SCRIMED OS Implementation Plan
Healthcare Intelligence Operating System roadmap for agents, events, registries, clinical workflows, and governed deployment.
SCRIMED OS is designed to securely orchestrate frontier models, zero-trust agents, FHIR/EHR and imaging workflows, governed MCP tools, CodeMode runtimes, auditability, outcome learning, observability, and enterprise deployment.
GO / NO-GO
SCRIMED OS is an operating system plan, not live clinical authority.
SCRIMED OS implementation plan is a no-PHI, architecture-and-roadmap control. It does not authorize live PHI, autonomous diagnosis, treatment, prescribing, patient outreach, payer submission, EHR writeback, production connector use, Kubernetes mutation, remediation execution, clinical validation, certification, or customer go-live.
GO for no-PHI architecture planning, synthetic workflow design, registry contracts, event contracts, and investor/buyer technical diligence.
NO-GO for live PHI, autonomous clinical care, direct LLM database access, patient outreach, payer submission, EHR writeback, production connector use, cluster mutation, clinical validation, certification, or customer go-live.
SCRIMED OS Upgrade Batch
Runtime, prompt, judge, oversight, economics, knowledge, model, and research readiness stay synthetic and metadata-only.
SCRIMED OS upgrade batch is synthetic and metadata-only. It does not call live models, process PHI, generate clinical recommendations, diagnose, treat, prescribe, interpret imaging, mutate EHRs, submit payer transactions, contact patients, activate production connectors, claim certification, validate clinical performance, or approve customer go-live.
Runtime Optimizer
Simulated cost savings: 30%. Guardrail state: blocked.
- Prompt compression: interactive; low; synthetic-only
- Context compression: standard; balanced; human-review-required
- Semantic caching: interactive; low; synthetic-only
- Dynamic model routing: batch; premium-controlled; blocked-for-production
Prompt Evolution Engine
Prompt versions track baseline score, optimized score, clinician review, and blocked deployment status before promotion.
- clinical-summary-draft-synthetic: review_ready; 72 to 84
- prior-auth-packet-draft: lab_only; 69 to 81
- diagnosis-finalizer: blocked; 0 to 0
Clinical Judge Ensemble
AI can pre-screen; clinician remains final authority.
- clinical_quality_judge: scores-and-rationale-hashes-only
- evidence_judge: scores-and-rationale-hashes-only
- safety_judge: scores-and-rationale-hashes-only
- payer_policy_judge: scores-and-rationale-hashes-only
- specialty_judge: scores-and-rationale-hashes-only
- patient_readability_judge: scores-and-rationale-hashes-only
Oversight and Agent Lab
High-risk clinical-like tasks block until human review, and every lab agent has owner, risk tier, allowed data class, blocked actions, and audit hash.
clinical-summary-draft
high-risk clinical-like output requires human review before use
- Risk tier: high
- Reviewer: licensed clinician reviewer
- Execution allowed: false
prior-auth-evidence-packet
submission remains blocked; evidence packet only
- Risk tier: medium
- Reviewer: payer operations reviewer
- Execution allowed: false
token-economics-review
metadata-only economics review
- Risk tier: low
- Reviewer: operations owner
- Execution allowed: true
clinical-intake-agent
Owner: Clinical Ops
- Allowed data: synthetic
- Audit hash: c5cd26ff60de665a
- Blocked: live PHI access, diagnosis, treatment, prescribing, patient outreach, payer submission, EHR writeback
prior-auth-agent
Owner: Payer Ops
- Allowed data: synthetic
- Audit hash: 95f296155c0ce983
- Blocked: live PHI access, diagnosis, treatment, prescribing, patient outreach, payer submission, EHR writeback
rcm-denials-agent
Owner: Revenue Cycle
- Allowed data: synthetic
- Audit hash: 72599f299ce737a4
- Blocked: live PHI access, diagnosis, treatment, prescribing, patient outreach, payer submission, EHR writeback
population-health-agent
Owner: Population Health
- Allowed data: synthetic
- Audit hash: d584071dc46ccfce
- Blocked: live PHI access, diagnosis, treatment, prescribing, patient outreach, payer submission, EHR writeback
trust-verifier-agent
Owner: Trust/Safety
- Allowed data: metadata
- Audit hash: d53d6762986048d9
- Blocked: live PHI access, diagnosis, treatment, prescribing, patient outreach, payer submission, EHR writeback
Cost per Outcome
SCRIMED tracks outcome economics instead of token vanity metrics.
cost_per_note
Measures clerical drafting cost per human-reviewed artifact.
