qualified release-chain evidence is retained.

Protected route

/api/pilot-workspaces/{workspaceSlug}/buyer-room

Refresh the protected Buyer Pilot Room and export the Buyer Diligence packet only for internal controlled diligence unless external share readiness is complete.

Packet route

/api/pilot-workspaces/{workspaceSlug}/buyer-room/packet

buyer-room packet-download audit event

Prerequisite

buyer-diligence-export-packet

Every prior release-control packet is visible, externally retained artifacts are confirmed, and qualified humans approve continued internal diligence use.

Safe payload template

buyer-diligence-export-refresh

{
  "action": "download-buyer-diligence-packet",
  "workspaceSlug": "{workspaceSlug}",
  "shareScope": "internal-protected-diligence-only",
  "requiredState": "release-control-chain-retained",
  "dataBoundary": "synthetic-business-workflow-only"
}
Hard stops

7 checks

  • Fresh human AAL2 tenant-admin session is unavailable.
  • Any payload includes PHI, patient identifiers, payer member identifiers, clinical records, raw recipient lists, raw access logs, credentials, tokens, signed approvals, legal opinions, security reports, reimbursement determinations, or production connector data.
  • The operator attempts to treat metadata references as legal, privacy, security, clinical, reimbursement, customer, public-release, or production authority.
  • The external system of record cannot retain the real approval, reviewer, lockbox, recipient, or access-log artifact.
  • The protected workspace rejects the request or does not emit an audited packet reference.
  • Any stakeholder asks to send the packet externally before recipient and access-log controls are reconciled.
  • Any claim expands beyond retained synthetic QA, governance posture, buyer diligence readiness, or explicit limitations.

Safe workarounds

Known operational limits are routed through safer evidence processes.

Run the protected buyer-release chain in /pilot-workspace/access#buyer-release-control-verifier with a fresh AAL2 human session, review the release-readiness timeline, retain the audited chain packet, then refresh the Buyer Diligence Export while keeping external distribution disabled until qualified release authority is complete.

01If a bearer token is not available in the current Codex session, use the runbook and browser-protected workspace instead of copying tokens into scripts.
02If GitHub Actions cannot safely receive a short-lived secret, execute the protected browser workflow and retain only no-secret packet IDs, hashes, timestamps, and audit-event IDs.
03If an approval artifact is confidential, store only a metadata reference label, external system label, owner, and validation timestamp in SCRIMED.
04If a buyer asks for external sharing before controls are retained, provide a controlled live review of the protected workspace and keep export distribution disabled.
05If a public or investor claim depends on legal, privacy, security, clinical, finance, marketing, customer, or release authority, route it through the release-control chain before use.