{"service":"scrimed-qa-evidence-ledger","route":"/qa-evidence","apiRoute":"/api/qa-evidence","briefRoute":"/api/qa-evidence/brief","status":"qa-evidence-ledger-active","proofStackStatus":"dated-qa-evidence-ledger-with-manual-aal2-gate","boundary":"SCRIMED QA Evidence Ledger records synthetic-only release, smoke, token-policy, fail-closed, and operator-gate evidence. It is not a clinical validation report, security certification, legal opinion, SOC report, HIPAA attestation, or authorization for live healthcare execution.","currentDeployment":{"environment":"production","commitSha":"7bf596c25bed03d6148923e4ab939a2abbfb2fff","commitRef":"main","deploymentUrl":"https://scrimed-site-2jx6xfd2i-temitayo-dahunsis-projects.vercel.app"},"recordedEvidenceCount":20,"passed":4,"failClosed":1,"manualGates":2,"workaroundActive":13,"unresolvedHardGateCount":2,"salesDemoSessionQaStatus":"aal2-operator-buyer-demo-session-qa-short-lived-token-compatible","salesDemoSessionQaBoundary":"The Sales Demo Session QA harness is an AAL2 tenant-admin control that writes synthetic buyer-demo verification records only. It verifies session persistence and packet audit creation without storing PHI, patient identifiers, live clinical records, payer member identifiers, credentials, secrets, source contracts, autonomous clinical decisions, or production healthcare execution authorization.","salesDemoSessionQaControls":["AAL2 tenant-admin session required","Optional automation uses externally supplied short-lived bearer token only","Selected opportunity is explicit from UI or SCRIMED_SALES_QA_INTAKE_ID","Synthetic business workflow metadata only","Existing guarded demo-session RPC records the session","Existing guarded packet RPC commits the packet audit event","No secrets, credentials, source contracts, or regulated healthcare files are accepted"],"tokenPolicy":{"status":"short-lived-aal2-token-preflight-and-manual-ci-policy","runbookPath":"docs/operator-token-rotation.md","workflowPath":".github/workflows/sales-demo-session-qa-smoke.yml","selfTestScript":"scripts/sales-demo-session-qa-token-policy-selftest.mjs","preflightScript":"scripts/sales-demo-session-qa-token-preflight.mjs","smokeScript":"scripts/sales-demo-session-qa-smoke.mjs","requiredEnvironment":["SCRIMED_SALES_QA_BEARER_TOKEN","SCRIMED_SALES_QA_INTAKE_ID","SCRIMED_REQUIRE_SALES_QA"],"requiredClaims":["aal=aal2","session_id","exp","iat"],"maxTokenLifetimeSeconds":3900,"minRemainingSeconds":60,"ciMode":"manual workflow_dispatch only; token must be minted immediately before the run, masked as an Actions secret, and removed after the run","noLongLivedSecretBoundary":true},"qaBuyerProofReleaseStatus":"manual-aal2-qa-buyer-proof-release-gate-ready","qaManualExecutionConsoleStatus":"manual-aal2-qa-execution-console-ready","qaAal2RunEvidenceStatus":"protected-aal2-synthetic-qa-evidence-package-ready","qaAal2RunEvidence":{"route":"/qa-aal2-run-evidence","apiRoute":"/api/qa-evidence/aal2-run-evidence","briefRoute":"/api/qa-evidence/aal2-run-evidence/brief","protectedRoute":"/api/pilot-workspaces/{workspaceSlug}/qa-evidence/aal2-run-evidence","status":"protected-aal2-synthetic-qa-evidence-package-ready","proofStackStatus":"protected-aal2-synthetic-qa-evidence-package-no-release","briefProofStackStatus":"protected-aal2-synthetic-qa-evidence-brief-no-proof-approval","boundary":"SCRIMED AAL2 Synthetic QA Run Evidence records the first protected human-reviewed AAL2 synthetic QA evidence posture. It does not bypass human AAL2, store credentials, store PHI, touch production systems, trigger live patient workflows, perform autonomous clinical action, certify HIPAA/SOC/FDA/security status, guarantee reimbursement, approve connectors, approve buyer proof release, or authorize live clinical care."},"qaManualExecutionConsole":{"route":"/qa-manual-execution-console","apiRoute":"/api/qa-evidence/manual-execution-console","briefRoute":"/api/qa-evidence/manual-execution-console/brief","protectedRoute":"/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-execution-console","status":"manual-aal2-qa-execution-console-ready","boundary":"The console coordinates human AAL2 synthetic QA, retained packet visibility, and Buyer Proof Release checks without storing tokens, PHI, production credentials, or clinical authority."},"activationPlan":{"service":"scrimed-qa-evidence-activation-plan","status":"manual-aal2-qa-evidence-activation-plan-ready","route":"/api/qa-evidence/activation-plan","briefRoute":"/api/qa-evidence/activation-plan/brief","boundary":"The QA Evidence Activation Plan is a no-secret operator runbook for governed synthetic AAL2 QA only. It does not store or reveal bearer tokens, execute passkey ceremonies, authorize PHI processing, certify compliance, or grant live clinical authority.","activationPrinciple":"Human AAL2 session plus short-lived token plus explicit synthetic target plus no-secret evidence persistence.","workflowCount":2,"workflows":[{"workflowKind":"sales-demo-session-qa","name":"Sales Demo Session QA