R-TF-012-034 Software Test Description
Document Information
| Field | Value |
|---|---|
| Product / System | Legit.Health Plus |
| Release version | 1.1.0.0 |
| Commit SHA | 5f8549e02f3f362db8930906cf6dfdedf232119a |
| Test management system | TestRail — Project “Medical Device”, Suite “Master” |
| Prepared by | Gerardo Fernández Moreno (JD-007) |
| Date | 2026-01-02 |
| Reviewed/Approved by | Alejandro Carmena |
| Review/Approval date | 2026-01-10 |
Purpose
This document provides the controlled test case inventory (“what tests exist”) used to verify the software requirements for the release identified above.
This document is intentionally non-duplicative:
- The verification strategy, governance, execution rules, evidence expectations, environments, and retention are defined in R-TF-012-033 — Software Test Plan.
- The test specifications (preconditions, expected results, required evidence, requirement mapping, etc.) are maintained as controlled records in TestRail.
Scope
In scope for this Test Description:
- Automated Unit and Integration test suites maintained in the source code repository, providing low-level verification of software units and internal service interfaces.
- Verification test cases for Legit.Health Plus (all TestRail sections used for requirements verification).
- Commissioning (operational readiness) test cases executed for the deployed release, aligned with the commissioning records set (R-TF-029-001/002/003).
- Verification of container image integrity for images built directly on the production host, utilizing local Image IDs for traceability.
Out of scope:
- Test execution results (those are captured in TestRail runs and in the evidence pack).
- Defect reports (tracked separately as defined in the Test Plan).
- Intentional failure mode testing (e.g., downstream timeouts, partial expert failures), which is addressed in separate verification activities.
Terms and Definitions
- Test case: A controlled specification of verification steps and objective pass/fail criteria, including required evidence and requirement linkage.
- Test run: An execution instance of a selected set of test cases for a specific purpose and environment, producing execution results and evidence.
- Test plan (TestRail object): A container grouping multiple runs for the same {release_version} and environment, supporting a structured verification campaign.
- Commissioning: Operational readiness verification of the deployed release prior to enabling/confirming clinical use in the target environment, executed under controlled conditions and recorded in R-TF-029-00X.
- Audit Record: An immutable log entry in DynamoDB (table legit_health_plus_api_gateway_calls) containing a unique Request ID and execution timestamp used to prove clinical workflow traversal.
- Automated Test Suite: A collection of programmatic test scripts (Unit/Integration) executed within the development or CI environment to verify granular software logic and internal component communication.
Test Case Inventory and Control Method
Verification Test Cases (TestRail)
Authoritative source: The authoritative test specifications for system-level and commissioning verification are the TestRail test cases in Project "Medical Device".
Controlled inventory snapshot: For each release verification campaign, the test case inventory is captured as a controlled export (CSV) and stored alongside the Software Test Plan annexes and/or the release evidence pack. This document is considered complete only when its annexes (listed below) are stored together with it in the QMS record set.
Automated Test Suites (Source Repository)
Authoritative source: Unit and integration test cases are maintained as pytest test modules within each software component's tests/unit/ and tests/integration/ directories in the source code repository.
Software components under automated test:
| Component | Unit Tests | Integration Tests |
|---|---|---|
| api_gateway | ✓ | ✓ |
| control_plane | ✓ | ✓ |
| report_builder | ✓ | ✓ |
| orchestrator | ✓ | ✓ |
| condition_classifier | ✓ | ✓ |
| essentials | ✓ | — |
| expert_core | ✓ | ✓ |
Controlled inventory: The test case inventory for each release is established by the git commit under test. Test execution produces JUnit XML reports that enumerate all executed test cases, stored alongside coverage reports in the S3 evidence location referenced in R-TF-012-035.
Coverage statement
- Completeness of requirements coverage is demonstrated through the Traceability Matrix (Annex A) and its linkage to the TestRail test case identifiers and requirement IDs.
- Automated test suites provide additional depth of verification at the unit and integration level, complementing the requirements-based verification recorded in TestRail.
References
- R-TF-012-033 — Software Test Plan (verification strategy, governance, environments, evidence packs, retention).
