SW
CMS EDE run console
Agentic evidence run control

MarketLink audit evidence swarm, mapped to CMS EDE requirements.

This is the project-level operating room: configure personas, dispatch deterministic browser/API agents, watch source-native collection, review blocker and redaction gates, then package only approved audit-readiness evidence.

CMS EDEaudit-readiness onlysource-native IDs preservedblocked
Open Run BuilderPrivate runnerPackage gate
control planeprivate runnerhuman-approved export

Agents do the collection work. CMS-native source rows decide what counts.

Modeled after the MarketLink CMS EDE testing module pattern: persona browser flows, API interception, screenshot metadata sidecars, source-row indexes, CSV/HTML reports, redaction manifests, checksums, and learning hints. No MarketLink generated evidence is copied.

Run sets
10
Agents
9
Personas
5
Native IDs
201
Preflight
61%
package posture
Blocked for review
Agentic readiness61%
Latest evidence run
cms-ede-marketlink-application-preview-3c-2026-04-30T13-47-48-116Z
Latest launcher run
succeeded
Active jobs
0
Preflight verdict
blocked
01
review
Access

Resolve target URL, broker/agent/consumer/admin personas, MFA, and credential vault bindings inside the private runner.

02
available
Scenario

Run deterministic CMS EDE scenario actions that already carry sourceRefs and CMS-native IDs.

03
available
Capture

Collect screenshots, text, API JSON, metadata, and checksums in the prescribed output shape.

04
available
Map

Map artifacts back to CMS toolkit files, native IDs, source rows, data elements, and expected evidence.

05
review
Review

Review sensitive data, blocker state, row-level evidence sufficiency, and package eligibility.

06
blocked
Package

Export auditor-ready packages only after source, redaction, manual evidence, and blocker gates clear.

Pre-dry-run gate

Resolve this board before pointing agents at the target site

5
pass / ready
2
operator review
3
blocked
26
runtime inputs
CMS source-native contract
source
pass

30 scenarios, 41 sourceRefs, 292 capture mappings, 0 errors.

Operator: Run npm run cms-ede:validate before every dry run and block collection if errors appear.
Toolkit and workbook reconciliation
source
pass

1155 workbook-native ID candidates; 0 pending sourceRef(s).

Operator: Open workbook-native IDs and reconciliation before expanding or approving coverage.
Runnable scenario registry
runtime
ready

3 ready, 24 blocked, 3 placeholder scenarios.

Operator: Start with ready scenarios only; use include-blocked/include-placeholder for inspection, not evidence.
Target application URL
runtime
ready

MarketLink: https://uat-marketlink.helpline.com

Operator: Supply the approved environment URL to the private runner; do not put embedded credentials in URLs.
Persona and credential bindings
access
blocked

5 persona roles; 3 still needed or placeholder.

Operator: Bind broker, agent, consumer, agency admin, and auditor roles through the vault/env/browser profile boundary.
Private runner boundary
runtime
ready

Control plane is ready; raw browser traces, screenshots, API calls, and secrets stay in the customer-controlled runtime.

Operator: Use desktop runner, on-prem VM, private cloud container, or air-gapped transfer according to customer policy.
Manual / connector evidence slots
evidence
blocked

0 approved, 0 needs review, 27 missing.

Operator: Register SSPP, SAR, POA&M, IDM/Okta, CMS UAT, policy, and scanner artifacts by checksum before export.
Evidence run ledger
evidence
needs review

1 run folder(s); latest cms-ede-marketlink-application-preview-3c-2026-04-30T13-47-48-116Z with 87 artifacts.

Operator: After the dry run, review run-manifest, evidence-index, source-row index, screenshots, JSON, and blockers.
Redaction review queue
review
needs review

Run artifacts are waiting for screenshot/API/text redaction review.

Operator: Approve redaction only after reviewing PII/sensitive data in screenshots, text extracts, and API JSON.
Auditor package gate
package
blocked

2 blocked gate(s), 2 review gate(s).

Operator: Export only after source, fresh evidence, manual evidence, blocker, and redaction gates pass.
Dispatch matrix

CMS EDE run sets by prescribed component

1
ready
4
credential gated
4
manual / connector
41
source refs

Application UI Toolkit

ready to run

The applicable phase Application UI Toolkit is reviewed in full; auditors need a methodology that evaluates each UI element, not only test-case-covered questions.

