Production Architecture

SCRIMED OS Implementation Plan

Healthcare Intelligence Operating System roadmap for agents, events, registries, clinical workflows, and governed deployment.

SCRIMED OS is designed to securely orchestrate frontier models, zero-trust agents, FHIR/EHR and imaging workflows, governed MCP tools, CodeMode runtimes, auditability, outcome learning, observability, and enterprise deployment.

Statusscrimed-os-implementation-plan-ready-no-phi
Capabilities25
Phases7
Domains15
Agents8
Validationpass
Upgrade batchpassed
Runtime savings30%
Cost metrics5

GO / NO-GO

SCRIMED OS is an operating system plan, not live clinical authority.

SCRIMED OS implementation plan is a no-PHI, architecture-and-roadmap control. It does not authorize live PHI, autonomous diagnosis, treatment, prescribing, patient outreach, payer submission, EHR writeback, production connector use, Kubernetes mutation, remediation execution, clinical validation, certification, or customer go-live.

GO for no-PHI architecture planning, synthetic workflow design, registry contracts, event contracts, and investor/buyer technical diligence.

NO-GO for live PHI, autonomous clinical care, direct LLM database access, patient outreach, payer submission, EHR writeback, production connector use, cluster mutation, clinical validation, certification, or customer go-live.

SCRIMED OS Upgrade Batch

Runtime, prompt, judge, oversight, economics, knowledge, model, and research readiness stay synthetic and metadata-only.

SCRIMED OS upgrade batch is synthetic and metadata-only. It does not call live models, process PHI, generate clinical recommendations, diagnose, treat, prescribe, interpret imaging, mutate EHRs, submit payer transactions, contact patients, activate production connectors, claim certification, validate clinical performance, or approve customer go-live.

runtime-optimizer-metadata-ready

Runtime Optimizer

Simulated cost savings: 30%. Guardrail state: blocked.

  • Prompt compression: interactive; low; synthetic-only
  • Context compression: standard; balanced; human-review-required
  • Semantic caching: interactive; low; synthetic-only
  • Dynamic model routing: batch; premium-controlled; blocked-for-production
prompt-evolution-lab-only

Prompt Evolution Engine

Prompt versions track baseline score, optimized score, clinician review, and blocked deployment status before promotion.

  • clinical-summary-draft-synthetic: review_ready; 72 to 84
  • prior-auth-packet-draft: lab_only; 69 to 81
  • diagnosis-finalizer: blocked; 0 to 0
judge-ensemble-pre-screen-only

Clinical Judge Ensemble

AI can pre-screen; clinician remains final authority.

  • clinical_quality_judge: scores-and-rationale-hashes-only
  • evidence_judge: scores-and-rationale-hashes-only
  • safety_judge: scores-and-rationale-hashes-only
  • payer_policy_judge: scores-and-rationale-hashes-only
  • specialty_judge: scores-and-rationale-hashes-only
  • patient_readability_judge: scores-and-rationale-hashes-only

Oversight and Agent Lab

High-risk clinical-like tasks block until human review, and every lab agent has owner, risk tier, allowed data class, blocked actions, and audit hash.

blocked

clinical-summary-draft

high-risk clinical-like output requires human review before use

  • Risk tier: high
  • Reviewer: licensed clinician reviewer
  • Execution allowed: false
in_review

prior-auth-evidence-packet

submission remains blocked; evidence packet only

  • Risk tier: medium
  • Reviewer: payer operations reviewer
  • Execution allowed: false
human_reviewed

token-economics-review

metadata-only economics review

  • Risk tier: low
  • Reviewer: operations owner
  • Execution allowed: true
high

clinical-intake-agent

Owner: Clinical Ops

  • Allowed data: synthetic
  • Audit hash: c5cd26ff60de665a
  • Blocked: live PHI access, diagnosis, treatment, prescribing, patient outreach, payer submission, EHR writeback
low

prior-auth-agent

Owner: Payer Ops

  • Allowed data: synthetic
  • Audit hash: 95f296155c0ce983
  • Blocked: live PHI access, diagnosis, treatment, prescribing, patient outreach, payer submission, EHR writeback
low

rcm-denials-agent

Owner: Revenue Cycle

  • Allowed data: synthetic
  • Audit hash: 72599f299ce737a4
  • Blocked: live PHI access, diagnosis, treatment, prescribing, patient outreach, payer submission, EHR writeback
high

population-health-agent

Owner: Population Health

  • Allowed data: synthetic
  • Audit hash: d584071dc46ccfce
  • Blocked: live PHI access, diagnosis, treatment, prescribing, patient outreach, payer submission, EHR writeback
medium

trust-verifier-agent

Owner: Trust/Safety

  • Allowed data: metadata
  • Audit hash: d53d6762986048d9
  • Blocked: live PHI access, diagnosis, treatment, prescribing, patient outreach, payer submission, EHR writeback

Cost per Outcome

SCRIMED tracks outcome economics instead of token vanity metrics.

