Manual AAL2 QA Run Control
SCRIMED now has a no-secret mission-control layer for the first human AAL2 QA run.
Run Control translates execution readiness into workflow-specific dispatch inputs, preflight commands, smoke commands, safe evidence templates, abort conditions, and buyer-proof promotion rules while keeping clinical, PHI, security, reimbursement, and production authority blocked.
Boundary
Operator-ready does not mean authenticated proof has been created or retained.
SCRIMED Manual AAL2 QA Run Control creates a no-secret operator mission-control layer for human-run synthetic QA. It does not execute AAL2 ceremonies, mint tokens, store credentials, run unattended authenticated CI, process PHI, authorize clinical care, certify security or compliance, guarantee reimbursement, approve production connectors, or claim retained authenticated proof before protected no-secret evidence is persisted.
Run gates
Every run has explicit pass signals, fail signals, owners, and retained boundaries.
Fresh human AAL2 session
AAL2 confirms operator context only; it is not clinical, legal, security, or reimbursement authority.
- Pass: Operator confirms AAL2 session and scoped role in the protected workspace.
- Fail: No AAL2 session, stale session, ambiguous role, or shared account.
Synthetic target selected
Targets must remain synthetic business workflow metadata.
- Pass: Exactly one synthetic intake ID or workspace slug is selected before dispatch.
- Fail: Target is missing, broad, production-linked, or contains regulated data.
Short-lived token preflight
Preflight is not signature verification; protected APIs remain the authority.
- Pass: Preflight passes with AAL2, session_id, expiry, and minimum remaining lifetime checks.
- Fail: Weak token shape, missing AAL2, missing session, expired token, or excessive lifetime.
Manual workflow dispatch
Passing smoke proves only the synthetic protected route under review-gated conditions.
- Pass: Manual GitHub workflow passes against the explicit synthetic target.
- Fail: Workflow is scheduled, target is implicit, or authenticated path is optional.
Secret disposal
The token is never evidence and must not be retained.
- Pass: Temporary masked secret is deleted or rotated immediately after completion.
- Fail: Token remains in GitHub, Vercel, source, docs, logs, packets, screenshots, or chat.
No-secret packet persistence
Retained proof is limited to synthetic workflow metadata and packet hash.
- Pass: Only safe metadata is persisted through the protected Manual QA Evidence route.
- Fail: Packet contains secrets, PHI, approvals, reports, clinical records, or unsupported identifiers.
Buyer proof promotion
Buyer proof can reference retained QA evidence only after protected persistence.
- Pass: Buyer Diligence is exported after packet hash and audit event are visible.
- Fail: Buyer material claims authenticated proof before no-secret metadata is persisted.
Workflow controls
Each workflow gives operators the exact no-secret fields needed before, during, and after the run.
Sales Demo Session QA activation
Do not promote this workflow into Buyer Diligence until the protected workspace shows a retained packet SHA-256 and append-only audit event.
.github/workflows/sales-demo-session-qa-smoke.yml
{
"base_url": "https://app.scrimedsolutions.com",
"intake_id": "<synthetic-sales-opportunity-intake-id>",
"require_authenticated_path": true
}SCRIMED_SALES_QA_BEARER_TOKEN
SCRIMED_REQUIRE_SALES_QA=1 SCRIMED_SALES_QA_INTAKE_ID=<synthetic-intake-id> SCRIMED_SALES_QA_BEARER_TOKEN=<short-lived-aal2-token> node scripts/sales-demo-session-qa-token-preflight.mjs
/api/qa-evidence/manual-run-packet
SCRIMED_REQUIRE_SALES_QA=1 SCRIMED_BASE_URL=https://app.scrimedsolutions.com SCRIMED_SALES_QA_INTAKE_ID=<synthetic-intake-id> SCRIMED_SALES_QA_BEARER_TOKEN=<short-lived-aal2-token> node scripts/sales-demo-session-qa-smoke.mjs
sales-demo-session-qa
{
"workflowKind": "sales-demo-session-qa",
"workflowRunId": "<numeric-scrimed-manual-run-id>",
"workflowRunUrl": "https://app.scrimedsolutions.com/qa-run-control?runId=<numeric-scrimed-manual-run-id>",
"executedAt": "<iso-8601-run-timestamp>",
"baseUrl": "https://app.scrimedsolutions.com",
"intakeId": "<synthetic-sales-opportunity-intake-id>",
"createdSessionId": "<created-demo-session-uuid>",
"packetAuditEventId": "<demo-session-packet-audit-event-uuid>",
"qaOutcome": "pass",
"operatorAttestation": "no-secrets-no-phi-aal2-human-run",
"tokenDisposalAttestation": "temporary-token-deleted-or-rotated",
"dataBoundary": "synthetic-business-workflow-only"
}9 steps
- Open the protected workspace in a fresh browser session and confirm AAL2 posture.
