QA Completion Bridge
SCRIMED now has a no-secret bridge from human AAL2 run completion to protected proof.
The bridge validates candidate post-run metadata, generates a preview hash, and keeps buyer proof blocked until the same no-secret metadata is persisted through the protected workspace and cleared by Proof Promotion plus Buyer Proof Release.
Boundary
The bridge validates readiness; it does not become the retained proof system.
SCRIMED QA Completion Bridge validates no-secret candidate metadata after a human AAL2 synthetic QA run and before protected persistence. It does not execute passkey ceremonies, mint or store tokens, persist evidence, store PHI, authorize live clinical care, certify security or compliance, guarantee reimbursement, approve production connectors, or allow buyer proof promotion before protected packet hashes are visible.
Completion checkpoints
Each transition from run output to buyer proof has a pass signal and a fail-closed condition.
Human AAL2 workflow run
One explicit synthetic workflow run ID, run URL, timestamp, target ID, created object UUID, and packet audit event UUID.
- Pass: The candidate payload references exactly one completed human-run synthetic workflow.
- Fail closed: The run did not happen, was scheduled/unattended, used a broad target, or references regulated data.
No-secret candidate validation
Safe metadata only, accepted attestations, valid GitHub Actions or SCRIMED Run Control URL, ISO timestamp, and UUID evidence object IDs.
- Pass: The public bridge returns ready-for-protected-persistence and a packet preview SHA-256.
- Fail closed: The payload contains bearer/JWT-like material, PHI, payer member data, credentials, invalid attestations, or unsupported workflow kind.
Protected packet persistence
AAL2 protected workspace session and POST to the tenant-scoped manual QA evidence route.
- Pass: The protected workspace returns a retained packet hash and append-only audit event.
- Fail closed: The operator lacks AAL2 governance authorization or the protected write rejects the payload.
Proof Promotion decision
Visible retained packet SHA-256, workflow run ID, audit event reference, and blocked production claims.
- Pass: Proof Promotion moves buyer language from activation-ready to retained no-secret QA evidence.
- Fail closed: Buyer material claims authenticated proof before protected packet hash visibility.
Clinical and production authority
Separate signed customer/legal/security/privacy/clinical/regional/reimbursement/connector approvals.
- Pass: Authority remains explicitly blocked unless external approvals exist.
- Fail closed: Anyone treats QA completion evidence as PHI, live-care, payer, connector, security-certification, or reimbursement authorization.
No-secret payload examples
Operators can validate the post-run candidate before protected persistence.
These examples are shape references only. Replace IDs after the human AAL2 workflow completes, then POST the candidate to /api/qa-evidence/completion-bridge. The bridge never accepts tokens, PHI, payer data, approvals, reports, or production credentials.
Candidate payload
{
"workflowKind": "sales-demo-session-qa",
"workflowRunId": "1234567890",
"workflowRunUrl": "https://github.com/temitayodahunsi777/scrimed-site/actions/runs/1234567890",
"executedAt": "2026-07-16T03:50:20.626Z",
"baseUrl": "https://app.scrimedsolutions.com",
"intakeId": "synthetic-intake-001",
"createdSessionId": "11111111-1111-4111-8111-111111111111",
"packetAuditEventId": "22222222-2222-4222-8222-222222222222",
"evidenceTargetLabel": "Target intake ID",
"evidenceObjectLabel": "Created session ID",
"packetAuditEventLabel": "Packet audit event ID",
"evidenceRoute": "/api/sales-operations/qa/buyer-demo-sessions",
"packetRoute": "/api/sales-operations/opportunities/{intakeId}/demo-sessions/{sessionId}/packet",
"operatorRunbook": "/docs/operator-token-rotation.md",
"qaOutcome": "pass",
"operatorAttestation": "no-secrets-no-phi-aal2-human-run",
"tokenDisposalAttestation": "temporary-token-deleted-or-rotated",
"dataBoundary": "synthetic-business-workflow-only"
}Candidate payload
{
"workflowKind": "authority-reference-qa",
"workflowRunId": "1234567890",
"workflowRunUrl": "https://github.com/temitayodahunsi777/scrimed-site/actions/runs/1234567890",
"executedAt": "2026-07-16T03:50:20.626Z",
"baseUrl": "https://app.scrimedsolutions.com",
"intakeId": "atlas-synthetic-evaluation",
"createdSessionId": "11111111-1111-4111-8111-111111111111",
"packetAuditEventId": "22222222-2222-4222-8222-222222222222",
"evidenceTargetLabel": "Workspace target",
"evidenceObjectLabel": "Created authority reference ID",
"packetAuditEventLabel": "Authority packet audit event ID",
"evidenceRoute": "/api/pilot-workspaces/{workspaceSlug}/authority-artifact-references",
"packetRoute": "/api/pilot-workspaces/{workspaceSlug}/authority-artifact-references/packet",
"operatorRunbook": "/docs/protected-authority-artifact-references.md",
"qaOutcome": "pass",
"operatorAttestation": "no-secrets-no-phi-aal2-human-run",
"tokenDisposalAttestation": "temporary-token-deleted-or-rotated",
"dataBoundary": "synthetic-business-workflow-only"
}Blocked claims