$0.38

cost_per_note

Measures clerical drafting cost per human-reviewed artifact.

  • Outcome: reviewable draft note
  • Avoids vanity metric: tokens generated
$0.22

cost_per_claim_review

Measures denial-risk review cost before any payer action.

  • Outcome: reviewable claim issue summary
  • Avoids vanity metric: raw prompt count
$0.44

cost_per_prior_auth_draft

Measures evidence preparation cost while payer submission remains blocked.

  • Outcome: draft evidence packet
  • Avoids vanity metric: model call volume
$0.31

cost_per_patient_summary

Measures reviewable summary cost without live patient use.

  • Outcome: synthetic summary for review
  • Avoids vanity metric: context window size
$0.57

cost_per_agent_run

Measures governed agent run cost with traceability.

  • Outcome: audited synthetic run
  • Avoids vanity metric: agent step count

Long-Horizon Agent Registry

Future care-journey agents are lab-only, synthetic, expiring, and human-override required.

lab_only

Diabetes Coach

Synthetic memory only; no live patient memory or cross-tenant recall.

  • Escalate clinical, patient-facing, payer, or operational-risk outputs to a human owner.
  • Synthetic memories expire after the lab run or explicit reviewer refresh.
lab_only

Heart Failure Monitor

Synthetic memory only; no live patient memory or cross-tenant recall.

  • Escalate clinical, patient-facing, payer, or operational-risk outputs to a human owner.
  • Synthetic memories expire after the lab run or explicit reviewer refresh.
lab_only

Oncology Navigator

Synthetic memory only; no live patient memory or cross-tenant recall.

  • Escalate clinical, patient-facing, payer, or operational-risk outputs to a human owner.
  • Synthetic memories expire after the lab run or explicit reviewer refresh.
lab_only

Population Health Agent

Synthetic memory only; no live patient memory or cross-tenant recall.

  • Escalate clinical, patient-facing, payer, or operational-risk outputs to a human owner.
  • Synthetic memories expire after the lab run or explicit reviewer refresh.
lab_only

Hospital Operations Agent

Synthetic memory only; no live patient memory or cross-tenant recall.

  • Escalate clinical, patient-facing, payer, or operational-risk outputs to a human owner.
  • Synthetic memories expire after the lab run or explicit reviewer refresh.

Knowledge Fabric and Regression Watch

Ontology mapping, model regression, and life-sciences research shells remain governed metadata.

mapped

FHIR

Resource/profile metadata, provenance, audit, and source-contract mapping.

Customer SMART/FHIR scopes and profile validation required before live use.
requires_review

SNOMED

Clinical concept normalization metadata.

Terminology licensing and clinician terminology review required.
partially_mapped

LOINC

Lab and observation concept metadata with unit awareness.

Lab feed mapping and UCUM/unit validation required.
requires_review

RxNorm

Medication concept metadata for reconciliation workflows.

Pharmacist/clinician governance required before medication use.
partially_mapped

ICD-10

Diagnosis and claims-aware metadata.

Coding compliance review required before billing or quality use.
requires_review

CPT

Procedure and service metadata for RCM workflows.

Coding and payer-policy review required.
blocked

payer policy

Policy evidence metadata only.

No payer submission or coverage determination authority.
requires_review

clinical guidelines

Guideline grounding metadata and version capture.

Clinical governance, licensing, and source currency review required.
rollback-ready

synthetic-fast-router

Version 2026-07-lab; regression score 4; eval hash 05a3c8ce7246f976.

Auto-promote to clinical authority: false
rollback-ready

enterprise-reasoning-synthetic

Version 2026-07-review; regression score 7; eval hash 53c06967de5dbbcd.

Auto-promote to clinical authority: false
rollback-ready

future-clinical-model

Version candidate-blocked; regression score 100; eval hash c2579bb405f507e3.

Auto-promote to clinical authority: false
safe copy

healthcare-native AI

SCRIMED is built around healthcare workflows, evidence, reviewer gates, audit trails, and interoperability metadata rather than a generic chatbot surface.

  • Blocked claims: clinical validation, FDA clearance, live clinical authority
safe copy

clinician-governed intelligence

SCRIMED can organize and pre-screen synthetic workflow evidence while qualified humans remain accountable for clinical, payer, and customer decisions.

  • Blocked claims: autonomous care, diagnosis, treatment, prescribing
safe copy

measurable outcomes

SCRIMED tracks cost per outcome, review readiness, evidence completeness, and workflow friction so buyers can evaluate operational value before production risk.

  • Blocked claims: ROI guarantee, reimbursement guarantee, customer revenue guarantee
safe copy

model-agnostic infrastructure

SCRIMED separates model routing, prompt registry, evaluation, governance, and fallback metadata so the platform is not hard-coded to one provider.

  • Blocked claims: production model routing for PHI, provider certification
safe copy

privacy-first deployment

SCRIMED's current public and lab capabilities stay synthetic and metadata-only, with live PHI, raw connector payloads, and production connectors blocked by default.