activation","status":"ready-for-human-aal2-run","workflowPath":".github/workflows/sales-demo-session-qa-smoke.yml","preflightScript":"scripts/sales-demo-session-qa-token-preflight.mjs","smokeScript":"scripts/sales-demo-session-qa-smoke.mjs","targetInput":"intake_id","requiredSecretName":"SCRIMED_SALES_QA_BEARER_TOKEN","protectedRoutes":["/api/sales-operations/qa/buyer-demo-sessions","/sales-operations","/pilot-deal-room"],"safeEvidenceFields":["workflowKind=sales-demo-session-qa","workflowRunId","workflowRunUrl","executedAt","baseUrl","intakeId","createdSessionId","packetAuditEventId","packetSha256 after protected persistence"],"prohibitedInputs":["bearer tokens","refresh tokens","passwords","patient identifiers","payer member identifiers","source contracts","clinical records","legal conclusions"],"operatorSteps":["Open Sales Operations with an approved AAL2 tenant-admin session.","Select one explicit synthetic buyer opportunity and capture its intake ID.","Create a temporary masked GitHub secret only for the short-lived AAL2 token.","Dispatch the Sales Demo Session QA workflow with require_authenticated_path enabled.","Confirm preflight and smoke pass; copy only safe IDs from workflow output.","Delete or rotate the temporary secret immediately after the workflow finishes.","Persist the safe metadata through /pilot-workspace/access -> Manual QA Evidence.","Export Buyer Diligence so the retained packet hash and audit trail appear in buyer proof."],"persistenceTarget":"/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets","buyerDiligenceImpact":"Adds tenant-scoped evidence that SCRIMED can create and audit a governed synthetic buyer demo session under human AAL2 control.","currentBoundary":"No authenticated sales-demo CI evidence can be claimed until a human runs the workflow with a fresh short-lived AAL2 token.","workaround":"All surrounding controls remain verified by public smoke and fail-closed checks; the activation plan prevents token material from becoming evidence.","nextAction":"Run the manual workflow once a fresh AAL2 tenant-admin token and safe synthetic intake target are available."},{"workflowKind":"authority-reference-qa","name":"Authority Reference QA activation","status":"ready-for-human-aal2-run","workflowPath":".github/workflows/authority-reference-qa-smoke.yml","preflightScript":"scripts/authority-artifact-reference-qa-token-preflight.mjs","smokeScript":"scripts/authority-artifact-reference-qa-smoke.mjs","targetInput":"workspace_slug","requiredSecretName":"SCRIMED_BEARER_TOKEN","protectedRoutes":["/api/pilot-workspaces/{workspaceSlug}/authority-artifact-references","/api/pilot-workspaces/{workspaceSlug}/authority-artifact-references/renewal-queue","/api/pilot-workspaces/{workspaceSlug}/authority-artifact-references/packet"],"safeEvidenceFields":["workflowKind=authority-reference-qa","workflowRunId","workflowRunUrl","executedAt","baseUrl","workspace slug as intakeId","created authority reference UUID as createdSessionId","authority packet audit event UUID as packetAuditEventId","packetSha256 after protected persistence"],"prohibitedInputs":["bearer tokens","refresh tokens","artifact URLs","signed approvals","legal opinions","security reports","reimbursement determinations","PHI","production credentials"],"operatorSteps":["Open /pilot-workspace/access with an approved AAL2 tenant governance session.","Use the protected workspace slug as the explicit workflow target.","Create a temporary masked GitHub secret only for the short-lived AAL2 token.","Dispatch the Authority Reference QA workflow with require_authenticated_path enabled.","Confirm the workflow records one synthetic metadata-only reference, verifies the renewal queue, and downloads the audited packet.","Copy only the printed safe evidence fields: workflow kind, workspace target, reference UUID, and packet audit event UUID.","Delete or rotate the temporary secret immediately after the workflow finishes.","Persist the safe metadata through /pilot-workspace/access -> Manual QA Evidence in authority-reference mode.","Export Buyer Diligence so authority-reference QA evidence appears with the retained hard-gate boundaries."],"persistenceTarget":"/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets","buyerDiligenceImpact":"Adds tenant-scoped evidence that SCRIMED can record and audit no-PHI authority-reference readiness metadata under human AAL2 control.","currentBoundary":"No authenticated authority-reference CI evidence can be claimed until a human runs the workflow with a fresh short-lived AAL2 token.","workaround":"The renewal queue, fail-closed protected routes, stateless packet generation, and no-secret persistence bridge are already verified without storing credentials.","nextAction":"Run the manual workflow once a fresh AAL2 tenant governance token and synthetic workspace target are available."