QA Evidence

Manual AAL2 QA Execution Readiness

SCRIMED is ready for a human-run AAL2 QA workflow without storing secrets or crossing clinical boundaries.

This layer converts the remaining authenticated QA boundary into an operator go/no-go path: human session, explicit synthetic target, token preflight, manual workflow dispatch, secret disposal, no-secret evidence persistence, and Buyer Diligence export.

Statusmanual-aal2-qa-execution-readiness-ready
Decisionready-for-human-run-not-code-bypass
Claim statusactivation-ready-not-retained-authenticated-proof
Workflows2
Stages7
Human gates2
Post-run gates3
Manual QA gates2

Boundary

Ready for human execution does not mean authenticated proof has been retained.

SCRIMED Manual AAL2 QA Execution Readiness coordinates human-run authenticated synthetic QA. It does not mint bearer tokens, execute passkey ceremonies, store secrets, run unattended authenticated CI, process PHI, authorize clinical care, certify compliance, grant reimbursement certainty, approve production connectors, or claim authenticated proof before retained no-secret evidence exists.

01Allowed now: SCRIMED has a controlled human-run AAL2 QA execution path.
02Allowed now: SCRIMED has no-secret packet generation and protected persistence contracts.
03Allowed now: public smoke verifies fail-closed protected routes and activation readiness.
04Not allowed yet: SCRIMED has retained authenticated AAL2 QA proof for these workflows.
05Not allowed yet: SCRIMED is authorized for live clinical care, PHI processing, payer submission, production connectors, security certification, or reimbursement certainty.

Dispatch workflows

Each workflow has a target input, preflight, temporary secret, accepted evidence fields, and hard stops.

ready-for-human-aal2-run-not-executed

Sales Demo Session QA activation

Adds tenant-scoped evidence that SCRIMED can create and audit a governed synthetic buyer demo session under human AAL2 control.

.github/workflows/sales-demo-session-qa-smoke.yml
  • Target: intake_id
  • Preflight: scripts/sales-demo-session-qa-token-preflight.mjs
  • Smoke: scripts/sales-demo-session-qa-smoke.mjs
  • Temporary secret: SCRIMED_SALES_QA_BEARER_TOKEN
  • Safe fields: workflowKind=sales-demo-session-qa, workflowRunId, workflowRunUrl, executedAt, baseUrl, intakeId, createdSessionId, packetAuditEventId, packetSha256 after protected persistence
ready-for-human-aal2-run-not-executed

Authority Reference QA activation

Adds tenant-scoped evidence that SCRIMED can record and audit no-PHI authority-reference readiness metadata under human AAL2 control.

.github/workflows/authority-reference-qa-smoke.yml
  • Target: workspace_slug
  • Preflight: scripts/authority-artifact-reference-qa-token-preflight.mjs
  • Smoke: scripts/authority-artifact-reference-qa-smoke.mjs
  • Temporary secret: SCRIMED_BEARER_TOKEN
  • Safe fields: workflowKind=authority-reference-qa, workflowRunId, workflowRunUrl, executedAt, baseUrl, workspace slug as intakeId, created authority reference UUID as createdSessionId, authority packet audit event UUID as packetAuditEventId, packetSha256 after protected persistence

Run-control bridge

The next operator step is controlled dispatch, not a code bypass.

SCRIMED Manual AAL2 QA Run Control creates a no-secret operator mission-control layer for human-run synthetic QA. It does not execute AAL2 ceremonies, mint tokens, store credentials, run unattended authenticated CI, process PHI, authorize clinical care, certify security or compliance, guarantee reimbursement, approve production connectors, or claim retained authenticated proof before protected no-secret evidence is persisted.

required-before-run

Fresh human AAL2 session

Operator confirms AAL2 session and scoped role in the protected workspace.

No AAL2 session, stale session, ambiguous role, or shared account.
required-before-run

Synthetic target selected

Exactly one synthetic intake ID or workspace slug is selected before dispatch.

Target is missing, broad, production-linked, or contains regulated data.
required-before-run

Short-lived token preflight

Preflight passes with AAL2, session_id, expiry, and minimum remaining lifetime checks.

Weak token shape, missing AAL2, missing session, expired token, or excessive lifetime.
required-during-run

Manual workflow dispatch

Manual GitHub workflow passes against the explicit synthetic target.

