{"service":"scrimed-aal2-smoke-readiness","status":"aal2-smoke-readiness-preflight-ready-no-secret","generatedAt":"static-no-secret-operator-readiness","runState":"preflight-ready-strict-smoke-token-required","strictAttemptReady":false,"protectedHumanRunRequired":true,"syntheticDataOnly":true,"noPhiConfirmed":true,"tokenMaterialStored":false,"tokenMaterialPrinted":false,"protectedWritesEnabledByDefault":false,"operatorTokenRequired":true,"targetFeatureFlagRequired":true,"targetProtectedApiVerifiesToken":true,"routes":{"api":"/api/qa-evidence/aal2-smoke-readiness","brief":"/api/qa-evidence/aal2-smoke-readiness/brief","qaEvidence":"/api/qa-evidence/aal2-run-evidence","durableStore":"/api/workflows/execution-attempts/durable-store","storedVectorRpcSmoke":"/api/scrimed-build-roadmap/stored-vector-rpc-smoke","protectedWorkspace":"/pilot-workspace/access"},"commands":["npm run smoke:aal2:readiness","npm run smoke:aal2:token -- --prompt-token --write-env-local","npm run smoke:aal2:durable-store:strict","npm run smoke:scrimed-stored-vector-rpc:strict"],"gates":[{"id":"workspace-slug","name":"Workspace slug","status":"ready","evidence":"The operator flow supports SCRIMED_WORKSPACE_SLUG and defaults to atlas-synthetic-evaluation for synthetic smoke testing.","nextAction":"Set SCRIMED_WORKSPACE_SLUG only when running against a different authorized synthetic tenant."},{"id":"aal2-bearer-token","name":"Short-lived AAL2 bearer token","status":"blocked-until-human-aal2","evidence":"The app never prints or embeds token material. The local helper accepts clipboard, prompt, or session-file input and writes only to gitignored local environment when requested.","nextAction":"Generate a fresh authorized tenant-admin, pilot-lead, or reviewer session token and run the token helper immediately before strict smoke."},{"id":"role-verification","name":"Role verification","status":"target-runtime-required","evidence":"Protected APIs verify tenant role and AAL2 state at runtime; this readiness packet does not assert operator authorization.","nextAction":"Run the strict smoke against the protected target so Supabase/Auth/RLS can verify the token and role."},{"id":"durable-store-feature-flag","name":"Durable-store feature flag","status":"operator-action-required","evidence":"Protected writes intentionally stay disabled unless SCRIMED_EXECUTION_ATTEMPT_DURABLE_STORE_ENABLED is true on the target app.","nextAction":"Enable SCRIMED_EXECUTION_ATTEMPT_DURABLE_STORE_ENABLED=true only for the authorized synthetic smoke target."},{"id":"protected-supabase-runtime","name":"Protected Supabase runtime","status":"target-runtime-required","evidence":"Durable-store record, replay, and review disposition depend on protected Supabase RPCs and deny-by-default RLS.","nextAction":"Verify the target deployment has the durable-store migrations applied before strict smoke."},{"id":"stored-vector-registration-role","name":"Stored-vector registration role","status":"target-runtime-required","evidence":"Stored-vector RPC smoke requires authenticated registration through the protected target and must not run as public anonymous code.","nextAction":"Run npm run smoke:scrimed-stored-vector-rpc:strict after the same short-lived AAL2 token is accepted."},{"id":"no-secret-output","name":"No-secret output","status":"validated","evidence":"Readiness APIs, briefs, docs, and contract checks must not include JWT-like strings, bearer-token material, Supabase service role keys, PHI, or credential fragments.","nextAction":"Keep all token movement limited to local environment variables, .env.local, secure prompt input, or clipboard handoff."},{"id":"strict-smoke-commands","name":"Strict smoke commands","status":"ready","evidence":"Nonsecret preflight and strict durable-store/stored-vector commands are present as npm scripts and are covered by the nonsecret contract suite.","nextAction":"Run the readiness preflight before strict smoke and keep failed protected writes fail-closed."}],"guardrails":["No PHI, patient identifiers, payer member identifiers, imaging, claims, or live records are accepted.","No autonomous diagnosis, treatment, prescribing, patient outreach, payer submission, billing submission, or EHR writeback is authorized.","The preflight does not weaken AAL2, tenant role checks, Supabase RLS, durable-store authorization, or protected API verification.","Token-like values must be redacted in logs and never committed to source, docs, tests, or chat output.","A failed or missing token keeps strict smoke blocked instead of falling back to public execution."],"remainingOperatorActions":["Create or confirm an authorized tenant-admin, pilot-lead, or reviewer account for the synthetic workspace.","Generate a fresh short-lived AAL2 session token immediately before smoke execution.","Store the token only through a secure local environment path such as .env.local with mode 0600.","Ensure SCRIMED_EXECUTION_ATTEMPT_DURABLE_STORE_ENABLED=true is configured on the target app before strict durable-store writes.","Run strict durable-store and stored-vector RPC smoke, then rotate or clear temporary token material."],"failureModes":["Missing SCRIMED_BEARER_TOKEN fails closed before authenticated strict smoke.","Expired, malformed, or non-JWT token material fails closed during local preflight or protected API verification.","Valid token with an unauthorized role is rejected by protected role checks.","Disabled durable-store target returns disabled/fail-safe status instead of accepting protected writes.","Unauthenticated public requests to protected record/replay/review paths remain fail-closed."],"boundary":"SCRIMED AAL2 Smoke Readiness is a no-secret operator preflight for synthetic AAL2 durable-store and stored-vector RPC smoke tests. It does not mint, expose, retain, validate, or bypass bearer tokens; protected APIs remain the source of truth for role, AAL2, feature flag, tenant, and RLS verification."}