Product Console

Protected Pilot Workspace

Tenant-isolated pilot evidence, durable audit trails, and buyer-ready proof packets.

SCRIMED protected pilot workspaces turn governed synthetic evaluations into durable enterprise evidence while identity, authorization, rate limits, human review, and product boundaries stay explicit.

Statusprotected-pilot-infrastructure-configured
Identityconnected
Durable storeconnected
Tenant isolationPostgres row-level security
Distributed limitconnected
Product boundarysynthetic only

Enterprise control plane

Protected mutations fail closed until production identity and storage are connected.

Protected pilot workspaces retain governed synthetic evaluation evidence only. They do not accept live PHI, execute clinical care, submit payer transactions, contact patients, or authorize autonomous diagnosis or treatment.

01Tenant-authenticated workspace discovery
02Tenant-isolated durable synthetic evaluation sessions
03Append-only audit events
04Human-review and Trust Card evidence
05Downloadable single-session enterprise proof packets
06Tenant-admin aggregate enterprise proof packet spanning sessions, work orders, incidents, access controls, and audit evidence
07AAL2-protected append-only TrustOS Decision Ledger
08Governed reviewer dispositions, overrides, and outcome-learning signals
09Downloadable audited TrustOS governance packets
10AAL2-protected tenant membership visibility and audited role administration
11Governed invitation records with existing-auth-user activation
12Audited tenant-admin onboarding packet downloads for manual pilot delivery
13AAL2-protected activation governance pack seed with retention, legal-review, incident-export, and blocked-claims metadata
14Guided tenant-admin activation runbook with buyer-ready evidence status
15Audited tenant activation proof packet for buyer and investor diligence
16SMTP delivery readiness metadata with direct-send gate retained
17Protected Buyer Pilot Room with one-click Buyer Diligence Export for competitive edge, readiness, QA evidence, pricing path, limitations, legal/privacy/security/safety boundaries, workarounds, and write-before-release audit
18Protected SCRIMED Command Intelligence Hub for Agent Commander posture, Trust Engine outputs, continuous evaluation, MCP/tool access architecture, observability, buyer diligence readiness, safe-mode controls, limitations, workarounds, next actions, durable AAL2-reviewed snapshots, and audited command packets
19AAL2-protected no-PHI operator metric capture for Public Market Readiness, workflow cost discipline, proof-packet coverage, and finance-review preparation
20Browser-session manual QA evidence capture without copying bearer tokens into scripts
21Tenant offboarding, reactivation, and final-admin protection
22Periodic access review attestation
23SSO-readiness metadata and identity lifecycle evidence
24Rate-limited public intake and protected mutations
25Authenticated Agent Workspace dashboard for work-order creation, governed transitions, outcome metrics, reviewer queues, retry queues, packet export, governance export, and event-trail review
26Persistent Agent Workspace work-order creation, state transitions, retry tracking, reviewer assignment, closure, dashboard filters, proof-packet export, and append-only event trails

Activation workflow

Tenant-admins can move from invitation to buyer-ready lifecycle proof.

The flow is authenticated, AAL2-governed, rate-limited, and synthetic-only. It supports enterprise diligence without creating users, sending email, ingesting PHI, or authorizing clinical execution.

step 01

Record activation governance pack

Tenant-admin. Selected governance workflow pack is committed to the append-only Agent Workspace governance ledger with retention horizon, approvals, release gates, and blocked claims.

Metadata-only activation seed; no PHI, no live connector execution, and no compliance certification claim.
step 02

Create controlled invitation record

Tenant-admin. Metadata-only invitation with proposed role, expiration, and governance note.

No user creation, no PHI, and no email send.
step 03

Download audited onboarding packet

Tenant-admin. Markdown onboarding packet with recipient, role, workspace, access route, and delivery evidence.

Packet supports manual enterprise delivery only.
step 04

Prepare external delivery

Tenant-admin. Lifecycle event records delivery preparation, delivery note, attempt count, and direct-send status.

SMTP direct send remains gated until custom sender controls are approved.
step 05

Activate enrolled user

Tenant-admin + Identity provider. Activation succeeds only after the invited email has completed SCRIMED pilot authentication enrollment.

No activation for unknown identities and no bypass of AAL2 governance.
step 06

Download activation proof packet

Tenant-admin. Audited packet summarizes invitations, onboarding packets, delivery readiness, memberships, reviews, and lifecycle evidence.

Diligence artifact only; no production clinical or payer authorization.