- Outcome: reviewable draft note
- Avoids vanity metric: tokens generated
cost_per_claim_review
Measures denial-risk review cost before any payer action.
- Outcome: reviewable claim issue summary
- Avoids vanity metric: raw prompt count
cost_per_prior_auth_draft
Measures evidence preparation cost while payer submission remains blocked.
- Outcome: draft evidence packet
- Avoids vanity metric: model call volume
cost_per_patient_summary
Measures reviewable summary cost without live patient use.
- Outcome: synthetic summary for review
- Avoids vanity metric: context window size
cost_per_agent_run
Measures governed agent run cost with traceability.
- Outcome: audited synthetic run
- Avoids vanity metric: agent step count
Long-Horizon Agent Registry
Future care-journey agents are lab-only, synthetic, expiring, and human-override required.
Diabetes Coach
Synthetic memory only; no live patient memory or cross-tenant recall.
- Escalate clinical, patient-facing, payer, or operational-risk outputs to a human owner.
- Synthetic memories expire after the lab run or explicit reviewer refresh.
Heart Failure Monitor
Synthetic memory only; no live patient memory or cross-tenant recall.
- Escalate clinical, patient-facing, payer, or operational-risk outputs to a human owner.
- Synthetic memories expire after the lab run or explicit reviewer refresh.
Oncology Navigator
Synthetic memory only; no live patient memory or cross-tenant recall.
- Escalate clinical, patient-facing, payer, or operational-risk outputs to a human owner.
- Synthetic memories expire after the lab run or explicit reviewer refresh.
Population Health Agent
Synthetic memory only; no live patient memory or cross-tenant recall.
- Escalate clinical, patient-facing, payer, or operational-risk outputs to a human owner.
- Synthetic memories expire after the lab run or explicit reviewer refresh.
Hospital Operations Agent
Synthetic memory only; no live patient memory or cross-tenant recall.
- Escalate clinical, patient-facing, payer, or operational-risk outputs to a human owner.
- Synthetic memories expire after the lab run or explicit reviewer refresh.
Knowledge Fabric and Regression Watch
Ontology mapping, model regression, and life-sciences research shells remain governed metadata.
FHIR
Resource/profile metadata, provenance, audit, and source-contract mapping.
Customer SMART/FHIR scopes and profile validation required before live use.SNOMED
Clinical concept normalization metadata.
Terminology licensing and clinician terminology review required.LOINC
Lab and observation concept metadata with unit awareness.
Lab feed mapping and UCUM/unit validation required.RxNorm
Medication concept metadata for reconciliation workflows.
Pharmacist/clinician governance required before medication use.ICD-10
Diagnosis and claims-aware metadata.
Coding compliance review required before billing or quality use.CPT
Procedure and service metadata for RCM workflows.
Coding and payer-policy review required.payer policy
Policy evidence metadata only.
No payer submission or coverage determination authority.clinical guidelines
Guideline grounding metadata and version capture.
Clinical governance, licensing, and source currency review required.synthetic-fast-router
Version 2026-07-lab; regression score 4; eval hash 05a3c8ce7246f976.
Auto-promote to clinical authority: falseenterprise-reasoning-synthetic
Version 2026-07-review; regression score 7; eval hash 53c06967de5dbbcd.
Auto-promote to clinical authority: falsefuture-clinical-model
Version candidate-blocked; regression score 100; eval hash c2579bb405f507e3.
Auto-promote to clinical authority: falsehealthcare-native AI
SCRIMED is built around healthcare workflows, evidence, reviewer gates, audit trails, and interoperability metadata rather than a generic chatbot surface.
- Blocked claims: clinical validation, FDA clearance, live clinical authority
clinician-governed intelligence
SCRIMED can organize and pre-screen synthetic workflow evidence while qualified humans remain accountable for clinical, payer, and customer decisions.
- Blocked claims: autonomous care, diagnosis, treatment, prescribing
measurable outcomes
SCRIMED tracks cost per outcome, review readiness, evidence completeness, and workflow friction so buyers can evaluate operational value before production risk.
- Blocked claims: ROI guarantee, reimbursement guarantee, customer revenue guarantee
model-agnostic infrastructure
SCRIMED separates model routing, prompt registry, evaluation, governance, and fallback metadata so the platform is not hard-coded to one provider.
