SCRIMED Intelligence & Safety Stack
Project SENTINEL turns agent ambition into governed, observable, deny-by-default execution.
This stack binds zero-trust agent identity, policy decisions, scoped tool access, flight recording, clinical correctness safeguards, local-first de-identification, outcome review, state-aware orchestration, and compliance guardrails into one metadata-only control surface.
Safety Boundary
Metadata can move. Protected healthcare actions cannot.
SCRIMED Intelligence & Safety Stack is a synthetic and metadata-only governance layer. It does not process live PHI, execute autonomous clinical care, diagnose, treat, prescribe, submit payer transactions, write to EHRs, rotate real credentials, change cloud IAM, execute payments, deploy production, send external communications, claim certification, or approve customer go-live.
Sentinel remains deny-by-default. Human approval is required for database deletion, schema changes, PHI export, credential rotation, cloud IAM changes, production deploys, payment execution, encryption-key generation, and external communications.
Project SENTINEL
Every agent action must pass through identity, policy, permission, scoped tool access, execution, and audit logging.
sentinel-allow-synthetic-read
Identity, policy, permission, scoped tool access, execution boundary, and audit logging all passed for metadata-only use.
- Agent: sentinel-security-supervisor
- Tool: synthetic_registry
- Human approval: not required
- Kill switch: none
- Audit hash: scrimed-intel-d219bc77
sentinel-human-approval-production-deploy
Irreversible or sensitive action requires explicit human approval and remains blocked until approved.
- Agent: sentinel-security-supervisor
- Tool: synthetic_registry
- Human approval: required
- Kill switch: none
- Audit hash: scrimed-intel-b1d2afbf
sentinel-kill-switch-cloud-iam
Sentinel kill switch stopped abnormal, runaway, retry, or privilege-escalation behavior.
- Agent: fhir-data-integration-reviewer
- Tool: cloud_iam
- Human approval: required
- Kill switch: retry_storm, suspicious_access_pattern, privilege_escalation_attempt, abnormal_tool_calls
- Audit hash: scrimed-intel-f57200b2
Review Packets
Blocked and approval-required actions become reviewer packets, not execution permission.
Protected persistence remains blocked until fresh AAL2 evidence and boundary-release approval are available.
sentinel-review-packet-sentinel-human-approval-production-deploy
Collect human approval disposition and reviewer notes before any future protected operator workflow.
- Reviewer: security_reviewer
- Trace: flight-trace-sentinel-human-approval-production-deploy
- Regression candidate: yes
- Missing evidence: explicit human approval disposition
- Allowed disposition: pass, fail, needs_more_evidence
- Blocked disposition: execute production action, bypass human approval, persist protected evidence without AAL2, send external communication, store secrets or PHI
- Hash: scrimed-intel-bb376e86
sentinel-review-packet-sentinel-kill-switch-cloud-iam
Review kill-switch evidence, classify root cause, and promote the trace into the regression dataset if confirmed.
- Reviewer: compliance_reviewer
- Trace: flight-trace-sentinel-kill-switch-cloud-iam
- Regression candidate: yes
- Missing evidence: explicit human approval disposition, kill-switch investigation notes, root-cause classification
- Allowed disposition: pass, fail, needs_more_evidence
- Blocked disposition: execute production action, bypass human approval, persist protected evidence without AAL2, send external communication, store secrets or PHI
- Hash: scrimed-intel-efb364c8
Regression Manifest
Failed or blocked traces become nonsecret regression candidates after human review.
candidate_manifest_ready_review_only; protected persistence remains blocked_until_aal2_and_boundary_release.
sentinel-regression-case-sentinel-review-packet-sentinel-human-approval-production-deploy
Replay flight-trace-sentinel-human-approval-production-deploy as a metadata-only regression case for human_approval_required.