}],"sharedControls":["Use only fresh short-lived AAL2 tokens.","Keep workflows manual-only; do not schedule authenticated mutation checks.","Target exactly one explicit synthetic opportunity or protected workspace.","Run preflight before any authenticated request.","Copy only safe evidence IDs into SCRIMED.","Use GitHub Actions when temporary secret placement is available; use SCRIMED Run Control as the local human AAL2 witness when browser or CI secret placement is blocked.","Delete or rotate temporary GitHub secrets or local clipboard token material immediately after the run.","Persist evidence only through the protected Manual QA Evidence route.","Export Buyer Diligence only after safe metadata is retained and packet hashes are visible."],"forbiddenContent":"Never paste bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, source contracts, production credentials, or clinical records into QA evidence fields.","completionCriteria":["Preflight passed for the short-lived AAL2 token.","Authenticated smoke passed against the explicit synthetic target.","Temporary secret was deleted or rotated after run completion.","Manual QA Evidence packet was persisted through the protected workspace session.","Packet hash and append-only audit event are visible in Buyer Pilot Room.","Buyer Diligence Export was generated after persistence."],"unresolvedBoundary":"Authenticated QA evidence remains pending until a human operator performs the AAL2 run; code must not bypass this with committed credentials or long-lived secrets.","nextAction":"Use this activation plan to run Sales Demo Session QA and Authority Reference QA with fresh AAL2 tokens, persist only safe metadata, then export Buyer Diligence.","updated":"2026-06-22"},"manualRunEvidenceCapture":{"route":"/api/qa-evidence/manual-run-packet","protectedPersistenceRoute":"/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets","status":"manual-aal2-run-evidence-packet-ready","authorityReferenceBridgeStatus":"authority-reference-qa-evidence-bridge-ready","supportedWorkflowKinds":["sales-demo-session-qa","authority-reference-qa"],"persistenceStatus":"tenant-scoped-aal2-manual-qa-evidence-ledger","requiredFields":["workflowKind","workflowRunId","workflowRunUrl","executedAt","baseUrl","intakeId","createdSessionId","packetAuditEventId","qaOutcome","operatorAttestation","tokenDisposalAttestation","dataBoundary"],"acceptedAttestations":{"qaOutcome":"pass","operatorAttestation":"no-secrets-no-phi-aal2-human-run","tokenDisposalAttestation":"temporary-token-deleted-or-rotated","dataBoundary":"synthetic-business-workflow-only"},"forbiddenContent":"Do not submit bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, source contracts, credentials, or legal/security conclusions.","acceptedRunSources":["SCRIMED GitHub Actions manual workflow run","SCRIMED Run Control local human AAL2 execution witness"],"workflowRunUrlPolicy":"workflowRunUrl must point to either a SCRIMED GitHub Actions run or https://app.scrimedsolutions.com/qa-run-control?runId={numericRunId}.","persistenceBoundary":"The public route validates and returns a Markdown evidence packet without storing data. The protected workspace route persists the same sanitized metadata only after AAL2 tenant governance authorization and server-side storage controls.","authorityReferencePersistence":"For authority-reference QA, createdSessionId carries the created authority reference UUID and packetAuditEventId carries the authority reference packet audit event UUID. The packet labels these fields explicitly; the database column names remain generic legacy storage."},"manualRunEvidencePersistence":{"route":"/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets","status":"tenant-scoped-aal2-manual-qa-evidence-ledger","boundary":"Tenant-scoped durable storage requires AAL2 governance authorization, server-held runtime authorization, RLS membership checks, append-only audit events, no-secret validation, and synthetic-only metadata."},"entries":[{"id":"public-production-smoke","name":"Public production smoke","status":"passed","owner":"Release engineering","recordedAt":"2026-06-18","artifact":"scripts/public-production-smoke.mjs","routes":["/pilot-workspace/access","/sales-operations","/competitive-edge","/pilot-deal-room","/api/product/console","/api/pilot-workspaces/readiness"],"evidence":"Production smoke verified public HTML, product console proof-stack posture, readiness APIs, and protected-route fail-closed behavior on app.scrimedsolutions.com.","limitation":"Does not authenticate or mutate tenant-admin records.","workaround":"Protected routes must return a fail-closed response without credentials; authenticated mutation evidence is isolated behind AAL2 operator-token QA.","nextAction":"Run after each release and keep the product proof-stack assertion current."},{"id":"local-production-build-smoke","name":"Local production build and smoke","status":"passed","owner":"Engineering","recordedAt":"2026-06-18","artifact":"next build --webpack plus local production smoke","routes":["/quality","/pilot-evidence","/qa-evidence","/api/qa-evidence"],"evidence":"TypeScript, ESLint, generated integrity, production build, and local production smoke passed using the bundled Node runtime when the managed shell omitted node/npm from PATH.","limitation":"The local Codex shell may not expose npm or node on PATH consistently.","workaround":"Use the bundled Node absolute path for local verification; GitHub Actions and Vercel continue to run standard Node 22 commands.","nextAction":"Restore normal local package-manager PATH when convenient; keep absolute-Node fallback documented."