- Blocked claims: production model routing for PHI, provider certification
privacy-first deployment
SCRIMED's current public and lab capabilities stay synthetic and metadata-only, with live PHI, raw connector payloads, and production connectors blocked by default.
- Blocked claims: HIPAA certification, SOC 2 certification, PHI processing approval
Event-driven by default.
Zero-trust agent identity.
Human-in-the-loop clinical decisions.
No direct LLM-to-database access.
Governed MCP middleware between AI and systems of record.
Every agent has identity, permissions, version, trust score, audit log, and allowed tools.
Every model output is evaluated, logged, and traceable.
Every clinical recommendation-like draft includes confidence, source evidence, limitations, and escalation criteria.
All infrastructure is reproducible through IaC.
All workflows are observable, testable, versioned, and rollback-capable.
Prefer orchestrating best frontier models over training proprietary healthcare models unless justified.
Use CodeMode agents for structured reasoning, calculations, SQL generation, FHIR transformations, and workflow automation.
Preserve document structure during RAG ingestion: pages, tables, labels, values, units, citations, images, and references.
Roadmap
Seven phases move SCRIMED from architecture contracts to governed enterprise deployment.
Safety and architecture contract
Freeze the operating boundary, no-PHI posture, protected-action denials, and starter contracts before implementation expands.
- Capabilities:
- Exit criteria: Central policy gate is referenced by sensitive APIs., NO-GO boundaries are visible in docs and APIs., No direct LLM-to-database access is encoded as an invariant., Starter registries and event names are versioned.
- Blocked until: No customer PHI, production connector, or clinical action can enter this phase.
Governance backbone
Build the event mesh, identity registry, audit ledger, policy registry, and core agent/model/prompt/eval registries.
- Capabilities: SCRIMED Event Mesh, Agent Identity Registry, Agent Registry, Prompt Registry, Policy Registry, Model Registry, Evaluation Registry, Zero-Trust Audit Ledger
- Exit criteria: Every agent and model route has an identity, owner, version, policy, and audit event., Event envelopes are deterministic and replayable., Registry changes require approval records.
- Blocked until: Registry mutation APIs have RBAC, AAL2, audit, and rollback controls.
Tool and runtime plane
Introduce Secure MCP Gateway, CodeMode Runtime, query validation middleware, and secure RAG/data ingestion.
- Capabilities: Secure MCP Gateway, CodeMode Runtime for agents, SQL/FHIR Query Validation Middleware, Secure RAG/Data Ingestion Pipeline
- Exit criteria: All tool calls require scoped identity and policy checks., CodeMode runs in sandboxed, time-limited, network-restricted execution., SQL and FHIR queries are validated before execution., RAG ingestion preserves document structure and evidence links.
- Blocked until: No production system of record receives writes or unreviewed tool calls.
Clinical and data workflows
Build the clinical orchestrator, FHIR validation, imaging integration, clinical QA, and safety sandbox.
- Capabilities: Clinical Workflow Orchestrator, FHIR Validation Agent, Imaging Integration Layer, Clinical QA Engine, Human-in-the-loop Clinical Safety Sandbox
- Exit criteria: Clinical outputs carry evidence, confidence, limitations, and escalation criteria., FHIR validation rejects unsafe or profile-invalid payloads., Imaging is metadata/report-first and no-PHI until approved., Human review remains mandatory for protected clinical workflows.
- Blocked until: Clinical governance approves reviewer roles, escalation criteria, and workflow-specific risk rubrics.
Operations intelligence
Add configuration drift, AI cost intelligence, observability, and suggestion-only remediation loops.
- Capabilities: Configuration Drift Agent, AI Cost Intelligence Agent, Observability Platform, Autonomous Remediation Agent
- Exit criteria: SLOs, traces, model costs, registry drift, and deployment drift are observable., Autonomous remediation creates reviewed proposals, not live mutations., Cost and provider anomaly events are routed to human owners.
- Blocked until: No remediation action can mutate production without deployment approval pipeline signoff.
Deployment platform
Implement IaC, Kubernetes deployment contracts, canaries, approvals, rollback, and environment drift controls.
- Capabilities: Infrastructure-as-Code Engine, Kubernetes Deployment Engine, Deployment Approval Pipeline
- Exit criteria: Terraform or equivalent IaC can reproduce approved environments., Kubernetes manifests are signed, scanned, policy-checked, and rollback-ready., Deployment approval pipeline blocks unsafe releases.