- R-TF-029-001 Deployment and Configuration Commissioning Record
- R-TF-029-002 Functional and Interface Commissioning Record
- R-TF-029-003 Clinical Workflow and Operational Readiness Commissioning Record
- Test case inventory sources (controlled exports):
  - Annex A: Traceability matrix
  - Annex B: Verification Test Cases Export
  - Annex C: Commissioning Test Cases Export
Signature meaning
The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: Team members involved
- Reviewer: JD-003 Design & Development Manager, JD-004 Quality Manager & PRRC
- Approver: JD-001 General Manager
Annexes
Annex A: Traceability matrix
| SRS Id | SRS Name | Test Case Id | Test Case Title | Reviewer | Review Status | Test Case URL |
|---|---|---|---|---|---|---|
| SRS-7PJ | Network Service Exposure | C50 | Verify the API service accepts incoming HTTP requests on the designated network port | Gerardo Fernández | Approved | View |
| SRS-AQM | Standard HTTP Status Code Usage | C62 | Verify API returns 200 HTTP status codes for successful requests | Gerardo Fernández | Approved | View |
| SRS-BYJ | JSON Data Interchange Format | C68 | Verify API processes JSON requests and returns JSON responses with correct Content-Type headers | Gerardo Fernández | Approved | View |
| SRS-DW0 | User Authentication Endpoint Implementation | C77 | Verify successful user authentication and token generation via the POST /auth/login endpoint | Gerardo Fernández | Approved | View |
| SRS-D3N | Provision of Clinical Parameter Endpoints | C73 | Verify retrieval and filtering of clinical signs data via /clinical/severity-experts endpoint | Gerardo Fernández | Approved | View |
| SRS-LBS | URL-Based API Versioning | C106 | Verify API endpoints are accessible via URL paths prefixed with the major and minor version identifier | Gerardo Fernández | Approved | View |
| SRS-MZC | Request Body Size Limitation | C110 | Verify the API returns HTTP 413 when the request body exceeds the configured maximum size | Gerardo Fernández | Approved | View |
| SRS-Q9M | Clinical Signs Analysis Endpoint Implementation | C124 | Verify POST /clinical/severity-assessment returns quantified results for valid image and sign list | Gerardo Fernández | Approved | View |
| SRS-RXK | Diagnostic Support Endpoint Implementation | C128 | Verify the diagnosis-support endpoint accepts valid images and returns diagnostic analysis | Gerardo Fernández | Approved | View |
| SRS-ZQO | Concurrent API Version Support | C162 | Verify simultaneous availability and processing of requests across distinct API versions | Gerardo Fernández | Approved | View |
| SRS-ID7 | Input Data Validation | C330 | Verify API rejects malformed inputs with standardized 422 Unprocessable Entity responses | Gerardo Fernández | Approved | View |
| SRS-EH4 | Security-Safe Error Handling | C331 | Verify API returns sanitized error responses with appropriate HTTP status codes and no internal details | Gerardo Fernández | Approved | View |
| SRS-AQM | Standard HTTP Status Code Usage | C454 | Verify API returns 401 HTTP status codes for wrong login requests | Gerardo Fernández | Approved | View |
| SRS-AQM | Standard HTTP Status Code Usage | C455 | Verify API returns 422 HTTP status code when invalid data is submitted | Gerardo Fernández | Approved | View |
| SRS-GER | System Behavior on Internal Component Failure. | C456 | Verification of controlled 503 response and graceful degradation during downstream service failure. | Gerardo Fernández | Approved | View |
| SRS-6KE | API Health Check Endpoint | C169 | Verify health check endpoint returns unhealthy when some service is unavailable | Gerardo Fernández | Approved | View |
| SRS-6KE | API Health Check Endpoint | C46 | Verify the public health endpoint returns HTTP 200 and status OK when operational | Gerardo Fernández | Approved | View |
| SRS-BA6 | Display the legal information about this medical device | C66 | Verify retrieval of mandatory legal information, UDI, and regulatory metadata via API | Gerardo Fernández | Approved | View |
| SRS-Z24 | API Documentation Endpoint | C159 | Verify availability of OpenAPI specification and interactive documentation endpoints | Gerardo Fernández | Approved | View |
| SRS-Q3Q | Generate an aggregated ICD probability distribution from a set of images | C255 | Verify API returns aggregated ICD probability distribution with structured code details in studyAggregate array | Gerardo Fernández | Approved | View |