Infrastructure

Selected production controls and their current activation state.

configured

Supabase Auth

Server-side bearer-token verification uses the provider user record; user-editable metadata is never used for authorization.

configured

Supabase Postgres

Synthetic sessions and audit events persist in tenant-scoped tables; no service-role key is used by runtime APIs.

configured

Postgres row-level security

Every workspace, session, and audit query is constrained by authenticated membership policies.

configured

Upstash Redis

A bounded in-process limiter is retained for temporary distributed-provider outages.

Protected API contracts

Tenant membership and row-level security constrain every durable workspace operation.

GET

/api/pilot-workspaces

Bearer token + tenant membership

List only the pilot workspaces visible to the authenticated tenant member.
GET

/api/pilot-workspaces/{workspaceSlug}/sessions

Bearer token + workspace membership

List durable synthetic demo sessions through tenant-isolated row-level security.
POST

/api/pilot-workspaces/{workspaceSlug}/sessions

AAL2 bearer token + authorized role + server-held runtime authorization + rate limit

Run and durably retain a governed synthetic AgentOS evaluation with an append-only audit event.
GET

/api/pilot-workspaces/{workspaceSlug}/audit

Bearer token + workspace membership

Inspect the tenant-isolated append-only audit trail for workspace evidence activity.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/demo-readiness

GET: AAL2 bearer token + workspace membership. POST: AAL2 bearer token + tenant-admin or pilot-lead role + server-held runtime authorization + rate limit

Inspect or persist buyer-demo readiness snapshots from durable synthetic sessions, audit events, proof-packet evidence, and tenant-session verification.
GET

/api/pilot-workspaces/{workspaceSlug}/demo-readiness/{snapshotId}/packet

AAL2 bearer token + authorized tenant role + server-held runtime authorization + rate limit + append-only packet-download audit

Download an audited Markdown Demo Readiness Packet for a retained synthetic buyer-demo readiness snapshot.
GET

/api/pilot-workspaces/{workspaceSlug}/buyer-room

AAL2 bearer token + workspace membership

Inspect a tenant-scoped Buyer Pilot Room that bundles synthetic evidence counts, readiness state, competitive edge, premium commercial path, known limitations, and workarounds.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/command-intelligence

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + tenant-admin or pilot-lead role + fixed human-review attestation + server-held runtime authorization + rate limit

Inspect the protected SCRIMED Command Intelligence Hub or persist an AAL2 human-reviewed command snapshot that unifies Agent Commander posture, buyer-room readiness, Trust Engine outputs, continuous evaluation gates, MCP/tool-access plans, observability, safe-mode boundaries, limitations, and next actions.
GET

/api/pilot-workspaces/{workspaceSlug}/command-intelligence/{snapshotId}/packet

AAL2 bearer token + authorized tenant role + server-held runtime authorization + rate limit + append-only packet-download audit

Download an audited Markdown Command Intelligence Packet for a retained synthetic command-posture snapshot.
GET

/api/pilot-workspaces/{workspaceSlug}/buyer-room/packet

AAL2 bearer token + authorized tenant role + server-held runtime authorization + rate limit + append-only packet-download audit

Download an audited Markdown Buyer Diligence Export that bundles readiness, QA evidence, pricing posture, competitive edge, legal/privacy/security/safety boundaries, and production hard gates.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets

GET: AAL2 bearer token + workspace membership. POST: AAL2 bearer token + tenant-admin or pilot-lead role + server-held runtime authorization + rate limit

Inspect or persist no-secret manual Sales Demo Session QA evidence packets so human-run AAL2 proof appears in tenant-scoped Buyer Pilot Room diligence.
GET / PATCH

/api/pilot-workspaces/{workspaceSlug}/tenant-access

AAL2 bearer token + tenant-admin role + server-held runtime authorization + rate limit

Inspect memberships, record governed invitations, activate existing auth users, offboard/reactivate access, attest access reviews, maintain SSO-readiness metadata, and prepare audited manual delivery without email delivery or user creation.
GET

/api/pilot-workspaces/{workspaceSlug}/tenant-access/invitations/{invitationId}/onboarding-packet

AAL2 bearer token + tenant-admin role + server-held runtime authorization + rate limit

Download an audited protected-pilot onboarding packet for manual external delivery while SMTP send remains gated.
GET

/api/pilot-workspaces/{workspaceSlug}/tenant-access/activation-proof-packet

AAL2 bearer token + tenant-admin role + server-held runtime authorization + rate limit

Download an audited activation proof packet summarizing protected-pilot invitations, onboarding packets, delivery readiness, membership state, identity posture, and lifecycle evidence.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/activation-governance