- Blocked until: Secrets, PHI stores, live connectors, and production clusters have separate approval tracks.
Outcome learning
Build continuous outcome learning with synthetic or approved de-identified feedback, reviewer labels, and regression gates.
- Capabilities: Continuous Outcome Learning Engine
- Exit criteria: Outcome signals are consented, de-identified or approved, and evidence-linked., Learning updates create evaluation tasks, not automatic clinical behavior changes., Regression and bias checks pass before policy or prompt promotion.
- Blocked until: No live patient outcome learning can run without legal, privacy, clinical, and customer approval.
Capability architecture
Each capability has events, interfaces, controls, human gates, blocked autonomy, deliverables, and acceptance criteria.
SCRIMED Event Mesh
Create the append-only event backbone for agent runs, registry changes, workflow state, model routing, evaluations, approvals, and audit evidence.
- Interfaces: publishEvent(envelope), subscribe(topic, consumer), replay(correlationId), deadLetter(eventId)
- Events: event.mesh.event.accepted, event.mesh.event.replayed, event.mesh.dead_letter.created
- Controls: schema validation, idempotency, tenant boundary, immutable hash, dead-letter owner
- Human gate: Human review required before event replay can trigger any protected workflow.
- Blocked autonomy: protected side effects from replay, cross-tenant event reuse, PHI-bearing public events
Agent Identity Registry
Give every agent persistent identity, owner, version, trust score, scopes, allowed tools, denied tools, and audit history.
- Interfaces: registerAgent(), issueAgentRunIdentity(), revokeAgentIdentity(), getAgentTrustScore()
- Events: agent.identity.registered, agent.identity.versioned, agent.identity.revoked, agent.identity.trust_score.updated
- Controls: least privilege, AAL2 operator approval, version pinning, revocation, audit trail
- Human gate: Security owner approval required for new protected-tool scopes.
- Blocked autonomy: anonymous agent runs, unversioned tools, self-granted permissions
Secure MCP Gateway
Place governed MCP middleware between agents and systems of record, with OAuth, scoped tokens, tool-level authorization, and audit.
- Interfaces: listTools(identity), authorizeToolCall(), executeTool(), revokeToolGrant()
- Events: mcp.tool.requested, mcp.tool.authorized, mcp.tool.denied, mcp.tool.result_recorded
- Controls: OAuth/OIDC, scoped tokens, tool allowlist, revocation, prompt-injection filter, result redaction
- Human gate: Human approval required for protected tools, connector writes, patient-facing actions, and payer actions.
- Blocked autonomy: unpermissioned tools, EHR writeback, payer submission, patient outreach
CodeMode Runtime for agents
Run structured reasoning, calculations, SQL generation, FHIR transformations, validation, and workflow automation inside sandboxed CodeMode sessions.
- Interfaces: createCodeRun(), validateArtifact(), approveArtifact(), discardRun()
- Events: codemode.run.started, codemode.artifact.created, codemode.artifact.validated, codemode.run.quarantined
- Controls: sandbox isolation, no secret injection, artifact hash, malware scan placeholder, human approval
- Human gate: Human owner approval required before generated code, SQL, or FHIR transforms affect any workflow.
- Blocked autonomy: direct database execution, network egress by default, secret access, production mutation
Clinical Workflow Orchestrator
Coordinate deterministic clinical workflows across intake, evidence, FHIR validation, QA, review queues, and safe handoff states.
- Interfaces: startWorkflow(), advanceState(), requestReview(), rollbackWorkflow()
- Events: clinical.workflow.started, clinical.workflow.review_required, clinical.workflow.blocked, clinical.workflow.rollback_requested
- Controls: state machine, human clinical review, evidence cards, rollback, no live-care authority
- Human gate: Human owner review is required; this capability cannot create diagnosis, treatment, prescribing, outreach, payer, EHR, or production connector authority.
- Blocked autonomy: diagnosis, treatment, prescribing, triage replacement, patient instructions
Agent Registry
Maintain approved agent definitions, versions, scopes, owners, eval requirements, tool policies, and deployment status.
- Interfaces: registerAgentVersion(), approveAgentVersion(), deprecateAgentVersion(), listApprovedAgents()
- Events: registry.agent.created, registry.agent.approved, registry.agent.deprecated
- Controls: owner approval, version pinning, tool scope validation, eval gate
- Human gate: Platform and domain owner approval required before agent promotion.