| SRS-0AB | Generate per-image ICD analysis with explainability heat map | C256 | Verify response includes per-image ICD probabilities and heat maps for the top five categories | Gerardo Fernández | Approved | View |
| SRS-58W | Include entropy score in report | C258 | Verify response includes normalized entropy score between 0 and 1 in findings | Gerardo Fernández | Approved | View |
| SRS-71I | Include the indicator of needing a high priority referral in the report | C260 | Verify report response includes highPriorityReferral score within riskMetrics object | Gerardo Fernández | Approved | View |
| SRS-8HY | Include the indicator of malignancy in the report | C261 | Verify report response includes malignantConditionProbability score within riskMetrics object | Gerardo Fernández | Approved | View |
| SRS-D08 | Include the indicator of the image presenting a pigmented lesion in the report | C262 | Verify report response includes pigmentedLesion score within riskMetrics object | Gerardo Fernández | Approved | View |
| SRS-JLM | Include the indicator of the presence of a condition in the report | C263 | Verify report response includes anyConditionProbability score within riskMetrics object | Gerardo Fernández | Approved | View |
| SRS-KAS | Include the indicator of needing an urgent referral in the report | C264 | Verify report response includes urgentReferral score within riskMetrics object | Gerardo Fernández | Approved | View |
| SRS-K7M | Orchestrate diagnosis support workflow | C265 | Verify diagnosis workflow returns ranked ICD-11 codes, binary indicators, and explainability maps for valid images | Gerardo Fernández | Approved | View |
| SRS-A9F | Wound Bed Tissue - Epithelial | C266 | Verify epithelial tissue classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-B3Z | Inflammatory Pattern Identification | C267 | Verify API returns Hurley stage and inflammatory status with associated probabilities for valid image input | Gerardo Fernández | Approved | View |
| SRS-B6L | Wound Bed Tissue - Necrotic | C268 | Verify tissue wound bed necrotic classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-B8N | Pustule Intensity Quantification | C269 | Verify pustule classification returns right intensity and confidence | Gerardo Fernández | Approved | View |
| SRS-A4W | Inflammatory Nodular Lesion Quantification | C270 | Verify inflammatory nodular lesion detector returns correct counts and bounding boxes for draining tunnels | Gerardo Fernández | Approved | View |
| SRS-A6T | Delimited Wound Edges Assessment | C271 | Verify wound borders delimited classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-C1R | Serous Exudate Assessment | C272 | Verify wound exudation serous classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-D7N | Purulent Exudate Assessment | C274 | Verify wound exudation purulent classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-D9T | Maceration Surface Quantification | C275 | Verify wound maceration segmentation analysis returns segmentation masks and the right percentage of surface affected | Gerardo Fernández | Approved | View |
| SRS-E4R | Erythema Intensity Quantification | C276 | Verify erythema classification returns right intensity and confidence | Gerardo Fernández | Approved | View |
| SRS-Y6F | Crusting Intensity Quantification | C277 | Verify crusting classification returns right intensity and confidence | Gerardo Fernández | Approved | View |
| SRS-F2K | Thickened Wound Edges Assessment | C278 | Verify thickened wound borders classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-T3K | Induration Intensity Quantification | C279 | Verify induration classification returns right intensity and confidence | Gerardo Fernández | Approved | View |
| SRS-F6J | Hair Loss Surface Quantification | C280 | Verify hair loss segmentation analysis returns segmentation masks and the right percentage of surface affected | Gerardo Fernández | Approved | View |
| SRS-G3P | Wound Perilesional Erythema Assessment | C281 | Verify wound perilesional erythema classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-G9R | Wound Stage Classification | C282 | Verify wound stage classification returns right score and confidence metrics from a valid wound image | Gerardo Fernández | Approved | View |
