Software Verification and Validation Plan (SVVP)

Status: Final draft prepared for handoff (pending review)
Version: 0.9
Owner: BionicLoop engineering
Prepared by: BionicLoop engineering
Reviewer: ____
Approver: ____
Decision date: ____
Effective date: ____
Baseline freeze SHA: ____
Last updated: 2026-04-06 17:20 EDT

Revision History

Version | Date | Author | Summary of Changes
0.1 | 2026-04-05 | Engineering | Initial controlled verification draft
0.9 | 2026-04-06 | BionicLoop engineering | Added handoff-ready metadata, software-handoff disposition language, and clarified the in-scope local security verification row

1. Test Document Acronyms

Common structure used here:

  • SVVP: Software Verification and Validation Plan
  • STP: Software Test Protocol (test procedures and expected results)
  • STR: Software Test Report (actual execution evidence)

2. Verification Strategy

Verification is split into:

  • Unit tests (core logic, algorithm mapping, policy gates)
  • Integration tests (runtime + adapters + persistence)
  • System/manual tests (real-device behavior, BLE reconnection, onboarding flows)

Initial STP draft set:

Submission-scope note:

  • Device-to-cloud / BionicScout verification is not included in the current submission-scope STP draft set and should be treated as deferred/out-of-scope unless submission scope is explicitly revised.
  • For the current engineering software handoff package, TV-SEC-001 remains the only in-scope security verification row; TV-SEC-002..008 are deferred from claimed closure in this pass.

3. Test Environments

  • iOS Simulator for deterministic unit/integration tests.
  • Physical iPhone + Dexcom G7 + OmniPod DASH for connection/cadence and delivery behavior.

4. Entry and Exit Criteria

Entry:

  • SRS and SDD IDs updated for proposed change.
  • Risk impacts reviewed for affected paths.

Exit:

  • All planned TV-* tests pass or deviations documented.
  • Traceability matrix updated with evidence links (STR-* artifacts, logs, screenshots).
  • No unresolved High severity regressions.

5. Seed Test Inventory

Test ID | Level | Purpose | SRS Link
TV-RUN-001 | Unit | Expected step math anchored to first successful run | SRS-RUN-001, SRS-RUN-002
TV-RUN-002 | Integration | Duplicate step prevention (stepNotDue) | SRS-RUN-002
TV-RUN-003 | Unit/Integration | Runtime doWork dispatch is constrained to allowed wake causes (cgmUpdate, bgCheck, mealAnnounce, guarded pumpReconnect) | SRS-RUN-003
TV-RUN-004 | Unit/Integration | Reconnect fallback executes only after an anchored session exists and only when accepted CGM receipt age exceeds the approved fallback freshness limit | SRS-RUN-004, SRS-CGM-005
TV-RUN-005 | Unit/Integration | Reconnect fallback does not execute step 0, does not re-anchor cadence, and does not replay multiple missed slots | SRS-RUN-001, SRS-RUN-002, SRS-RUN-005
TV-RUN-006 | Unit/Integration | Fresh accepted CGM receipt suppresses reconnect fallback and same-slot CGM/reconnect triggers coalesce to one execution | SRS-RUN-002, SRS-RUN-004, SRS-RUN-005
TV-RUN-007 | System/Hardware | Real-device reconnect fallback validates current-due-step execution after CGM interruption without duplicate command application | SRS-RUN-004, SRS-RUN-005, SRS-CGM-005
TV-ALG-001 | Unit (Bridge) | Bridge null-pointer guards and edge-state reset behavior | SRS-ALG-003
TV-ALG-002 | Unit (Bridge) | Input mapping and sentinel behavior (requestTime, pump availability, subject-id boundaries) | SRS-ALG-003
TV-ALG-003 | Unit (Bridge) | Output/state handoff and step increment continuity at bridge boundary | SRS-ALG-003, SRS-ALG-004
TV-ALG-004 | Unit (Algorithm) | Deterministic nominal golden-vector replay | SRS-ALG-001
TV-ALG-005 | Unit (Algorithm) | Degraded/unavailable-input golden-vector replay | SRS-ALG-001, SRS-ALG-003
TV-ALG-006 | Unit (Algorithm) | Meal/BG/intervention golden-vector replay | SRS-ALG-001, SRS-ALG-005
TV-ALG-007 | Unit/Integration | Stateful continuity across persistence/reload/reset boundaries | SRS-ALG-004
TV-ALG-008 | Unit (Algorithm) | Boundary/sentinel cases (CGM, BG, pump) remain deterministic and safe | SRS-ALG-003, SRS-ALG-004
TV-ALG-009 | Differential | Pregnancy config differential replay (target, upfront, TMAX) vs baseline | SRS-ALG-005
TV-ALG-010 | Coverage | Structural coverage report generation and threshold compliance for Algo2015 + bridge | SRS-ALG-002
TV-ALG-011 | Toolchain/Process | Static-analysis quality lane execution, and MISRA policy evidence closure as either linked report+deviations or explicit not-applicable decision rationale | SRS-ALG-006, SRS-ALG-007
TV-CGM-001 | Unit | Out-of-range CGM -> unavailable (-1) mapping | SRS-CGM-001
TV-CGM-002 | Unit | Step-0 fresh/in-range gating | SRS-CGM-002
TV-CGM-003 | Unit | Step>0 degraded run with unavailable CGM | SRS-CGM-003
TV-CGM-004 | Unit/UI | Step-0 blocked-for-CGM path exposes explicit reason/state messaging to user surfaces | SRS-CGM-004, SRS-UI-002
TV-CGM-005 | Integration/System | Armed-loop absence of successful step execution beyond the approved interruption threshold is detected as a stalled-step condition using last-success/session-start timing | SRS-CGM-005
TV-BG-001 | Unit/Integration | bgCheck creates/uses a single pending BG candidate without borrowing future slots beyond immediate next-step policy | SRS-BG-002
TV-BG-002 | Unit/Integration | Submit after due-step execution rolls BG candidate to immediate next step and uses it there | SRS-BG-003
TV-BG-003 | Unit/Integration | BG value maps to algorithm BGval while CGM mapping remains independent | SRS-BG-004
TV-BG-004 | Unit/Integration | Pump unavailable during bgCheck blocks command application without overriding degraded policy | SRS-BG-005, SRS-PUMP-001
TV-BG-005 | Unit/UI | Stale manual BG is rejected with explicit user-visible reason | SRS-BG-006
TV-BG-006 | Unit/Integration | Telemetry records manualBG source, value, timestamps, and execution outcome | SRS-BG-007, SRS-LOG-001
TV-BG-007 | Unit/Integration | Deferred from current software handoff baseline. If step-0 BG rescue is enabled in a future accepted baseline, verify it executes only when policy gates pass. | SRS-BG-008
TV-BG-008 | Unit/UI | Manual BG entry rejects values outside 20...600 mg/dL with explicit validation messaging | SRS-BG-001
TV-BG-009 | Unit/Integration | Pending BG candidate expires if not consumed on the immediate next target step | SRS-BG-009
TV-BG-010 | Unit/Integration | New BG submission replaces existing pending candidate before execution | SRS-BG-010
TV-BG-011 | Unit/Integration | Manual BG submit while loop is disarmed does not dispatch runtime execution (bgCheck) | SRS-BG-011
TV-BG-012 | Unit/Integration | Manual BG submit before first successful anchored step is rejected and does not create pending BG state | SRS-BG-012
TV-CLIN-001 | UI/Integration | Clinical settings access is gated by passcode prompt; incorrect passcode blocks entry; correct passcode unlocks settings | SRS-CLIN-001, SRS-CLIN-002
TV-CLIN-002 | UI/Smoke | Subject ID, Weight, Start Algo, and Reset Algo are presented in Clinical Settings and not in participant-facing settings sections | SRS-CLIN-003
TV-CLIN-003 | Unit/UI | Target selector enforces allowed values (90, 100, 110, 120, 130 mg/dL) and rejects out-of-set values | SRS-CLIN-004
TV-CLIN-004 | Unit/UI | Meal upfront selector enforces two-option set (75%, 90%) and maps selected value into runtime config | SRS-CLIN-005
TV-CLIN-005 | Unit/UI | TMAX selector enforces 40...70 inclusive with 5-minute increments | SRS-CLIN-006
TV-CLIN-006 | Unit/Integration | Clinical settings persistence restores values across relaunch with deterministic default/migration behavior | SRS-CLIN-007
TV-CLIN-007 | Unit/Integration | Start Algo and Reset Algo behavior remains unchanged after relocation into Clinical Settings | SRS-CLIN-008
TV-CLIN-008 | Unit | Weight conversion and validation path stores kg from integer lbs UI input | SRS-VAL-001, SRS-CLIN-003
TV-CLIN-009 | Unit/Integration | Clinical save-review semantics hold: no persisted/runtime config mutation before Save+OK, cancel keeps prior applied config, and persisted update appears in next step telemetry snapshot | SRS-CLIN-007, SRS-CLIN-008, SRS-LOG-001
TV-CLIN-010 | Unit/UI | Participant-facing settings and the clinician target selector expose only the target set enabled by the clinician-selected target-access profile (Pregnancy vs Standard) | SRS-CLIN-009, SRS-CLIN-010
TV-CLIN-011 | Unit/UI | Participant target change requires approval capture and blocks apply until approving staff name and approximate approval time are both recorded | SRS-CLIN-011
TV-CLIN-012 | Unit/UI | Clinical Settings normalizes the draft target to an allowed profile value when the clinician changes the target-access profile | SRS-CLIN-012, SRS-CLIN-010
TV-CLIN-013 | Unit/Integration | Target-access profile persists across save/relaunch/migration and is reflected consistently in both participant and clinician settings views | SRS-CLIN-007, SRS-CLIN-009, SRS-CLIN-010
TV-PUMP-001 | Unit | Pump unavailable -> run step, block command application | SRS-PUMP-001
TV-PUMP-002 | Integration | Signal-loss policy persistence and clear behavior | SRS-PUMP-001, SRS-UI-002
TV-PUMP-003 | Integration | Delivery reconciliation and min-dose quantization behavior | SRS-PUMP-003
TV-PUMP-004 | System | Home pod card updates on connect/disconnect without entering settings | SRS-PUMP-004
TV-PUMP-005 | Integration/System | Delivery-state clears from delivering via auto-refresh without opening Pump settings | SRS-PUMP-005
TV-PUMP-006 | UI/Integration | Closed-loop surfaces do not expose manual bolus command paths | SRS-PUMP-002
TV-MEAL-001 | Unit | Meal announce borrow-window gating | SRS-MEAL-001
TV-MEAL-002 | Unit | Meal announce blocked when pump delivering/unknown | SRS-MEAL-002
TV-MEAL-003 | Unit/Integration | Meal announce executes on current due step when slot is already due/missed | SRS-MEAL-004
TV-MEAL-004 | Unit | Meal announce rejected before first successful anchored step | SRS-MEAL-005
TV-MEAL-005 | Unit | Meal unavailable reason precedence reports noPump before signalLoss when no active pod is present | SRS-MEAL-002, SRS-UI-002
TV-MEAL-006 | Unit/UI | Meal unavailable messaging includes explicit actionable reason and retry timing when blocked | SRS-MEAL-003, SRS-UI-002
TV-MEAL-007 | Unit/UI | Meal composer revalidates availability on foreground refresh and immediately before submit so stale available state cannot dispatch an invalid meal request | SRS-MEAL-006, SRS-UI-002
TV-MEAL-008 | Unit/UI/Integration | Meal submit does not present success until runtime result is known; blocked/rejected and uncertain outcomes surface explicit user-facing recovery messaging | SRS-MEAL-007, SRS-UI-002
TV-MEAL-009 | Integration | Pending or uncertain meal request state, including correlated flow ID, persists across relaunch and prevents duplicate meal entry until resolved | SRS-MEAL-008, SRS-MEAL-009, SRS-STATE-001
TV-MEAL-010 | Integration/System | Command-outcome uncertainty (timeout/error with unresolved delivery state) blocks repeat meal announce and surfaces explicit operator guidance until reconciliation; immediate-success and reconciled meal lifecycle closure remain replayable across terminate/relaunch windows until resolved telemetry is emitted | SRS-MEAL-008, SRS-MEAL-009, SRS-PUMP-001
TV-MEAL-011 | Integration/System | Competing-trigger slot conflict does not silently lose or reinterpret meal intent; user receives explicit slot-conflict blocked/retry feedback and no hidden reassignment to a different borrowed step | SRS-MEAL-010, SRS-RUN-002, SRS-UI-002
TV-MEAL-012 | Unit/UI/Integration | When meal entry is opened during active bolus delivery, the app presents a destructive Home inline cancel-delivery flow, keeps that flow visible while active meal delivery remains in progress, reports actual delivered insulin after cancellation in the Home summary region, retains that summary until both the next later algorithm step and a 5-minute minimum display window have passed, renders active in-progress meal delivery in the normal meal-dose color while reserving caution color for actual interrupted delivery, and preserves the delivered amount for subsequent algorithm-step accounting | SRS-MEAL-011, SRS-PUMP-003, SRS-UI-002
TV-STATE-001 | Integration | Relaunch restores cadence and algorithm state | SRS-STATE-001
TV-STATE-002 | Integration | Reset clears all session state and starts fresh | SRS-STATE-002
TV-STATE-003 | Integration/System | Pump and CGM manager state persistence supports reconnect without forced re-pairing on relaunch | SRS-STATE-003
TV-LOG-001 | Unit | Step telemetry contains explicit step_executed_at plus input/output/command fields | SRS-LOG-001
TV-LOG-002 | Integration | CSV export schema and row append behavior | SRS-LOG-002
TV-LOG-003 | Unit/Integration | Async export avoids main-actor blocking | SRS-LOG-003
TV-LOG-004 | Unit/UI | Debug-only cloud-log threshold control persists selected level and upload filter remains inclusive (selected level and higher severities) with default fallback to Error | SRS-LOG-004
TV-LOG-005 | Unit | Clinical Settings save flow emits deterministic ui.critical telemetry (state_viewed, submit, cancel, blocked) with stable element IDs and old/new value details | SRS-LOG-005
TV-LOG-006 | Unit/Integration | App lifecycle telemetry includes timezone and clock-check context fields with correct trigger semantics (launch, foreground >24h gate, timezone_or_time_changed) | SRS-LOG-006
TV-LOG-007 | Unit/Integration | Meal-request telemetry exposes the implemented lifecycle transitions (submitted, accepted, success, blocked, uncertain, resolved) without optimistic-success duplication, with replay durability across terminate/relaunch windows, and loop-command telemetry preserves explicit command outcome semantics (applied, blocked, uncertain) | SRS-LOG-007, SRS-MEAL-007
TV-LOG-008 | Unit/UI | Target-access-profile and participant approval-capture telemetry emit stable ui.critical events with required detail fields (target_range_profile, requested/applied target, approval metadata, and blocked/cancelled reason) | SRS-LOG-008
TV-UI-001 | UI/System | Home loop-state precedence rendering and cadence-phase age classification (nextDueAt-based Active/Aging/Stale) | SRS-UI-001
TV-UI-002 | UI/System | Availability messaging matches runtime outcomes | SRS-UI-002
TV-UI-003 | UI/System | CGM/Pod setup modal Cancel dismisses directly and does not force settings on no-active-pod startup | SRS-UI-003
TV-UI-004 | Unit/UI | Meal announcement composer auto-cancels on app background transition | SRS-UI-004
TV-UI-005 | UI/Smoke | Home primary controls are present and actionable in deterministic launch mode (settings, manual BG, Let's Eat) | SRS-UI-002
TV-UI-006 | UI/Smoke | Home settings and manual-BG sheets can be opened and dismissed without dead-end navigation | SRS-UI-002, SRS-BG-001
TV-UI-007 | Unit/UI | CGM display masks stale (>11m) or unreliable (hasReliableGlucose == false) readings as -- and hides trend arrow | SRS-UI-005
TV-UI-008 | Unit/Integration | UTC clock-drift warning behavior: >600s skew emits non-blocking actionable warning with 24h rate limit, <=600s shows no warning, and unavailable checks do not spam warnings | SRS-UI-006
TV-UI-009 | Unit/UI | CGM value formatting maps boundaries to textual LOW/HIGH across display surfaces and suppresses unit suffix for those states | SRS-UI-007
TV-UI-010 | Unit/UI | Home CGM chart uses bounded dynamic y-axis maxima (300/350/400) based on displayed peak values | SRS-UI-008
TV-ALERT-001 | Unit | Alert normalization maps Omni/G7/runtime events to canonical model fields | SRS-ALERT-001, SRS-ALERT-002
TV-ALERT-002 | Unit/Integration | Alert precedence keeps critical alert visible when lower-severity alerts coexist | SRS-ALERT-003
TV-ALERT-003 | Integration | Transient reconnect events are debounced/coalesced without suppressing persistent faults | SRS-ALERT-004
TV-ALERT-004 | Integration/System | Alert clear/ack rules behave per alert type and update UI state correctly | SRS-ALERT-005
TV-ALERT-005 | System/Manual | Protocol-required alerts and wording are present and actionable in app flows | SRS-ALERT-006
TV-ALERT-006 | Unit/Integration | High-priority non-CGM alerts emit background local notifications with dedupe/cooldown, while CGM alerts and informational alerts do not | SRS-ALERT-007
TV-ALERT-007 | Unit/UI | Alert Center shows active and recently-cleared alerts with deterministic sorting and acknowledge path for required-ack alerts | SRS-ALERT-008, SRS-ALERT-005
TV-ALERT-008 | Integration | Pump/CGM persisted-alert lifecycle hooks preserve issued/unretracted/retracted state across relaunch and restore active alert visibility | SRS-ALERT-009
TV-ALERT-009 | Unit/Integration | Time-sensitive alert countdown text refreshes at minute cadence while active without notification spam | SRS-ALERT-010, SRS-ALERT-007
TV-ALERT-010 | Unit/UI | Home active-alert vertical carousel preserves severity/recency ordering, shows multiplicity, and allows deterministic navigation through active alerts | SRS-ALERT-003, SRS-ALERT-011
TV-ALERT-011 | Unit/Integration | No-active-pod cleanup retracts only non-critical pod-tied alerts while retaining ALERT-PUMP-FAULT and ALERT-PUMP-INCOMPATIBLE until explicit closure | SRS-ALERT-005, SRS-ALERT-012
TV-ALERT-012 | Integration/System | Algorithm Stepping Interrupted issues an actionable alert, clears on resumed successful stepping or loop disarm, and remains distinct from informational G7 unavailable/failed status surfaces | SRS-ALERT-013, SRS-ALERT-003, SRS-ALERT-004, SRS-ALERT-005
TV-ALERT-013 | Unit/Integration/System | Algorithm Stepping Interrupted issues after >15 minutes without successful step execution while armed, carries blocker/root-cause detail, clears on next successful step or loop disarm, and preserves stronger pump/source-native alert precedence while leaving CGM state as informational context | SRS-ALERT-014, SRS-ALERT-003, SRS-ALERT-004, SRS-ALERT-005, SRS-UI-002
TV-ALERT-014 | Unit/Integration | CGM availability/failure normalized alerts remain informational in-app status only, do not expose required-ack behavior, and never schedule background local notifications | SRS-ALERT-015
TV-ALERT-015 | Unit/Integration | App-derived CGM urgent-low review alert issues only for trustworthy G7 readings <55 mg/dL, preserves reviewed state while active, auto-clears on trustworthy recovery >=55 mg/dL, persists acknowledged active state across reset/reattach, and never schedules background local notifications | SRS-ALERT-016, SRS-ALERT-005, SRS-ALERT-007
TV-SEC-001 | Integration | Local export controls and file handling behavior, including development-only CSV export and the current file-sharing / open-in-place surface | SRS-SEC-002
TV-SEC-002 | Integration/System | Deferred from current software handoff package. If secure cloud upload primary-path closure is re-entered into scope, verify cloud telemetry upload control behavior and failure handling. | SRS-SEC-001
TV-SEC-003 | Integration/System | Deferred from current software handoff package. If protected cloud API access is re-entered into scope, verify it requires valid authenticated session. | SRS-SEC-003, SRS-SEC-006
TV-SEC-004 | UI/Integration | Deferred from current software handoff package. If multi-provider onboarding is re-entered into scope, verify allowed sign-in entry points and failure states. | SRS-SEC-004, SRS-SEC-006
TV-SEC-005 | Integration/System | Deferred from current software handoff package. If authorization-role enforcement is re-entered into scope, verify unauthorized telemetry/dashboard actions are denied. | SRS-SEC-005, SRS-SEC-006
TV-SEC-006 | Unit/Integration | Deferred from current software handoff package. If password-recovery workflow is re-entered into scope, verify reset-code request and confirm-reset success/failure handling. | SRS-SEC-007, SRS-SEC-006
TV-SEC-007 | Unit/Integration | Deferred from current software handoff package. If launch session restore is re-entered into scope, verify authenticated UX is preserved when token recovery succeeds. | SRS-SEC-008, SRS-SEC-006
TV-SEC-008 | Unit/UI | Deferred from current software handoff package. If auth-failure Home-bypass continuity is re-entered into scope, verify the login-required alert and recovery action. | SRS-SEC-009, SRS-SEC-006

5.0 Algo2015 Structural-Coverage Campaign

The detailed campaign definition, thresholds, and required STR artifact set are maintained in Algo2015 Verification Plan. Execution progress and phase-level closure tracking are maintained in Algo2015 Execution Roadmap.

5.1 Proposed Simulation Campaign (Workstream H)

This campaign adds deterministic scenario replay (medium-fidelity mocks) as a required verification layer for runtime safety logic. It complements hardware-in-the-loop testing and does not replace real-device validation.

Test ID | Level | Purpose | SRS Link
TV-SIM-001 | Integration (deterministic sim) | Reproduce anchored cadence across reconnect/relaunch windows and assert step index continuity (expected, executed, skipReason) | SRS-RUN-001, SRS-RUN-002, SRS-STATE-001
TV-SIM-002 | Integration (deterministic sim) | Validate step-0 hard gate and step>0 degraded CGM execution (-1) across stale/out-of-range/noisy sensor sequences | SRS-CGM-001, SRS-CGM-002, SRS-CGM-003
TV-SIM-003 | Integration (deterministic sim) | Validate pump-unknown/unavailable execution with command-block and no false delivery application | SRS-PUMP-001, SRS-PUMP-005
TV-SIM-004 | Integration (deterministic sim) | Validate meal and BG trigger interplay under missed-step, reconnect, and degraded-input conditions | SRS-MEAL-001, SRS-MEAL-002, SRS-BG-002, SRS-BG-003
TV-SIM-005 | Integration (deterministic sim) | Validate alert lifecycle, countdown refresh progression, dedupe, and clear behavior during state churn | SRS-ALERT-003, SRS-ALERT-004, SRS-ALERT-010

Planned evidence:

  • STR-SIM-* scenario reports with script file, expected output snapshot, actual output snapshot, and pass/fail deltas.
  • Script baseline: /Users/jcostik/BionicLoop/Scripts/run_sim_harness_verification.sh (emits run-context, results, trace-map, and suite logs).
  • Merge-gate helper: /Users/jcostik/BionicLoop/Scripts/check_sim_merge_gate.sh (runs TV-SIM-* only when high-risk runtime paths are touched).

Future extension (high-fidelity):

  • After medium-fidelity stability, add BLE/session-level emulation cases for hardware-specific transport faults and timing jitter that mock services cannot represent.

Current implemented deterministic simulation coverage:

  • testTVSIM001_AnchoredCadenceAcrossReconnectAndRelaunch (TV-SIM-001)
  • testTVSIM002_StepZeroGateAndStepGreaterThanZeroDegradedCGMExecution (TV-SIM-002)
  • testTVSIM003_PumpUnavailableAndUnknownStatesBlockCommandApplication (TV-SIM-003)
  • testTVSIM004_MealAndBGInterplayAcrossMissedStepsAndReconnectChurn (TV-SIM-004)
  • testTVSIM005_AlertLifecycleChurnCountdownDedupeAndClearTransitions (TV-SIM-005)

Current implemented alert-test coverage:

  • testTopAlertPrefersHigherSeverityThenMostRecent and testSortedAlertsOrdersBySeverityRecencyAndStableDedupeKey cover deterministic alert ordering precedence (TV-ALERT-002 subset).
  • testHomeAlertCarouselNavigatorClampsAndWrapsIndexes covers Home vertical-carousel paging invariants (clamp + wrap) used for deterministic multi-alert navigation (TV-ALERT-010 subset).
  • testNoActivePodDebounceAddsAndClearsAlert and testHomeAlertSyncEvaluatorReflectsCombinedPumpConditions cover no-active-pod alert path and suppression of competing signal-loss state when no pod is present (TV-ALERT-003, TV-ALERT-004 subset).
  • testSignalLossDebounceAddsAndClearsAlert covers debounce + auto-clear behavior, actionable background notification cooldown/dedupe, and clear-on-retract notification cleanup (TV-ALERT-003, TV-ALERT-004, TV-ALERT-006 subset).
  • testSignalLossDebounceSuppressesTransientCondition covers transient suppression and notification authorization priming dedupe (TV-ALERT-003, TV-ALERT-006 subset).
  • testShowPreviewAlertsSupportsMultipleTypesAndPrecedence covers severity-filtered background notification routing (critical not informational), alert-category route mapping, and safety-critical acknowledge behavior (TV-ALERT-002, TV-ALERT-004, TV-ALERT-006 subset).
  • testCloudTelemetryReporterSurfacesSubjectIDConflictAndStopsRetryFor409Conflict, testHomeSettingsViewClearsResolvedSubjectIDConflictAlert, testSubjectIDConflictAutoResolutionPolicyRequiresActiveAlertNonEmptySubjectAndNoInFlightCheck, and testSubjectIDConflictAutoResolutionPolicyThrottlesSameSubjectAndAllowsChangedSubject cover the app-policy subject-ID conflict alert lifecycle: issue on permanent cloud claim conflict, explicit retract after successful corrected Clinical Settings save, and throttled Home auto-revalidation of the currently persisted subject ID when a stale conflict alert remains active (TV-ALERT-005 subset).
  • testCGMAlertsNeverScheduleBackgroundNotifications, testCGMAlertMapperFailedFromSensorFailedState, testCGMAlertMapperUnavailableFromWarmupState, and testCGMFailedAlertRestoresFromLiveStateAcrossAlertCenterResetUntilRecovery cover the CGM availability/failure policy: informational in-app status only, no required-ack path, and no background local notifications (TV-ALERT-014, TV-ALERT-006 subset).
  • testCGMUrgentLowAlertMapperIssuesForReliableReadingBelow55, testCGMUrgentLowAlertMapperClearsAt55OrAbove, testCGMUrgentLowAlertMapperSkipsUnreliableReading, testCGMUrgentLowAlertMapperSkipsStaleReading, testUrgentLowAcknowledgeMarksAlertReviewedWithoutClearingActiveState, testCGMUrgentLowAcknowledgePersistsAcrossAlertCenterResetUntilRecovery, and testCGMAlertsNeverScheduleBackgroundNotifications cover the app-derived urgent-low review alert trigger, trustworthy-data gate, reviewed-state retention, reset/reattach persistence, recovery auto-clear, and no-OS-notification policy (TV-ALERT-015, TV-ALERT-006 subset).
  • testAlertCenterTracksRecentlyClearedAlerts and testAlertCenterRestoresPersistedActiveAndClearedAlerts cover in-app Alert Center active/recent behavior and persistence restore path (TV-ALERT-007, TV-ALERT-008 subset).
  • testPumpAlertMapperExpiringIncludesCountdownDeadline, testPumpAlertMapperExpiredForPodExpiringAlert, and testTimeSensitivePumpExpiringAlertRefreshesMessageWithoutReschedulingNotification cover pod-expiration countdown mapping (expiring and expired paths) plus minute-refresh text updates without extra background notification scheduling (TV-ALERT-009, TV-ALERT-006 subset).
  • UI automation now covers Home-to-Alert-Center routing, acknowledge-to-recent flow, and relaunch persistence visibility (testUI007_HomeAlertCenterButtonOpensAlertCenter, testUI008_AlertCenterAcknowledgeMovesAlertToRecentlyCleared, testUI009_AlertCenterPersistsAcrossRelaunch) (TV-ALERT-007, TV-ALERT-008 subset).
  • testPumpPersistedAlertStoreReturnsIssuedAndRetractedAlerts and testCGMPersistedAlertStoreReturnsIssuedAndRetractedAlerts cover delegate PersistedAlertStore issue/retract lookup behavior (TV-ALERT-008 subset).
  • testPumpExpirationAlertSyncPlannerReturnsRetractsWhenNoExpirationAlertsApply covers no-active-pod retract-set safety boundary by excluding critical fault/incompatible alerts from auto-retract cleanup (TV-ALERT-011 subset).
  • testCGMAlertMapperPrioritizesUnavailableOverFailedKeywordCollision and testCGMAlertMapperDoesNotClassifyMessageOnlyFailedAsSensorFailure verify CGM fallback keyword mapping cannot escalate transient/message-only text into ALERT-CGM-FAILED-OR-EXPIRED (TV-ALERT-001 subset).

Current implemented runtime-refactor regression coverage: - testMealPumpUnavailableReasonMapping verifies meal-unavailable reason precedence (noPump over signalLoss when no active pod exists) (TV-MEAL-005 subset). - testMealAnnouncementSheetLifecycleRevalidatesOnlyOnForeground and testHomeRuntimeActionCoordinatorMealComposerContinuationDecision verify the foreground revalidation gate and stale-composer availability remapping used before meal submit dispatch (TV-MEAL-007 subset). - testMealAnnouncementAvailabilityBlocksPersistedPendingMealRequestAcrossRelaunch, testMealAnnouncementAvailabilityReconcilesResolvedPendingMealRequestOnLaunch, testMealAnnouncementAvailabilityConsumesPersistedResolvedTelemetryReplayStateOnLaunch, testReconciledPendingMealAnnouncementStateClearsWhenTargetStepAlreadyExecuted, testMealAnnouncementResolutionEventUsesPersistedFlowIDForResolvedPendingState, and testMealAnnouncementResolvedEventUsesPersistedResolvedTelemetryReplayState verify persisted pending meal-request durability, relaunch duplicate blocking, replay-token consumption, target-step reconciliation, and correlated flow-ID closure for resolved lifecycle telemetry (TV-MEAL-009 subset, TV-LOG-007 subset). - LoopRuntimeCoordinatorMealAnnouncementTests.testMealAnnouncePersistsPendingMealOnlyAfterExecutionStepAccepted and LoopRuntimeCoordinatorMealAnnouncementTests.testMealAnnounceRejectedBeforeAcceptanceDoesNotPersistPendingMealState verify that pending meal state is written only after the coordinator has accepted a concrete execution step and is not left behind for rejected meal attempts (TV-MEAL-009 subset). 
- testAnnounceMealReturnsBlockedWhenLoopIsOff, testAnnounceMealReturnsBlockedWhenPersistedPendingMealExists, testReconciledUncertainPendingMealAnnouncementStateClearsWhenPumpDeliveryMatchesTargetStep, testMealAnnouncementResolutionEventUsesReconciledAfterUncertainForUncertainClear, testMealAnnouncePersistsPendingMealOnlyAfterExecutionStepAccepted, testMealAnnounceRejectedBeforeAcceptanceDoesNotPersistPendingMealState, testMealAnnounceUncertainDeliveryRetainsPendingMealState, and testHomeMealAnnouncementSubmitPolicyEventsAndBlockedContent verify that meal submit no longer reports optimistic success, that blocked runtime outcomes map to explicit blocked results, and that Home/runtime expose deterministic submitted/accepted/success/uncertain/resolved telemetry closure with explicit uncertain reconciliation semantics (TV-MEAL-008, TV-MEAL-010, TV-LOG-007 subset). - testHomeRuntimeActionCoordinatorRoutesPumpDeliveringToCancelDeliveryFlow, testMealAnnouncementCancelledDeliverySummaryUsesPartialDeliveryCopy, testMealAnnouncementCancelledDeliverySummaryHandlesNoDeliveredInsulin, testMealAnnouncementCancelledDeliverySummaryIncludesCancelDetails, testMealAnnouncementCancelledDeliveryPolicyRequiresFiveMinutesAndNextStep, testMealAnnouncementCancelledDeliveryPolicyUsesNextStepThreshold, testMealAnnouncementDisplaySupportMapsMealContext, testPumpServiceAdapterCancellationDeliveryStatusUsesRequestedAndDeliveredUnits, testPumpServiceAdapterResolvedBolusDeliveredUnitsPrefersPodCompletionWhenEventHistoryLags, testPumpServiceAdapterResolvedBolusDeliveredUnitsUsesBestAvailableProgressWhileBolusing, testPumpServiceAdapterAuthoritativeCompletedDeliveryPrefersCanceledUnitsWhenIdle, testRecordDoWorkResultMarksSuccessfulBolusAsDeliveringBeforePumpRefresh, testReconcilePumpStatusUpdatesInterruptedDeliveryToCompletedAfterLaterRefresh, testReconcileCanceledDeliveryUsesDeliveredUnitsForInterruptedMealBar, testPumpStatusObserverRefreshReconcilesSharedTelemetryStoreUntilDeliveryCompletes, 
testPumpStatusObserverApplyCanceledBolusDeliveryReconcilesSharedTelemetry, testInsulinChartPointFlagsInterruptedDeliveryWhenDeliveredLessThanRequested, testInsulinChartPointDoesNotFlagActiveDeliveryAsInterrupted, testInlineInsulinChartStylingUsesCautionColorForInterruptedDelivery, testInlineInsulinPointCompactorPreservesDeliveringStateWhenCollapsingPoints, testHomeViewStateBuilderActiveMealDeliveryCancellationContextUsesOnlyDeliveringMealStep, and testUI002b_MealCancelDeliveryFlowShowsPartialDeliverySummaryAndComposer verify the meal cancel-delivery path: active-delivery routing into a destructive Home inline cancel flow, automatic visibility of the cancel control while a meal bolus is still actively delivering, requested/delivered-unit reporting after cancellation, orange partial-delivery context in Home's alert-summary region above the chart, cancel-time plus meal-context summary detail, optimistic active-delivery chart state immediately after a successful bolus command, explicit canceled-delivery reconciliation into shared step telemetry so interrupted bar height matches actual delivered insulin, normal meal-color chart rendering while delivery is still active, compactor preservation of delivering state when bars visually collapse, caution-color rendering only for actual interrupted delivery derived from requested-vs-delivered telemetry, later pump-refresh reconciliation back to completed delivery when the bolus finishes normally, pod-status flooring when event-history delivery lags, and preservation of delivered insulin accounting for the next algorithm step when the operator later reopens meal announce (TV-MEAL-012 subset, TV-PUMP-003 supporting coverage). - testLoopRuntimeEngineResetAlgorithmSessionKeepsClinicalSettings also confirms session reset clears runtime carry-over while preserving unrelated clinical settings; pending meal-request fields are included in that cleared runtime state (TV-MEAL-009 supporting coverage). 
  • testDoWorkFeedsBackRequestedAndDeliveredWhenBelowDashMinimumQuantum verifies delivery reconciliation preserves requested-vs-delivered values across steps when request is below DASH minimum deliverable quantum (TV-PUMP-003).
  • testLoopRuntimeWorkExecutorRecordsLatestReadingBeforeOperation, testLoopRuntimeWorkExecutorSkipsRecordReadingWhenNoLatestReading, and testLoopRuntimeWorkExecutorReturnsOperationResultWithoutMutation verify behavior-preserving extraction for doWork execution snapshot sequencing.
  • testLoopSessionStorePersistsAlgorithmArmedAndRuntimeState and testLoopSessionStoreClearRuntimeStateReturnsEmptyState verify session persistence boundaries.
  • testLoopWorkSchedulerOnlyTriggersForNewTimestampWhileArmed verifies CGM timestamp dedupe/arm/reset behavior.
  • testLoopAlertMediatorReportsSignalLossUntilKnownRefresh and testLoopAlertMediatorKeepsSignalLossForUnknownRefresh verify signal-loss policy mediation behavior.

Current implemented clock-sync telemetry safety coverage:

  • testDeviceClockSyncMonitorFlagsSkewAndPublishesWarningAtThresholdBreach verifies midpoint skew calculation and warning emission when absolute skew exceeds 600 seconds (TV-UI-008, TV-LOG-006 subset).
  • testDeviceClockSyncMonitorWithinThresholdReportsOKWithoutWarning verifies <=600s skew reports ok and does not emit warning alerts (TV-UI-008 subset).
  • testDeviceClockSyncMonitorForegroundCheckUses24HourSuccessfulCheckGate verifies foreground checks are gated by 24-hour successful-check interval (TV-LOG-006 subset).
  • testDeviceClockSyncMonitorTimezoneChangeForcesFreshCheckInsideForegroundGate verifies timezone/time-change trigger bypasses the foreground gate and performs a fresh UTC check (TV-LOG-006, TV-UI-008 subset).
  • testDeviceClockSyncMonitorRetriesAndReturnsUnavailableWithoutWarningOnNetworkFailures and testDeviceClockSyncMonitorLimitsSkewWarningsToOncePer24Hours verify retry/unavailable behavior and warning cooldown control (TV-UI-008 subset).
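
A sketch of the clock-sync rules listed above, added here as an illustration and not taken from the BionicLoop code base. All type and member names are hypothetical; the midpoint formula, the retry budget of three, and treating any check that obtains a reference time as "successful" are assumptions.

```swift
import Foundation

// Added illustration: all type and member names here are hypothetical.
enum ClockSyncStatus: Equatable {
    case ok(skew: TimeInterval)
    case skewed(skew: TimeInterval, warningIssued: Bool)
    case unavailable   // every attempt failed; no skew warning is raised
    case skipped       // foreground check suppressed by the 24-hour gate
}

enum ClockSyncTrigger { case foreground, timeOrZoneChange }

typealias TimeSample = (sent: Date, received: Date, serverUTC: Date)

struct ClockSyncPolicy {
    static let skewThreshold: TimeInterval = 600            // seconds (from the plan)
    static let successGate: TimeInterval = 24 * 60 * 60     // foreground check gate
    static let warningCooldown: TimeInterval = 24 * 60 * 60 // one warning per 24 hours
    static let maxAttempts = 3                              // assumed retry budget

    private(set) var lastSuccessfulCheck: Date?
    private(set) var lastWarning: Date?

    // Assumed reading of "midpoint skew": reference UTC minus the midpoint of
    // the local send/receive times, which cancels symmetric network delay.
    static func midpointSkew(_ s: TimeSample) -> TimeInterval {
        let midpoint = s.sent.addingTimeInterval(s.received.timeIntervalSince(s.sent) / 2)
        return s.serverUTC.timeIntervalSince(midpoint)
    }

    // `fetch` returns nil on a network failure.
    mutating func check(trigger: ClockSyncTrigger, now: Date,
                        fetch: () -> TimeSample?) -> ClockSyncStatus {
        // Only foreground checks are gated; a time or zone change always rechecks.
        if trigger == .foreground, let last = lastSuccessfulCheck,
           now.timeIntervalSince(last) < ClockSyncPolicy.successGate {
            return .skipped
        }
        var sample: TimeSample?
        for _ in 0..<ClockSyncPolicy.maxAttempts {
            sample = fetch()
            if sample != nil { break }
        }
        guard let s = sample else { return .unavailable }
        lastSuccessfulCheck = now   // assumption: obtaining a reference time counts as success
        let skew = ClockSyncPolicy.midpointSkew(s)
        guard abs(skew) > ClockSyncPolicy.skewThreshold else { return .ok(skew: skew) }
        // Warn at most once per cooldown window, but keep reporting the skew.
        var warn = true
        if let last = lastWarning,
           now.timeIntervalSince(last) < ClockSyncPolicy.warningCooldown {
            warn = false
        }
        if warn { lastWarning = now }
        return .skewed(skew: skew, warningIssued: warn)
    }
}

// Constructed sample: device clock 15 minutes behind the reference, 200 ms round trip.
let t0 = Date(timeIntervalSince1970: 1_775_000_000)
let behind: TimeSample = (sent: t0, received: t0.addingTimeInterval(0.2),
                          serverUTC: t0.addingTimeInterval(900.1))
var policy = ClockSyncPolicy()
// First foreground check, then a second one inside the 24-hour gate.
print(policy.check(trigger: .foreground, now: t0) { behind })
print(policy.check(trigger: .foreground, now: t0.addingTimeInterval(60)) { behind })
// A time or zone change bypasses the gate; the warning cooldown still applies.
print(policy.check(trigger: .timeOrZoneChange, now: t0.addingTimeInterval(120)) { behind })
// Network failure on every attempt.
print(policy.check(trigger: .timeOrZoneChange, now: t0.addingTimeInterval(180)) { nil })
```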

Current implemented CGM UI stale-display safety coverage:

  • testG7ViewModelMasksStaleReadingAndHidesTrendWhenTimestampOlderThanElevenMinutes verifies stale CGM masking to -- and hidden trend arrow when reading age exceeds 11 minutes (TV-UI-007).
  • testG7ViewModelMasksUnreliableCurrentReadingAndDoesNotFallbackToHistoryValue verifies unreliable current CGM readings are masked to --, trend is hidden, and UI does not fallback-display historical value while current state is unreliable (TV-UI-007).
  • testG7ViewModelMasksUnreliableCurrentReadingWithoutTimestampAndDoesNotFallback verifies unreliable current reading masking remains enforced when latestReadingTimestamp is missing (restore/partial-state edge), preventing fallback numeric display (TV-UI-007).
  • testG7ViewModelMasksStalePersistedHistoryWhenNoLiveReadingExists verifies stale persisted-history fallback is also masked to -- (TV-UI-007).
  • testG7ViewModelUsesFreshPersistedHistoryWhenLatestReadingIsUnavailable verifies non-stale persisted-history fallback still displays glucose value (control case for TV-UI-007 boundary behavior).
  • testG7ViewModelDisplayFormattingMapsExtremeValuesToHighLow verifies boundary formatting (<=39 -> LOW, >=401 -> HIGH) and unit-label suppression semantics for boundary text (TV-UI-009).
  • testInlineCGMChartDerivationDynamicYAxisMaximumAndValues verifies stepped CGM y-axis scaling behavior (300/350/400) and corresponding tick derivation (TV-UI-010).
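
The masking and boundary rules above, reduced to one decision function as an added illustration (not BionicLoop's view-model code). Names are hypothetical, and masking a stale live reading without consulting history is an assumption the plan does not state.

```swift
import Foundation

// Added illustration: type and function names are hypothetical.
struct GlucoseReading {
    let mgdl: Int
    let timestamp: Date?     // may be missing after a restore or partial state
    let isReliable: Bool
}

struct HistoryPoint {
    let mgdl: Int
    let timestamp: Date
}

enum GlucoseDisplay: Equatable {
    case masked              // rendered as "--" with the trend arrow hidden
    case boundary(String)    // "LOW" or "HIGH", unit label suppressed
    case value(Int)
}

enum CGMDisplayPolicy {
    static let staleAfter: TimeInterval = 11 * 60   // seconds (from the plan)

    static func isFresh(_ timestamp: Date?, now: Date) -> Bool {
        // A reading of unknown age is never treated as fresh.
        guard let timestamp = timestamp else { return false }
        return now.timeIntervalSince(timestamp) <= staleAfter
    }

    static func format(_ mgdl: Int) -> GlucoseDisplay {
        if mgdl <= 39 { return .boundary("LOW") }
        if mgdl >= 401 { return .boundary("HIGH") }
        return .value(mgdl)
    }

    static func display(current: GlucoseReading?, history: HistoryPoint?,
                        now: Date) -> GlucoseDisplay {
        if let current = current {
            // Reliability is checked before age, so an unreliable reading with no
            // timestamp is still masked, and history is never consulted here.
            // Assumption: a stale live reading is masked the same way.
            guard current.isReliable, isFresh(current.timestamp, now: now) else {
                return .masked
            }
            return format(current.mgdl)
        }
        // No live reading: persisted history may be shown only while it is fresh.
        guard let history = history, isFresh(history.timestamp, now: now) else {
            return .masked
        }
        return format(history.mgdl)
    }
}

// Constructed cases mirroring the listed tests.
let now = Date(timeIntervalSince1970: 1_775_000_000)
let recent = HistoryPoint(mgdl: 112, timestamp: now.addingTimeInterval(-5 * 60))
let old = HistoryPoint(mgdl: 112, timestamp: now.addingTimeInterval(-30 * 60))
let unreliable = GlucoseReading(mgdl: 140, timestamp: nil, isReliable: false)
let stale = GlucoseReading(mgdl: 140, timestamp: now.addingTimeInterval(-12 * 60),
                           isReliable: true)
let high = GlucoseReading(mgdl: 401, timestamp: now, isReliable: true)

print(CGMDisplayPolicy.display(current: unreliable, history: recent, now: now))
print(CGMDisplayPolicy.display(current: stale, history: recent, now: now))
print(CGMDisplayPolicy.display(current: nil, history: old, now: now))
print(CGMDisplayPolicy.display(current: nil, history: recent, now: now))
print(CGMDisplayPolicy.display(current: high, history: nil, now: now))
```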

Current implemented Algo2015 verification coverage:

  • Algo2015BridgeContractTests methods cover initial bridge contract behavior for null-guard paths, state-reset edge handling (stateData == nil && timeStep > 0), subject-id nil/long boundary handling, and state handoff continuity (TV-ALG-001, TV-ALG-002, TV-ALG-003 baseline subset).
  • Algo2015GoldenVectorTests.testNominalCGMSequenceMatchesGoldenOutputs locks a deterministic nominal replay vector for drift detection (TV-ALG-004 baseline subset).
  • Algo2015GoldenVectorTests.testUnavailableCGMSequenceProducesFiniteDeterministicOutputs adds degraded/unavailable-CGM replay coverage (TV-ALG-005 baseline subset).
  • Algo2015GoldenVectorTests.testMealAndManualBGInputsProduceDeterministicMealPathSignals adds meal/manual-BG intervention replay coverage (TV-ALG-006 baseline subset).
  • Algo2015GoldenVectorTests.testPersistedStateReloadMatchesContinuousExecution and Algo2015GoldenVectorTests.testResetToFreshStateProducesDeterministicStepZeroOutput add persistence/reload/reset continuity verification (TV-ALG-007).
  • Algo2015GoldenVectorTests.testCGMBoundaryValuesRemainFiniteAndBounded adds CGM boundary/sentinel replay coverage (TV-ALG-008 baseline subset).
  • Algo2015GoldenVectorTests.testHigherTargetProducesLessInsulinForSameHyperglycemicSequence adds differential target-behavior verification (TV-ALG-009 baseline subset).
  • Algo2015OracleSupport now provides a reusable oracle framework for deterministic replay, snapshot assertions, and continuity checks across Algo2015 test suites (TV-ALG-004, TV-ALG-005, TV-ALG-006, TV-ALG-007, TV-ALG-008).
  • Algo2015MetamorphicTests adds property/metamorphic checks for deterministic replay identity and monotonic sensitivity to target/CGM transforms (TV-ALG-004, TV-ALG-009 supporting evidence).
  • Algo2015DifferentialReplayTests adds staged differential replay with JSON report output (differential-report.json) and now asserts all pregnancy parameters are consumed (targetMgDL, mealUpfrontPercent, tmaxMinutes) with deterministic checks for target monotonicity, applied meal-upfront profile, and TMAX-driven output variation (TV-ALG-009).
  • Algo2015DifferentialReplayTests.testPregnancyDifferentialReplayProducesDeterministicReport now additionally asserts that 90% upfront meal profile front-loads more meal insulin than 75% at meal step and in immediate post-meal cumulative window (TV-ALG-009).
  • Evidence artifact path: Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-001-004/.
  • Additional evidence artifact path: Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-005-006-008/.
  • Continuity evidence artifact path: Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-007/.
  • Scripts/run_algo2015_coverage.sh now generates llvm-profdata/llvm-cov artifacts for Algo2015/Algorithm_2015_10_13.cpp and bridge sources (TV-ALG-010 baseline subset), with focused branch-closure scenarios for Adapt_MB_Rs, Meal_Bolus, Highs_Lows, Set_Target, SaveData, Trim_Arrays, Pumps_CGM_UI_Fields, Extract_CGM_Adapt, and MB history save/load loops.
  • Coverage script now supports explicit exception-package signoff metadata (reviewerName, reviewerRole, decisionDate, decisionStatus, decisionNotes) via CLI flags or environment variables for formal STR runs.
  • Coverage packaging now includes hardened branch exception artifacts:
      • branch-exception-package.md with reviewer sign-off section
      • branch-exception-package.json with machine-readable sign-off fields and per-symbol rationale/safety/mitigation/disposition records
  • Scripts/run_algo2015_verification.sh provides staged deterministic orchestration (prepare, coverage, run, evaluate, package, all) with immutable run context + manifest packaging for STR reproducibility.
  • InputFields automated suite (TV-ALG-001, TV-ALG-002, TV-ALG-003, TV-ALG-008, TV-ALG-009 subset) now runs as part of staged execution and emits structured assertions (results.json) plus observations (inputfields-observations.tsv).
  • CoreReqs requirement-tagged suite now runs as part of staged execution and maps assertion outcomes directly to SRS-ALG-001...005 with structured results (suites/core-reqs/results.json).
  • Differential requirement-tagged suite now runs as part of staged execution and emits structured assertions + JSON report (suites/differential/results.json, suites/differential/differential-report.json).
  • ToolVerification boundary-transfer suite now runs as part of staged execution and verifies bridge-to-core parity for deterministic boundary cases (suites/tool-verification/results.json).
  • StaticAnalysis suite now runs as part of staged execution and verifies clang build/analyze lane execution, CodeReviewLog run-SHA linkage, and MISRA-policy linkage metadata (suites/static-analysis/results.json).
  • MISRA is treated as a risk-based conditional quality lane for this host-side investigational path: formal evidence must close the lane either with linked MISRA report/deviation artifacts (when applicable) or with explicit not-applicable decision rationale captured in the STR decision package.
  • Package manifest includes quality-lane linkage fields (qualityLanes.codeReviewLinkage, qualityLanes.misraLinkage) for STR audit traceability.
  • Submission-grade packaging outputs now include:
      • str-template-check.json (required artifact completeness check)
      • suite-assertion-trace-map.{json,md} (assertion-level TV-ALG-* + SRS-ALG-* mapping)
      • reproducibility-recipe.md (single-command rerun + checksum verification recipe)
  • Coverage artifact paths:
      • Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-010-coverage/
      • Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-010-coverage-clean-01/
      • Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-011-verification-rerun/
      • Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-012-verification-b2-b3-final/
  • Current coverage snapshot (2026-02-18, latest run tv-alg-012-verification-b2-b3-final):
      • Algorithm_2015_10_13.cpp: function 100.00%, line 95.13%, branch 88.02%
      • Algo2015Bridge.c: function 100.00%, line 100.00%, branch 100.00%
  • Latest local working snapshot (2026-02-19, non-formal run):
      • Algorithm_2015_10_13.cpp: function 100.00%, line 97.33%, branch 90.58%
      • Algo2015Bridge.c: function 100.00%, line 100.00%, branch 100.00%
  • Branch-rationale artifact path:
      • Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-012-verification-b2-b3-final/suites/coverage/uncovered-branch-gap-map.md
  • Exception package (legacy baseline): Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-010-coverage-clean-01/branch-exception-package.md
  • Staged run summary artifacts:
      • Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-012-verification-b2-b3-final/evaluation-summary.json
      • Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-012-verification-b2-b3-final/manifest.json
      • Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-012-verification-b2-b3-final/suites/inputfields/results.json
      • Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-012-verification-b2-b3-final/suites/core-reqs/results.json
      • Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-012-verification-b2-b3-final/suites/differential/results.json
      • Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-012-verification-b2-b3-final/suites/differential/differential-report.json
      • Docs/Quality/Evidence/STR-ALG-001/2026-02-18-tv-alg-012-verification-b2-b3-final/suites/tool-verification/results.json

6. Evidence

Expected evidence package per change:

  • test command output (xcodebuild, swift test)
  • failing/passing test IDs
  • device test logs where applicable
  • screenshots for UI safety behavior
  • link to changed requirement and risk IDs

7. Deferred/Planned Validation

  • Extended overnight cadence reliability runs.
  • Real hardware fault-injection scenarios (disconnects, stale CGM, unavailable pump).
  • Real hardware no-new-CGM-data interruption runs to verify threshold breach, alert timing, and clear-on-recovery behavior distinct from G7 failed/expired states.
  • Planned reconnect-fallback hardware runs after policy implementation to verify >5 minute accepted-CGM-receipt gating, current-due-step-only execution, and restored CGM priority after data flow resumes.
  • Algorithm Stepping Interrupted unit/integration validation is now implemented for step-based timing, no-alert-when-disarmed behavior, and clear-on-success/disarm behavior. Remaining planned validation is real-device/background confirmation for non-CGM blocker coverage and rendered root-cause messaging under live pump/CGM conditions.

  • Current automated coverage for CGM interruption behavior:
      • BionicLoopAlertTests.testAlgorithmSteppingInterruptionMonitoringSchedulesFutureNotificationAndRaisesAlertAtDeadline
      • BionicLoopAlertTests.testAlgorithmSteppingInterruptionMonitoringClearsActiveAlertWhenSteppingResumes
      • BionicLoopInfrastructureTests.testLoopRuntimeEngineArmedSessionSchedulesStepInterruptionMonitoringAndResetClearsIt
      • BionicLoopInfrastructureTests.testLoopRuntimeEngineForegroundRefreshShowsStepInterruptionWhenThresholdExceededBeforeFirstStep
      • BionicLoopInfrastructureTests.testLoopRuntimeEngineForegroundRefreshUsesLastSuccessfulRunDeadlineWhenAvailable
      • BionicLoopInfrastructureTests.testLoopRuntimeEngineForegroundRefreshDoesNotShowStepInterruptionWhenDisarmed
      • BionicLoopInfrastructureTests.testLoopRuntimeEngineForegroundRefreshDoesNotShowCGMInterruptionWhenDisarmed
  • Formal usability/human-factors sessions for meal announcement and safety messaging.

8. Xcode Automated UI Testing Strategy

Purpose:

  • Use XCTest UI automation as repeatable verification evidence for deterministic UI behavior and requirement conformance.

Best leverage areas:

  • Navigation and modal routing correctness.
  • Presence/enabled-state of safety-critical controls.
  • State-to-message rendering for known inputs.
  • Regression checks for setup flows and dismiss paths.
  • Non-hardware-dependent interaction logic (for example meal sheet presentation/cancel behavior).

Not a primary tool for:

  • BLE transport reliability and reconnect behavior.
  • Background wake cadence and overnight timing reliability.
  • Real pump delivery confirmation and physical device alert timing.

Execution model:

  • Run UI tests on Simulator with deterministic launch fixtures.
  • Use app launch arguments/environment to force reproducible runtime states.
  • Use stable accessibility identifiers for controls, labels, and state badges.
  • Keep one fast smoke suite as release gate; keep extended suite for nightly runs.

9. UI Automation Verification Mapping

  • Automated UI evidence is acceptable for [SRS-UI](SoftwareRequirementsSpecification.md#srs-ui)-* and portions of [SRS-MEAL](SoftwareRequirementsSpecification.md#srs-meal)-* and [SRS-ALERT](SoftwareRequirementsSpecification.md#srs-alert)-* where behavior is deterministic and fixture-driven.
  • Hardware-coupled requirements still require integration/system evidence from real-device runs.
  • Preferred command:
      • xcodebuild -scheme BionicLoop -destination 'platform=iOS Simulator,name=iPhone 17' -only-testing:BionicLoopUITests test
  • Evidence artifacts:
      • test logs, pass/fail results, captured screenshots/attachments, and linked TV-* IDs in RTM.

Current Automated UI Suite Mapping (F5)

| XCTest Method | TV-ID Link | Requirement Link | Notes |
|---|---|---|---|
| testUI001_HomeShowsPrimaryControls | TV-UI-005 | SRS-UI-002 | Smoke check for Home control availability using deterministic fixtures. |
| testUI002_MealUnavailableWhenLoopOff | TV-UI-002 | SRS-UI-002 | Verifies unavailable-state messaging path and dismissal UX. |
| testUI003_SettingsSheetCanDismiss | TV-UI-006 | SRS-UI-002 | Guards against modal navigation traps in settings entry path. |
| testUI004_ManualBGSheetCanOpenAndCancel | TV-UI-006 | SRS-BG-001 | Verifies explicit cancel path for manual BG entry UX. |
| testUI005_HomeShowsAlertBannerPreview | TV-ALERT-002 | SRS-ALERT-003 | Verifies deterministic top-alert preview rendering on Home. |
| testUI006_HomeShowsCriticalAlertPreview | TV-ALERT-002 | SRS-ALERT-003 | Verifies critical alert preview path and title rendering. |
| testUI007_HomeAlertCenterButtonOpensAlertCenter | TV-ALERT-007 | SRS-ALERT-008 | Verifies Home alert-center bell entry and active-alert visibility in Alert Center. |
| testUI008_AlertCenterAcknowledgeMovesAlertToRecentlyCleared | TV-ALERT-007 | SRS-ALERT-005, SRS-ALERT-008 | Verifies acknowledge transition from active alert state to recently-cleared timeline. |
| testUI009_AlertCenterPersistsAcrossRelaunch | TV-ALERT-008 | SRS-ALERT-009 | Verifies persisted active alert visibility after relaunch (UI_TEST_PRESERVE_DEFAULTS). |
| testUI010_ClinicalSettingsNavigatesAndAutoLocksOnExit | TV-CLIN-001 | SRS-CLIN-001, SRS-CLIN-002 | Verifies passcode-gated entry, unlock success, and auto-lock on exit/re-entry. |
| testUI011_ClinicalSettingsSaveDismissesSettingsSheet | TV-CLIN-009 | SRS-CLIN-007, SRS-CLIN-008 | Verifies Save+OK closes settings flow after review-confirmation path. |
| testUI012_ClinicalSettingsInvalidPasscodeBlocksUnlock | TV-CLIN-001 | SRS-CLIN-001, SRS-CLIN-002 | Verifies invalid passcode path shows explicit error and keeps clinician controls hidden. |
| testUI013_ClinicalControlsVisibleOnlyInsideUnlockedClinicalSettings | TV-CLIN-002 | SRS-CLIN-003 | Verifies relocated Start/Reset controls are absent in general settings and present only in unlocked Clinical Settings. |
| testUI014_RegularTargetChangeRequiresApprovalCaptureAndPersists | TV-CLIN-011, TV-CLIN-013 | SRS-CLIN-011, SRS-CLIN-007 | Verifies regular-settings target changes block until approval fields are completed, then persist into clinician-visible applied target state. |
| testUI015_ClinicalTargetPickerFollowsSelectedProfileRange | TV-CLIN-010 | SRS-CLIN-009, SRS-CLIN-010 | Verifies the clinician target picker only exposes the targets enabled by the selected Pregnancy/Standard profile. |
| testUI016_ClinicalProfileChangeNormalizesTargetAndPersists | TV-CLIN-012, TV-CLIN-013 | SRS-CLIN-012, SRS-CLIN-009, SRS-CLIN-010 | Verifies changing the clinician-selected profile snaps an inherited out-of-range draft target to the nearest allowed value and persists the normalized result. |

Evidence reference:

  • STR-UI-AUTO-001 / 2026-02-12-f5-ui-smoke

Current Clinical Unit Mapping (K1/K2 baseline)

| XCTest Method | TV-ID Link | Requirement Link | Notes |
|---|---|---|---|
| testClinicalSettingsPolicyPasscodeValidation | TV-CLIN-001 | SRS-CLIN-001, SRS-CLIN-002 | Verifies the current investigational clinical passcode gate accepts only configured value (020508). |
| testClinicalSettingsPolicyNormalizationAndDefaults | TV-CLIN-003, TV-CLIN-004, TV-CLIN-005 | SRS-CLIN-004, SRS-CLIN-005, SRS-CLIN-006 | Verifies allowed-option enforcement and deterministic fallback defaults for target/upfront/TMAX selectors. |
| testClinicalSettingsSavePolicyPrepareSaveReviewBlockedStates | TV-CLIN-001 | SRS-CLIN-001, SRS-CLIN-002 | Verifies locked/invalid/no-change save attempts are blocked with deterministic reasons/messages. |
| testClinicalSettingsSavePolicyPrepareSaveReviewBuildsChangedFieldList | TV-CLIN-009 | SRS-CLIN-007 | Verifies review model includes complete changed-field set for old/new clinical config diff. |
| testClinicalSettingsSavePolicySaveApplySemantics | TV-CLIN-009 | SRS-CLIN-007, SRS-CLIN-008, SRS-LOG-001 | Verifies no persisted change before save confirmation, cancel preserves applied config, and saved config appears in next-step telemetry snapshot fields. |
| testClinicalSettingsSavePolicyUICriticalEvents | TV-LOG-005 | SRS-LOG-005 | Verifies deterministic ui.critical event mapping and detail payload for state_viewed/submit/cancel/blocked paths. |
| testClinicalSettingsPolicyTargetRangeProfiles | TV-CLIN-010, TV-CLIN-012 | SRS-CLIN-009, SRS-CLIN-010, SRS-CLIN-012 | Verifies Pregnancy/Standard profile subsets and nearest-allowed normalization behavior when the active profile changes. |
| testRegularTargetChangeApprovalPolicyPrepareAndValidate | TV-CLIN-011 | SRS-CLIN-011 | Verifies participant target changes require approver name and approval timestamp before apply. |
| testRegularTargetChangeApprovalPolicyBlocksNoChangeAndOutOfProfileSelection | TV-CLIN-010, TV-CLIN-011 | SRS-CLIN-010, SRS-CLIN-011 | Verifies participant target-change flow rejects no-op requests and targets outside the clinician-selected profile. |
| testRegularTargetChangeApprovalTelemetryEvents | TV-LOG-008 | SRS-LOG-008 | Verifies participant approval-capture telemetry includes target profile, requested/current target, approver name, and approval timestamp. |

Current regression command used in development for this slice:

  • xcodebuild -scheme BionicLoop -project BionicLoop.xcodeproj -destination 'platform=iOS Simulator,name=iPhone 17' -only-testing:BionicLoopTests test

UI execution note for this slice:

  • BionicLoopUITests are wired into the current scheme and targeted UI cases can be launched with xcodebuild ... -only-testing:BionicLoopUITests/... test.
  • Focused UI verification for testUI014_RegularTargetChangeRequiresApprovalCaptureAndPersists, testUI015_ClinicalTargetPickerFollowsSelectedProfileRange, and testUI016_ClinicalProfileChangeNormalizesTargetAndPersists passed on 2026-03-25 against simulator device 21A8EB79-294B-4DB2-8AB5-9166F5B375A8 (Test-BionicLoop-2026.03.25_11-55-08--0400.xcresult).
  • Local simulator/xctrunner instability may still require rerunning the focused UI lane in future environments, but this slice now has a captured green UI pass.

10. Manual Screenshot UI Review Protocol

Scope:

  • Required for all user-facing changes, especially safety-state messaging, alert presentation, and clinical controls.

Capture set:

  • Light mode and dark mode screenshots.
  • Changed screen in: baseline state, interactive state, blocked/error state, and post-action state.
  • If applicable, include one large-text (Dynamic Type) capture for key screens.

Review rubric:

  • Typography and text integrity:
      • no clipping, truncation, overlap, or ambiguous wording.
      • units/values formatting is consistent (mg/dL, U, %, min, timestamps).
  • Spacing and alignment:
      • consistent spacing rhythm and card/control alignment.
      • safe-area compliance; no accidental edge clipping.
  • Visual hierarchy:
      • critical safety states and primary actions are immediately distinguishable.
      • secondary text does not compete with critical signals.
  • Accessibility and contrast:
      • sufficient contrast in both themes.
      • color is supplemented by text/icon/position cues.
      • tappable controls remain legible and touch-accessible.
  • Motion and transitions:
      • state transitions are smooth and non-jarring.
      • no stale labels/icons during animated or async state changes.

Evidence and traceability:

  • Save screenshots and review notes under the applicable STR-* evidence path.
  • Link that path in:
      • Docs/Quality/TraceabilityMatrix.md
      • Docs/Quality/CodeReviewLog.md entry for the commit
      • any related bug entry in Docs/Quality/Bugs/BugTracker.md.