CMS source
Application_UI_Toolkit_02-03-2026.xlsx
Native reference
Application UI Toolkit UI Questions Item #
Application UI Toolkit UI Questions Item #1Application UI Toolkit UI Questions Item #2Application UI Toolkit UI Questions Item #3Application UI Toolkit UI Questions Item #4+14 more native refs
Runnable scenario coverage75%
4
scripts
3
ready
1
blocked
0
future
npm run cms-ede:collect -- --project=project-hps-marketlink-cms-ede-2026 --lane=application-ui-toolkit --dry-run

Gate: Target URL and approved broker/agent/consumer personas must be configured before live collection.

Eligibility Results Toolkit

credential gated

Phase-specific required test cases must be completed according to the User Guide tab, with screenshots through eligibility results and consistency between the results page and EDN.

CMS source
EDE_Eligibility_Results_Toolkit_Phase 3_PY2026_V3.xlsx
Native reference
Phase-specific Eligibility Results Toolkit scenario / row
Eligibility Results Toolkit Test Case 3.AEligibility Results Toolkit Test Case 3.A.2Eligibility Results Toolkit Test Case 3.CEligibility Results Toolkit Test Case 3.D+6 more native refs
Runnable scenario coverage0%
11
scripts
0
ready
11
blocked
0
future
npm run cms-ede:collect -- --project=project-hps-marketlink-cms-ede-2026 --lane=eligibility-results-toolkit --dry-run

Gate: Requires final CMS UAT/API access, approved toolkit cases, and target application personas.

EDE Partner Test Case Suite

credential gated

Supplemental partner test cases increase approval readiness and should not replace required toolkit cases.

CMS source
2026 EDE _CMS - EDE - Partner Test Case Suite - V11.0 - Final - 2026.03.31.xlsx
Native reference
Partner Test Case Suite case ID and step
Partner Test Case Suite Test Case 3.CPartner Test Case Suite Test Case 3.A/3.BPartner Test Case Suite Test Case 3.EPartner Test Case Suite Test Case 3.F+2 more native refs
Runnable scenario coverage0%
7
scripts
0
ready
7
blocked
0
future
npm run cms-ede:collect -- --project=project-hps-marketlink-cms-ede-2026 --lane=partner-test-case-suite --dry-run

Gate: Requires final CMS UAT credentials, certificates, and test data.

API Functional Integration Toolkit

credential gated

Each required API test case needs correct results and complete required evidence, including complete request/response headers and body where required; raw JSON/XML must remain unmodified.

CMS source
API_Functional_Integration_Toolkit_04042025.xlsx
Native reference
FIT case ID and step / Required Evidence Column H
API Functional Integration Toolkit MTST_EDE_E2E_ F001 Step 1API Functional Integration Toolkit MTST_EDE_E2E_ F001 Step 2API Functional Integration Toolkit MTST_EDE_E2E_ F001 Step 3API Functional Integration Toolkit MTST_EDE_E2E_ F001 Step 4+13 more native refs
Runnable scenario coverage0%
1
scripts
0
ready
1
blocked
0
future
npm run cms-ede:collect -- --project=project-hps-marketlink-cms-ede-2026 --lane=api-functional-integration-toolkit --dry-run

Gate: Requires API base URLs, mTLS/certificates, CMS test accounts, and vault-backed private runner execution.

EDE Communications Toolkit

dry run ready

Required consumer communications, notices, disclaimers, language access, and associated critical communications must be evidenced in the applicable pathway.

CMS source
EDE_Communications_Toolkit_Year 9_02112026.xlsx
Native reference
Communications Toolkit requirement / disclaimer row
Communications Toolkit Requirement #1Communications Toolkit Requirement #7Communications Toolkit Requirement #9Communications Toolkit Requirement #16+8 more native refs
Runnable scenario coverage0%
2
scripts
0
ready
2
blocked
0
future
npm run cms-ede:collect -- --project=project-hps-marketlink-cms-ede-2026 --lane=communications-toolkit --dry-run

Gate: Generated notices and non-English critical communications may require CMS/API access or manual evidence registration.