| SRS-H5K | Erythema Surface Quantification | C283 | Verify erythema segmentation analysis returns segmentation masks and the right percentage of surface affected | Gerardo Fernández | Approved | View |
| SRS-H9X | Lichenification Intensity Quantification | C284 | Verify lichenification classification returns right intensity and confidence | Gerardo Fernández | Approved | View |
| SRS-I7T | Wound Affected Tissue - Intact Skin | C285 | Verify wound affected tissues intact classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-J5P | Hair Follicle Quantification | C286 | Verify API returns follicle count, bounding boxes, and confidence scores for a valid scalp image | Gerardo Fernández | Approved | View |
| SRS-J9V | Indistinguishable Wound Edges Assessment | C287 | Verify wound borders indistinguishable classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-K3H | Wound Affected Tissue - Subcutaneous | C288 | Verify wound affected tissues subcutaneous classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-K4U | Orthopedic Material Surface Quantification | C289 | Verify wound orthopedic material segmentation analysis returns segmentation masks and the right percentage of surface affected | Gerardo Fernández | Approved | View |
| SRS-L4W | Damaged Wound Edges Assessment | C290 | Verify wound borders damaged classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-L8Y | Biofilm and Slough Surface Quantification | C291 | Verify wound biofilm material segmentation analysis returns segmentation masks and the right percentage of surface affected | Gerardo Fernández | Approved | View |
| SRS-M2L | Xerosis Intensity Quantification | C292 | Verify xerosis classification returns right intensity and confidence | Gerardo Fernández | Approved | View |
| SRS-M6P | Granulation Tissue Surface Quantification | C293 | Verify wound granulation segmentation analysis returns segmentation masks and the right percentage of surface affected | Gerardo Fernández | Approved | View |
| SRS-N2C | Bone Surface Segmentation | C294 | Verify wound bone segmentation analysis returns segmentation masks and the right percentage of surface affected | Gerardo Fernández | Approved | View |
| SRS-N5Q | Swelling Intensity Quantification | C295 | Verify swelling classification returns right intensity and confidence | Gerardo Fernández | Approved | View |
| SRS-N8W | Wound Affected Tissue - Dermis-Epidermis | C296 | Verify wound exudation serous classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-O5M | Wound Affected Tissue - Muscle | C297 | Verify wound affected tissues muscle classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-L3X | Skin Surface Segmentation | C298 | Verify skin segmentation analysis returns segmentation masks and the right percentage of surface affected | Gerardo Fernández | Approved | View |
| SRS-Z5N | Hive Lesion Quantification | C299 | Verify hive detector returns correct counts and bounding boxes for hives | Gerardo Fernández | Approved | View |
| SRS-Z8P | Biofilm-Compatible Tissue Assessment | C300 | Verify wound biofilm tissue classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-P4X | Wound Bed Tissue - Slough | C302 | Verify tissue wound bed slough classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-P9W | Desquamation Intensity Quantification | C303 | Verify desquamation classification returns right intensity and confidence | Gerardo Fernández | Approved | View |
| SRS-Q1L | Hypopigmentation or Depigmentation Surface Quantification | C304 | Verify hypopigmentation segmentation analysis returns segmentation masks and the right percentage of surface affected | Gerardo Fernández | Approved | View |
| SRS-Q8Z | Diffuse Wound Edges Assessment | C305 | Verify wound borders diffused classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-R3W | Wound Bed Surface Quantification | C306 | Verify wound bed segmentation analysis returns segmentation masks and the right percentage of surface affected | Gerardo Fernández | Approved | View |
| SRS-R7C | Oozing Intensity Quantification | C307 | Verify oozing classification returns right intensity and confidence | Gerardo Fernández | Approved | View |
| SRS-S2V | Wound Affected Tissue - Bone | C308 | Verify wound affected tissues bone classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-S8M | Acneiform Lesion Type Quantification | C309 | Verify acneiform detector returns correct counts and bounding boxes for papules, pustules, spots | Gerardo Fernández | Approved | View |
