# SCRIMED Manual AAL2 QA Evidence Activation Plan

Status: manual-aal2-qa-evidence-activation-plan-ready
Boundary: The QA Evidence Activation Plan is a no-secret operator runbook for governed synthetic AAL2 QA only. It does not store or reveal bearer tokens, execute passkey ceremonies, authorize PHI processing, certify compliance, or grant live clinical authority.
Activation principle: Human AAL2 session plus short-lived token plus explicit synthetic target plus no-secret evidence persistence.

## Shared Controls
- Use only fresh short-lived AAL2 tokens.
- Keep workflows manual-only; do not schedule authenticated mutation checks.
- Target exactly one explicit synthetic opportunity or protected workspace.
- Run preflight before any authenticated request.
- Copy only safe evidence IDs into SCRIMED.
- Use GitHub Actions when temporary secret placement is available; use SCRIMED Run Control as the local human AAL2 witness when browser or CI secret placement is blocked.
- Delete or rotate temporary GitHub secrets or local clipboard token material immediately after the run.
- Persist evidence only through the protected Manual QA Evidence route.
- Export Buyer Diligence only after safe metadata is retained and packet hashes are visible.

## Forbidden Content
Never paste bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, source contracts, production credentials, or clinical records into QA evidence fields.

## Workflows
### Sales Demo Session QA activation
- Workflow kind: sales-demo-session-qa
- Status: ready-for-human-aal2-run
- GitHub workflow: .github/workflows/sales-demo-session-qa-smoke.yml
- Preflight script: scripts/sales-demo-session-qa-token-preflight.mjs
- Smoke script: scripts/sales-demo-session-qa-smoke.mjs
- Target input: intake_id
- Required temporary secret: SCRIMED_SALES_QA_BEARER_TOKEN
- Persistence target: /api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets
- Buyer Diligence impact: Adds tenant-scoped evidence that SCRIMED can create and audit a governed synthetic buyer demo session under human AAL2 control.
- Current boundary: No authenticated sales-demo CI evidence can be claimed until a human runs the workflow with a fresh short-lived AAL2 token.
- Workaround: All surrounding controls remain verified by public smoke and fail-closed checks; the activation plan prevents token material from becoming evidence.
- Next action: Run the manual workflow once a fresh AAL2 tenant-admin token and safe synthetic intake target are available.

Protected routes:
- /api/sales-operations/qa/buyer-demo-sessions
- /sales-operations
- /pilot-deal-room

Safe evidence fields:
- workflowKind=sales-demo-session-qa
- workflowRunId
- workflowRunUrl
- executedAt
- baseUrl
- intakeId
- createdSessionId
- packetAuditEventId
- packetSha256 after protected persistence

Prohibited inputs:
- bearer tokens
- refresh tokens
- passwords
- patient identifiers
- payer member identifiers
- source contracts
- clinical records
- legal conclusions

Operator steps:
1. Open Sales Operations with an approved AAL2 tenant-admin session.
2. Select one explicit synthetic buyer opportunity and capture its intake ID.
3. Create a temporary masked GitHub secret only for the short-lived AAL2 token.
4. Dispatch the Sales Demo Session QA workflow with require_authenticated_path enabled.
5. Confirm preflight and smoke pass; copy only safe IDs from workflow output.
6. Delete or rotate the temporary secret immediately after the workflow finishes.
7. Persist the safe metadata through /pilot-workspace/access -> Manual QA Evidence.
8. Export Buyer Diligence so the retained packet hash and audit trail appear in buyer proof.

### Authority Reference QA activation
- Workflow kind: authority-reference-qa
- Status: ready-for-human-aal2-run
- GitHub workflow: .github/workflows/authority-reference-qa-smoke.yml
- Preflight script: scripts/authority-artifact-reference-qa-token-preflight.mjs
- Smoke script: scripts/authority-artifact-reference-qa-smoke.mjs
- Target input: workspace_slug
- Required temporary secret: SCRIMED_BEARER_TOKEN
- Persistence target: /api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets
- Buyer Diligence impact: Adds tenant-scoped evidence that SCRIMED can record and audit no-PHI authority-reference readiness metadata under human AAL2 control.
- Current boundary: No authenticated authority-reference CI evidence can be claimed until a human runs the workflow with a fresh short-lived AAL2 token.
- Workaround: The renewal queue, fail-closed protected routes, stateless packet generation, and no-secret persistence bridge are already verified without storing credentials.
- Next action: Run the manual workflow once a fresh AAL2 tenant governance token and synthetic workspace target are available.

Protected routes:
- /api/pilot-workspaces/{workspaceSlug}/authority-artifact-references
- /api/pilot-workspaces/{workspaceSlug}/authority-artifact-references/renewal-queue
- /api/pilot-workspaces/{workspaceSlug}/authority-artifact-references/packet

Safe evidence fields:
- workflowKind=authority-reference-qa
- workflowRunId
- workflowRunUrl
- executedAt
- baseUrl
- workspace slug as intakeId
- created authority reference UUID as createdSessionId
- authority packet audit event UUID as packetAuditEventId
- packetSha256 after protected persistence

Prohibited inputs:
- bearer tokens
- refresh tokens
- artifact URLs
- signed approvals
- legal opinions
- security reports
- reimbursement determinations
- PHI
- production credentials

Operator steps:
1. Open /pilot-workspace/access with an approved AAL2 tenant governance session.
2. Use the protected workspace slug as the explicit workflow target.
3. Create a temporary masked GitHub secret only for the short-lived AAL2 token.
4. Dispatch the Authority Reference QA workflow with require_authenticated_path enabled.
5. Confirm the workflow records one synthetic metadata-only reference, verifies the renewal queue, and downloads the audited packet.
6. Copy only the printed safe evidence fields: workflow kind, workspace target, reference UUID, and packet audit event UUID.
7. Delete or rotate the temporary secret immediately after the workflow finishes.
8. Persist the safe metadata through /pilot-workspace/access -> Manual QA Evidence in authority-reference mode.
9. Export Buyer Diligence so authority-reference QA evidence appears with the retained hard-gate boundaries.

## Completion Criteria
- Preflight passed for the short-lived AAL2 token.
- Authenticated smoke passed against the explicit synthetic target.
- Temporary secret was deleted or rotated after run completion.
- Manual QA Evidence packet was persisted through the protected workspace session.
- Packet hash and append-only audit event are visible in Buyer Pilot Room.
- Buyer Diligence Export was generated after persistence.

## Remaining Boundary
Authenticated QA evidence remains pending until a human operator performs the AAL2 run; code must not bypass this with committed credentials or long-lived secrets.

## Next Action
Use this activation plan to run Sales Demo Session QA and Authority Reference QA with fresh AAL2 tokens, persist only safe metadata, then export Buyer Diligence.