- Blocked autonomy: self-promotion, unapproved tools, unreviewed clinical agent release
Prompt Registry
Version prompts, system instructions, few-shot examples, safety clauses, expected outputs, owners, and eval bindings.
- Interfaces: registerPrompt(), promotePrompt(), rollbackPrompt(), bindPromptEval()
- Events: registry.prompt.created, registry.prompt.promoted, registry.prompt.rollback
- Controls: template validation, injection checks, reviewer signoff, rollback
- Human gate: Prompt promotion requires domain owner review for clinical, payer, or security workflows.
- Blocked autonomy: silent prompt edits, unreviewed clinical prompts, prompt bypassing policy
Policy Registry
Centralize safety, PHI, tool, model, workflow, data-residency, cost, and deployment policies with versioned decisions.
- Interfaces: evaluatePolicy(), registerPolicy(), promotePolicy(), explainDecision()
- Events: registry.policy.created, policy.decision.allowed, policy.decision.denied, policy.decision.review_required
- Controls: versioning, decision logging, least privilege, most restrictive rule, appeal path
- Human gate: Policy changes require security, clinical, or operations owner approval based on scope.
- Blocked autonomy: policy self-modification, unlogged allow decisions, policy bypass
Model Registry
Track providers, model versions, tasks, risk tiers, cost, latency, quality, data policy, fallback, and approval state.
- Interfaces: registerModel(), approveModelRoute(), selectModelRoute(), rollbackModelVersion()
- Events: registry.model.created, model.route.selected, model.route.blocked, model.version.rollback
- Controls: provider contract, data-use policy, cost guardrail, fallback, eval baseline
- Human gate: Model approval requires privacy, security, and domain owner review.
- Blocked autonomy: unlogged external model calls, PHI routing without approval, single-provider hard dependency
Evaluation Registry
Store evaluation datasets, synthetic scenarios, reviewer labels, scorecards, regression checks, adversarial cases, and release gates.
- Interfaces: registerEvalSuite(), runEval(), recordReviewerOutcome(), blockReleaseOnFailure()
- Events: registry.eval.created, eval.run.started, eval.run.completed, eval.release_block.created
- Controls: no PHI fixtures, regression threshold, human reviewer labels, bias checks, drift checks
- Human gate: Clinical-risk eval changes require clinical governance review.
- Blocked autonomy: leaderboard-only approval, unreviewed clinical eval promotion, PHI in fixtures
FHIR Validation Agent
Validate FHIR resources, profiles, terminology, references, consent, purpose-of-use, and transformation safety before workflow use.
- Interfaces: validateFhirResource(), explainFhirError(), proposeFhirTransform(), createInteroperabilityReview()
- Events: fhir.validation.requested, fhir.validation.passed, fhir.validation.failed, fhir.transform.proposed
- Controls: FHIR profile validation, terminology validation, consent/purpose check, LLM output cannot execute direct SQL or direct system-of-record queries; all access must pass through validation middleware, MCP policy, scoped identity, and audit.
- Human gate: Interoperability owner review required before production FHIR transforms or connector activation.
- Blocked autonomy: FHIR writeback, profile bypass, terminology guessing, live patient mutation
Imaging Integration Layer
Prepare DICOM/DICOMweb/PACS, imaging reports, metadata, AI imaging inference, and reviewer workflows without enabling live imaging authority.
- Interfaces: validateDicomMetadata(), ingestSyntheticImagingReport(), queueImagingReview(), recordImagingEvidence()
- Events: imaging.metadata.validated, imaging.report.ingested, imaging.review.required, imaging.inference.blocked
- Controls: DICOM tag minimization, no pixel PHI by default, specialist review, GPU job policy, model card
- Human gate: Radiology or domain specialist review required before any imaging interpretation is released.
- Blocked autonomy: diagnostic imaging interpretation, PACS writeback, pixel data ingestion without approval, unreviewed inference
Configuration Drift Agent
Detect drift across policies, registries, environment variables, IaC, Kubernetes manifests, deployment settings, and security headers.
- Interfaces: captureConfigSnapshot(), compareDesiredState(), openDriftReview(), blockUnsafeDeployment()
- Events: drift.snapshot.created, drift.detected, drift.review_required, drift.deployment_blocked
- Controls: read-only collection, secret redaction, severity scoring, owner routing
- Human gate: Platform owner approval required before drift remediation applies.