Eligibility Determination Notices / Notice Retrieval

credential gated

The consumer must be able to access the most recent EDN; EDN and raw Get App API JSON requirements apply across required toolkit cases.

CMS source
EDE-Notice-Retrieval-20250911.HTML / EDE_Metadata_Search_20250428.html
Native reference
EDN / Notice Retrieval / Metadata Search requirement
Notice Retrieval API GET /{version}/documents/{id}Metadata Search API POST /{apiVersion}/search-metadataAPI Functional Integration Toolkit MTST_EDE_E2E_ F001 Step 13API Functional Integration Toolkit MTST_EDE_E2E_ F002 Step 6+7 more native refs
Runnable scenario coverage0%
1
scripts
0
ready
1
blocked
0
future
npm run cms-ede:collect -- --project=project-hps-marketlink-cms-ede-2026 --lane=edn-notices --dry-run

Gate: Requires generated EDNs, CMS API access, and approved notice retrieval path.

Identity Proofing / RIDP-RBA / FARS

manual or connector

Identity proofing, RBA outcomes, acceptable documentation, IDM, Okta, and MFA gates must be evidenced or explicitly blocked until authorized access exists.

CMS source
H139_RIDP Test Harness Data.xlsx / H140_FARS Test Harness Data.xlsx
Native reference
RIDP/RBA/FARS test harness case or fallback path
RIDP TC01/TH10001 ACCRIDP TC07/TH10007 RF1RIDP TC08/TH10008 RF2RIDP TC09/TH10009 RF3+14 more native refs
Runnable scenario coverage0%
1
scripts
0
ready
1
blocked
0
future
npm run cms-ede:manual-evidence -- --register

Gate: Requires RIDP/FARS, IDM, Okta, MFA, and production/test credential access.

Business Audit Instructions / DE Entity Documentation

manual or connector

Auditors must provide complete descriptions of each requirement and must not exclude required review-standard criteria; the DE Entity Documentation Package must be complete at submission.

CMS source
EDE Business Audit Instructions and Report Template_Year 9_final.docx
Native reference
Business requirement / review standard / DE Entity Documentation Package item
manual source mapping required
Runnable scenario coverage0%
0
scripts
0
ready
0
blocked
0
future
npm run cms-ede:manual-evidence -- --register

Gate: Requires GRC/document repository access or manually registered approved documentation.

Registration, Onboarding, and Mini-Audit Access

manual or connector

Testing credentials must be valid and all APIs/components accessible during CMS mini audit; post-submission changes must follow the applicable change process.

CMS source
Year 9 auditor guidelines / Web-broker ORR guidance
Native reference
Onboarding requirement / testing credential / EICR or readiness item
Onboarding Section IX Required Auditor and EDE Entity TrainingOnboarding Section X EDE Entity Document SubmissionOnboarding Section XI.A Pre-Audit Notification to CMSOnboarding Section XI.B Audit Submission+11 more native refs
Runnable scenario coverage0%
1
scripts
0
ready
0
blocked
1
future
npm run cms-ede:manual-evidence -- --register

Gate: Requires CMS Enterprise Portal, registration, and auditor/CMS access paths.

Security and Privacy Audit - ARC-AMPE / MARS-E

manual or connector

The security/privacy audit package needs SAP, ARC-AMPE SSPP, SAR, and POA&M completeness; SAR findings include documentation review, control testing, scanning, penetration testing, and interviews.

CMS source
ARC-AMPE Volume 2 SSPP / SAP / SAR / POA&M templates
Native reference
ARC-AMPE, MARS-E, NIST, SAP, SSPP, SAR, POA&M identifier
ARC-AMPE AC-02ARC-AMPE AC-02(03)ARC-AMPE AC-02(07)ARC-AMPE AC-07+14 more native refs
Runnable scenario coverage0%
2
scripts
0
ready
0
blocked
2
future
npm run cms-ede:manual-evidence -- --register

Gate: Requires security package repository, scanner/pen-test output, GRC evidence, and reviewer acceptance.