- Reviewer gate: security_reviewer
- Dataset: sentinel-regression-synthetic-v1
- Fixture boundary: synthetic_metadata_only
- Assertions: policy decision remains human_approval_required, no tool execution performed, no external call performed, no PHI or secret fixture allowed, audit hash remains deterministic, human approval remains required before protected operator workflow
- Blocked from: production execution, protected persistence without AAL2, PHI fixtures, secret fixtures, external communications, autonomous clinical or payer action
- Hash: scrimed-intel-f0344dcb
sentinel-regression-case-sentinel-review-packet-sentinel-kill-switch-cloud-iam
Replay flight-trace-sentinel-kill-switch-cloud-iam as a metadata-only regression case for kill_switch_triggered.
- Reviewer gate: compliance_reviewer
- Dataset: sentinel-regression-synthetic-v1
- Fixture boundary: synthetic_metadata_only
- Assertions: policy decision remains kill_switch_triggered, no tool execution performed, no external call performed, no PHI or secret fixture allowed, audit hash remains deterministic, human approval remains required before protected operator workflow, kill-switch trigger remains active until reviewed
- Blocked from: production execution, protected persistence without AAL2, PHI fixtures, secret fixtures, external communications, autonomous clinical or payer action
- Hash: scrimed-intel-315ace3e
Promotion Gate
Regression candidates need human pass disposition before becoming nonsecret test metadata.
promotion_gate_ready_review_only; no execution authority is granted by this gate.
sentinel-regression-promotion-sentinel-regression-case-sentinel-review-packet-sentinel-human-approval-production-deploy
Review status is pending. Allowed promotion target is nonsecret_pytest_regression_metadata.
- Reviewer gate: security_reviewer
- Required: human reviewer pass disposition, reviewer notes retained as metadata, nonsecret fixture check, PHI fixture check, policy assertion check, deterministic audit hash check
- Blocked reasons: human reviewer has not passed this failed trace as a regression candidate
- Disallowed targets: production execution, clinical authority, payer submission, EHR writeback, protected evidence persistence without AAL2, external communication, secret or PHI fixture
- Hash: scrimed-intel-f1d903d5
sentinel-regression-promotion-sentinel-regression-case-sentinel-review-packet-sentinel-kill-switch-cloud-iam
Review status is pending. Allowed promotion target is nonsecret_pytest_regression_metadata.
- Reviewer gate: compliance_reviewer
- Required: human reviewer pass disposition, reviewer notes retained as metadata, nonsecret fixture check, PHI fixture check, policy assertion check, deterministic audit hash check
- Blocked reasons: human reviewer has not passed this failed trace as a regression candidate
- Disallowed targets: production execution, clinical authority, payer submission, EHR writeback, protected evidence persistence without AAL2, external communication, secret or PHI fixture
- Hash: scrimed-intel-45fcf99f
Disposition Preview
Reviewer dispositions can be validated as metadata before any protected persistence exists.
The preview route rejects token-like fields, PHI-like notes, role mismatches, unsupported dispositions, and oversized evidence references.
sentinel-regression-case-sentinel-review-packet-sentinel-human-approval-production-deploy
Synthetic metadata review requires root-cause notes before promotion.
- Evidence refs: sentinel-regression-promotion-sentinel-regression-case-sentinel-review-packet-sentinel-human-approval-production-deploy, flight-trace-sentinel-human-approval-production-deploy
- No persistence: true
- No execution authority: true
- Allowed output: preview metadata only
sentinel-regression-case-sentinel-review-packet-sentinel-kill-switch-cloud-iam
Synthetic metadata review requires root-cause notes before promotion.
- Evidence refs: sentinel-regression-promotion-sentinel-regression-case-sentinel-review-packet-sentinel-kill-switch-cloud-iam, flight-trace-sentinel-kill-switch-cloud-iam
- No persistence: true
- No execution authority: true
- Allowed output: preview metadata only
Trace every step
Steps capture agent id, input/output metadata, tool call, latency, failure, retry, policy decision, and final outcome.
local_write_ahead_log_then_sync
.scrimed-runtime/agent-wal/*.jsonl with metadata-only no-secret/no-PHI redaction.
sentinel-regression-synthetic-v1
Failed traces can be promoted into pytest-compatible AI regression tests after human review.