- Blocked autonomy: automatic production config changes, secret logging, unreviewed policy mutation
AI Cost Intelligence Agent
Track model/tool cost, token use, latency, provider usage, budget thresholds, anomaly detection, and cost-aware routing recommendations.
- Interfaces: recordUsage(), evaluateBudget(), forecastCost(), recommendRouteChange()
- Events: cost.usage.recorded, cost.threshold.warning, cost.threshold.blocked, cost.route_recommendation.created
- Controls: provider kill switch, budget thresholds, tenant quotas, safe error messages, usage anomaly detection
- Human gate: Finance/platform owner approval required before budget or provider-route changes.
- Blocked autonomy: uncapped provider calls, silent provider changes, budget bypass
Observability Platform
Trace requests, events, agents, model calls, tool calls, policy decisions, evaluations, workflows, costs, and safety escalations.
- Interfaces: recordTrace(), recordMetric(), recordLogEvent(), openIncident()
- Events: observability.trace.recorded, observability.metric.recorded, observability.alert.opened
- Controls: PHI redaction, trace correlation, SLOs, alert routing, retention policy
- Human gate: Incident owner review required for safety or production-impacting alerts.
- Blocked autonomy: PHI log retention, unreviewed alert suppression, blind production changes
Autonomous Remediation Agent
Generate remediation proposals for drift, failed deployments, cost spikes, degraded SLOs, and eval regressions while keeping execution human-approved.
- Interfaces: draftRemediationPlan(), estimateBlastRadius(), requestApproval(), recordRemediationOutcome()
- Events: remediation.plan.created, remediation.approval_requested, remediation.execution_blocked, remediation.outcome.recorded
- Controls: human approval, blast-radius analysis, rollback plan, change window, no autonomous production mutation
- Human gate: Deployment owner approval required before any remediation executes.
- Blocked autonomy: self-healing production mutation, security policy changes, clinical workflow changes
Clinical QA Engine
Evaluate clinical drafts for evidence quality, hallucination, missing data, bias, guideline grounding, safety boundaries, and reviewer requirements.
- Interfaces: runClinicalQA(), scoreClinicalDraft(), createReviewTask(), recordReviewerDisposition()
- Events: clinical.qa.started, clinical.qa.failed, clinical.qa.passed_review_gated, clinical.qa.review_required
- Controls: citation checks, missing-data checks, bias checks, human review, clinical risk rubric
- Human gate: Human owner review is required; this capability cannot create diagnosis, treatment, prescribing, outreach, payer, EHR, or production connector authority.
- Blocked autonomy: final clinical decision, patient advice, uncited medical claims, review bypass
Continuous Outcome Learning Engine
Learn from approved outcomes, reviewer labels, incidents, eval regressions, and workflow results without automatic clinical behavior changes.
- Interfaces: recordOutcomeSignal(), detectOutcomePattern(), proposeEvalUpdate(), requestPolicyOrPromptReview()
- Events: outcome.signal.recorded, outcome.pattern.detected, outcome.eval_update.proposed, outcome.learning_blocked
- Controls: consent/data-use approval, de-identification, bias monitoring, human review, release gates
- Human gate: Clinical governance approval required before outcome-derived changes affect workflows.
- Blocked autonomy: automatic clinical learning, PHI outcome ingestion without approval, unreviewed prompt/model promotion
Infrastructure-as-Code Engine
Make SCRIMED environments reproducible through IaC with policy checks, secrets separation, state locking, drift detection, and rollback.
- Interfaces: planInfrastructure(), scanIaCPlan(), approveIaCChange(), applyIaCChange()
- Events: iac.plan.created, iac.plan.scanned, iac.approval_required, iac.apply.blocked
- Controls: state locking, secret separation, policy-as-code, approval, rollback
- Human gate: Infrastructure owner approval required before apply.
- Blocked autonomy: unapproved apply, secret hardcoding, production drift mutation
Kubernetes Deployment Engine
Prepare Kubernetes deployment, canary, rollback, policy, runtime security, GPU scheduling, and service health contracts.
- Interfaces: renderManifests(), scanImage(), runCanary(), rollbackDeployment()
- Events: k8s.manifest.rendered, k8s.image.scanned, k8s.canary.started, k8s.rollback.requested
- Controls: image signing, SBOM, resource limits, network policy, admission control, rollback
- Human gate: Deployment owner approval required before cluster mutation.
