Manual AAL2 QA Launch Kit
SCRIMED now has a single no-secret launch packet for the first human AAL2 QA run.
The Launch Kit packages dispatch inputs, command templates, safe evidence fields, secret-disposal checks, packet persistence, and Proof Promotion into one operator handoff while keeping clinical, PHI, security, reimbursement, connector, and production authority blocked.
Boundary
Operator-ready still means human-required, no-token-storage, and not-retained-proof.
SCRIMED Manual AAL2 QA Launch Kit packages the human-run workflow handoff for synthetic QA only. It does not execute passkey ceremonies, mint tokens, store credentials, store PHI, run unattended authenticated CI, certify security or compliance, authorize live clinical care, guarantee reimbursement, approve production connectors, or claim retained authenticated QA proof before protected no-secret packet hashes are visible.
Launch phases
Every phase has an owner, pass signal, and fail-closed condition.
Confirm human AAL2 session
Sign in through the protected pilot workspace and confirm the browser session is fresh, scoped, and AAL2-capable.
- Pass: The operator has an approved tenant role and current AAL2 browser session.
- Fail closed: The session is stale, shared, missing AAL2, or scoped to the wrong tenant.
Select exactly one synthetic target
Choose one synthetic sales intake ID or one synthetic protected workspace slug before dispatch.
- Pass: The target is explicit, synthetic, and contains no PHI, payer member data, or production data.
- Fail closed: The target is missing, broad, production-linked, or contains regulated data.
Create temporary masked workflow secret
Place the short-lived AAL2 token only in the manual GitHub Actions secret required for the selected workflow.
- Pass: The token is short-lived, masked, workflow-specific, and never pasted into source, docs, chat, or packets.
- Fail closed: The token is long-lived, copied into evidence, or stored anywhere outside the temporary secret path.
Run preflight and dispatch
Run the workflow-specific preflight, then dispatch the manual workflow with require_authenticated_path=true.
- Pass: Preflight passes and the manual workflow completes against the explicit synthetic target.
- Fail closed: Preflight fails, authenticated path is optional, the target changes, or the workflow is scheduled.
Copy safe metadata only
Copy only the workflow run ID, run URL, execution timestamp, synthetic target ID, created safe object UUID, and packet audit event UUID.
- Pass: No token, credential, PHI, artifact URL, source contract, clinical record, or approval artifact enters SCRIMED evidence.
- Fail closed: Any evidence field contains secret-like material or regulated identifiers.
Delete or rotate temporary secret
Delete or rotate the temporary GitHub Actions secret immediately after the workflow completes.
- Pass: Secret disposal attestation is true before packet generation or persistence.
- Fail closed: The temporary token remains available after the run.
Persist no-secret packet
Generate the no-secret packet, then persist the same metadata through the protected Manual QA Evidence panel.
- Pass: The protected workspace shows packet SHA-256 and append-only audit visibility.
- Fail closed: Packet persistence is attempted without AAL2 tenant governance authorization.
Check Proof Promotion
Open Proof Promotion and confirm buyer-diligence-ready status before citing retained authenticated QA evidence.
- Pass: Proof Promotion allows only retained packet metadata and blocked production claims remain visible.
- Fail closed: Buyer material references retained authenticated QA proof before packet hash visibility.
Keep production authority blocked
Keep live clinical care, PHI, payer submission, production connector, reimbursement, security-certification, and compliance claims blocked.
- Pass: Buyer proof remains limited to governed synthetic QA evidence.
- Fail closed: Any stakeholder attempts to convert retained QA proof into live-care or production authorization.
Workflow launch packets
Operators get exact dispatch inputs, command templates, and safe evidence payloads.
Sales Demo Session QA activation
Do not promote this workflow into Buyer Diligence until the protected workspace shows a retained packet SHA-256 and append-only audit event.