  • Blocked claims: HIPAA certification, SOC 2 certification, PHI processing approval
principle

Event-driven by default.

principle

Zero-trust agent identity.

principle

Human-in-the-loop clinical decisions.

principle

No direct LLM-to-database access.

principle

Governed MCP middleware between AI and systems of record.

principle

Every agent has identity, permissions, version, trust score, audit log, and allowed tools.

principle

Every model output is evaluated, logged, and traceable.

principle

Every clinical recommendation-like draft includes confidence, source evidence, limitations, and escalation criteria.

principle

All infrastructure is reproducible through IaC.

principle

All workflows are observable, testable, versioned, and rollback-capable.

principle

Prefer orchestrating best frontier models over training proprietary healthcare models unless justified.

principle

Use CodeMode agents for structured reasoning, calculations, SQL generation, FHIR transformations, and workflow automation.

principle

Preserve document structure during RAG ingestion: pages, tables, labels, values, units, citations, images, and references.

Roadmap

Seven phases move SCRIMED from architecture contracts to governed enterprise deployment.

phase-0-safety-contract

Safety and architecture contract

Freeze the operating boundary, no-PHI posture, protected-action denials, and starter contracts before implementation expands.

0 capabilities
  • Capabilities:
  • Exit criteria: Central policy gate is referenced by sensitive APIs., NO-GO boundaries are visible in docs and APIs., No direct LLM-to-database access is encoded as an invariant., Starter registries and event names are versioned.
  • Blocked until: No customer PHI, production connector, or clinical action can enter this phase.
phase-1-governance-backbone

Governance backbone

Build the event mesh, identity registry, audit ledger, policy registry, and core agent/model/prompt/eval registries.

8 capabilities
  • Capabilities: SCRIMED Event Mesh, Agent Identity Registry, Agent Registry, Prompt Registry, Policy Registry, Model Registry, Evaluation Registry, Zero-Trust Audit Ledger
  • Exit criteria: Every agent and model route has an identity, owner, version, policy, and audit event., Event envelopes are deterministic and replayable., Registry changes require approval records.
  • Blocked until: Registry mutation APIs have RBAC, AAL2, audit, and rollback controls.
phase-2-tool-runtime-plane

Tool and runtime plane

Introduce Secure MCP Gateway, CodeMode Runtime, query validation middleware, and secure RAG/data ingestion.

4 capabilities
  • Capabilities: Secure MCP Gateway, CodeMode Runtime for agents, SQL/FHIR Query Validation Middleware, Secure RAG/Data Ingestion Pipeline
  • Exit criteria: All tool calls require scoped identity and policy checks., CodeMode runs in sandboxed, time-limited, network-restricted execution., SQL and FHIR queries are validated before execution., RAG ingestion preserves document structure and evidence links.
  • Blocked until: No production system of record receives writes or unreviewed tool calls.
phase-3-clinical-data-workflows

Clinical and data workflows

Build the clinical orchestrator, FHIR validation, imaging integration, clinical QA, and safety sandbox.

5 capabilities
  • Capabilities: Clinical Workflow Orchestrator, FHIR Validation Agent, Imaging Integration Layer, Clinical QA Engine, Human-in-the-loop Clinical Safety Sandbox
  • Exit criteria: Clinical outputs carry evidence, confidence, limitations, and escalation criteria., FHIR validation rejects unsafe or profile-invalid payloads., Imaging is metadata/report-first and no-PHI until approved., Human review remains mandatory for protected clinical workflows.
  • Blocked until: Clinical governance approves reviewer roles, escalation criteria, and workflow-specific risk rubrics.
phase-4-ops-intelligence

Operations intelligence

Add configuration drift, AI cost intelligence, observability, and suggestion-only remediation loops.

4 capabilities
  • Capabilities: Configuration Drift Agent, AI Cost Intelligence Agent, Observability Platform, Autonomous Remediation Agent
  • Exit criteria: SLOs, traces, model costs, registry drift, and deployment drift are observable., Autonomous remediation creates reviewed proposals, not live mutations., Cost and provider anomaly events are routed to human owners.
  • Blocked until: No remediation action can mutate production without deployment approval pipeline signoff.
phase-5-deployment-platform

Deployment platform

Implement IaC, Kubernetes deployment contracts, canaries, approvals, rollback, and environment drift controls.

3 capabilities
  • Capabilities: Infrastructure-as-Code Engine, Kubernetes Deployment Engine, Deployment Approval Pipeline
  • Exit criteria: Terraform or equivalent IaC can reproduce approved environments., Kubernetes manifests are signed, scanned, policy-checked, and rollback-ready., Deployment approval pipeline blocks unsafe releases.
  • Blocked until: Secrets, PHI stores, live connectors, and production clusters have separate approval tracks.
phase-6-outcome-learning

Outcome learning

Build continuous outcome learning with synthetic or approved de-identified feedback, reviewer labels, and regression gates.