Clinical Safety
Capability is separated from correctness; high-risk outputs stay clinician-in-the-loop.
clinical-correctness-envelope-001
Can pre-screen synthetic clinical text for evidence gaps and unsafe unsupported recommendations.
- Evidence: moderate
- Source quality: synthetic
- Clinician review: required
- Red flags: unsupported recommendation, missing citation, high-risk clinical output
Healthcare Data Infrastructure
Adapters normalize healthcare inputs into semantic metadata while blocking raw payload logs.
DocLang-style representation preserves structure, layout, semantics, tables, images, geometry, labels, values, units, citations with page_block_line_token_coordinates.
adapter-fhir
canonical_semantic_metadata
- schema validation
- PHI scan
- provenance binding
- audit hash
adapter-hl7-v2
canonical_semantic_metadata
- schema validation
- PHI scan
- provenance binding
- audit hash
adapter-cda-ccda
canonical_semantic_metadata
- schema validation
- PHI scan
- provenance binding
- audit hash
adapter-dicom-metadata
canonical_semantic_metadata
- schema validation
- PHI scan
- provenance binding
- audit hash
adapter-csv
canonical_semantic_metadata
- schema validation
- PHI scan
- provenance binding
- audit hash
adapter-jsonl
canonical_semantic_metadata
- schema validation
- PHI scan
- provenance binding
- audit hash
adapter-scanned-document-ocr
canonical_semantic_metadata
- schema validation
- PHI scan
- provenance binding
- audit hash
adapter-free-text-clinical-notes
canonical_semantic_metadata
- schema validation
- PHI scan
- provenance binding
- audit hash
Outcomes
Dashboards prioritize meaningful outcomes over vanity metrics.
Run outcomes review after first 100-200 patients per approved pilot.
documentation_time_saved
minutes saved per signed human-reviewed workflow
synthetic_pilot_metadata
denial_reduction
avoidable denial rate after documentation completeness review
synthetic_pilot_metadata
readmission_reduction
human-reviewed care-transition gap closure rate
synthetic_pilot_metadata
referral_completion
closed-loop referral completion with documented owner
synthetic_pilot_metadata
medication_availability
availability issue routed to human medication support owner
synthetic_pilot_metadata
patient_comprehension
teach-back comprehension checkpoint completion
synthetic_pilot_metadata
State-Aware Orchestration
Agents expose plan, state, history, remaining work, budget, and risk before any workflow advancement.
clinical-safety-reviewer
load synthetic metadata -> validate sources -> score evidence quality -> queue clinician review
- Tool history: synthetic_registry, policy_engine, flight_recorder, review_queue
- Remaining: reviewer pass/fail, promote failed trace to regression dataset
- Budget: 8 tool calls, 2 retries
- Approvals: clinician review, security review for protected operations
Compliance & Governance
Policy scaffolds prepare SCRIMED for qualified review without claiming certification.
HIPAA
minimum necessary, PHI access gate, BAA before live PHI, audit trail
Certification claims blocked: yes
GDPR
data minimization, purpose limitation, data subject rights, residency review
Certification claims blocked: yes
EU_AI_ACT
risk classification, human oversight, logging, transparency
Certification claims blocked: yes
FDA_SAMD_READINESS
intended use, clinical risk analysis, validation plan, change control
Certification claims blocked: yes
MODEL_RISK_MANAGEMENT
model card, evaluation registry, drift monitoring, rollback criteria
Certification claims blocked: yes
CLINICAL_SAFETY
clinician review, red flags, escalation, no autonomous clinical authority
Certification claims blocked: yes