QA Evidence

QA Buyer Proof Release

SCRIMED now has a single protected go/no-go gate before retained QA proof enters Buyer Diligence.

Buyer Proof Release ties retained Manual QA Evidence, Proof Promotion, Activation Seal, and Claim Guard into one decision. Public checks remain candidate-only; protected workspace verification is required before Buyer Diligence references retained manual AAL2 synthetic QA proof.

Statusmanual-aal2-qa-buyer-proof-release-gate-ready
Decisionlocked-retained-packet-required
Buyer exportblocked
Protected checkrequired
Rules5
Evidence fields12
Hard stops10
Blocked claims8

Current decision

SCRIMED remains activation-ready; retained manual AAL2 QA proof cannot be used in buyer diligence until the protected release gate passes.

Complete the human AAL2 run, persist no-secret metadata, then verify Proof Promotion, Activation Seal, Claim Guard, and this release gate before Buyer Diligence export.

SCRIMED QA Buyer Proof Release decides whether protected buyer diligence may reference retained no-secret manual AAL2 synthetic QA evidence. Public checks validate candidate metadata only. Protected release requires tenant-governed AAL2 access, visible retained packet metadata, Proof Promotion, Activation Seal, Claim Guard, and unchanged clinical/PHI/security/reimbursement boundaries.

protected/api/pilot-workspaces/{workspaceSlug}/qa-evidence/buyer-proof-release
packet/api/pilot-workspaces/{workspaceSlug}/buyer-room/packet
publiccandidate validation only

Release criteria

Buyer proof release stays locked until protected retained evidence and language gates align.

blocked

Retained protected packet visible

No protected packet SHA-256 is visible to the release gate.

Persist safe metadata through protected Manual QA Evidence after the human AAL2 run.
blocked

Proof Promotion permits buyer diligence

Proof Promotion state: pending-retained-packet.

Use /qa-run-control, complete one human AAL2 synthetic QA workflow, persist the no-secret packet, then promote after packet hash visibility.
blocked

Activation Seal allows buyer use

Activation Seal state: unsealed-human-aal2-required.

Complete Launch Kit, validate dispatch through Human Run Packet, validate through Completion Bridge, persist protected no-secret metadata, confirm Proof Promotion, then run Claim Guard before buyer use.
passed

Claim Guard keeps language bounded

Claim Guard state: requires-retained-packet.

Complete Launch Kit, validate dispatch through Human Run Packet, validate through Completion Bridge, persist protected metadata, then confirm Proof Promotion before using this claim.
passed

External authority remains separately gated

External distribution, public claims, live clinical care, PHI processing, reimbursement, certification, connector, and production authority remain false.

Route external-use claims through qualified release, legal, privacy, security, clinical, reimbursement, regional, connector, and customer go-live controls.

Required evidence

The release packet can carry safe retained metadata, not secrets, PHI, or authority claims.

01

protected Manual QA Evidence packet SHA-256

Required before packet-backed QA proof appears in protected Buyer Diligence.

Public release, live care, PHI, reimbursement, certification, connector, and production authority stay separately gated.
02

protected packet audit event UUID

Required before packet-backed QA proof appears in protected Buyer Diligence.

Public release, live care, PHI, reimbursement, certification, connector, and production authority stay separately gated.
03

workflow run ID and run URL

Required before packet-backed QA proof appears in protected Buyer Diligence.

Public release, live care, PHI, reimbursement, certification, connector, and production authority stay separately gated.
04

synthetic target or workspace label

Required before packet-backed QA proof appears in protected Buyer Diligence.

Public release, live care, PHI, reimbursement, certification, connector, and production authority stay separately gated.
05

human AAL2 no-secret operator attestation

Required before packet-backed QA proof appears in protected Buyer Diligence.

Public release, live care, PHI, reimbursement, certification, connector, and production authority stay separately gated.
06

temporary token deleted or rotated

Required before packet-backed QA proof appears in protected Buyer Diligence.

Public release, live care, PHI, reimbursement, certification, connector, and production authority stay separately gated.
07

Proof Promotion ready-for-buyer-diligence decision

Required before packet-backed QA proof appears in protected Buyer Diligence.

Public release, live care, PHI, reimbursement, certification, connector, and production authority stay separately gated.
08

Activation Seal sealed-for-buyer-diligence decision

Required before packet-backed QA proof appears in protected Buyer Diligence.

Public release, live care, PHI, reimbursement, certification, connector, and production authority stay separately gated.
09

Claim Guard safe or retained-packet-gated language result

Required before packet-backed QA proof appears in protected Buyer Diligence.

Public release, live care, PHI, reimbursement, certification, connector, and production authority stay separately gated.
10

protected Buyer Diligence packet route

Required before packet-backed QA proof appears in protected Buyer Diligence.

Public release, live care, PHI, reimbursement, certification, connector, and production authority stay separately gated.
11

external distribution remains separately gated

Required before packet-backed QA proof appears in protected Buyer Diligence.

Public release, live care, PHI, reimbursement, certification, connector, and production authority stay separately gated.
12

clinical, PHI, reimbursement, certification, connector, and production authority remain blocked

Required before packet-backed QA proof appears in protected Buyer Diligence.

Public release, live care, PHI, reimbursement, certification, connector, and production authority stay separately gated.

Hard stops

These signals keep buyer proof release blocked even when a retained packet exists.

01bearer token or refresh token submitted
02API key, password, credential, or production secret submitted
03PHI, patient identifier, payer member identifier, medical record, claim, image, or regulated clinical content submitted
04public release requested without qualified approval
05live clinical care authorization claimed
06PHI processing authorization claimed
07HIPAA, SOC 2, security, FDA, regional, or legal approval claimed
08reimbursement certainty or payer submission authority claimed
09production connector approval claimed
10autonomous diagnosis, treatment, patient outreach, or clinical execution claimed