},{"id":"sales-demo-session-token-policy","name":"Sales demo session token policy","status":"passed","owner":"Trust engineering","recordedAt":"2026-06-18","artifact":"scripts/sales-demo-session-qa-token-preflight.mjs","routes":[".github/workflows/sales-demo-session-qa-smoke.yml","docs/operator-token-rotation.md","/api/sales-operations/qa/buyer-demo-sessions"],"evidence":"Short-lived AAL2 JWT preflight, no-secret safe skip, policy self-test, explicit intake targeting, and manual-only GitHub workflow are implemented.","limitation":"Static preflight decodes claims but does not verify JWT signature; protected SCRIMED APIs and Supabase Auth remain the verification authority.","workaround":"Preflight blocks weak token shape before network access; authenticated route verification still happens inside the protected API.","nextAction":"Mint a fresh AAL2 operator token only for a deliberate manual QA workflow run."},{"id":"sales-demo-session-authenticated-ci","name":"First authenticated Sales Demo Session QA CI run","status":"manual-gate","owner":"SCRIMED operator","recordedAt":"2026-06-18","artifact":".github/workflows/sales-demo-session-qa-smoke.yml","routes":["/api/sales-operations/qa/buyer-demo-sessions","/sales-operations","/pilot-deal-room"],"evidence":"The runnable workflow, token preflight, smoke harness, and protected API path are present; the first live authenticated CI run still requires a fresh AAL2 operator session and explicit buyer-opportunity target.","limitation":"No long-lived bearer token should be stored in repo, docs, runtime config, or unattended CI.","workaround":"Keep the workflow manual, store the token only as a temporary masked GitHub Actions secret, run against one explicit intake ID, then delete or rotate the secret immediately after evidence capture.","nextAction":"Run the manual workflow once a fresh AAL2 token and safe synthetic intake target are available."},{"id":"authority-reference-authenticated-ci","name":"Authenticated Authority Reference QA run","status":"manual-gate","owner":"SCRIMED operator","recordedAt":"2026-06-21","artifact":".github/workflows/authority-reference-qa-smoke.yml","routes":["/api/pilot-workspaces/{workspaceSlug}/authority-artifact-references","/api/pilot-workspaces/{workspaceSlug}/authority-artifact-references/renewal-queue","/api/pilot-workspaces/{workspaceSlug}/authority-artifact-references/packet"],"evidence":"The protected authority-reference QA script, renewal queue, packet audit path, and manual workflow wrapper are present; the first authenticated run still requires a fresh short-lived AAL2 tenant token.","limitation":"No long-lived bearer token should be stored in source, runtime config, docs, or unattended CI.","workaround":"Run the manual workflow with a temporary masked GitHub Actions secret, capture only the workflow run ID, created authority reference ID, packet audit event ID, and packet hash, then delete or rotate the secret.","nextAction":"Run the authority-reference QA workflow once a fresh AAL2 token is available, then persist the safe metadata through the Manual QA Evidence panel in authority-reference mode."},{"id":"manual-aal2-qa-activation-plan","name":"Manual AAL2 QA evidence activation plan","status":"workaround-active","owner":"Release engineering","recordedAt":"2026-06-21","artifact":"/api/qa-evidence/activation-plan","routes":["/api/qa-evidence/activation-plan","/api/qa-evidence/activation-plan/brief",".github/workflows/sales-demo-session-qa-smoke.yml",".github/workflows/authority-reference-qa-smoke.yml"],"evidence":"A no-secret activation plan now gives operators workflow-specific target inputs, token preflight paths, safe evidence fields, prohibited content, persistence route, Buyer Diligence impact, and retained boundaries before any AAL2 run.","limitation":"The activation plan coordinates the human run; it does not mint tokens, execute passkey ceremonies, or create authenticated proof by itself.","workaround":"Use the plan as the mandatory bridge between manual GitHub workflow execution, secret disposal, protected Manual QA Evidence persistence, and Buyer Diligence export.","nextAction":"Run each manual AAL2 QA workflow from the plan, persist only safe metadata, then export Buyer Diligence after packet hashes appear."},{"id":"manual-aal2-qa-run-control","name":"Manual AAL2 QA run control","status":"workaround-active","owner":"Release engineering and TrustOS","recordedAt":"2026-06-21","artifact":"/api/qa-evidence/run-control","routes":["/qa-run-control","/api/qa-evidence/run-control","/api/qa-evidence/run-control/brief","/api/qa-evidence/manual-run-packet","/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets"],"evidence":"A no-secret run-control layer gives operators workflow-specific dispatch inputs, preflight command templates, smoke command templates, safe evidence payloads, abort conditions, and buyer-proof promotion rules before any human AAL2 token is used.","limitation":"Run Control prepares the first authenticated synthetic QA run; it still does not execute passkey ceremonies, mint tokens, store credentials, or claim retained authenticated evidence.","workaround":"Use Run Control as the mandatory mission brief before the human workflow dispatch, then persist only safe packet metadata after token disposal.","nextAction":"Use /qa-run-control during the first Sales Demo Session QA or Authority Reference QA human AAL2 run, then persist the packet hash through Manual QA Evidence."