Run Control

Manual AAL2 QA Launch Kit

SCRIMED now has a single no-secret launch packet for the first human AAL2 QA run.

The Launch Kit packages dispatch inputs, command templates, safe evidence fields, secret-disposal checks, packet persistence, and Proof Promotion into one operator handoff while keeping clinical, PHI, security, reimbursement, connector, and production authority blocked.

Statusmanual-aal2-qa-launch-kit-ready
Decisionready-for-human-launch-not-code-execution
Workflows2
Phases9
Hard stops1
Safe fields12
Blocked claims10
Proof statepending-retained-packet

Boundary

Operator-ready still means human-required, no-token-storage, and not-retained-proof.

SCRIMED Manual AAL2 QA Launch Kit packages the human-run workflow handoff for synthetic QA only. It does not execute passkey ceremonies, mint tokens, store credentials, store PHI, run unattended authenticated CI, certify security or compliance, authorize live clinical care, guarantee reimbursement, approve production connectors, or claim retained authenticated QA proof before protected no-secret packet hashes are visible.

01Allowed now: SCRIMED can hand an approved operator an exact no-secret launch packet.
02Allowed now: SCRIMED can predefine dispatch inputs, command templates, safe evidence fields, abort conditions, and post-run promotion checks.
03Not allowed yet: SCRIMED has completed the human AAL2 run or retained authenticated QA proof.
04Never allowed from this launch kit: clinical care authority, PHI processing authority, payer submission authority, security certification, reimbursement certainty, production connector approval, or autonomous clinical action.

Launch phases

Every phase has an owner, pass signal, and fail-closed condition.

prepare

Confirm human AAL2 session

Sign in through the protected pilot workspace and confirm the browser session is fresh, scoped, and AAL2-capable.

Tenant-admin or pilot-lead operator
  • Pass: The operator has an approved tenant role and current AAL2 browser session.
  • Fail closed: The session is stale, shared, missing AAL2, or scoped to the wrong tenant.
prepare

Select exactly one synthetic target

Choose one synthetic sales intake ID or one synthetic protected workspace slug before dispatch.

Workflow owner
  • Pass: The target is explicit, synthetic, and contains no PHI, payer member data, or production data.
  • Fail closed: The target is missing, broad, production-linked, or contains regulated data.
prepare

Create temporary masked workflow secret

Place the short-lived AAL2 token only in the manual GitHub Actions secret required for the selected workflow.

Security owner and operator
  • Pass: The token is short-lived, masked, workflow-specific, and never pasted into source, docs, chat, or packets.
  • Fail closed: The token is long-lived, copied into evidence, or stored anywhere outside the temporary secret path.
execute-human-run

Run preflight and dispatch

Run the workflow-specific preflight, then dispatch the manual workflow with require_authenticated_path=true.

Release engineering
  • Pass: Preflight passes and the manual workflow completes against the explicit synthetic target.
  • Fail closed: Preflight fails, authenticated path is optional, the target changes, or the workflow is scheduled.
retain-evidence

Copy safe metadata only

Copy only the workflow run ID, run URL, execution timestamp, synthetic target ID, created safe object UUID, and packet audit event UUID.

TrustOS and tenant governance
  • Pass: No token, credential, PHI, artifact URL, source contract, clinical record, or approval artifact enters SCRIMED evidence.
  • Fail closed: Any evidence field contains secret-like material or regulated identifiers.
retain-evidence

Delete or rotate temporary secret

Delete or rotate the temporary GitHub Actions secret immediately after the workflow completes.

Security owner and operator
  • Pass: Secret disposal attestation is true before packet generation or persistence.
  • Fail closed: The temporary token remains available after the run.
retain-evidence

Persist no-secret packet

Generate the no-secret packet, then persist the same metadata through the protected Manual QA Evidence panel.

Tenant governance operator
  • Pass: The protected workspace shows packet SHA-256 and append-only audit visibility.
  • Fail closed: Packet persistence is attempted without AAL2 tenant governance authorization.
promote-proof

Check Proof Promotion

Open Proof Promotion and confirm buyer-diligence-ready status before citing retained authenticated QA evidence.

Sales engineering and trust reviewer
  • Pass: Proof Promotion allows only retained packet metadata and blocked production claims remain visible.
  • Fail closed: Buyer material references retained authenticated QA proof before packet hash visibility.
hard-stop

Keep production authority blocked

Keep live clinical care, PHI, payer submission, production connector, reimbursement, security-certification, and compliance claims blocked.

Clinical, legal, security, privacy, and compliance owners
  • Pass: Buyer proof remains limited to governed synthetic QA evidence.
  • Fail closed: Any stakeholder attempts to convert retained QA proof into live-care or production authorization.

Workflow launch packets

Operators get exact dispatch inputs, command templates, and safe evidence payloads.

sales-demo-session-qa

Sales Demo Session QA activation

Do not promote this workflow into Buyer Diligence until the protected workspace shows a retained packet SHA-256 and append-only audit event.

