QA Evidence

Manual AAL2 QA Run Control

SCRIMED now has a no-secret mission-control layer for the first human AAL2 QA run.

Run Control translates execution readiness into workflow-specific dispatch inputs, preflight commands, smoke commands, safe evidence templates, abort conditions, and buyer-proof promotion rules while keeping clinical, PHI, security, reimbursement, and production authority blocked.

Statusmanual-aal2-qa-run-control-ready
Decisionoperator-control-ready-human-aal2-required
Claim statusoperator-brief-ready-not-retained-authenticated-proof
Workflows2
Gates7
Hard stops1
Commands4
Rejected fields16

Boundary

Operator-ready does not mean authenticated proof has been created or retained.

SCRIMED Manual AAL2 QA Run Control creates a no-secret operator mission-control layer for human-run synthetic QA. It does not execute AAL2 ceremonies, mint tokens, store credentials, run unattended authenticated CI, process PHI, authorize clinical care, certify security or compliance, guarantee reimbursement, approve production connectors, or claim retained authenticated proof before protected no-secret evidence is persisted.

01Allowed now: SCRIMED has operator-ready AAL2 QA run-control briefs and workflow-specific safe evidence templates.
02Allowed now: SCRIMED can tell an operator exactly what to run, what to copy, what to reject, and when buyer proof can be promoted.
03Not allowed yet: SCRIMED has retained authenticated AAL2 QA proof for these workflows.
04Not allowed yet: SCRIMED is authorized for live clinical care, PHI processing, payer submission, production connectors, security certification, reimbursement certainty, or regional clinical deployment.

Run gates

Every run has explicit pass signals, fail signals, owners, and retained boundaries.

required-before-run

Fresh human AAL2 session

AAL2 confirms operator context only; it is not clinical, legal, security, or reimbursement authority.

Tenant-admin or pilot-lead operator
  • Pass: Operator confirms AAL2 session and scoped role in the protected workspace.
  • Fail: No AAL2 session, stale session, ambiguous role, or shared account.
required-before-run

Synthetic target selected

Targets must remain synthetic business workflow metadata.

Workflow owner
  • Pass: Exactly one synthetic intake ID or workspace slug is selected before dispatch.
  • Fail: Target is missing, broad, production-linked, or contains regulated data.
required-before-run

Short-lived token preflight

Preflight is not signature verification; protected APIs remain the authority.

Release engineering
  • Pass: Preflight passes with AAL2, session_id, expiry, and minimum remaining lifetime checks.
  • Fail: Weak token shape, missing AAL2, missing session, expired token, or excessive lifetime.
required-during-run

Manual workflow dispatch

Passing smoke proves only the synthetic protected route under review-gated conditions.

Human operator
  • Pass: Manual GitHub workflow passes against the explicit synthetic target.
  • Fail: Workflow is scheduled, target is implicit, or authenticated path is optional.
required-after-run

Secret disposal

The token is never evidence and must not be retained.

Security owner and human operator
  • Pass: Temporary masked secret is deleted or rotated immediately after completion.
  • Fail: Token remains in GitHub, Vercel, source, docs, logs, packets, screenshots, or chat.
required-after-run

No-secret packet persistence

Retained proof is limited to synthetic workflow metadata and packet hash.

Tenant governance operator
  • Pass: Only safe metadata is persisted through the protected Manual QA Evidence route.
  • Fail: Packet contains secrets, PHI, approvals, reports, clinical records, or unsupported identifiers.
hard-stop

Buyer proof promotion

Buyer proof can reference retained QA evidence only after protected persistence.

Sales engineering and trust reviewer
  • Pass: Buyer Diligence is exported after packet hash and audit event are visible.
  • Fail: Buyer material claims authenticated proof before no-secret metadata is persisted.

Workflow controls

Each workflow gives operators the exact no-secret fields needed before, during, and after the run.

ready-for-operator-control-human-aal2-required

Sales Demo Session QA activation

Do not promote this workflow into Buyer Diligence until the protected workspace shows a retained packet SHA-256 and append-only audit event.

Dispatch

.github/workflows/sales-demo-session-qa-smoke.yml

{
  "base_url": "https://app.scrimedsolutions.com",
  "intake_id": "<synthetic-sales-opportunity-intake-id>",
  "require_authenticated_path": true
}
Preflight

SCRIMED_SALES_QA_BEARER_TOKEN

SCRIMED_REQUIRE_SALES_QA=1 SCRIMED_SALES_QA_INTAKE_ID=<synthetic-intake-id> SCRIMED_SALES_QA_BEARER_TOKEN=<short-lived-aal2-token> node scripts/sales-demo-session-qa-token-preflight.mjs
Smoke

/api/qa-evidence/manual-run-packet

SCRIMED_REQUIRE_SALES_QA=1 SCRIMED_BASE_URL=https://app.scrimedsolutions.com SCRIMED_SALES_QA_INTAKE_ID=<synthetic-intake-id> SCRIMED_SALES_QA_BEARER_TOKEN=<short-lived-aal2-token> node scripts/sales-demo-session-qa-smoke.mjs
Evidence template

sales-demo-session-qa

{
  "workflowKind": "sales-demo-session-qa",
  "workflowRunId": "<numeric-scrimed-manual-run-id>",
  "workflowRunUrl": "https://app.scrimedsolutions.com/qa-run-control?runId=<numeric-scrimed-manual-run-id>",
  "executedAt": "<iso-8601-run-timestamp>",
  "baseUrl": "https://app.scrimedsolutions.com",
  "intakeId": "<synthetic-sales-opportunity-intake-id>",
  "createdSessionId": "<created-demo-session-uuid>",
  "packetAuditEventId": "<demo-session-packet-audit-event-uuid>",
  "qaOutcome": "pass",
  "operatorAttestation": "no-secrets-no-phi-aal2-human-run",
  "tokenDisposalAttestation": "temporary-token-deleted-or-rotated",
  "dataBoundary": "synthetic-business-workflow-only"
}
Operator sequence

