# Verixa — User Requirements Specification

# Module 31: Document Quality Gateway (DQG) — Intake, Classification, and Filing Handoff Governance

| Field | Value |
|---|---|
| Document ID | VRX-URS-31 |
| Version | 1.0 |
| Status | Final — ready for QA, Validation, Regulatory Affairs (Primary Owner — TMF/eTMF integration), Information Security, Manufacturing Head, Site Quality Lead, Qualified Person Authority, and Founder approval. URS approval is separate from validation execution. This document becomes "Approved Controlled URS — released for engineering implementation and validation planning" only after signature capture in the Document Approval block. It becomes "Released for validation execution" only after the module migration evidence gate (URS-31-VAL-008) and validation evidence pack are satisfied **including the three workflow-engine controlled actions per DEC-31-04 / DEC-31-06**. |
| Document Type | User Requirements Specification (URS) |
| GAMP 5 Category | Category 5 — Custom Application |
| Code Modules | Target implementation binding: expected primary code module `document-quality-gateway`, expected API mounts `/api/v1/dqg/*` (canonical API mount per DEC-31-01), expected supporting modules `audit-log`, `auth/rbac`, `electronic_signatures`, `hitl`, `documents` (URS-12 — controlled storage of artifact files + immutable provenance), expected event-bus emission for `dqg_taxonomy_created`, `dqg_taxonomy_released_effective`, `dqg_taxonomy_superseded`, `dqg_artifact_submitted`, `dqg_artifact_classified`, `dqg_artifact_reviewed`, `dqg_artifact_hitl_approved`, `dqg_artifact_hitl_rejected`, `dqg_artifact_staged`, `dqg_artifact_filed`, `dqg_artifact_filing_failed`, `dqg_artifact_withdrawn`, `dqg_filing_handoff_packaged`, `dqg_filing_handoff_qa_reviewed`, `dqg_filing_handoff_approved_for_filing`, `dqg_filing_handoff_transmitted`, `dqg_filing_handoff_confirmed_filed`, `dqg_filing_handoff_acknowledged`, `dqg_inbound_import_initiated`, `dqg_inbound_import_completed`, `dqg_inbound_import_failed`, `dqg_ingest_channel_polled`, `dqg_sender_communication_dispatched`, `dqg_artifact_program_locked`, `dqg_artifact_program_reopened`, expected MIRA context integration through `useMiraRecord('dqg_artifact', id)`, `useMiraRecord('dqg_taxonomy', id)`, `useMiraRecord('dqg_filing_handoff', id)`, `useMiraRecord('dqg_inbound_import', id)` mappings, expected URS-12 Document Control linkage for **immutable artifact-file storage + provenance** per DEC-31-09, expected URS-13 Change Control linkage for taxonomy effective release + ingest-channel effective release + filing-handoff target-system change requests, expected URS-21 findings emission for stale inbound imports + chronic filing-handoff failures + missed-handoff findings, expected URS-18 CAPA emission for chronic filing failures, expected URS-20 Reviews **outbound linkage** (artifact-level QC review in DQG; substantive compliance review delegated to URS-20 per DEC-31-08), expected URS-22 Inspection inbound retrieval (DQG artifacts as inspection back-room evidence), expected URS-27 Regulatory linkage (filing handoff to regulatory submissions where applicable), expected URS-28 training qualification-gate consumption for HITL reviewer authority, expected URS-29 Screen Reader / Data Capture inbound consumer integration (capture extractions promoted to DQG artifacts where applicable), expected URS-30 Notifications outbound consumer for sender communication delivery (DQG sender communication is a specialized URS-30 client per DEC-31-12), expected Authority Profile + HITL + e-signature integration for non-bypassable HITL review approval / rejection / filing-handoff approval / inbound-import review / artifact withdrawal / program lock / reopen, expected platform_admin / super_admin support / break-glass only paths. Implementation evidence remains subject to repository verification and validation evidence. |
| Architecture Bindings | This module is subject to **ARCH-AI-001 AI Optionality and Manual Continuity** (canonical binding explicitly stated in Module specification). Verixa internally classifies this AI surface as **limited-risk under internal AI governance**, aligned with the limited-risk transparency approach in **EU AI Act (Regulation 2024/1689) Article 13**, escalating to **internal forward-looking AI governance aligned with EU AI Act Annex III concepts** where AI classification, AI review, or AI-assisted filing handoff feeds a regulated downstream record (e.g., regulatory submission per URS-27, controlled document per URS-12, inspection back-room evidence per URS-22). Every DQG AI-assisted surface (AI classification, AI review, OCR-assist on inbound imports, taxonomy recommendation, HITL auto-route suggestion, MIRA