- Blocked autonomy: unapproved cluster mutation, unsigned images, unbounded GPU jobs, PHI workload without approval
Zero-Trust Audit Ledger
Create immutable, tamper-evident audit evidence for identity, policy, model, tool, workflow, evaluation, deployment, and review actions.
- Interfaces: appendAuditEvent(), verifyAuditChain(), exportAuditPacket(), quarantineAuditGap()
- Events: audit.event.appended, audit.chain.verified, audit.gap.detected, audit.packet.exported
- Controls: append-only, hash chain, tenant boundary, retention, export redaction
- Human gate: Compliance/security owner review required for audit gaps or export packets.
- Blocked autonomy: audit deletion, raw PHI audit payloads, unaudited protected action
SQL/FHIR Query Validation Middleware
Validate generated SQL, FHIR search, and transformation requests before any database or system-of-record access.
- Interfaces: validateSql(), validateFhirSearch(), explainQueryRisk(), denyUnsafeQuery()
- Events: query.validation.requested, query.validation.passed, query.validation.denied, query.validation.review_required
- Controls: LLM output cannot execute direct SQL or direct system-of-record queries; all access must pass through validation middleware, MCP policy, scoped identity, and audit., parameterization, read/write classification, row/tenant policy, rate limit
- Human gate: Data owner approval required before high-risk queries or any write-like operation.
- Blocked autonomy: direct SQL execution, cross-tenant query, write query, PHI extraction without approval
Deployment Approval Pipeline
Gate deployments through tests, security scans, evals, drift checks, human approvals, canaries, blast-radius controls, and rollback.
- Interfaces: createReleaseCandidate(), evaluateReleaseGate(), approveDeployment(), rollbackRelease()
- Events: deployment.candidate.created, deployment.gate.failed, deployment.approved, deployment.rollback.started
- Controls: CI checks, secret scanning, SBOM, eval gates, manual approval, rollback
- Human gate: Release owner approval required before protected environment promotion.
- Blocked autonomy: unapproved production deploy, failed eval promotion, missing rollback
Secure RAG/Data Ingestion Pipeline
Ingest documents and data for retrieval while preserving structure, provenance, citations, redaction, malware checks, and policy boundaries.
- Interfaces: ingestDocument(), extractStructure(), redactSensitiveData(), indexEvidenceChunk(), verifyCitation()
- Events: rag.ingestion.started, rag.structure.extracted, rag.redaction.applied, rag.indexing.blocked
- Controls: PHI detection, malware scan placeholder, prompt-injection detection, source provenance, citation verification
- Human gate: Data owner approval required before indexing customer or clinical corpora.
- Blocked autonomy: unapproved PHI indexing, structure-stripping ingestion, citationless retrieval, RAG poisoning
Human-in-the-loop Clinical Safety Sandbox
Create a sandbox where clinical workflows, agents, prompts, models, FHIR transforms, and QA findings can be reviewed before any protected use.
- Interfaces: createSandboxCase(), requestClinicalReview(), recordReviewerDecision(), promoteSandboxFindingToEval()
- Events: sandbox.case.created, sandbox.review.requested, sandbox.decision.recorded, sandbox.finding.promoted_to_eval
- Controls: no-PHI fixtures, reviewer identity, clinical risk label, evidence card, escalation criteria
- Human gate: Human owner review is required; this capability cannot create diagnosis, treatment, prescribing, outreach, payer, EHR, or production connector authority.
- Blocked autonomy: live patient care, diagnosis, treatment, prescribing, patient outreach
Agents to build
Agents are scoped identities with allowed tools, denied tools, evidence requirements, and escalation paths.
Clinical Intake Agent
Collect synthetic or approved intake context, classify missing evidence, and create reviewer-ready intake packets.
- Allowed tools: synthetic-context-reader, evidence-card-builder, review-queue-writer
- Denied tools: ehr-writeback, patient-messaging, diagnosis-finalizer
- Evidence: source references, missing-data checklist, risk label, reviewer queue
- Escalation: Escalate any clinical ambiguity, PHI-like input, or protected action to clinical review.
FHIR Validation Agent
Explain deterministic FHIR validation results, propose safe transformations, and route invalid resources to interoperability review.