9 steps

  • Open the protected workspace in a fresh browser session and confirm AAL2 posture.
  • Use one explicit synthetic Sales Operations intake ID as the target.
  • Create a temporary masked GitHub Actions secret for the short-lived AAL2 token.
  • Dispatch the manual workflow with require_authenticated_path=true.
  • Verify preflight passed before the authenticated smoke runs.
  • Copy only the workflow run ID, run URL, created safe object ID, packet audit event ID, and timestamp.
  • Delete or rotate the temporary secret immediately after the workflow completes.
  • Persist the safe metadata through /pilot-workspace/access -> Manual QA Evidence.
  • Export Buyer Diligence only after the packet hash and audit event are visible.
Abort if

7 hard stops

  • No fresh human AAL2 session is available.
  • The target is not synthetic or metadata-only.
  • The token preflight fails or the token lifetime is too long.
  • The workflow requires a long-lived or committed credential.
  • Any evidence field contains a token, credential, PHI, patient identifier, payer member identifier, artifact URL, legal approval, security report, reimbursement determination, or production clinical record.
  • The operator cannot delete or rotate the temporary secret after the run.
  • Buyer Diligence is requested before no-secret evidence metadata is retained.
ready-for-operator-control-human-aal2-required

Authority Reference QA activation

Do not promote this workflow into Buyer Diligence until the protected workspace shows a retained packet SHA-256 and append-only audit event.

Dispatch

.github/workflows/authority-reference-qa-smoke.yml

{
  "base_url": "https://app.scrimedsolutions.com",
  "workspace_slug": "atlas-synthetic-evaluation",
  "require_authenticated_path": true
}
Preflight

SCRIMED_BEARER_TOKEN

SCRIMED_REQUIRE_AUTHORITY_REFERENCE_QA=1 SCRIMED_WORKSPACE_SLUG=<synthetic-workspace-slug> SCRIMED_BEARER_TOKEN=<short-lived-aal2-token> node scripts/authority-artifact-reference-qa-token-preflight.mjs
Smoke

/api/qa-evidence/manual-run-packet

SCRIMED_REQUIRE_AUTHORITY_REFERENCE_QA=1 SCRIMED_BASE_URL=https://app.scrimedsolutions.com SCRIMED_WORKSPACE_SLUG=<synthetic-workspace-slug> SCRIMED_BEARER_TOKEN=<short-lived-aal2-token> node scripts/authority-artifact-reference-qa-smoke.mjs
Evidence template

authority-reference-qa

{
  "workflowKind": "authority-reference-qa",
  "workflowRunId": "<numeric-scrimed-manual-run-id>",
  "workflowRunUrl": "https://app.scrimedsolutions.com/qa-run-control?runId=<numeric-scrimed-manual-run-id>",
  "executedAt": "<iso-8601-run-timestamp>",
  "baseUrl": "https://app.scrimedsolutions.com",
  "intakeId": "atlas-synthetic-evaluation",
  "createdSessionId": "<created-authority-reference-uuid>",
  "packetAuditEventId": "<authority-reference-packet-audit-event-uuid>",
  "qaOutcome": "pass",
  "operatorAttestation": "no-secrets-no-phi-aal2-human-run",
  "tokenDisposalAttestation": "temporary-token-deleted-or-rotated",
  "dataBoundary": "synthetic-business-workflow-only"
}
Operator sequence

9 steps

  • Open the protected workspace in a fresh browser session and confirm AAL2 posture.
  • Use the protected synthetic workspace slug as the explicit target.
  • Create a temporary masked GitHub Actions secret for the short-lived AAL2 token.
  • Dispatch the manual workflow with require_authenticated_path=true.
  • Verify preflight passed before the authenticated smoke runs.
  • Copy only the workflow run ID, run URL, created safe object ID, packet audit event ID, and timestamp.
  • Delete or rotate the temporary secret immediately after the workflow completes.
  • Persist the safe metadata through /pilot-workspace/access -> Manual QA Evidence.
  • Export Buyer Diligence only after the packet hash and audit event are visible.
Abort if

7 hard stops

  • No fresh human AAL2 session is available.
  • The target is not synthetic or metadata-only.
  • The token preflight fails or the token lifetime is too long.
  • The workflow requires a long-lived or committed credential.
  • Any evidence field contains a token, credential, PHI, patient identifier, payer member identifier, artifact URL, legal approval, security report, reimbursement determination, or production clinical record.
  • The operator cannot delete or rotate the temporary secret after the run.
  • Buyer Diligence is requested before no-secret evidence metadata is retained.

Operator packet path

Use these brief routes before touching a short-lived AAL2 token.

01/api/qa-evidence/run-control/brief
02/api/qa-evidence/execution-readiness/brief
03/api/qa-evidence/activation-plan/brief