These runbooks are designed for teams already using broad intelligence platforms. RootFetch provides the run-scoped structural evidence layer that keeps published claims reproducible and auditable.

• Trigger: a vendor trend or ranking view shows a sudden namespace concentration or dispersion shift.
• Action: open RootFetch /compare for the same period using consecutive immutable runs.
• Validate: check DVI, regime, top10 share, and manifest verification for both runs.
• Output: publish a structural note with compare URL and run IDs only.
• Guardrail: do not label a structural shift without a run-paired artifact delta.

• Trigger: SOC sees elevated suspicious activity linked to one namespace segment.
• Action: investigate entities in existing suite; in parallel fetch RootFetch rootfetch.run_bundle.
• Validate: confirm whether anomaly rows and concentration metrics shifted at namespace level.
• Output: incident note that separates entity-level risk from structural namespace movement.
• Guardrail: no regime claim unless artifacts show regime or DVI-band transition.

• Trigger: scheduled weekly or monthly publication window.
• Action: summarize top movers and concentration changes from latest vs prior run.
• Validate: verify run manifests and include model version transition disclosure when applicable.
• Output: publish brief with one structural citation block per major claim.
• Guardrail: do not aggregate cross-model metrics without explicit model transition disclosure.

RootFetch Structural Evidence
run_id: <run_id>
snapshot_ts_utc: <snapshot_ts_utc>
model_version: <model_version>
dvi: <old> -> <new>
regime: <old> -> <new>
top10_share_pct: <old> -> <new>
manifest_hash_left: <sha256>
manifest_hash_right: <sha256>
evidence_links:
  - https://rootfetch.com/runs/<run_id>
  - https://rootfetch.com/compare?left=<left_run_id>&right=<right_run_id>