GET: bearer token + workspace membership. POST: AAL2 bearer token + authorized tenant role + server-held runtime authorization + rate limit

Inspect or record the selected governance workflow pack as the first activation ledger seed for retention, legal-review, incident-export, and proof controls.
GET

/api/pilot-workspaces/{workspaceSlug}/sessions/{sessionId}/proof-packet

AAL2 bearer token + authorized tenant role + server-held runtime authorization + rate limit

Download a buyer-ready Markdown proof packet generated from tenant-isolated session evidence.
GET

/api/pilot-workspaces/{workspaceSlug}/enterprise-proof-packet

AAL2 bearer token + tenant-admin or pilot-lead role + server-held runtime authorization + rate limit + append-only packet-download audit

Download an aggregate Markdown enterprise proof packet spanning sessions, audit events, TrustOS decisions, Agent Workspace work orders, TrustOps incidents, tenant access posture, and governance ledger evidence.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/clinical-activation-approvals

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + tenant-admin, pilot-lead, or reviewer role + fixed no-PHI attestation + server-held runtime authorization + rate limit

Inspect or append no-PHI clinical activation readiness attestations for regulatory, clinical governance, privacy/security, interoperability, legal/commercial, and go-live domains while live care remains blocked.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/operator-metrics

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + tenant-admin, pilot-lead, or reviewer role + fixed no-PHI finance-readiness attestation + rate limit

Inspect or append tenant-scoped no-PHI Public Market Readiness operator metrics for model cost, review time, delivery hours, proof-packet count, workflow volume, and unit-economics discipline without storing audited financials, securities material, PHI, patient identifiers, payer member data, source contracts, secrets, or clinical validation.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/metric-rollups

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + tenant-admin, pilot-lead, or reviewer role + fixed finance-reviewed no-PHI rollup attestation + rate limit

Inspect or create protected no-PHI metric rollup snapshots that aggregate operator metrics into internal board operating evidence without becoming audited financial reporting, securities offering material, valuation assurance, clinical validation, reimbursement assurance, or live care authority.
GET

/api/pilot-workspaces/{workspaceSlug}/metric-rollups/{snapshotId}/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited internal board metric packet from a persisted no-PHI rollup snapshot after committing the packet release event.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/metric-trends

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + tenant-admin, pilot-lead, or reviewer role + fixed finance-reviewed no-PHI trend attestation + rate limit

Inspect or create protected no-PHI metric trend reviews that compare rollup snapshots for monthly variance review, reach expansion planning, competitive advantage tracking, and agent improvement loops without becoming audited financial reporting, securities offering material, clinical validation, reimbursement assurance, or live care authority.
GET

/api/pilot-workspaces/{workspaceSlug}/metric-trends/{reviewId}/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited internal board trend packet from a persisted no-PHI trend review after committing the packet release event.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/board-scorecards

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + tenant-admin, pilot-lead, or reviewer role + fixed finance-methodology-pending no-PHI scorecard attestation + rate limit

Inspect or create protected no-PHI rolling-quarter board scorecards that convert trend reviews into finance-allocation readiness, buyer-segment cohort signals, competitive advantage tracking, and agent improvement priorities without becoming audited financial reporting, securities offering material, valuation assurance, clinical validation, reimbursement assurance, or live care authority.
GET

/api/pilot-workspaces/{workspaceSlug}/board-scorecards/{scorecardId}/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited internal board scorecard packet from a persisted no-PHI scorecard after committing the packet release event.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/finance-methodology

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + tenant-admin, pilot-lead, or reviewer role + fixed no-PHI finance external-use attestation + rate limit

Inspect or record protected no-PHI finance methodology and external-use gate attestations for cost allocation, counsel review, executive release, privacy/security, clinical-governance boundary, marketing claims, and buyer permission without becoming audited financial reporting, securities offering material, advertising substantiation, reimbursement assurance, clinical validation, or live care authority.
GET

/api/pilot-workspaces/{workspaceSlug}/finance-methodology/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited protected finance methodology gate packet after committing the packet release event while retaining all external-use approval blockers.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/external-approval-evidence

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + tenant-admin, pilot-lead, or reviewer role + fixed no-PHI external approval evidence metadata attestation + rate limit

Inspect or record bounded no-PHI metadata references to externally retained approval artifacts for finance, counsel, executive, privacy/security, clinical-governance, marketing-claims, and buyer-permission review without storing sensitive documents or creating legal, finance, security, clinical, customer, advertising, reimbursement, compliance, production, or release authority.
GET