},{"id":"manual-aal2-qa-launch-kit","name":"Manual AAL2 QA launch kit","status":"workaround-active","owner":"Release engineering, TrustOS, security, and tenant governance","recordedAt":"2026-06-22","artifact":"/api/qa-evidence/launch-kit","routes":["/qa-launch-kit","/api/qa-evidence/launch-kit","/api/qa-evidence/launch-kit/brief","/qa-run-control","/qa-proof-promotion","/api/qa-evidence/manual-run-packet","/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets"],"evidence":"A no-secret Launch Kit now packages the approved human AAL2 handoff with workflow dispatch inputs, command templates, safe-copy fields, secret-disposal checks, packet persistence steps, and Proof Promotion checks before any buyer proof claim.","limitation":"The Launch Kit does not execute passkey ceremonies, mint tokens, store credentials, run the workflow, persist packet hashes, or authorize clinical, PHI, reimbursement, security-certification, connector, or production claims.","workaround":"Use the Launch Kit as the final operator handoff before the human run so the only remaining gate is the out-of-band short-lived AAL2 workflow execution and protected packet persistence.","nextAction":"Have an approved operator use /qa-launch-kit, complete one human AAL2 workflow, persist only safe metadata, then confirm /qa-proof-promotion before exporting Buyer Diligence."},{"id":"manual-aal2-qa-human-run-packet","name":"Manual AAL2 QA human run packet","status":"workaround-active","owner":"Release engineering, TrustOS, security, tenant governance, and Buyer Diligence","recordedAt":"2026-06-22","artifact":"/api/qa-evidence/human-run-packet","routes":["/qa-human-run-packet","/api/qa-evidence/human-run-packet","/api/qa-evidence/human-run-packet/brief","/qa-launch-kit","/qa-completion-bridge","/qa-activation-seal","/qa-proof-promotion","/qa-claim-guard","/api/qa-evidence/manual-run-packet","/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets"],"evidence":"A no-secret Human Run Packet now converts Launch Kit readiness into a bounded dispatch artifact with operator role, synthetic target, AAL2/no-code-bypass attestation, proof-blocked attestation, post-run route chain, controls, hard stops, and blocked claims.","limitation":"The Human Run Packet still does not execute passkey ceremonies, mint tokens, run workflows, persist packet hashes, authorize production data, or claim retained authenticated proof.","workaround":"Use the packet to make the first human AAL2 run deterministic and auditable while protected Manual QA Evidence remains the only source of retained proof.","nextAction":"Have an approved tenant-admin or pilot-lead use /qa-human-run-packet for exactly one synthetic workflow, validate through /qa-completion-bridge, persist protected metadata, then confirm /qa-activation-seal, /qa-proof-promotion, and /qa-claim-guard."},{"id":"manual-aal2-qa-execution-console","name":"Manual AAL2 QA execution console","status":"workaround-active","owner":"Release engineering, TrustOS, tenant governance, security, and Buyer Diligence","recordedAt":"2026-06-22","artifact":"/api/qa-evidence/manual-execution-console","routes":["/qa-manual-execution-console","/api/qa-evidence/manual-execution-console","/api/qa-evidence/manual-execution-console/brief","/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-execution-console","/pilot-workspace/access#manual-qa-execution-console","/qa-human-run-packet","/qa-completion-bridge","/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets","/api/pilot-workspaces/{workspaceSlug}/qa-evidence/buyer-proof-release"],"evidence":"A protected Manual QA Execution Console now unifies human AAL2 run readiness, manual workflow dispatch, no-secret metadata capture, retained packet visibility, audit signals, and Buyer Proof Release readiness in one operator lane.","limitation":"The console coordinates execution but does not mint tokens, execute passkey ceremonies, run authenticated CI unattended, store secrets, process PHI, create retained packets by itself, or authorize production healthcare activity.","workaround":"Use the public route for the no-secret runbook and the protected workspace panel to read retained packet and audit visibility before any Buyer Diligence proof language is released.","nextAction":"Use /pilot-workspace/access#manual-qa-execution-console during the first human AAL2 synthetic QA workflow, persist safe metadata through Manual QA Evidence, then refresh Buyer Proof Release."},{"id":"protected-aal2-synthetic-qa-run-evidence","name":"Protected AAL2 synthetic QA run evidence package","status":"workaround-active","owner":"Release engineering, TrustOS, tenant governance, security, and Buyer Diligence","recordedAt":"2026-06-22","artifact":"/api/qa-evidence/aal2-run-evidence","routes":["/qa-aal2-run-evidence","/api/qa-evidence/aal2-run-evidence","/api/qa-evidence/aal2-run-evidence/brief","/api/pilot-workspaces/{workspaceSlug}/qa-evidence/aal2-run-evidence","/qa-manual-execution-console","/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-execution-console","/api/pilot-workspaces/{workspaceSlug}/qa-evidence/buyer-proof-release"],"evidence":"A dated buyer-safe evidence package now maps the first protected AAL2 synthetic QA run to required categories, retained packet visibility, audit signals, boundary checks, remaining blockers, and a go/no-go release recommendation.","limitation":"The package truthfully records current evidence posture; it does not itself execute the human AAL2 workflow, create retained packet hashes, or approve buyer proof release.","workaround":"Use the package as the formal NO-GO/GO evidence summary around the protected Manual QA Execution Console and Buyer Proof Release gate.","nextAction":"Complete one approved human AAL2 synthetic workflow, persist no-secret metadata, attach reviewer notes for all required QA categories, then rerun the protected AAL2 evidence package before release."