| SRS-T6H | Wound AWOSI Score Quantification | C310 | Verify AWOSI classification returns right score and confidence metrics from a valid wound image | Gerardo Fernández | Approved | View |
| SRS-T9U | Wound Bed Tissue - Closed | C311 | Verify tissue wound bed closed classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-U4M | Perilesional Maceration Assessment | C312 | Verify wound perilesional maceration classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-U8Z | Nail Lesion Surface Quantification | C313 | Verify nail lesion segmentation analysis returns segmentation masks and the right percentage of surface affected | Gerardo Fernández | Approved | View |
| SRS-V1D | Excoriation Intensity Quantification | C314 | Verify excoriation classification returns right intensity and confidence | Gerardo Fernández | Approved | View |
| SRS-V7Q | Necrosis Surface Quantification | C315 | Verify wound necrosis segmentation analysis returns segmentation masks and the right percentage of surface affected | Gerardo Fernández | Approved | View |
| SRS-W3R | Hyperpigmentation Surface Quantification | C316 | Verify hyperpigmentation segmentation analysis returns segmentation masks and the right percentage of surface affected | Gerardo Fernández | Approved | View |
| SRS-W9K | Bloody Exudate Assessment | C317 | Verify wound bloody exudation classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-X5B | Fibrinous Exudate Assessment | C318 | Verify wound exudation fibrinous classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-X8Q | Follicular and Inflammatory Pattern Identification | C319 | Verify follicular and inflammatory pattern identification returns right result | Gerardo Fernández | Approved | View |
| SRS-Y2E | Wound Bed Tissue - Granulation | C320 | Verify wound tissue wound bed granulation classification returns right presence prediction and confidence score | Gerardo Fernández | Approved | View |
| SRS-W6T | Orchestrate Clinical Signs Analysis Workflow | C321 | Verify generation of structured clinical assessment report with quantified results for requested signs via API | Gerardo Fernández | Approved | View |
| SRS-E1V | Body Surface Segmentation | C325 | Verify body surface segmentation analysis returns segmentation masks and the right percentage of surface affected | Gerardo Fernández | Approved | View |
| SRS-S8M | Acneiform Lesion Type Quantification | C446 | Verify acneiform detector returns correct counts and bounding boxes for nodules, pustules and scabs | Gerardo Fernández | Approved | View |
| SRS-S8M | Acneiform Lesion Type Quantification | C447 | Verify acneiform detector returns correct counts and bounding boxes for scabs, comedones, papules and pustules | Gerardo Fernández | Approved | View |
| SRS-Z5N | Hive Lesion Quantification | C448 | Verify hive detector returns correct counts and bounding boxes for hives (second image) | Gerardo Fernández | Approved | View |
| SRS-A4W | Inflammatory Nodular Lesion Quantification | C449 | Verify inflammatory nodular lesion detector returns correct counts and bounding boxes for non-draining tunnels | Gerardo Fernández | Approved | View |
| SRS-A4W | Inflammatory Nodular Lesion Quantification | C450 | Verify inflammatory nodular lesion detector returns correct counts and bounding boxes for nodules | Gerardo Fernández | Approved | View |
| SRS-H2V | Head Detection | C323 | Verify head detection returns right bounding boxes and heads count inside an image | Gerardo Fernández | Approved | View |
| SRS-9ZT | The product classifies the image's modality | C327 | Verify API returns "clinical" for image modality category when a skin image is provided | Gerardo Fernández | Approved | View |
| SRS-O93 | The product checks the image's clinical domain | C328 | Verify API returns image domain category equals to "dermatological" and confidence score for a skin image | Gerardo Fernández | Approved | View |
| SRS-Y5W | The product checks the image quality with the Dermatological Image Quality Assessment (DIQA) algorithm | C329 | Verify API returns dermatological image quality score, interpretation, and acquisition feedback | Gerardo Fernández | Approved | View |
| SRS-9ZT | The product classifies the image's modality | C451 | Verify API returns "dermoscopic" for image modality category when a skin image is provided | Gerardo Fernández | Approved | View |