1 capabilities
  • Capabilities: Continuous Outcome Learning Engine
  • Exit criteria: Outcome signals are consented, de-identified or approved, and evidence-linked., Learning updates create evaluation tasks, not automatic clinical behavior changes., Regression and bias checks pass before policy or prompt promotion.
  • Blocked until: No live patient outcome learning can run without legal, privacy, clinical, and customer approval.

Capability architecture

Each capability has events, interfaces, controls, human gates, blocked autonomy, deliverables, and acceptance criteria.

starter-build-ready

SCRIMED Event Mesh

Create the append-only event backbone for agent runs, registry changes, workflow state, model routing, evaluations, approvals, and audit evidence.

eventing; phase-1-governance-backbone
  • Interfaces: publishEvent(envelope), subscribe(topic, consumer), replay(correlationId), deadLetter(eventId)
  • Events: event.mesh.event.accepted, event.mesh.event.replayed, event.mesh.dead_letter.created
  • Controls: schema validation, idempotency, tenant boundary, immutable hash, dead-letter owner
  • Human gate: Human review required before event replay can trigger any protected workflow.
  • Blocked autonomy: protected side effects from replay, cross-tenant event reuse, PHI-bearing public events
starter-build-ready

Agent Identity Registry

Give every agent persistent identity, owner, version, trust score, scopes, allowed tools, denied tools, and audit history.

identity; phase-1-governance-backbone
  • Interfaces: registerAgent(), issueAgentRunIdentity(), revokeAgentIdentity(), getAgentTrustScore()
  • Events: agent.identity.registered, agent.identity.versioned, agent.identity.revoked, agent.identity.trust_score.updated
  • Controls: least privilege, AAL2 operator approval, version pinning, revocation, audit trail
  • Human gate: Security owner approval required for new protected-tool scopes.
  • Blocked autonomy: anonymous agent runs, unversioned tools, self-granted permissions
requires-protected-pilot

Secure MCP Gateway

Place governed MCP middleware between agents and systems of record, with OAuth, scoped tokens, tool-level authorization, and audit.

tooling; phase-2-tool-runtime-plane
  • Interfaces: listTools(identity), authorizeToolCall(), executeTool(), revokeToolGrant()
  • Events: mcp.tool.requested, mcp.tool.authorized, mcp.tool.denied, mcp.tool.result_recorded
  • Controls: OAuth/OIDC, scoped tokens, tool allowlist, revocation, prompt-injection filter, result redaction
  • Human gate: Human approval required for protected tools, connector writes, patient-facing actions, and payer actions.
  • Blocked autonomy: unpermissioned tools, EHR writeback, payer submission, patient outreach
requires-protected-pilot

CodeMode Runtime for agents

Run structured reasoning, calculations, SQL generation, FHIR transformations, validation, and workflow automation inside sandboxed CodeMode sessions.

runtime; phase-2-tool-runtime-plane
  • Interfaces: createCodeRun(), validateArtifact(), approveArtifact(), discardRun()
  • Events: codemode.run.started, codemode.artifact.created, codemode.artifact.validated, codemode.run.quarantined
  • Controls: sandbox isolation, no secret injection, artifact hash, malware scan placeholder, human approval
  • Human gate: Human owner approval required before generated code, SQL, or FHIR transforms affect any workflow.
  • Blocked autonomy: direct database execution, network egress by default, secret access, production mutation
requires-protected-pilot

Clinical Workflow Orchestrator

Coordinate deterministic clinical workflows across intake, evidence, FHIR validation, QA, review queues, and safe handoff states.

clinical-workflow; phase-3-clinical-data-workflows
  • Interfaces: startWorkflow(), advanceState(), requestReview(), rollbackWorkflow()
  • Events: clinical.workflow.started, clinical.workflow.review_required, clinical.workflow.blocked, clinical.workflow.rollback_requested
  • Controls: state machine, human clinical review, evidence cards, rollback, no live-care authority
  • Human gate: Human owner review is required; this capability cannot create diagnosis, treatment, prescribing, outreach, payer, EHR, or production connector authority.
  • Blocked autonomy: diagnosis, treatment, prescribing, triage replacement, patient instructions
starter-build-ready

Agent Registry

Maintain approved agent definitions, versions, scopes, owners, eval requirements, tool policies, and deployment status.

registry; phase-1-governance-backbone
  • Interfaces: registerAgentVersion(), approveAgentVersion(), deprecateAgentVersion(), listApprovedAgents()
  • Events: registry.agent.created, registry.agent.approved, registry.agent.deprecated
  • Controls: owner approval, version pinning, tool scope validation, eval gate
  • Human gate: Platform and domain owner approval required before agent promotion.
  • Blocked autonomy: self-promotion, unapproved tools, unreviewed clinical agent release
starter-build-ready