Dispatch

.github/workflows/sales-demo-session-qa-smoke.yml

{
  "base_url": "https://app.scrimedsolutions.com",
  "intake_id": "<synthetic-sales-opportunity-intake-id>",
  "require_authenticated_path": true
}
Preflight

SCRIMED_SALES_QA_BEARER_TOKEN

SCRIMED_REQUIRE_SALES_QA=1 SCRIMED_SALES_QA_INTAKE_ID=<synthetic-intake-id> SCRIMED_SALES_QA_BEARER_TOKEN=<short-lived-aal2-token> node scripts/sales-demo-session-qa-token-preflight.mjs
Smoke

/api/qa-evidence/manual-run-packet

SCRIMED_REQUIRE_SALES_QA=1 SCRIMED_BASE_URL=https://app.scrimedsolutions.com SCRIMED_SALES_QA_INTAKE_ID=<synthetic-intake-id> SCRIMED_SALES_QA_BEARER_TOKEN=<short-lived-aal2-token> node scripts/sales-demo-session-qa-smoke.mjs
Safe packet

/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets

{
  "workflowKind": "sales-demo-session-qa",
  "workflowRunId": "<numeric-scrimed-manual-run-id>",
  "workflowRunUrl": "https://app.scrimedsolutions.com/qa-run-control?runId=<numeric-scrimed-manual-run-id>",
  "executedAt": "<iso-8601-run-timestamp>",
  "baseUrl": "https://app.scrimedsolutions.com",
  "intakeId": "<synthetic-sales-opportunity-intake-id>",
  "createdSessionId": "<created-demo-session-uuid>",
  "packetAuditEventId": "<demo-session-packet-audit-event-uuid>",
  "qaOutcome": "pass",
  "operatorAttestation": "no-secrets-no-phi-aal2-human-run",
  "tokenDisposalAttestation": "temporary-token-deleted-or-rotated",
  "dataBoundary": "synthetic-business-workflow-only"
}
Safe copy fields

12 fields

  • workflowKind
  • workflowRunId
  • workflowRunUrl
  • executedAt
  • baseUrl
  • intakeId or workspaceSlug
  • createdSessionId or created authority reference UUID
  • packetAuditEventId
  • qaOutcome=pass
  • operatorAttestation=no-secrets-no-phi-aal2-human-run
  • tokenDisposalAttestation=temporary-token-deleted-or-rotated
  • dataBoundary=synthetic-business-workflow-only
Abort if

7 hard stops

  • No fresh human AAL2 session is available.
  • The target is not synthetic or metadata-only.
  • The token preflight fails or the token lifetime is too long.
  • The workflow requires a long-lived or committed credential.
  • Any evidence field contains a token, credential, PHI, patient identifier, payer member identifier, artifact URL, legal approval, security report, reimbursement determination, or production clinical record.
  • The operator cannot delete or rotate the temporary secret after the run.
  • Buyer Diligence is requested before no-secret evidence metadata is retained.
authority-reference-qa

Authority Reference QA activation

Do not promote this workflow into Buyer Diligence until the protected workspace shows a retained packet SHA-256 and append-only audit event.

Dispatch

.github/workflows/authority-reference-qa-smoke.yml

{
  "base_url": "https://app.scrimedsolutions.com",
  "workspace_slug": "atlas-synthetic-evaluation",
  "require_authenticated_path": true
}
Preflight

SCRIMED_BEARER_TOKEN

SCRIMED_REQUIRE_AUTHORITY_REFERENCE_QA=1 SCRIMED_WORKSPACE_SLUG=<synthetic-workspace-slug> SCRIMED_BEARER_TOKEN=<short-lived-aal2-token> node scripts/authority-artifact-reference-qa-token-preflight.mjs
Smoke

/api/qa-evidence/manual-run-packet

SCRIMED_REQUIRE_AUTHORITY_REFERENCE_QA=1 SCRIMED_BASE_URL=https://app.scrimedsolutions.com SCRIMED_WORKSPACE_SLUG=<synthetic-workspace-slug> SCRIMED_BEARER_TOKEN=<short-lived-aal2-token> node scripts/authority-artifact-reference-qa-smoke.mjs
Safe packet

/api/pilot-workspaces/{workspaceSlug}/qa-evidence/manual-run-packets

{
  "workflowKind": "authority-reference-qa",
  "workflowRunId": "<numeric-scrimed-manual-run-id>",
  "workflowRunUrl": "https://app.scrimedsolutions.com/qa-run-control?runId=<numeric-scrimed-manual-run-id>",
  "executedAt": "<iso-8601-run-timestamp>",
  "baseUrl": "https://app.scrimedsolutions.com",
  "intakeId": "atlas-synthetic-evaluation",
  "createdSessionId": "<created-authority-reference-uuid>",
  "packetAuditEventId": "<authority-reference-packet-audit-event-uuid>",
  "qaOutcome": "pass",
  "operatorAttestation": "no-secrets-no-phi-aal2-human-run",
  "tokenDisposalAttestation": "temporary-token-deleted-or-rotated",
  "dataBoundary": "synthetic-business-workflow-only"
}
Safe copy fields

12 fields

  • workflowKind
  • workflowRunId
  • workflowRunUrl
  • executedAt
  • baseUrl
  • intakeId or workspaceSlug
  • createdSessionId or created authority reference UUID
  • packetAuditEventId
  • qaOutcome=pass
  • operatorAttestation=no-secrets-no-phi-aal2-human-run
  • tokenDisposalAttestation=temporary-token-deleted-or-rotated
  • dataBoundary=synthetic-business-workflow-only
Abort if

7 hard stops

  • No fresh human AAL2 session is available.
  • The target is not synthetic or metadata-only.
  • The token preflight fails or the token lifetime is too long.
  • The workflow requires a long-lived or committed credential.
  • Any evidence field contains a token, credential, PHI, patient identifier, payer member identifier, artifact URL, legal approval, security report, reimbursement determination, or production clinical record.
  • The operator cannot delete or rotate the temporary secret after the run.
  • Buyer Diligence is requested before no-secret evidence metadata is retained.

Blocked claims

The launch kit improves execution readiness; it does not create clinical or production authority.

01human AAL2 workflow completed by code
02bearer token retained as evidence
03authenticated QA proof retained before packet hash visibility
04PHI processed or validated
05live clinical care authorized
06security certification completed
07compliance certification completed
08reimbursement outcome guaranteed
09production connector approved
10autonomous diagnosis or treatment authorized