},{"id":"manual-aal2-qa-completion-bridge","name":"Manual AAL2 QA completion bridge","status":"workaround-active","owner":"Release engineering, TrustOS, tenant governance, and Buyer Diligence","recordedAt":"2026-06-22","artifact":"/api/qa-evidence/completion-bridge","routes":["/qa-completion-bridge","/api/qa-evidence/completion-bridge","/api/qa-evidence/completion-bridge/brief","/api/qa-evidence/manual-run-packet","/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets","/qa-proof-promotion"],"evidence":"A no-secret Completion Bridge now validates candidate post-run QA metadata, generates a packet preview hash, and keeps buyer proof blocked until protected packet persistence and Proof Promotion succeed.","limitation":"The bridge does not execute the human AAL2 run, store evidence, store tokens, create protected packet hashes, or authorize clinical, PHI, reimbursement, security-certification, connector, or production claims.","workaround":"Use the bridge immediately after the human Launch Kit workflow to reject unsafe candidate metadata before submitting the same no-secret payload through protected Manual QA Evidence persistence.","nextAction":"After the approved operator completes one Launch Kit workflow, POST the no-secret candidate metadata to /api/qa-evidence/completion-bridge, persist only if the bridge returns ready-for-protected-persistence, then confirm /qa-proof-promotion before Buyer Diligence export."},{"id":"manual-aal2-qa-claim-guard","name":"Manual AAL2 QA claim guard","status":"workaround-active","owner":"TrustOS, legal, sales engineering, buyer diligence, and marketing governance","recordedAt":"2026-06-22","artifact":"/api/qa-evidence/claim-guard","routes":["/qa-claim-guard","/api/qa-evidence/claim-guard","/api/qa-evidence/claim-guard/brief","/qa-launch-kit","/qa-completion-bridge","/qa-activation-seal","/qa-proof-promotion","/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets"],"evidence":"A no-secret Claim Guard now classifies buyer, investor, sales, PR, and operator language into current-safe, retained-packet-required, blocked-authority, or qualified-review states so claims do not outrun evidence.","limitation":"The Claim Guard provides current-state guidance only; it does not replace counsel, certify security or compliance, create retained QA proof, authorize PHI processing, authorize live clinical care, guarantee reimbursement, or approve production connectors.","workaround":"Use Claim Guard before Buyer Diligence, public materials, investor updates, sales language, PR, advertising, and operator summaries while protected packet proof and qualified approvals are pending.","nextAction":"Route every QA-related buyer or external claim through /qa-claim-guard until a protected manual QA packet hash is retained and /qa-proof-promotion allows packet-backed language."},{"id":"manual-aal2-qa-activation-seal","name":"Manual AAL2 QA activation seal","status":"workaround-active","owner":"TrustOS, release engineering, tenant governance, buyer diligence, and claims governance","recordedAt":"2026-06-22","artifact":"/api/qa-evidence/activation-seal","routes":["/qa-activation-seal","/api/qa-evidence/activation-seal","/api/qa-evidence/activation-seal/brief","/qa-launch-kit","/qa-completion-bridge","/qa-claim-guard","/qa-proof-promotion","/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets"],"evidence":"A no-secret Activation Seal now distinguishes public candidate completeness from protected packet visibility and blocks packet-backed buyer proof language until retained QA evidence is visible.","limitation":"The Activation Seal does not execute AAL2 workflows, create protected packet hashes, store tokens, store PHI, certify security or compliance, authorize live clinical care, guarantee reimbursement, approve production connectors, or create public release authority.","workaround":"Use Activation Seal after protected Manual QA Evidence persistence and before Buyer Diligence export so retained packet hash, audit event, Proof Promotion, Claim Guard, and blocked production-authority language are checked together.","nextAction":"After the first human AAL2 workflow is persisted, verify /qa-activation-seal, /qa-proof-promotion, and /qa-claim-guard before using packet-backed buyer proof language."},{"id":"manual-aal2-qa-proof-promotion","name":"Manual QA proof promotion gate","status":"workaround-active","owner":"Release engineering, TrustOS, and Buyer Diligence","recordedAt":"2026-06-21","artifact":"/api/qa-evidence/proof-promotion","routes":["/qa-proof-promotion","/api/qa-evidence/proof-promotion","/api/qa-evidence/proof-promotion/brief","/qa-run-control","/qa-activation-seal","/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets"],"evidence":"A retained-packet promotion gate now decides whether manual AAL2 synthetic QA evidence may be referenced in Buyer Diligence, requiring visible no-secret packet metadata before authenticated-proof language is allowed.","limitation":"Proof Promotion does not execute the human AAL2 run, create packet hashes, store credentials, or authorize clinical, PHI, reimbursement, security-certification, connector, or production claims.","workaround":"Use Proof Promotion to keep buyer-facing language in activation-ready posture until protected packet hashes are visible, then reference only safe workflow run metadata and packet SHA-256.","nextAction":"After the first manual AAL2 workflow passes and the no-secret packet is persisted, confirm /qa-proof-promotion moves from pending to buyer-diligence-ready before exporting proof."