Prompt Registry

Version prompts, system instructions, few-shot examples, safety clauses, expected outputs, owners, and eval bindings.

registry; phase-1-governance-backbone
  • Interfaces: registerPrompt(), promotePrompt(), rollbackPrompt(), bindPromptEval()
  • Events: registry.prompt.created, registry.prompt.promoted, registry.prompt.rollback
  • Controls: template validation, injection checks, reviewer signoff, rollback
  • Human gate: Prompt promotion requires domain owner review for clinical, payer, or security workflows.
  • Blocked autonomy: silent prompt edits, unreviewed clinical prompts, prompt bypassing policy
starter-build-ready

Policy Registry

Centralize safety, PHI, tool, model, workflow, data-residency, cost, and deployment policies with versioned decisions.

registry; phase-1-governance-backbone
  • Interfaces: evaluatePolicy(), registerPolicy(), promotePolicy(), explainDecision()
  • Events: registry.policy.created, policy.decision.allowed, policy.decision.denied, policy.decision.review_required
  • Controls: versioning, decision logging, least privilege, most restrictive rule, appeal path
  • Human gate: Policy changes require security, clinical, or operations owner approval based on scope.
  • Blocked autonomy: policy self-modification, unlogged allow decisions, policy bypass
starter-build-ready

Model Registry

Track providers, model versions, tasks, risk tiers, cost, latency, quality, data policy, fallback, and approval state.

registry; phase-1-governance-backbone
  • Interfaces: registerModel(), approveModelRoute(), selectModelRoute(), rollbackModelVersion()
  • Events: registry.model.created, model.route.selected, model.route.blocked, model.version.rollback
  • Controls: provider contract, data-use policy, cost guardrail, fallback, eval baseline
  • Human gate: Model approval requires privacy, security, and domain owner review.
  • Blocked autonomy: unlogged external model calls, PHI routing without approval, single-provider hard dependency
starter-build-ready

Evaluation Registry

Store evaluation datasets, synthetic scenarios, reviewer labels, scorecards, regression checks, adversarial cases, and release gates.

registry; phase-1-governance-backbone
  • Interfaces: registerEvalSuite(), runEval(), recordReviewerOutcome(), blockReleaseOnFailure()
  • Events: registry.eval.created, eval.run.started, eval.run.completed, eval.release_block.created
  • Controls: no PHI fixtures, regression threshold, human reviewer labels, bias checks, drift checks
  • Human gate: Clinical-risk eval changes require clinical governance review.
  • Blocked autonomy: leaderboard-only approval, unreviewed clinical eval promotion, PHI in fixtures
requires-protected-pilot

FHIR Validation Agent

Validate FHIR resources, profiles, terminology, references, consent, purpose-of-use, and transformation safety before workflow use.

interoperability; phase-3-clinical-data-workflows
  • Interfaces: validateFhirResource(), explainFhirError(), proposeFhirTransform(), createInteroperabilityReview()
  • Events: fhir.validation.requested, fhir.validation.passed, fhir.validation.failed, fhir.transform.proposed
  • Controls: FHIR profile validation, terminology validation, consent/purpose check, LLM output cannot execute direct SQL or direct system-of-record queries; all access must pass through validation middleware, MCP policy, scoped identity, and audit.
  • Human gate: Interoperability owner review required before production FHIR transforms or connector activation.
  • Blocked autonomy: FHIR writeback, profile bypass, terminology guessing, live patient mutation
blocked-before-production

Imaging Integration Layer

Prepare DICOM/DICOMweb/PACS, imaging reports, metadata, AI imaging inference, and reviewer workflows without enabling live imaging authority.

imaging; phase-3-clinical-data-workflows
  • Interfaces: validateDicomMetadata(), ingestSyntheticImagingReport(), queueImagingReview(), recordImagingEvidence()
  • Events: imaging.metadata.validated, imaging.report.ingested, imaging.review.required, imaging.inference.blocked
  • Controls: DICOM tag minimization, no pixel PHI by default, specialist review, GPU job policy, model card
  • Human gate: Radiology or domain specialist review required before any imaging interpretation is released.
  • Blocked autonomy: diagnostic imaging interpretation, PACS writeback, pixel data ingestion without approval, unreviewed inference
starter-build-ready

Configuration Drift Agent

Detect drift across policies, registries, environment variables, IaC, Kubernetes manifests, deployment settings, and security headers.

ops; phase-4-ops-intelligence
  • Interfaces: captureConfigSnapshot(), compareDesiredState(), openDriftReview(), blockUnsafeDeployment()
  • Events: drift.snapshot.created, drift.detected, drift.review_required, drift.deployment_blocked
  • Controls: read-only collection, secret redaction, severity scoring, owner routing
  • Human gate: Platform owner approval required before drift remediation applies.
  • Blocked autonomy: automatic production config changes, secret logging, unreviewed policy mutation
starter-build-ready

AI Cost Intelligence Agent

Track model/tool cost, token use, latency, provider usage, budget thresholds, anomaly detection, and cost-aware routing recommendations.