Agent mesh

Specialized agents and human gates

Persona Session Agent
deterministic
requires vault

Opens the approved browser session for broker, agent, consumer, admin, or auditor personas without storing secrets in ControlFrame fixtures.

Guardrail: Credentials stay in the private runtime, vault, browser profile, or operator session.
Scenario Navigator Agent
deterministic
ready

Executes prescribed CMS EDE scenario actions from the source-backed scenario registry and keeps route/selector behavior repeatable.

Guardrail: A scenario cannot become evidence unless the registry maps it to CMS-native source references.
Evidence Capture Agent
deterministic
ready

Captures full-page screenshots, text extracts, viewport metadata, source-native IDs, source rows, and checksums.

Guardrail: Screenshots remain needs-review until PII/redaction and source-row mapping are approved.
API Observer Agent
deterministic
requires vault

Captures CMS-relevant API JSON responses during browser flows or direct API runs and separates raw evidence from redacted review copies.

Guardrail: Final CMS UAT API evidence stays blocked until approved endpoints, mTLS/certs, and credentials exist.
Source Map Agent
agent-assisted
ready

Classifies collected artifacts against source documents, native framework identifiers, toolkit rows, evidence targets, and required evidence text.

Guardrail: Auditor-facing IDs remain the framework-native CMS IDs, not invented ControlFrame control numbers.
Redaction Review Agent
human-approved
manual gated

Flags screenshots, text, and JSON that need PII/sensitive-data review before they move into an auditor package.

Guardrail: The agent can propose redaction state; a reviewer must approve export readiness.
Package Builder Agent
deterministic
ready

Builds checksummed auditor packages only from approved artifacts, source-row indexes, reports, blockers, and manifests.

Guardrail: The package uses audit-readiness language and never claims final CMS certification.
Learning Loop Agent
agent-assisted
ready

Writes selector candidates and flow-recovery hints when a scenario fails, then proposes registry improvements for human approval.

Guardrail: Learning improves repeatability only; it does not fabricate evidence or bypass CMS/source blockers.
Manual / Connector Intake Agent
human-approved
manual gated

Registers GRC, policy, SSPP, SAR, POA&M, scanner, and repository artifacts by checksum and source-native mapping.

Guardrail: Manual or connector evidence must be source-backed and reviewer-approved before package export.
Artifact contract

What the agents produce for auditor review

Full-page screenshot + metadata sidecar
redaction review required

CMS Application UI, eligibility, communication, EDN, identity, and onboarding visual evidence.

screenshots/<suite>/*.png + screenshots/<suite>/*.meta.json
produced: Evidence Capture Agent
mapped: Source Map Agent
API request/response JSON
credential or access required

CMS API FIT, eligibility response, EDN retrieval, metadata search, and hub transaction evidence.

json-responses/<suite>/*.json
produced: API Observer Agent
mapped: Source Map Agent
Text extract
redaction review required

Consumer communications, disclaimers, language assistance, and page-text corroboration.

text-extracts/<suite>/*.txt
produced: Evidence Capture Agent
mapped: Source Map Agent
Source-row evidence index
source native map required

Auditor traceability from CMS toolkit rows/native IDs to each collected artifact.

source-row-evidence-index.json + reports/source-row-evidence-map.csv
produced: Source Map Agent
mapped: Source Map Agent
Artifact, checksum, and redaction manifests
manual review required

Reviewable inventory of all screenshots, JSON, extracts, hashes, redaction status, and export gates.

artifact-manifest.json + checksums.json + redaction-manifest.json
produced: Redaction Review Agent
mapped: Package Builder Agent
Auditor review report
package ready after approval

Human-readable CMS-native evidence map for auditor walkthroughs and package review.

reports/latest-report.html
produced: Package Builder Agent
mapped: Source Map Agent
Open blocker register
manual review required

Explicit CMS UAT, IDM, Okta, credential, source-row, manual evidence, or production access gaps.

open-blockers.json
produced: Package Builder Agent
mapped: Source Map Agent
Agent learning hints
manual review required

Selector candidates and recovery notes for improving the next approved collector run.

agent-learning/*.json
produced: Learning Loop Agent
mapped: Scenario Navigator Agent
Agentic Evidence Run Control | ControlFrame