# SCRIMED Manual QA Proof Promotion Brief

Status: manual-aal2-qa-proof-promotion-gate-ready
Promotion state: pending-retained-packet
Promotion allowed: no

## Boundary
SCRIMED Manual QA Proof Promotion decides when retained no-secret human AAL2 QA packet metadata can be referenced in buyer diligence. It does not execute AAL2 workflows, store tokens, store PHI, certify security or compliance, authorize live clinical care, guarantee reimbursement, approve production connectors, or allow authenticated-proof claims before a protected packet hash is visible.

## Current Decision
- Buyer-safe claim: SCRIMED has an operator-ready manual AAL2 QA path, but retained authenticated QA proof is still pending.
- Buyer proof language: Buyer-facing proof may reference activation readiness, Run Control, and fail-closed checks, but not retained authenticated QA proof.
- Next action: Use /qa-run-control, complete one human AAL2 synthetic QA workflow, persist the no-secret packet, then promote after packet hash visibility.

## Promotion Rules
- Retained packet hash required (hard-stop): before Describe the workflow as activation-ready or operator-ready only. After Reference the retained packet hash and workflow run ID in buyer diligence. Boundary: No hash means no retained authenticated QA proof claim.
- No-secret evidence only (hard-stop): before Reject bearer tokens, refresh tokens, credentials, PHI, payer data, artifacts, URLs, legal opinions, and security reports. After Use only safe metadata fields and the packet SHA-256. Boundary: The token itself is never evidence.
- Human AAL2 provenance required (active): before Use Run Control and Manual QA Evidence capture under a fresh human AAL2 session. After State that the packet records a human-run synthetic QA workflow. Boundary: AAL2 provenance is not clinical, legal, reimbursement, or production authorization.
- Buyer Diligence export after persistence (active): before Keep Buyer Diligence language in pending activation posture. After Allow Buyer Diligence to include retained packet count, run ID, packet hash, and audit event reference. Boundary: Buyer proof is limited to governed synthetic QA evidence.
- Clinical and production claims remain blocked (hard-stop): before Do not imply live care, PHI processing, payer submission, or connector approval. After Continue blocking live clinical, PHI, payer, reimbursement, security-certification, and production-launch claims. Boundary: Retained QA proof improves diligence; it does not unlock production clinical execution.

## Required Evidence
- workflow kind
- workflow run ID
- workflow run URL
- execution timestamp
- synthetic target ID
- created safe object UUID
- packet audit event UUID
- token disposal attestation
- packet SHA-256
- protected workspace audit visibility

## Blocked Claims
- authenticated QA completed without a retained protected packet hash
- bearer token retained as evidence
- PHI processed or validated
- live clinical care authorized
- security certification completed
- compliance certification completed
- reimbursement outcome guaranteed
- production connector approved
- autonomous diagnosis or treatment authorized

## Claim Rules
- Allowed now: SCRIMED can explain exactly when manual AAL2 QA evidence may be promoted into buyer diligence.
- Allowed now: SCRIMED can keep buyer proof in activation-ready posture until packet hashes are retained.
- Allowed after retained packet: SCRIMED can cite no-secret workflow run metadata and packet SHA-256 for a synthetic QA workflow.
- Never allowed from this gate alone: live clinical care, PHI processing, payer submission, production connector approval, security certification, reimbursement certainty, or autonomous clinical action.

## Next Recommended Build Step
Run one human AAL2 workflow from /qa-run-control, persist the no-secret packet, then let Buyer Pilot Room export reference the retained packet hash through this promotion gate.