Manual AAL2 QA Execution Readiness
SCRIMED is ready for a human-run AAL2 QA workflow without storing secrets or crossing clinical boundaries.
This layer converts the remaining authenticated QA boundary into an operator go/no-go path: human session, explicit synthetic target, token preflight, manual workflow dispatch, secret disposal, no-secret evidence persistence, and Buyer Diligence export.
Boundary
Ready for human execution does not mean authenticated proof has been retained.
SCRIMED Manual AAL2 QA Execution Readiness coordinates human-run authenticated synthetic QA. It does not mint bearer tokens, execute passkey ceremonies, store secrets, run unattended authenticated CI, process PHI, authorize clinical care, certify compliance, grant reimbursement certainty, approve production connectors, or claim authenticated proof before retained no-secret evidence exists.
Dispatch workflows
Each workflow has a target input, preflight, temporary secret, accepted evidence fields, and hard stops.
Sales Demo Session QA activation
Adds tenant-scoped evidence that SCRIMED can create and audit a governed synthetic buyer demo session under human AAL2 control.
- Target: intake_id
- Preflight: scripts/sales-demo-session-qa-token-preflight.mjs
- Smoke: scripts/sales-demo-session-qa-smoke.mjs
- Temporary secret: SCRIMED_SALES_QA_BEARER_TOKEN
- Safe fields: workflowKind=sales-demo-session-qa, workflowRunId, workflowRunUrl, executedAt, baseUrl, intakeId, createdSessionId, packetAuditEventId, packetSha256 after protected persistence
Authority Reference QA activation
Adds tenant-scoped evidence that SCRIMED can record and audit no-PHI authority-reference readiness metadata under human AAL2 control.
- Target: workspace_slug
- Preflight: scripts/authority-artifact-reference-qa-token-preflight.mjs
- Smoke: scripts/authority-artifact-reference-qa-smoke.mjs
- Temporary secret: SCRIMED_BEARER_TOKEN
- Safe fields: workflowKind=authority-reference-qa, workflowRunId, workflowRunUrl, executedAt, baseUrl, workspace slug as intakeId, created authority reference UUID as createdSessionId, authority packet audit event UUID as packetAuditEventId, packetSha256 after protected persistence
Run-control bridge
The next operator step is controlled dispatch, not a code bypass.
SCRIMED Manual AAL2 QA Run Control creates a no-secret operator mission-control layer for human-run synthetic QA. It does not execute AAL2 ceremonies, mint tokens, store credentials, run unattended authenticated CI, process PHI, authorize clinical care, certify security or compliance, guarantee reimbursement, approve production connectors, or claim retained authenticated proof before protected no-secret evidence is persisted.
Fresh human AAL2 session
Operator confirms AAL2 session and scoped role in the protected workspace.
No AAL2 session, stale session, ambiguous role, or shared account.Synthetic target selected
Exactly one synthetic intake ID or workspace slug is selected before dispatch.
Target is missing, broad, production-linked, or contains regulated data.Short-lived token preflight
Preflight passes with AAL2, session_id, expiry, and minimum remaining lifetime checks.
Weak token shape, missing AAL2, missing session, expired token, or excessive lifetime.Manual workflow dispatch
Manual GitHub workflow passes against the explicit synthetic target.
Workflow is scheduled, target is implicit, or authenticated path is optional.Execution stages
The path is intentionally human-run, narrow, auditable, and synthetic-only.
1. Human AAL2 session
Open the protected workspace in a fresh browser session and confirm AAL2 governance before minting any short-lived token.
- Accepted: operator role, workspace slug, AAL2 session timestamp
- Rejected: bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, production credentials, clinical records
- This confirms operator context only; it is not clinical, legal, security, reimbursement, or production authorization.
2. Explicit synthetic target
Select exactly one synthetic Sales Operations intake ID or protected workspace slug before dispatch.
- Accepted: workflow kind, intake ID or workspace slug, base URL
- Rejected: bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, production credentials, clinical records
- Targets must remain synthetic or no-PHI metadata-only. No patient, payer member, EHR, source contract, or production connector target is allowed.
3. Token preflight
Run the workflow preflight so weak token shape, expiry, missing AAL2, missing session, or wrong target fails before authenticated requests.
- Accepted: preflight pass/fail, token lifetime policy status, target confirmation
- Rejected: bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, production credentials, clinical records
- Preflight is only a local safety gate. Protected SCRIMED APIs and Supabase Auth remain the verification authority.
4. Authenticated smoke
Dispatch the manual workflow and allow it to create only synthetic/no-PHI metadata under the short-lived AAL2 session.
- Accepted: workflow run ID, workflow run URL, created synthetic object ID, packet audit event ID
- Rejected: bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, production credentials, clinical records
- A passing authenticated smoke proves the synthetic protected route only. It does not authorize live care or PHI workflows.
5. Secret disposal
Delete or rotate the temporary masked GitHub secret immediately after workflow completion.
- Accepted: token disposal attestation, temporary secret name, disposal timestamp
- Rejected: bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, production credentials, clinical records
- The token itself is never evidence and must never be copied into SCRIMED, source control, docs, logs, packets, or runtime configuration.
6. No-secret packet and protected persistence
Generate the no-secret manual QA packet, persist safe metadata through the protected workspace, and verify packet hash visibility.
- Accepted: packet SHA-256, append-only audit event, safe metadata fields, operator attestations
- Rejected: bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, production credentials, clinical records
- Persistence requires AAL2 tenant authorization and stores only synthetic business workflow metadata.
7. Buyer diligence export
Export Buyer Diligence only after retained packet hashes and audit evidence are visible.
- Accepted: Buyer Diligence export timestamp, manual QA packet hash, audit trail reference
- Rejected: bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, production credentials, clinical records
- Buyer export can claim retained manual QA evidence only after safe metadata is persisted.
Hard stops
These rules prevent the execution process from becoming a secret, PHI, or false-proof path.
Hard stop
Do not run authenticated QA without a fresh human AAL2 session.
Review boundary registerHard stop
Do not store long-lived tokens in GitHub, Vercel, source, docs, packets, logs, or runtime config.
Review boundary registerHard stop
Do not target PHI, payer member data, medical records, source contracts, production connectors, or live patient workflows.
Review boundary registerHard stop
Do not claim authenticated QA evidence until no-secret packet metadata is persisted and visible in Buyer Pilot Room.
Review boundary registerHard stop
Do not use this readiness layer as legal, security, clinical, reimbursement, or production authorization.
Review boundary registerBuyer diligence sequence