# SCRIMED QA Completion Bridge Brief

Status: manual-aal2-qa-completion-bridge-ready
Decision state: waiting-for-human-aal2-run
Buyer claim status: completion-bridge-ready-not-retained-authenticated-proof

## Boundary
SCRIMED QA Completion Bridge validates no-secret candidate metadata after a human AAL2 synthetic QA run and before protected persistence. It does not execute passkey ceremonies, mint or store tokens, persist evidence, store PHI, authorize live clinical care, certify security or compliance, guarantee reimbursement, approve production connectors, or allow buyer proof promotion before protected packet hashes are visible.

## Routes
- Launch Kit: /qa-launch-kit
- Human Run Packet: /qa-human-run-packet
- Completion Bridge: /qa-completion-bridge
- Completion Bridge API: /api/qa-evidence/completion-bridge
- Manual packet route: /api/qa-evidence/manual-run-packet
- Protected persistence route: /api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets
- Proof Promotion: /qa-proof-promotion

## Bridge Rules
- Allowed now: validate a no-secret candidate packet after a human AAL2 synthetic run.
- Allowed now: generate a packet preview hash for operator comparison before protected persistence.
- Not allowed here: persist evidence, store tokens, claim retained proof, or promote buyer diligence.
- Required next: use the protected AAL2 workspace persistence route, then Proof Promotion.

## Checkpoints
- Human AAL2 workflow run (required-before-bridge): One explicit synthetic workflow run ID, run URL, timestamp, target ID, created object UUID, and packet audit event UUID. Pass: The candidate payload references exactly one completed human-run synthetic workflow. Fail closed if: The run did not happen, was scheduled/unattended, used a broad target, or references regulated data.
- No-secret candidate validation (validated-by-bridge): Safe metadata only, accepted attestations, valid GitHub Actions or SCRIMED Run Control URL, ISO timestamp, and UUID evidence object IDs. Pass: The public bridge returns ready-for-protected-persistence and a packet preview SHA-256. Fail closed if: The payload contains bearer/JWT-like material, PHI, payer member data, credentials, invalid attestations, or unsupported workflow kind.
- Protected packet persistence (protected-only): AAL2 protected workspace session and POST to the tenant-scoped manual QA evidence route. Pass: The protected workspace returns a retained packet hash and append-only audit event. Fail closed if: The operator lacks AAL2 governance authorization or the protected write rejects the payload.
- Proof Promotion decision (hard-stop): Visible retained packet SHA-256, workflow run ID, audit event reference, and blocked production claims. Pass: Proof Promotion moves buyer language from activation-ready to retained no-secret QA evidence. Fail closed if: Buyer material claims authenticated proof before protected packet hash visibility.
- Clinical and production authority (hard-stop): Separate signed customer/legal/security/privacy/clinical/regional/reimbursement/connector approvals. Pass: Authority remains explicitly blocked unless external approvals exist. Fail closed if: Anyone treats QA completion evidence as PHI, live-care, payer, connector, security-certification, or reimbursement authorization.

## Safe Field Examples
- workflowKind
- workflowRunId
- workflowRunUrl
- executedAt
- baseUrl
- intakeId or workspaceSlug
- createdSessionId or authority reference UUID
- packetAuditEventId
- qaOutcome=pass
- operatorAttestation=no-secrets-no-phi-aal2-human-run
- tokenDisposalAttestation=temporary-token-deleted-or-rotated
- dataBoundary=synthetic-business-workflow-only

## Blocked Claims
- human AAL2 workflow executed by this bridge
- token, credential, or bearer material stored as evidence
- protected packet persisted by the public bridge
- buyer proof promoted before retained packet hash visibility
- PHI or payer member data processed
- live clinical care authorized
- security or compliance certification completed
- reimbursement outcome guaranteed
- production connector approved
- autonomous diagnosis or treatment authorized

## Next Recommended Build Step
After the approved operator uses /qa-human-run-packet and completes one synthetic workflow, run the no-secret metadata through QA Completion Bridge, persist it through the protected Manual QA Evidence route, then confirm Claim Guard, Activation Seal, and Proof Promotion before exporting Buyer Diligence.

## Ledger Boundary
SCRIMED QA Evidence Ledger records synthetic-only release, smoke, token-policy, fail-closed, and operator-gate evidence. It is not a clinical validation report, security certification, legal opinion, SOC report, HIPAA attestation, or authorization for live healthcare execution.