.github/workflows/sales-demo-session-qa-smoke.yml
{
"base_url": "https://app.scrimedsolutions.com",
"intake_id": "<synthetic-sales-opportunity-intake-id>",
"require_authenticated_path": true
}SCRIMED_SALES_QA_BEARER_TOKEN
SCRIMED_REQUIRE_SALES_QA=1 SCRIMED_SALES_QA_INTAKE_ID=<synthetic-intake-id> SCRIMED_SALES_QA_BEARER_TOKEN=<short-lived-aal2-token> node scripts/sales-demo-session-qa-token-preflight.mjs
/api/qa-evidence/manual-run-packet
SCRIMED_REQUIRE_SALES_QA=1 SCRIMED_BASE_URL=https://app.scrimedsolutions.com SCRIMED_SALES_QA_INTAKE_ID=<synthetic-intake-id> SCRIMED_SALES_QA_BEARER_TOKEN=<short-lived-aal2-token> node scripts/sales-demo-session-qa-smoke.mjs
/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets
{
"workflowKind": "sales-demo-session-qa",
"workflowRunId": "<numeric-scrimed-manual-run-id>",
"workflowRunUrl": "https://app.scrimedsolutions.com/qa-run-control?runId=<numeric-scrimed-manual-run-id>",
"executedAt": "<iso-8601-run-timestamp>",
"baseUrl": "https://app.scrimedsolutions.com",
"intakeId": "<synthetic-sales-opportunity-intake-id>",
"createdSessionId": "<created-demo-session-uuid>",
"packetAuditEventId": "<demo-session-packet-audit-event-uuid>",
"qaOutcome": "pass",
"operatorAttestation": "no-secrets-no-phi-aal2-human-run",
"tokenDisposalAttestation": "temporary-token-deleted-or-rotated",
"dataBoundary": "synthetic-business-workflow-only"
}12 fields
- workflowKind
- workflowRunId
- workflowRunUrl
- executedAt
- baseUrl
- intakeId or workspaceSlug
- createdSessionId or created authority reference UUID
- packetAuditEventId
- qaOutcome=pass
- operatorAttestation=no-secrets-no-phi-aal2-human-run
- tokenDisposalAttestation=temporary-token-deleted-or-rotated
- dataBoundary=synthetic-business-workflow-only
7 hard stops
- No fresh human AAL2 session is available.
- The target is not synthetic or metadata-only.
- The token preflight fails or the token lifetime is too long.
- The workflow requires a long-lived or committed credential.
- Any evidence field contains a token, credential, PHI, patient identifier, payer member identifier, artifact URL, legal approval, security report, reimbursement determination, or production clinical record.
- The operator cannot delete or rotate the temporary secret after the run.
- Buyer Diligence is requested before no-secret evidence metadata is retained.
Authority Reference QA activation
Do not promote this workflow into Buyer Diligence until the protected workspace shows a retained packet SHA-256 and append-only audit event.
.github/workflows/authority-reference-qa-smoke.yml
{
"base_url": "https://app.scrimedsolutions.com",
"workspace_slug": "atlas-synthetic-evaluation",
"require_authenticated_path": true
}SCRIMED_BEARER_TOKEN
SCRIMED_REQUIRE_AUTHORITY_REFERENCE_QA=1 SCRIMED_WORKSPACE_SLUG=<synthetic-workspace-slug> SCRIMED_BEARER_TOKEN=<short-lived-aal2-token> node scripts/authority-artifact-reference-qa-token-preflight.mjs
/api/qa-evidence/manual-run-packet
SCRIMED_REQUIRE_AUTHORITY_REFERENCE_QA=1 SCRIMED_BASE_URL=https://app.scrimedsolutions.com SCRIMED_WORKSPACE_SLUG=<synthetic-workspace-slug> SCRIMED_BEARER_TOKEN=<short-lived-aal2-token> node scripts/authority-artifact-reference-qa-smoke.mjs
/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets
{
"workflowKind": "authority-reference-qa",
"workflowRunId": "<numeric-scrimed-manual-run-id>",
"workflowRunUrl": "https://app.scrimedsolutions.com/qa-run-control?runId=<numeric-scrimed-manual-run-id>",
"executedAt": "<iso-8601-run-timestamp>",
"baseUrl": "https://app.scrimedsolutions.com",
"intakeId": "atlas-synthetic-evaluation",
"createdSessionId": "<created-authority-reference-uuid>",
"packetAuditEventId": "<authority-reference-packet-audit-event-uuid>",
"qaOutcome": "pass",
"operatorAttestation": "no-secrets-no-phi-aal2-human-run",
"tokenDisposalAttestation": "temporary-token-deleted-or-rotated",
"dataBoundary": "synthetic-business-workflow-only"
}12 fields
- workflowKind
- workflowRunId
- workflowRunUrl
- executedAt
- baseUrl
- intakeId or workspaceSlug
- createdSessionId or created authority reference UUID
- packetAuditEventId
- qaOutcome=pass
- operatorAttestation=no-secrets-no-phi-aal2-human-run
- tokenDisposalAttestation=temporary-token-deleted-or-rotated
- dataBoundary=synthetic-business-workflow-only
7 hard stops
- No fresh human AAL2 session is available.
- The target is not synthetic or metadata-only.
- The token preflight fails or the token lifetime is too long.
- The workflow requires a long-lived or committed credential.
- Any evidence field contains a token, credential, PHI, patient identifier, payer member identifier, artifact URL, legal approval, security report, reimbursement determination, or production clinical record.
- The operator cannot delete or rotate the temporary secret after the run.
- Buyer Diligence is requested before no-secret evidence metadata is retained.
Blocked claims