| SRS-O93 | The product checks the image's clinical domain | C452 | Verify API returns image domain category equals to "non_dermatological" and confidence score for a dog image | Gerardo Fernández | Approved | View |
| SRS-F05 | Generate FHIR DiagnosticReport Base Structure | C453 | Verify FHIR DiagnosticReport base structure for a segmenter | Gerardo Fernández | Approved | View |
| SRS-1KW | Secure Communication Protocol Enforcement | C332 | Verify API accepts requests over HTTPS using TLS 1.2 or 1.3 | Gerardo Fernández | Approved | View |
| SRS-1KW | Secure Communication Protocol Enforcement | C333 | Verify API rejects or redirects unencrypted HTTP requests | Gerardo Fernández | Approved | View |
| SRS-28X | Implement progressive delays between failed login attempts | C335 | Verify progressive increase in enforced delay across consecutive failed authentication attempts | Gerardo Fernández | Approved | View |
| SRS-28X | Implement progressive delays between failed login attempts | C336 | Verify delay resets upon successful authentication | Gerardo Fernández | Approved | View |
| SRS-A25 | Role-Based Access Control (RBAC) with Least Privilege Principle to restrict users to essential functions | C337 | Verify successful access to permitted endpoints for an authorized role | Gerardo Fernández | Approved | View |
| SRS-A25 | Role-Based Access Control (RBAC) with Least Privilege Principle to restrict users to essential functions | C338 | Verify access denial for endpoints outside the assigned role scope | Gerardo Fernández | Approved | View |
| SRS-A2B | API Rate Limiting | C339 | Verify HTTP 403 response when request volume exceeds defined threshold | Gerardo Fernández | Approved | View |
| SRS-A2B | API Rate Limiting | C340 | Verify request acceptance after rate limit time window expiration | Gerardo Fernández | Approved | View |
| SRS-MM8 | Generated JWTs must have an expiration date | C341 | Verify generated authentication tokens include the expiration claim | Gerardo Fernández | Approved | View |
| SRS-MM8 | Generated JWTs must have an expiration date | C342 | Verify access denial for requests using an expired JWT | Gerardo Fernández | Approved | View |
| SRS-SDZ | Use hashed and salted passwords | C343 | Verify generation of authentication token using valid credentials | Gerardo Fernández | Approved | View |
| SRS-SDZ | Use hashed and salted passwords | C344 | Verify rejection of authentication requests with invalid credentials | Gerardo Fernández | Approved | View |
| SRS-SDZ | Use hashed and salted passwords | C345 | Verify password update functionality and subsequent authentication | Gerardo Fernández | Approved | View |
| SRS-TPK | Lock accounts after five failed attempts | C346 | Verify account lockout enforcement after threshold reached | Gerardo Fernández | Approved | View |
| SRS-TPK | Lock accounts after five failed attempts | C347 | Verify failed attempt counter reset on successful login | Gerardo Fernández | Approved | View |
| SRS-TPK | Lock accounts after five failed attempts | C348 | Verify administrative manual account unlock capability | Gerardo Fernández | Approved | View |
| SRS-U8M | Enforce strong password policies (min. 12 characters, complexity rules, expiration policies) | C349 | Verify enforcement of password complexity and length constraints | Gerardo Fernández | Approved | View |
| SRS-U8M | Enforce strong password policies (min. 12 characters, complexity rules, expiration policies) | C350 | Verify authentication behavior for expired passwords | Gerardo Fernández | Approved | View |
| SRS-WER | Endpoint Access Control | C351 | Verify protected endpoints allow access with a valid OAuth 2.0 Bearer token | Gerardo Fernández | Approved | View |
| SRS-WER | Endpoint Access Control | C352 | Verify protected endpoints reject requests lacking a valid token with 401 Unauthorized | Gerardo Fernández | Approved | View |
| SRS-WER | Endpoint Access Control | C353 | Verify public endpoints are accessible without an Authorization header | Gerardo Fernández | Approved | View |
| SRS-WGF | AES-256 encryption for data at rest | C354 | Verify AES-256 encryption configuration for data storage | Gerardo Fernández | Approved | View |
| SRS-X9J | Conduct periodic access reviews to verify permissions align with job functions | C355 | Verify authorized administrator can retrieve current user information for review | Gerardo Fernández | Approved | View |