ops; phase-4-ops-intelligence
  • Interfaces: recordUsage(), evaluateBudget(), forecastCost(), recommendRouteChange()
  • Events: cost.usage.recorded, cost.threshold.warning, cost.threshold.blocked, cost.route_recommendation.created
  • Controls: provider kill switch, budget thresholds, tenant quotas, safe error messages, usage anomaly detection
  • Human gate: Finance/platform owner approval required before budget or provider-route changes.
  • Blocked autonomy: uncapped provider calls, silent provider changes, budget bypass
starter-build-ready

Observability Platform

Trace requests, events, agents, model calls, tool calls, policy decisions, evaluations, workflows, costs, and safety escalations.

observability; phase-4-ops-intelligence
  • Interfaces: recordTrace(), recordMetric(), recordLogEvent(), openIncident()
  • Events: observability.trace.recorded, observability.metric.recorded, observability.alert.opened
  • Controls: PHI redaction, trace correlation, SLOs, alert routing, retention policy
  • Human gate: Incident owner review required for safety or production-impacting alerts.
  • Blocked autonomy: PHI log retention, unreviewed alert suppression, blind production changes
blocked-before-production

Autonomous Remediation Agent

Generate remediation proposals for drift, failed deployments, cost spikes, degraded SLOs, and eval regressions while keeping execution human-approved.

ops; phase-4-ops-intelligence
  • Interfaces: draftRemediationPlan(), estimateBlastRadius(), requestApproval(), recordRemediationOutcome()
  • Events: remediation.plan.created, remediation.approval_requested, remediation.execution_blocked, remediation.outcome.recorded
  • Controls: human approval, blast-radius analysis, rollback plan, change window, no autonomous production mutation
  • Human gate: Deployment owner approval required before any remediation executes.
  • Blocked autonomy: self-healing production mutation, security policy changes, clinical workflow changes
requires-protected-pilot

Clinical QA Engine

Evaluate clinical drafts for evidence quality, hallucination, missing data, bias, guideline grounding, safety boundaries, and reviewer requirements.

qa; phase-3-clinical-data-workflows
  • Interfaces: runClinicalQA(), scoreClinicalDraft(), createReviewTask(), recordReviewerDisposition()
  • Events: clinical.qa.started, clinical.qa.failed, clinical.qa.passed_review_gated, clinical.qa.review_required
  • Controls: citation checks, missing-data checks, bias checks, human review, clinical risk rubric
  • Human gate: Human owner review is required; this capability cannot create diagnosis, treatment, prescribing, outreach, payer, EHR, or production connector authority.
  • Blocked autonomy: final clinical decision, patient advice, uncited medical claims, review bypass
blocked-before-production

Continuous Outcome Learning Engine

Learn from approved outcomes, reviewer labels, incidents, eval regressions, and workflow results without automatic clinical behavior changes.

learning; phase-6-outcome-learning
  • Interfaces: recordOutcomeSignal(), detectOutcomePattern(), proposeEvalUpdate(), requestPolicyOrPromptReview()
  • Events: outcome.signal.recorded, outcome.pattern.detected, outcome.eval_update.proposed, outcome.learning_blocked
  • Controls: consent/data-use approval, de-identification, bias monitoring, human review, release gates
  • Human gate: Clinical governance approval required before outcome-derived changes affect workflows.
  • Blocked autonomy: automatic clinical learning, PHI outcome ingestion without approval, unreviewed prompt/model promotion
requires-protected-pilot

Infrastructure-as-Code Engine

Make SCRIMED environments reproducible through IaC with policy checks, secrets separation, state locking, drift detection, and rollback.

infrastructure; phase-5-deployment-platform
  • Interfaces: planInfrastructure(), scanIaCPlan(), approveIaCChange(), applyIaCChange()
  • Events: iac.plan.created, iac.plan.scanned, iac.approval_required, iac.apply.blocked
  • Controls: state locking, secret separation, policy-as-code, approval, rollback
  • Human gate: Infrastructure owner approval required before apply.
  • Blocked autonomy: unapproved apply, secret hardcoding, production drift mutation
blocked-before-production

Kubernetes Deployment Engine

Prepare Kubernetes deployment, canary, rollback, policy, runtime security, GPU scheduling, and service health contracts.

infrastructure; phase-5-deployment-platform
  • Interfaces: renderManifests(), scanImage(), runCanary(), rollbackDeployment()
  • Events: k8s.manifest.rendered, k8s.image.scanned, k8s.canary.started, k8s.rollback.requested
  • Controls: image signing, SBOM, resource limits, network policy, admission control, rollback
  • Human gate: Deployment owner approval required before cluster mutation.
  • Blocked autonomy: unapproved cluster mutation, unsigned images, unbounded GPU jobs, PHI workload without approval
starter-build-ready

Zero-Trust Audit Ledger

Create immutable, tamper-evident audit evidence for identity, policy, model, tool, workflow, evaluation, deployment, and review actions.