Workflow is scheduled, target is implicit, or authenticated path is optional.

Execution stages

The path is intentionally human-run, narrow, auditable, and synthetic-only.

human-required

1. Human AAL2 session

Open the protected workspace in a fresh browser session and confirm AAL2 governance before minting any short-lived token.

SCRIMED tenant-admin or pilot-lead operator
  • Accepted: operator role, workspace slug, AAL2 session timestamp
  • Rejected: bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, production credentials, clinical records
  • This confirms operator context only; it is not clinical, legal, security, reimbursement, or production authorization.
ready

2. Explicit synthetic target

Select exactly one synthetic Sales Operations intake ID or protected workspace slug before dispatch.

Release engineering and buyer-workflow owner
  • Accepted: workflow kind, intake ID or workspace slug, base URL
  • Rejected: bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, production credentials, clinical records
  • Targets must remain synthetic or no-PHI metadata-only. No patient, payer member, EHR, source contract, or production connector target is allowed.
human-required

3. Token preflight

Run the workflow preflight so weak token shape, expiry, missing AAL2, missing session, or wrong target fails before authenticated requests.

Release engineering
  • Accepted: preflight pass/fail, token lifetime policy status, target confirmation
  • Rejected: bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, production credentials, clinical records
  • Preflight is only a local safety gate. Protected SCRIMED APIs and Supabase Auth remain the verification authority.
blocked-until-run

4. Authenticated smoke

Dispatch the manual workflow and allow it to create only synthetic/no-PHI metadata under the short-lived AAL2 session.

Human operator
  • Accepted: workflow run ID, workflow run URL, created synthetic object ID, packet audit event ID
  • Rejected: bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, production credentials, clinical records
  • A passing authenticated smoke proves the synthetic protected route only. It does not authorize live care or PHI workflows.
post-run-required

5. Secret disposal

Delete or rotate the temporary masked GitHub secret immediately after workflow completion.

Human operator and security owner
  • Accepted: token disposal attestation, temporary secret name, disposal timestamp
  • Rejected: bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, production credentials, clinical records
  • The token itself is never evidence and must never be copied into SCRIMED, source control, docs, logs, packets, or runtime configuration.
post-run-required

6. No-secret packet and protected persistence

Generate the no-secret manual QA packet, persist safe metadata through the protected workspace, and verify packet hash visibility.

Tenant governance operator
  • Accepted: packet SHA-256, append-only audit event, safe metadata fields, operator attestations
  • Rejected: bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, production credentials, clinical records
  • Persistence requires AAL2 tenant authorization and stores only synthetic business workflow metadata.
post-run-required

7. Buyer diligence export

Export Buyer Diligence only after retained packet hashes and audit evidence are visible.

Sales engineering and trust reviewer
  • Accepted: Buyer Diligence export timestamp, manual QA packet hash, audit trail reference
  • Rejected: bearer tokens, refresh tokens, passwords, API keys, PHI, patient identifiers, payer member identifiers, artifact URLs, signed approvals, legal opinions, security reports, reimbursement determinations, production credentials, clinical records
  • Buyer export can claim retained manual QA evidence only after safe metadata is persisted.

Hard stops

These rules prevent the execution process from becoming a secret, PHI, or false-proof path.

02

Hard stop

Do not store long-lived tokens in GitHub, Vercel, source, docs, packets, logs, or runtime config.

Review boundary register
03

Hard stop

Do not target PHI, payer member data, medical records, source contracts, production connectors, or live patient workflows.

Review boundary register
04

Hard stop

Do not claim authenticated QA evidence until no-secret packet metadata is persisted and visible in Buyer Pilot Room.

Review boundary register
05

Hard stop

Do not use this readiness layer as legal, security, clinical, reimbursement, or production authorization.

Review boundary register

Buyer diligence sequence

Authenticated QA can appear in buyer proof only after safe packet metadata is retained.

01/api/qa-evidence/activation-plan/brief
02/qa-run-control
03/api/qa-evidence/manual-run-packet
04/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets
05/pilot-workspace/access#buyer-pilot-room
06/api/pilot-workspaces/{workspaceSlug}/buyer-room/packet