/api/pilot-workspaces/{workspaceSlug}/external-approval-evidence/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited protected external approval evidence linkage packet after committing the packet release event while retaining no-PHI metadata-only storage and all qualified external release blockers.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/release-decisions

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + tenant-admin, pilot-lead, or reviewer role + fixed no-PHI claim registry attestation + rate limit

Inspect or record bounded no-PHI versioned claim registry release decisions that require external approval evidence references before a claim can become ready for qualified release review. This does not approve public distribution, legal claims, advertising substantiation, securities claims, customer references, clinical validation, production authorization, or live clinical execution.
GET

/api/pilot-workspaces/{workspaceSlug}/release-decisions/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited protected release decision claim registry packet after committing the packet release event while retaining all public-release, legal, finance, advertising, customer, compliance, production, and clinical execution blockers.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/reviewer-signoffs

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + tenant-admin, pilot-lead, or reviewer role + fixed no-PHI named reviewer sign-off metadata attestation + rate limit

Inspect or record bounded no-PHI metadata references to externally retained named reviewer sign-offs for finance, counsel, executive, privacy/security, clinical-governance, marketing-claims, and buyer-permission roles. This can prepare controlled distribution review, but does not create public-release, legal, finance, advertising, customer, compliance, production, or clinical execution authority.
GET

/api/pilot-workspaces/{workspaceSlug}/reviewer-signoffs/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited protected named reviewer sign-off packet after committing the packet release event while retaining metadata-only storage and all public-release, external distribution, legal, finance, customer, compliance, production, and clinical execution blockers.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/distribution-lockbox

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + tenant-admin, pilot-lead, or reviewer role + fixed no-PHI disabled distribution lockbox attestation + rate limit

Inspect or record bounded no-PHI disabled-by-default distribution lockbox metadata linked to externally retained named reviewer sign-offs, customer permission references, counsel review references, and artifact manifest locators. This does not enable public release, external distribution, legal claims, advertising substantiation, customer proof, compliance certification, production authorization, or clinical execution.
GET

/api/pilot-workspaces/{workspaceSlug}/distribution-lockbox/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited protected distribution lockbox packet after committing the packet release event while preserving disabled distribution, metadata-only storage, and all public-release, external distribution, legal, finance, customer, compliance, production, and clinical execution blockers.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/release-authority-attestations

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + tenant-admin, pilot-lead, or reviewer role + fixed no-PHI release authority metadata attestation + rate limit

Inspect or record bounded no-PHI metadata references to externally retained release authority across counsel, customer permission, executive, privacy/security, finance, clinical governance, and marketing claims owners. This does not enable public release, external distribution, legal approval, finance reporting, customer proof, advertising substantiation, compliance certification, production authorization, or clinical execution.
GET

/api/pilot-workspaces/{workspaceSlug}/release-authority-attestations/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited protected release authority attestation packet after committing the packet release event while preserving release-disabled posture, metadata-only storage, and all public-release, external distribution, legal, finance, customer, compliance, production, reimbursement, and clinical execution blockers.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/evidence-room-recipient-attestations

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + tenant-admin, pilot-lead, or reviewer role + fixed no-PHI recipient attestation metadata + rate limit

Inspect or record bounded no-PHI metadata for intended evidence-room recipient segments, access windows, packet references, and revocation posture linked to completed release authority attestations. This does not store exact recipient lists, emails, access grants, legal approvals, customer permission artifacts, public release approval, external distribution approval, compliance certification, production authorization, or clinical execution authority.
GET

/api/pilot-workspaces/{workspaceSlug}/evidence-room-recipient-attestations/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited protected evidence-room recipient attestation packet after committing the packet release event while preserving export-disabled posture, recipient-metadata-only storage, and all public-release, external distribution, legal, finance, customer, compliance, production, reimbursement, and clinical execution blockers.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/evidence-room-access-log-reconciliation

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + tenant-admin, pilot-lead, or reviewer role + fixed no-PHI access-log reconciliation metadata + rate limit

Inspect or record bounded no-PHI metadata for externally retained evidence-room access-log references, reconciliation windows, event-count summaries, anomaly posture, and revocation review linked to completed recipient attestations. This does not store raw logs, recipient identifiers, IP addresses, device identifiers, access grants, legal approvals, customer permission artifacts, public release approval, external distribution approval, compliance certification, production authorization, or clinical execution authority.
GET