audit; phase-1-governance-backbone
  • Interfaces: appendAuditEvent(), verifyAuditChain(), exportAuditPacket(), quarantineAuditGap()
  • Events: audit.event.appended, audit.chain.verified, audit.gap.detected, audit.packet.exported
  • Controls: append-only, hash chain, tenant boundary, retention, export redaction
  • Human gate: Compliance/security owner review required for audit gaps or export packets.
  • Blocked autonomy: audit deletion, raw PHI audit payloads, unaudited protected action
requires-protected-pilot

SQL/FHIR Query Validation Middleware

Validate generated SQL, FHIR search, and transformation requests before any database or system-of-record access.

security; phase-2-tool-runtime-plane
  • Interfaces: validateSql(), validateFhirSearch(), explainQueryRisk(), denyUnsafeQuery()
  • Events: query.validation.requested, query.validation.passed, query.validation.denied, query.validation.review_required
  • Controls: LLM output cannot execute direct SQL or direct system-of-record queries; all access must pass through validation middleware, MCP policy, scoped identity, and audit., parameterization, read/write classification, row/tenant policy, rate limit
  • Human gate: Data owner approval required before high-risk queries or any write-like operation.
  • Blocked autonomy: direct SQL execution, cross-tenant query, write query, PHI extraction without approval
starter-build-ready

Deployment Approval Pipeline

Gate deployments through tests, security scans, evals, drift checks, human approvals, canaries, blast-radius controls, and rollback.

infrastructure; phase-5-deployment-platform
  • Interfaces: createReleaseCandidate(), evaluateReleaseGate(), approveDeployment(), rollbackRelease()
  • Events: deployment.candidate.created, deployment.gate.failed, deployment.approved, deployment.rollback.started
  • Controls: CI checks, secret scanning, SBOM, eval gates, manual approval, rollback
  • Human gate: Release owner approval required before protected environment promotion.
  • Blocked autonomy: unapproved production deploy, failed eval promotion, missing rollback
requires-protected-pilot

Secure RAG/Data Ingestion Pipeline

Ingest documents and data for retrieval while preserving structure, provenance, citations, redaction, malware checks, and policy boundaries.

security; phase-2-tool-runtime-plane
  • Interfaces: ingestDocument(), extractStructure(), redactSensitiveData(), indexEvidenceChunk(), verifyCitation()
  • Events: rag.ingestion.started, rag.structure.extracted, rag.redaction.applied, rag.indexing.blocked
  • Controls: PHI detection, malware scan placeholder, prompt-injection detection, source provenance, citation verification
  • Human gate: Data owner approval required before indexing customer or clinical corpora.
  • Blocked autonomy: unapproved PHI indexing, structure-stripping ingestion, citationless retrieval, RAG poisoning
starter-build-ready

Human-in-the-loop Clinical Safety Sandbox

Create a sandbox where clinical workflows, agents, prompts, models, FHIR transforms, and QA findings can be reviewed before any protected use.

clinical-workflow; phase-3-clinical-data-workflows
  • Interfaces: createSandboxCase(), requestClinicalReview(), recordReviewerDecision(), promoteSandboxFindingToEval()
  • Events: sandbox.case.created, sandbox.review.requested, sandbox.decision.recorded, sandbox.finding.promoted_to_eval
  • Controls: no-PHI fixtures, reviewer identity, clinical risk label, evidence card, escalation criteria
  • Human gate: Human owner review is required; this capability cannot create diagnosis, treatment, prescribing, outreach, payer, EHR, or production connector authority.
  • Blocked autonomy: live patient care, diagnosis, treatment, prescribing, patient outreach

Agents to build

Agents are scoped identities with allowed tools, denied tools, evidence requirements, and escalation paths.

clinical-intake:read-synthetic-context:write-review-packet

Clinical Intake Agent

Collect synthetic or approved intake context, classify missing evidence, and create reviewer-ready intake packets.

Synthetic intake packet with evidence, limitations, confidence, and escalation criteria.
  • Allowed tools: synthetic-context-reader, evidence-card-builder, review-queue-writer
  • Denied tools: ehr-writeback, patient-messaging, diagnosis-finalizer
  • Evidence: source references, missing-data checklist, risk label, reviewer queue
  • Escalation: Escalate any clinical ambiguity, PHI-like input, or protected action to clinical review.
fhir-validation:read-fixture:write-validation-report

FHIR Validation Agent

Explain deterministic FHIR validation results, propose safe transformations, and route invalid resources to interoperability review.

No-PHI FHIR validation report with errors, severity, and remediation proposal.
  • Allowed tools: fhir-profile-validator, terminology-checker, validation-report-writer
  • Denied tools: fhir-writeback, production-ehr-search, patient-merge
  • Evidence: resource type, profile, terminology result, validation errors
  • Escalation: Escalate profile conflicts, live connector requests, or write-like operations to interoperability owner.
imaging-integration:read-synthetic-report:write-review-packet

Imaging Integration Agent

Validate synthetic imaging metadata/report evidence and route imaging tasks to specialist review without diagnostic authority.