DQG copilot) shall provide a fully functional non-AI manual execution path; **no AI service shall be the only path to advance a regulated DQG workflow** (canonical binding). The full AI prohibition surface includes: AI cannot finalize HITL approval, AI cannot finalize HITL rejection, AI cannot approve filing handoff for transmission to eTMF, AI cannot acknowledge filing confirmation, AI cannot approve inbound-import review, AI cannot withdraw an artifact, AI cannot release a taxonomy version. AI may surface advisory classification suggestions, advisory review summaries, advisory taxonomy recommendations, and advisory HITL routing recommendations through the controlled `dqg_ai_assistance` substructure with full provenance + mandatory human acceptance per DEC-31-13. This module binds ARCH-AI-001 AC-1, AC-2, AC-3, AC-4, and AC-7. Verixa treats **EU GMP Annex 22 Draft 2025 §7** as an internal forward-looking architectural control (not an enacted predicate rule); under that internal control, generative AI may draft advisory artifact classification, taxonomy alignment, and review summaries only with mandatory human acceptance recorded; generative / probabilistic AI is **PROHIBITED from being the sole path to finalize HITL review disposition, approve filing handoff, acknowledge filing confirmation, or release a controlled taxonomy version**. Static deterministic AI (rule-based classification, regex-based metadata extraction) may surface advisory help. Jurisdiction-specific legal enforceability of Annex 22 and the EU AI Act remains subject to a future jurisdiction-specific legal assessment. |
| Regulatory Classification | Critical infrastructure substrate — operates the canonical Document Quality Gateway (DQG) artifact-centric governance covering: (a) the **canonical module scope: DQG is artifact-centric** (artifact-level QC / intake / filing handoff) — substantive compliance review is delegated to URS-20 Reviews per DEC-31-08; (b) the artifact-centric data domain (taxonomy, artifact, artifact review, artifact classification, filing handoff, inbound import, cross-reference, health metrics, ingest channel, sender communication); (c) the **artifact lifecycle state machine (16 states: `submitted → ai_classifying → ai_classified → ai_reviewing → ai_reviewed → hitl_review_pending → hitl_under_review → hitl_approved | hitl_rejected → reclassification_required | remediation_required → staged → filing_in_progress → filed | filing_failed → withdrawn` with controlled transitions)** per DEC-31-03; (d) the **filing-handoff lifecycle state machine** (`packaging → packaged → qa_review → approved_for_filing → transmitting → transmitted → confirmed_filed`; `filing_failed → retrying → transmitting`; cancellation at any node) with **CR-001 controlled-action fix: `createFilingHandoff` MUST seed valid `packaging` initial state, NOT invalid `pending`** per DEC-31-04 + **CR-002 controlled-action fix: `transitionFilingHandoffStatus` `acknowledged` branch MUST be wired into the valid `confirmed_filed → acknowledged` transition with `acknowledgment_received_at` stamp** per DEC-31-04 (— three Critical workflow-engine defects from Module specification are controlled-action fixes per DEC-31-04); (e) the **inbound-import lifecycle state machine** (`initiated → files_uploading → files_received → parsing → parsed → classifying → classified → review_pending → under_review → reviewed → staging → staged → completed`; `failed → initiated`) with **CR-003 controlled-action fix: `createInboundImport` MUST seed valid `initiated` initial state, NOT invalid `pending`** per DEC-31-06; (f) the **TMF-aligned taxonomy registry** (DIA TMF Reference Model alignment for clinical artifacts; ICH eCTD modules for regulatory artifacts) with controlled lifecycle (`draft → under_review → effective → superseded → archived`) + URS-13 CR linkage per DEC-31-07 (-002); (g) the artifact-classification substructure with **AI-classification provenance + HITL human acceptance + classification confidence + taxonomy-version snapshot** per DEC-31-13; (h) the **DQG dedicated authority model replacing `document_review` permission overload** per DEC-31-10; (i) the ingest-channel registry (Email IMAP / Webhook with HMAC-signed / Direct Upload / Partner API with OAuth 2.0) with **secret-store credential governance** per DEC-31-11 (parallel to URS-29 DEC-29-07 / URS-30 DEC-30-04); (j) the sender-communication substructure as a **specialized URS-30 client** per DEC-31-12 (artifact-related communications dispatched through URS-30 Notifications dispatcher); (k) the **outward linkage to enterprise modules**: URS-20 Reviews for substantive compliance review per DEC-31-08, URS-12 Document Control for controlled-document libraries, URS-22 