/api/pilot-workspaces/{workspaceSlug}/evidence-room-access-log-reconciliation/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited protected evidence-room access-log reconciliation packet after committing the packet release event while preserving export-disabled posture, access-log-metadata-only storage, and all public-release, external distribution, legal, finance, customer, compliance, production, reimbursement, and clinical execution blockers.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/evidence-room-provider-adapters

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + tenant-admin, pilot-lead, or reviewer role + fixed no-PHI provider adapter contract metadata + rate limit

Inspect or record bounded no-PHI metadata for externally retained evidence-room provider contracts, adapter design references, and audit-log import stubs linked to completed access-log reconciliation. This does not store provider credentials, URLs, access tokens, raw logs, recipient identifiers, signed legal artifacts, customer permission artifacts, public release approval, external distribution approval, live integration approval, compliance certification, production authorization, or clinical execution authority.
GET

/api/pilot-workspaces/{workspaceSlug}/evidence-room-provider-adapters/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited protected evidence-room provider adapter packet after committing the packet release event while preserving integration-disabled posture, provider-adapter-metadata-only storage, and all public-release, external distribution, legal, finance, customer, compliance, production, reimbursement, live integration, and clinical execution blockers.
GET

/api/pilot-workspaces/{workspaceSlug}/clinical-activation-approvals/packet

AAL2 bearer token + authorized tenant role + server-held runtime authorization + rate limit + append-only packet-download audit

Download an audited Markdown Clinical Activation Approval Workflow packet summarizing signed no-PHI readiness attestations, retained blockers, safe workarounds, and unavailable sections.
GET

/api/pilot-workspaces/{workspaceSlug}/clinical-authority-evidence-room

AAL2 bearer token + workspace membership + rate limit

Inspect a protected no-PHI Clinical Authority Evidence Room that unifies live-care, PHI, legal, regional, reimbursement, security, connector, and production authority gates from existing protected workspace evidence without granting approval.
GET

/api/pilot-workspaces/{workspaceSlug}/clinical-authority-evidence-room/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited Markdown Clinical Authority Evidence Room packet with reviewer owners, evidence links, expiration posture, retained gates, audit history, and explicit no-PHI/no-live-care authority boundaries.
GET

/api/pilot-workspaces/{workspaceSlug}/clinical-authority-owner-matrix

AAL2 bearer token + workspace membership + rate limit

Inspect a protected no-PHI Clinical Authority Owner Matrix that maps every live-care, PHI, legal, regional, reimbursement, security, connector, and production hard gate to customer, SCRIMED, and qualified external approver roles without granting authority.
GET

/api/pilot-workspaces/{workspaceSlug}/clinical-authority-owner-matrix/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited Markdown Clinical Authority Owner Matrix packet with required approver roles, metadata-only owner labels, retained gates, external artifact policies, and no-PHI/no-live-care authority boundaries.
GET

/api/pilot-workspaces/{workspaceSlug}/clinical-authority-artifact-intake

AAL2 bearer token + workspace membership + rate limit

Inspect a protected no-PHI Clinical Authority Artifact Intake Checklist that maps owner assignments to required external systems of record, qualified reviewer roles, validation timestamps, expiration cadences, prohibited content, and acceptance criteria without storing artifacts or granting authority.
GET

/api/pilot-workspaces/{workspaceSlug}/clinical-authority-artifact-intake/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited Markdown Clinical Authority Artifact Intake Checklist packet with external artifact reference requirements, metadata-only system-of-record policies, prohibited-content rules, retained gates, and no-PHI/no-live-care authority boundaries.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/authority-artifact-references

GET: AAL2 bearer token + workspace membership + rate limit. POST: AAL2 bearer token + authorized tenant role + guarded RPC + rate limit

Inspect or record protected metadata-only external authority artifact references with reviewer labels, validation timestamps, expiration dates, renewal alerts, and status flags without storing artifacts, PHI, URLs, credentials, signed approvals, or granting authority.
GET

/api/pilot-workspaces/{workspaceSlug}/authority-artifact-references/packet

AAL2 bearer token + authorized tenant role + rate limit + append-only packet-download audit

Download an audited Markdown Authority Artifact Reference packet with no-PHI metadata status, renewal queue, retained blockers, storage restrictions, and explicit no-live-care/no-production authority boundaries.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/trust-safety-incidents

GET: AAL2 bearer token + workspace membership. POST: AAL2 bearer token + tenant-admin or pilot-lead role + server-held runtime authorization + rate limit