Synthetic imaging metadata and report validation packet.
  • Allowed tools: dicom-metadata-validator, imaging-report-parser, specialist-review-queue
  • Denied tools: pacs-writeback, diagnostic-finalizer, pixel-data-ingestion
  • Evidence: modality, report source, comparison status, specialist review requirement
  • Escalation: Escalate all interpretation-like findings to radiology or domain specialist review.
clinical-qa:read-draft:write-scorecard

Clinical QA Agent

Score clinical-like drafts for evidence, hallucination, missing-data, guideline, bias, freshness, and reviewer-gate quality.

Clinical QA scorecard bound to execution-attempt evidence.
  • Allowed tools: clinical-robustness-scorecard, citation-checker, risk-rubric-evaluator
  • Denied tools: clinical-finalizer, patient-facing-publisher, orders
  • Evidence: citations, limitations, confidence, review status, clinical risk level
  • Escalation: Escalate any failed or high-risk scorecard to clinical governance review.
patient-engagement:read-approved-education:write-draft

Patient Engagement Agent

Draft general education and engagement materials for review while blocking outreach and patient-specific advice.

Reviewed, general-education draft with no outreach authority.
  • Allowed tools: approved-education-library, plain-language-checker, review-queue-writer
  • Denied tools: patient-messaging, treatment-advice, appointment-scheduler
  • Evidence: general education label, source references, language level, reviewer signoff state
  • Escalation: Escalate patient-specific context, outreach requests, or treatment language to qualified human review.
config-drift:read-metadata:write-drift-finding

Configuration Drift Agent

Compare desired and observed platform configuration, redact secrets, and create owner-routed drift findings.

Read-only drift report with deployment block recommendation.
  • Allowed tools: config-snapshot-reader, drift-diff-engine, owner-router
  • Denied tools: secret-reader, production-mutator, policy-editor
  • Evidence: desired state hash, observed state hash, severity, owner
  • Escalation: Escalate high-severity drift to platform owner and deployment pipeline.
ai-cost:read-usage:write-cost-recommendation

AI Cost Intelligence Agent

Monitor model/tool usage, detect cost anomalies, and recommend budget-safe routing changes.

Cost anomaly event and route recommendation packet.
  • Allowed tools: usage-meter, budget-policy-evaluator, cost-dashboard-writer
  • Denied tools: provider-route-mutator, budget-overrider, secret-reader
  • Evidence: model route, tokens, estimated cost, tenant quota, threshold decision
  • Escalation: Escalate threshold breaches to finance/platform owner.
remediation:read-incident:write-plan

Autonomous Remediation Agent

Draft evidence-linked remediation plans while leaving execution blocked until human approval.

Suggestion-only remediation packet with blocked execution state.
  • Allowed tools: incident-reader, blast-radius-estimator, rollback-plan-builder
  • Denied tools: production-mutator, cluster-admin, policy-editor
  • Evidence: incident trace, blast radius, rollback, approval owner
  • Escalation: Escalate all execution requests to deployment approval pipeline.

Starter architecture

Repository layout to grow from Next app contract into multi-package operating system.

  • app/lib/scrimedOSImplementationPlan.ts for typed architecture contracts.
  • app/api/scrimed-os/implementation-plan/route.ts for machine-readable roadmap.
  • app/scrimed-os/page.tsx for executive, engineering, and investor review.
  • packages/event-mesh for future event envelope, outbox, broker adapters, and replay.
  • packages/agent-runtime for identity, scopes, CodeMode, MCP gateway clients, and traces.
  • packages/registries for agent, prompt, policy, model, and evaluation registry schemas.
  • packages/clinical-workflows for deterministic orchestrator, FHIR validation, imaging contracts, and clinical QA.
  • infra/ for IaC, Kubernetes, policy-as-code, canary, and rollback templates.
pass

all-requested-capabilities-mapped

All 25 requested SCRIMED OS capabilities must be represented in the roadmap.

pass

event-driven-by-default

Every capability must emit at least one auditable event.

pass

zero-trust-agent-identity

Agent identity, least privilege, revocation, scopes, and trust scores are first-class.

pass

no-direct-llm-database-access

Generated SQL/FHIR queries must pass validation middleware before access.

pass

registries-covered

Agent, prompt, policy, model, and evaluation registries are explicit.

pass

human-in-the-loop-clinical-safety

Clinical-like outputs remain review-gated and cannot become autonomous care.

pass

secure-rag-preserves-structure

RAG ingestion must preserve document structure and provenance.

pass

agent-backlog-includes-patient-safety-surface

The truncated Patient agent request is safely modeled as review-gated patient engagement with no outreach authority.

pass

production-mutation-blocked

Every capability names blocked autonomous behavior before production approval.