},{"id":"manual-aal2-qa-buyer-proof-release","name":"Manual QA buyer proof release gate","status":"workaround-active","owner":"TrustOS, release engineering, tenant governance, buyer diligence, and claims governance","recordedAt":"2026-06-22","artifact":"/api/qa-evidence/buyer-proof-release","routes":["/qa-buyer-proof-release","/api/qa-evidence/buyer-proof-release","/api/qa-evidence/buyer-proof-release/brief","/api/pilot-workspaces/{workspaceSlug}/qa-evidence/buyer-proof-release","/qa-human-run-packet","/qa-completion-bridge","/qa-activation-seal","/qa-proof-promotion","/qa-claim-guard","/api/pilot-workspaces/{workspaceSlug}/buyer-room/packet"],"evidence":"A protected Buyer Proof Release gate now consolidates retained Manual QA Evidence, Proof Promotion, Activation Seal, Claim Guard, and hard authority boundaries into one no-go/go decision before Buyer Diligence references retained QA proof.","limitation":"The release gate does not execute the human AAL2 run, create retained packets, store tokens, store PHI, authorize public distribution, certify security or compliance, authorize clinical care, guarantee reimbursement, approve connectors, or grant production authority.","workaround":"Use the public route for no-secret candidate validation, then require the protected workspace route to read retained packet and audit evidence before packet-backed Buyer Diligence language is allowed.","nextAction":"After protected Manual QA Evidence persistence, run the protected Buyer Proof Release gate and export Buyer Diligence only if it returns ready-for-protected-buyer-diligence-export."},{"id":"manual-run-evidence-capture","name":"Manual AAL2 run evidence capture","status":"workaround-active","owner":"Release engineering","recordedAt":"2026-06-18","artifact":"/api/qa-evidence/manual-run-packet","routes":["/api/qa-evidence/manual-run-packet","/qa-evidence","/api/sales-operations/qa/buyer-demo-sessions","/api/pilot-workspaces/{workspaceSlug}/authority-artifact-references/renewal-queue"],"evidence":"A stateless evidence packet generator validates non-secret workflow run metadata, created evidence object ID, packet audit event ID, operator attestation, token-disposal attestation, and workflow kind after the manual QA workflow completes.","limitation":"The packet generator does not execute the authenticated QA run by itself.","workaround":"Use it immediately after the manual workflow run to produce a sanitized packet, then persist the same non-secret run metadata through the protected tenant-scoped evidence route.","nextAction":"After the first manual workflow pass for Sales Demo Session QA or Authority Reference QA, POST the non-secret run metadata to the packet route, then persist it through the workspace evidence route for buyer-room visibility."},{"id":"manual-run-evidence-persistence","name":"Tenant-scoped manual QA evidence persistence","status":"workaround-active","owner":"Trust engineering","recordedAt":"2026-06-18","artifact":"/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets","routes":["/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets","/api/pilot-workspaces/{workspaceSlug}/buyer-room"],"evidence":"A protected AAL2 workspace route can persist sanitized manual QA evidence packets into tenant-scoped audit storage and surface the resulting packet/audit signal inside Buyer Pilot Rooms.","limitation":"Persistence is intentionally unavailable without a verified AAL2 tenant governance session and server-held runtime authorization.","workaround":"Keep the public packet generator stateless for no-secret packet creation; use the protected persistence route only after human AAL2 QA has completed.","nextAction":"Run the first AAL2 Sales Demo Session QA workflow, persist the evidence packet, then export a Buyer Diligence Export with the manual QA evidence signal included."},{"id":"protected-routes-fail-closed","name":"Protected route fail-closed coverage","status":"fail-closed","owner":"TrustOS","recordedAt":"2026-06-18","artifact":"scripts/public-production-smoke.mjs","routes":["/api/sales-operations/qa/buyer-demo-sessions","/api/pilot-workspaces/{workspaceSlug}/buyer-room","/api/agent-workspaces/{workspaceSlug}/work-orders"],"evidence":"Unauthenticated protected APIs return 401 or dependency-safe 503 responses with data-boundary headers instead of silently mutating records.","limitation":"Fail-closed evidence proves containment, not successful authenticated workflow execution.","workaround":"Pair fail-closed checks with manual AAL2 QA runs and packet-level audit evidence before customer-facing proof release.","nextAction":"Add dated authenticated proof entries after the first short-lived-token QA workflow passes."