| SRS-X9J | Conduct periodic access reviews to verify permissions align with job functions | C356 | Verify authorized administrator can revoke permissions during access review | Gerardo Fernández | Approved | View |
| SRS-IC4 | Software and Configuration Integrity Verification | C357 | Verify successful execution and audit logging of system integrity checks | Gerardo Fernández | Approved | View |
| SRS-BK7 | Encrypted Backup and Integrity Verification | C363 | Verify backup generation | Gerardo Fernández | Approved | View |
| SRS-BK7 | Encrypted Backup and Integrity Verification | C364 | Verify automated backup generation | Gerardo Fernández | Approved | View |
| SRS-CCD | Intrusion Prevention and Malicious Traffic Detection | C366 | Verify blocking of anomalous high-frequency request bursts | Gerardo Fernández | Approved | View |
| SRS-F05 | Generate FHIR DiagnosticReport Base Structure | C368 | Verify FHIR DiagnosticReport base structure for a detector | Gerardo Fernández | Approved | View |
| SRS-FMG | Record Analysis Duration in Report | C369 | Verify analysisDuration field population in DiagnosticReport | Gerardo Fernández | Approved | View |
| SRS-JC6 | The product provides a final image validity summary | C370 | Verify isAssessable is true when domain and quality criteria are met | Gerardo Fernández | Approved | View |
| SRS-JC6 | The product provides a final image validity summary | C371 | Verify isAssessable is false when image quality is unacceptable | Gerardo Fernández | Approved | View |
| SRS-JC6 | The product provides a final image validity summary | C372 | Verify isAssessable is false when image is non-dermatological | Gerardo Fernández | Approved | View |
| SRS-K6N | Map Per-Image Analysis to a dedicated object in the report | C373 | Verify single image analysis maps to structured object in imageAnalyses array | Gerardo Fernández | Approved | View |
| SRS-K6N | Map Per-Image Analysis to a dedicated object in the report | C374 | Verify multiple image analyses map to distinct objects in imagingAnalysis array | Gerardo Fernández | Approved | View |
| SRS-H3J | Deterministic Response Schemas | C375 | Verify response structure compliance with OpenAPI success schema | Gerardo Fernández | Approved | View |
| SRS-H3J | Deterministic Response Schemas | C376 | Verify response structure compliance with OpenAPI error schema | Gerardo Fernández | Approved | View |
| SRS-W5Z | Assign DiagnosticReport Identifier | C377 | Verify Assignment of Official Identifier to DiagnosticReport | Gerardo Fernández | Approved | View |
| SRS-W5Z | Assign DiagnosticReport Identifier | C378 | Verify Uniqueness of Generated DiagnosticReport Identifiers | Gerardo Fernández | Approved | View |
| SRS-D6W | Accurate Time Synchronization | C382 | Verify System Timestamp Accuracy via API Response Headers | Gerardo Fernández | Approved | View |
| SRS-D6W | Accurate Time Synchronization | C383 | Verify System Time Synchronization and Accuracy Status | Gerardo Fernández | Approved | View |
| SRS-SI2 | Secure Audit Trail Access Interface | C388 | Verify Role-Based Access Control for Audit Trail Interface | Gerardo Fernández | Approved | View |
| SRS-SI2 | Secure Audit Trail Access Interface | C389 | Verify Audit Trail Search and Export Capabilities | Gerardo Fernández | Approved | View |
| SRS-T5P | Audit Record Integrity Protection | C391 | Verify audit records cannot be modified or deleted via API | Gerardo Fernández | Approved | View |
| SRS-PU2 | Comprehensive Event Auditing | C395 | Verify audit trail generation for authentication lifecycle and security anomalies | Gerardo Fernández | Approved | View |
| SRS-U2P | Consolidated Audit Record Content | C398 | Verify audit record completeness for successful API event | Gerardo Fernández | Approved | View |
| SRS-U2P | Consolidated Audit Record Content | C399 | Verify audit record completeness for failed API event | Gerardo Fernández | Approved | View |
| SRS-PU2 | Comprehensive Event Auditing | C410 | Verify audit trail generation for clinical data creation events | Gerardo Fernández | Approved | View |
| SRS-T95 | Audit System Failure Handling | C413 | Audit record preservation during database unavailability | Gerardo Fernández | Approved | View |
| SRS-BWB | Performance and Latency | C416 | Verify p95 API latency remains under 10 seconds during nominal load | Gerardo Fernández | Approved | View |