Runtime safety readiness
Governed execution stays locked until abuse throttles and emergency shutdown controls are explicit.
SCRIMED keeps executable requests disabled while the platform defines runtime safety envelopes, throttles, abuse signals, connector containment, shutdown authority, Watchtower escalation, restoration protocol, and synthetic safety drills.
Active replacement
runtime-acceptance-disabled
Deny-by-default governed execution endpoints remain the active replacement until throttle policy, emergency shutdown, abuse detection, regional safety policy, Watchtower escalation, override rules, restoration protocol, and synthetic safety drills are approved.
Runtime envelope
Every future executable request needs safety context before it can run.
locked
runtime safety lifecycle
Current production behavior rejects governed execution before body parsing, attempt creation, connector access, workflow mutation, or patient-facing action.

preflight-watch
runtime safety lifecycle
Future authenticated requests can be evaluated for throttle, region, tenant, identity, service, and workflow risk without executing work.

throttled
runtime safety lifecycle
Requests exceeding approved limits must be rejected or delayed with deterministic audit evidence and no connector side effects.

suspended
runtime safety lifecycle
Tenant, service, user, workflow, or region suspension blocks execution while preserving operator review and incident context.

shutdown-active
runtime safety lifecycle
Emergency shutdown prevents all governed execution attempts from being accepted until restoration is approved.

incident-review
runtime safety lifecycle
Runtime safety events require owner, severity, evidence, containment, corrective action, and restoration decision.

restored-after-approval
runtime safety lifecycle
Execution can only resume after approved review, policy version update, audit linkage, and Watchtower confirmation.

Runtime safety envelope
Trust infrastructure
Require workflow slug, tenant reference, caller identity reference, service credential reference, patient-context authorization reference, region, workflow risk tier, runtime policy version, request trace id, idempotency key, rate-limit decision, shutdown flag, abuse signal references, and audit event link before execution can be accepted.

Throttle policy
Security operations
Approve limits for tenant, user, service credential, workflow slug, patient-context authorization, region, and burst behavior before accepting executable requests.

Emergency shutdown switch
Trust operations
Define who can trigger global, regional, tenant, service, workflow, or connector shutdown, how long shutdown lasts, and which evidence is required to restore service.

Abuse signal taxonomy
Watchtower
Classify suspicious request bursts, replay anomalies, identity mismatches, policy violations, connector-risk signals, prompt-injection indicators, and repeated denied attempts as runtime safety signals.

Connector containment boundary
Interoperability
Keep runtime safety checks upstream of FHIR, HL7, claims, pricing, research, device, and workflow connectors so denied or throttled requests never create connector side effects.

Rate-limit persistence
Platform reliability
Select storage for rate-limit counters, cooldown windows, suspension records, shutdown flags, policy versions, and restoration evidence.

Regional safety policy
Global compliance
Map runtime limits, incident escalation, retention, data residency, local operator authority, and restoration process for the United States, UAE, Saudi Arabia, Kuwait, Nigeria, Kenya, Rwanda, Ghana, and Europe.

Watchtower escalation
Watchtower
Define dashboards, thresholds, alert routing, on-call ownership, severity model, and operator acknowledgement for runtime safety events.

Break-glass safety override
Compliance
Approve whether emergency human overrides can bypass throttles, which roles can request them, justification requirements, expiration, retrospective review, and patient-context limits.

Runtime denial evidence
Trust infrastructure
Return deterministic runtime-safety, shutdown, throttle, guard, audit-event, workflow, body-handling, execution-mode, and idempotency evidence headers when governed execution is denied.

Restoration protocol
Trust operations
Define who approves service restoration, what evidence is required, how policy versions change, and how restored execution is monitored after suspension or shutdown.

Synthetic runtime safety drills
Quality
Create synthetic tests for throttle exhaustion, replay bursts, service suspension, regional shutdown, connector containment, operator restoration, and audit evidence completeness.
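The lifecycle states and the envelope, throttle and denial-evidence items above, as an added example that is not SCRIMED's own code: a deny-by-default gate that evaluates a request context in lifecycle order (shutdown, lock, envelope completeness, suspension, replay, burst limit) and returns deterministic evidence headers without running any work. The field names, header keys, class name, burst limit and policy version label are assumptions chosen to match the page's wording.

```python
# Added example, not SCRIMED's own code: a deny-by-default runtime safety gate
# that walks the lifecycle states above. Names, header keys and limits are assumed.
import hashlib
from collections import defaultdict

REQUIRED_CONTEXT = (  # envelope fields the page requires before acceptance
    "workflow_slug", "tenant", "caller_identity", "service_credential",
    "patient_context_authorization", "region", "workflow_risk_tier",
    "runtime_policy_version", "request_trace_id", "idempotency_key")

class RuntimeSafetyGate:
    def __init__(self, locked=True, burst_limit=2, policy_version="runtime-policy-v1"):
        self.locked = locked                  # current production: always locked
        self.shutdown_active = False          # emergency shutdown flag
        self.suspended_tenants = set()        # tenants parked in incident review
        self.burst_limit = burst_limit        # assumed per-tenant burst limit
        self.policy_version = policy_version  # assumed policy version label
        self.counters = defaultdict(int)      # preflights accepted per tenant
        self.seen_keys = set()                # idempotency keys already seen

    def evaluate(self, ctx):
        """Return (state, evidence_headers); no body parse, attempt or connector call."""
        def decide(state, throttle="none"):
            # Audit id derives from trace + state, so re-evaluation is deterministic.
            trace = ctx.get("request_trace_id", "")
            audit = hashlib.sha256(f"{trace}:{state}".encode()).hexdigest()[:16]
            return state, {
                "X-Runtime-Safety": state,
                "X-Shutdown": str(self.shutdown_active).lower(),
                "X-Throttle": throttle,
                "X-Execution-Mode": "deny-by-default",
                "X-Body-Handling": "not-parsed",
                "X-Runtime-Policy-Version": self.policy_version,
                "X-Audit-Event": audit,
            }
        if self.shutdown_active:                      # shutdown wins over everything
            return decide("shutdown-active")
        if self.locked:                               # platform-wide lock, as today
            return decide("locked")
        if any(not ctx.get(k) for k in REQUIRED_CONTEXT):
            return decide("locked", "envelope-incomplete")
        if ctx["tenant"] in self.suspended_tenants:
            return decide("suspended")
        if ctx["idempotency_key"] in self.seen_keys:  # replay anomaly
            return decide("throttled", "replay")
        if self.counters[ctx["tenant"]] >= self.burst_limit:
            return decide("throttled", "burst-limit")
        self.counters[ctx["tenant"]] += 1
        self.seen_keys.add(ctx["idempotency_key"])
        return decide("preflight-watch")              # evaluated, still no work run

SAMPLE = {k: f"sample-{k}" for k in REQUIRED_CONTEXT}  # constructed placeholder context
```

Because every denial is computed before any body parsing or connector access, the same request re-evaluated yields byte-identical evidence headers, which is what makes the denials auditable.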