Inspect or create tenant-scoped TrustOps incident evidence for synthetic-pilot and enterprise-readiness review.
GET / PATCH

/api/pilot-workspaces/{workspaceSlug}/trust-safety-incidents/{incidentId}

GET: AAL2 bearer token + workspace membership. PATCH: AAL2 bearer token + tenant-admin or pilot-lead role + server-held runtime authorization + rate limit

Inspect or update TrustOps incident status, legal-hold posture, notification review posture, containment, remediation, and post-incident review evidence.
GET

/api/pilot-workspaces/{workspaceSlug}/trust-safety-incidents/{incidentId}/review-packet

AAL2 bearer token + authorized tenant role + server-held runtime authorization + append-only packet-download audit

Download an audited TrustOps review packet after recording the packet release event.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/trustos-decisions

AAL2 bearer token + authorized tenant role + server-held runtime authorization for writes + rate limit

Inspect or commit metadata-only TrustOS decisions to the tenant-isolated append-only governance ledger.
GET / POST

/api/pilot-workspaces/{workspaceSlug}/trustos-decisions/{decisionId}/reviews

AAL2 bearer token + authorized tenant role + server-held runtime authorization for writes + rate limit

Inspect or commit human reviewer dispositions, overrides, and controlled workflow outcome signals.
GET

/api/pilot-workspaces/{workspaceSlug}/trustos-decisions/{decisionId}/governance-packet

AAL2 bearer token + authorized tenant role + server-held runtime authorization + rate limit

Download an audited governance packet containing decision, control, trace, evidence, and human-review proof.
GET / POST

/api/agent-workspaces/{workspaceSlug}/work-orders

GET: bearer token + tenant membership. POST: AAL2 bearer token + authorized tenant role + rate limit

List, filter, summarize, or create persistent Agent Workspace work orders backed by tenant-scoped RLS tables and append-only events.
GET / PATCH

/api/agent-workspaces/{workspaceSlug}/work-orders/{workOrderId}

GET: bearer token + tenant membership. PATCH: AAL2 bearer token + authorized tenant role + rate limit

Inspect, transition, retry, review, block, or close a persistent Agent Workspace work order.
GET

/api/agent-workspaces/{workspaceSlug}/work-orders/{workOrderId}/proof-packet

AAL2 bearer token + authorized tenant role + rate limit + append-only download audit

Download an audited Markdown proof packet for a tenant-isolated synthetic Agent Workspace work order.

Role controls

Tenant roles grant the minimum pilot capability required.

tenant role

tenant-admin

  • Review tenant identity configuration
  • View all tenant pilot workspaces
  • Create and transition persistent agent work orders
  • Record TrustOps incident evidence
  • Commit TrustOS decisions
  • Record governed reviewer dispositions
  • Record no-PHI clinical activation readiness attestations
  • Record no-PHI Public Market Readiness operator metrics
  • Download proof and governance packets
  • Cannot enable live clinical execution
  • Cannot alter append-only audit events
  • Cannot create legal, breach, or compliance certification determinations
tenant role

pilot-lead

  • Run synthetic evaluations
  • Create and transition persistent agent work orders
  • Record TrustOps incident evidence
  • Commit TrustOS decisions
  • Record governed reviewer dispositions
  • Record no-PHI clinical activation readiness attestations
  • Record no-PHI Public Market Readiness operator metrics
  • View workspace sessions
  • Download proof and governance packets
  • Cannot manage tenant identity
  • Cannot alter append-only audit events
  • Cannot create legal, breach, or compliance certification determinations
tenant role

reviewer

  • View workspace sessions
  • Review Trust Cards, work orders, and TrustOps incidents
  • Record governed reviewer dispositions and outcome signals
  • Record no-PHI clinical activation readiness attestations
  • Record no-PHI Public Market Readiness operator metrics
  • Download proof and governance packets
  • Cannot create sessions or new work orders
  • Cannot manage tenant identity
  • Cannot mutate TrustOps incident records
tenant role

observer

  • View approved workspace evidence
  • Cannot create sessions
  • Cannot download restricted evidence
  • Cannot manage identity

Activation gates

Production activation remains a verified infrastructure and governance decision.

01Keep direct invitation send disabled until custom SMTP, legal copy, abuse controls, and delivery monitoring are approved.
02Extend the active passkey or magic-link sign-in, TOTP MFA, and session-lifetime policy into enforced enterprise SSO and multi-tenant identity operations.
03Complete legal, privacy, security, retention, incident response, and BAA review before any PHI-enabled scope.
04Keep live clinical execution denied until separate production promotion approval.