- Allowed tools: fhir-profile-validator, terminology-checker, validation-report-writer
- Denied tools: fhir-writeback, production-ehr-search, patient-merge
- Evidence: resource type, profile, terminology result, validation errors
- Escalation: Escalate profile conflicts, live connector requests, or write-like operations to interoperability owner.
Imaging Integration Agent
Validate synthetic imaging metadata/report evidence and route imaging tasks to specialist review without diagnostic authority.
- Allowed tools: dicom-metadata-validator, imaging-report-parser, specialist-review-queue
- Denied tools: pacs-writeback, diagnostic-finalizer, pixel-data-ingestion
- Evidence: modality, report source, comparison status, specialist review requirement
- Escalation: Escalate all interpretation-like findings to radiology or domain specialist review.
Clinical QA Agent
Score clinical-like drafts for evidence, hallucination, missing-data, guideline, bias, freshness, and reviewer-gate quality.
- Allowed tools: clinical-robustness-scorecard, citation-checker, risk-rubric-evaluator
- Denied tools: clinical-finalizer, patient-facing-publisher, orders
- Evidence: citations, limitations, confidence, review status, clinical risk level
- Escalation: Escalate any failed or high-risk scorecard to clinical governance review.
Patient Engagement Agent
Draft general education and engagement materials for review while blocking outreach and patient-specific advice.
- Allowed tools: approved-education-library, plain-language-checker, review-queue-writer
- Denied tools: patient-messaging, treatment-advice, appointment-scheduler
- Evidence: general education label, source references, language level, reviewer signoff state
- Escalation: Escalate patient-specific context, outreach requests, or treatment language to qualified human review.
Configuration Drift Agent
Compare desired and observed platform configuration, redact secrets, and create owner-routed drift findings.
- Allowed tools: config-snapshot-reader, drift-diff-engine, owner-router
- Denied tools: secret-reader, production-mutator, policy-editor
- Evidence: desired state hash, observed state hash, severity, owner
- Escalation: Escalate high-severity drift to platform owner and deployment pipeline.
AI Cost Intelligence Agent
Monitor model/tool usage, detect cost anomalies, and recommend budget-safe routing changes.
- Allowed tools: usage-meter, budget-policy-evaluator, cost-dashboard-writer
- Denied tools: provider-route-mutator, budget-overrider, secret-reader
- Evidence: model route, tokens, estimated cost, tenant quota, threshold decision
- Escalation: Escalate threshold breaches to finance/platform owner.
Autonomous Remediation Agent
Draft evidence-linked remediation plans while leaving execution blocked until human approval.
- Allowed tools: incident-reader, blast-radius-estimator, rollback-plan-builder
- Denied tools: production-mutator, cluster-admin, policy-editor
- Evidence: incident trace, blast radius, rollback, approval owner
- Escalation: Escalate all execution requests to deployment approval pipeline.
Starter architecture
Repository layout to grow from Next app contract into multi-package operating system.
- app/lib/scrimedOSImplementationPlan.ts for typed architecture contracts.
- app/api/scrimed-os/implementation-plan/route.ts for machine-readable roadmap.
- app/scrimed-os/page.tsx for executive, engineering, and investor review.
- packages/event-mesh for future event envelope, outbox, broker adapters, and replay.
- packages/agent-runtime for identity, scopes, CodeMode, MCP gateway clients, and traces.
- packages/registries for agent, prompt, policy, model, and evaluation registry schemas.
- packages/clinical-workflows for deterministic orchestrator, FHIR validation, imaging contracts, and clinical QA.
- infra/ for IaC, Kubernetes, policy-as-code, canary, and rollback templates.
all-requested-capabilities-mapped
All 25 requested SCRIMED OS capabilities must be represented in the roadmap.
event-driven-by-default
Every capability must emit at least one auditable event.
zero-trust-agent-identity
Agent identity, least privilege, revocation, scopes, and trust scores are first-class.
no-direct-llm-database-access
Generated SQL/FHIR queries must pass validation middleware before access.
registries-covered
Agent, prompt, policy, model, and evaluation registries are explicit.
human-in-the-loop-clinical-safety
Clinical-like outputs remain review-gated and cannot become autonomous care.
secure-rag-preserves-structure
RAG ingestion must preserve document structure and provenance.
agent-backlog-includes-patient-safety-surface
The truncated Patient agent request is safely modeled as review-gated patient engagement with no outreach authority.
production-mutation-blocked
Every capability names blocked autonomous behavior before production approval.