- Use one explicit synthetic Sales Operations intake ID as the target.
- Create a temporary masked GitHub Actions secret for the short-lived AAL2 token.
- Dispatch the manual workflow with require_authenticated_path=true.
- Verify preflight passed before the authenticated smoke runs.
- Copy only the workflow run ID, run URL, created safe object ID, packet audit event ID, and timestamp.
- Delete or rotate the temporary secret immediately after the workflow completes.
- Persist the safe metadata through /pilot-workspace/access -> Manual QA Evidence.
- Export Buyer Diligence only after the packet hash and audit event are visible.
7 hard stops
- No fresh human AAL2 session is available.
- The target is not synthetic or metadata-only.
- The token preflight fails or the token lifetime is too long.
- The workflow requires a long-lived or committed credential.
- Any evidence field contains a token, credential, PHI, patient identifier, payer member identifier, artifact URL, legal approval, security report, reimbursement determination, or production clinical record.
- The operator cannot delete or rotate the temporary secret after the run.
- Buyer Diligence is requested before no-secret evidence metadata is retained.
Authority Reference QA activation
Do not promote this workflow into Buyer Diligence until the protected workspace shows a retained packet SHA-256 and append-only audit event.
.github/workflows/authority-reference-qa-smoke.yml
{
"base_url": "https://app.scrimedsolutions.com",
"workspace_slug": "atlas-synthetic-evaluation",
"require_authenticated_path": true
}SCRIMED_BEARER_TOKEN
SCRIMED_REQUIRE_AUTHORITY_REFERENCE_QA=1 SCRIMED_WORKSPACE_SLUG=<synthetic-workspace-slug> SCRIMED_BEARER_TOKEN=<short-lived-aal2-token> node scripts/authority-artifact-reference-qa-token-preflight.mjs
/api/qa-evidence/manual-run-packet
SCRIMED_REQUIRE_AUTHORITY_REFERENCE_QA=1 SCRIMED_BASE_URL=https://app.scrimedsolutions.com SCRIMED_WORKSPACE_SLUG=<synthetic-workspace-slug> SCRIMED_BEARER_TOKEN=<short-lived-aal2-token> node scripts/authority-artifact-reference-qa-smoke.mjs
authority-reference-qa
{
"workflowKind": "authority-reference-qa",
"workflowRunId": "<numeric-scrimed-manual-run-id>",
"workflowRunUrl": "https://app.scrimedsolutions.com/qa-run-control?runId=<numeric-scrimed-manual-run-id>",
"executedAt": "<iso-8601-run-timestamp>",
"baseUrl": "https://app.scrimedsolutions.com",
"intakeId": "atlas-synthetic-evaluation",
"createdSessionId": "<created-authority-reference-uuid>",
"packetAuditEventId": "<authority-reference-packet-audit-event-uuid>",
"qaOutcome": "pass",
"operatorAttestation": "no-secrets-no-phi-aal2-human-run",
"tokenDisposalAttestation": "temporary-token-deleted-or-rotated",
"dataBoundary": "synthetic-business-workflow-only"
}9 steps
- Open the protected workspace in a fresh browser session and confirm AAL2 posture.
- Use the protected synthetic workspace slug as the explicit target.
- Create a temporary masked GitHub Actions secret for the short-lived AAL2 token.
- Dispatch the manual workflow with require_authenticated_path=true.
- Verify preflight passed before the authenticated smoke runs.
- Copy only the workflow run ID, run URL, created safe object ID, packet audit event ID, and timestamp.
- Delete or rotate the temporary secret immediately after the workflow completes.
- Persist the safe metadata through /pilot-workspace/access -> Manual QA Evidence.
- Export Buyer Diligence only after the packet hash and audit event are visible.
7 hard stops
- No fresh human AAL2 session is available.
- The target is not synthetic or metadata-only.
- The token preflight fails or the token lifetime is too long.
- The workflow requires a long-lived or committed credential.
- Any evidence field contains a token, credential, PHI, patient identifier, payer member identifier, artifact URL, legal approval, security report, reimbursement determination, or production clinical record.
- The operator cannot delete or rotate the temporary secret after the run.
- Buyer Diligence is requested before no-secret evidence metadata is retained.
Operator packet path