},{"id":"runtime-error-watch","name":"Production runtime error watch","status":"passed","owner":"Operations","recordedAt":"2026-06-18","artifact":"Vercel production runtime logs","routes":["/observability","/operations","/trust-safety-operations"],"evidence":"Production runtime logs were checked after deployment with no error or fatal events returned for the verification window.","limitation":"Current check is operator-run evidence, not a contractual 24/7 managed SOC or customer-specific alerting program.","workaround":"Keep public proof bounded to release verification and target-operating-model language until monitoring ownership, notification policy, and support agreements are approved.","nextAction":"Add customer-specific alerting and incident response evidence before production customer deployment claims."}],"knownLimitations":[{"title":"First authenticated Sales Demo Session QA CI evidence is pending","impact":"SCRIMED has the workflow and token policy, but cannot claim an authenticated CI mutation run until a fresh AAL2 operator token is used deliberately.","currentControl":"Manual-only GitHub workflow, short-lived JWT preflight, explicit intake targeting, Run Control mission brief, Launch Kit handoff, Human Run Packet dispatch validation, protected Manual QA Execution Console, Completion Bridge candidate validation, Claim Guard overclaim prevention, Activation Seal final check, Proof Promotion gate, Buyer Proof Release gate, fail-closed public smoke, and no long-lived secret storage.","resolutionPath":"Use /pilot-workspace/access#manual-qa-execution-console, mint a fresh AAL2 token from the tenant-admin session, run the workflow once against a synthetic intake ID, archive only safe IDs, validate them through /qa-completion-bridge, persist the packet hash, delete or rotate the token secret, then use /qa-buyer-proof-release before buyer proof claims.","status":"manual-action-required"},{"title":"Authority Reference QA retained AAL2 evidence is captured","impact":"SCRIMED has one protected authority-reference synthetic QA run retained as no-secret AAL2 evidence through Run Control. GitHub-hosted CI evidence remains optional until browser secret placement is available.","currentControl":"Run Control witness, short-lived JWT preflight, workspace targeting, protected authority-reference smoke, Manual QA Evidence persistence, packet SHA-256 retention, append-only audit event, Claim Guard, Activation Seal, Proof Promotion, Buyer Proof Release, fail-closed public smoke, and no long-lived secret storage.","resolutionPath":"Use the retained packet hash and audit event only for bounded buyer diligence. Re-run through GitHub Actions later if a separate CI-hosted evidence trail is required.","status":"contained"},{"title":"First protected AAL2 synthetic category evidence is retained","impact":"The required buyer-proof QA categories now have one retained no-secret AAL2 packet, packet hash, and append-only audit signal. Category notes remain bounded to synthetic QA posture and do not create clinical validation, PHI authority, or live-care approval.","currentControl":"AAL2 Run Evidence Package, Manual QA Execution Console, Human Run Packet, Completion Bridge, Activation Seal, Proof Promotion, Claim Guard, Buyer Proof Release, synthetic-only headers, fail-closed protected routes, and no-secret packet validation.","resolutionPath":"Use the protected Buyer Proof Release output for buyer diligence, include only the workflow run ID, packet hash, audit event reference, synthetic boundary, and blocked authority language, and keep production authority gates closed.","status":"contained"},{"title":"Managed local shell may omit npm/node from PATH","impact":"Local package scripts can fail even when the repository, CI, and Vercel build path are healthy.","currentControl":"Bundled Node absolute path verifies TypeScript, ESLint, generated integrity, Next build, and smoke scripts without changing the product.","resolutionPath":"Restore PATH in the local Codex shell when available; keep CI and Vercel on standard Node 22.","status":"contained"},{"title":"Live clinical execution remains intentionally blocked","impact":"SCRIMED remains sellable as a governed synthetic pilot and enterprise evaluation product, not live diagnosis, treatment, payer submission, or autonomous care execution.","currentControl":"Synthetic-only evidence, human-review boundaries, protected route fail-closed behavior, claims controls, and clinical/legal/privacy/security review gates.","resolutionPath":"Complete customer-specific identity, privacy, BAA, connector, audit, clinical validation, risk, and human operating controls before any production healthcare workflow.","status":"external-review-required"}],"buyerSafeSummary":"SCRIMED verifies release health, protected-route containment, token-policy readiness, and no-secret evidence capture today; remaining authenticated QA evidence requires deliberate short-lived AAL2 operator runs against synthetic targets.","nextRecommendedBuildStep":"Use /pilot-workspace/access#manual-qa-execution-console to dispatch exactly one approved human AAL2 synthetic workflow, then validate through /qa-completion-bridge, persist through protected Manual QA Evidence, and confirm /qa-buyer-proof-release before Buyer Diligence export.","updated":"2026-06-22"}