Inspection for back-room evidence retrieval, URS-27 Regulatory for filing handoff to regulatory submissions, URS-29 Screen Reader for inbound capture extraction promotions per DEC-31-08; (l) the multi-dimensional context capture (`tenant_id` mandatory, `study_id` mandatory at artifact-level for clinical artifacts, `product_id` optional, `taxonomy_id` mandatory, `taxonomy_version_snapshot`); (m) the canonical API contract `/api/v1/dqg/*` (per DEC-31-01); (n) the typed schema validation across every route; (o) the controlled frontend route surface per DEC-31-12; (p) the audit-trail coverage with reason-for-change discipline including **attributable state transitions per 21 CFR Part 11 §11.10(e) — every state transition MUST be attributable to an authenticated user OR an explicitly documented system context** per DEC-31-14; (q) the Authority/HITL/e-signature substrate on every regulated final action per DEC-31-10; (r) the AI-assisted classification / review / taxonomy / routing substrate with **provenance + mandatory human acceptance** per DEC-31-13; (s) the post-locked record immutability across the DQG program; (t) the controlled reopen workflow with executive authority co-sign and Qualified Person co-sign per DEC-31-22; (u) the canonical findings-source emission to URS-21 for stale inbound imports / chronic filing failures / missed-handoff findings per DEC-31-15; (v) the canonical CAPA-source emission to URS-18 for chronic filing failures per DEC-31-16; (w) the URS-28 training qualification-gate consumer for HITL reviewer authority per DEC-31-23; (x) the MIRA copilot read-only context integration on DQG records, and the per-jurisdictional regulatory expectations under FDA 21 CFR Part 11 §11.10(a) (validation), §11.10(d) (authority checks), §11.10(e) (audit trails — attributable state transitions), §11.50 (signature manifestations), §11.70 (signature/record linking), §11.200 (electronic signature controls — primary FDA predicate); EU GMP Annex 11 §4 (Validation), §5 (Data — including artifact integrity), §9 (Audit Trails), §12 (Security including credential governance), §14 (Electronic Records / Signatures), §16 (Incident Management) — primary EU predicate; EU GMP Annex 22 Draft 2025 §7 (HITL — internal forward-looking control); EU AI Act (Regulation 2024/1689) Art. 13 / Annex III (internal forward-looking control); MHRA Data Integrity Guidance (ALCOA+); GAMP 5 Cat 5; **FDA Computer Software Assurance (CSA) — September 2025 Final Guidance** (DQG classified as not-high-process-risk for artifact intake EXCEPT where filing handoff to regulatory submission applies — those become high-process-risk); **DIA TMF Reference Model v3.3** (TMF-aligned taxonomy primary reference per DEC-31-07); **ICH E6(R3) §8** (Essential Documents for Conduct of a Clinical Trial — TMF basis); **ICH M2 / eCTD Specification** (eCTD module alignment for regulatory artifacts); **ICH M8 (Implementation Working Group) eCTD v4.0** (eCTD v4.0 alignment); **ISO/IEC 27001** (information security — credential governance for ingest channels); and India CDSCO NDCT 2019 §27 (clinical trial documentation) + Schedule M (Revised) §16 (Records and Reports) subject to a future jurisdiction-specific legal assessment for Verixa's exact CDSCO obligations. |
| Date of Issue | 2026-05-07 |
| Module Owner (Engineering) | Quality / DQG Squad |
| Module Owner (Quality Validation) | CSV / CSA Lead — DQG |
| Module Owner (Compliance) | Regulatory Affairs (Primary Owner — TMF/eTMF integration), Quality Assurance, Information Security, Qualified Person Authority |
| Approving Authority | Founder / Chairman & MD; QA Head; **RA Head (Primary Owner)**; Manufacturing Head; Validation Head; Information Security Head; Qualified Person (QP) Authority; Site Quality Lead |

---

## 0. Document Framing

### 0.1 Purpose of this document

This URS defines the target expected state for Verixa's Document Quality Gateway (DQG) — Intake, Classification, and Filing Handoff Governance module (Module 31). It is the binding contract between product, engineering, quality validation, regulatory affairs (primary owner — TMF/eTMF integration), information security, manufacturing, the Qualified Person authority, distribution, laboratory operations, and the executive authority for the design, implementation, validation, release, and on-going periodic review of the regulated DQG artifact-centric substrate: the **canonical module scope as artifact-centric** (substantive compliance review delegated to URS-20 Reviews per DEC-31-08); the artifact lifecycle state machine (16 states per DEC-31-03); the **filing-handoff lifecycle with three workflow-engine controlled actions** (CR-001 invalid `pending` initial state on `createFilingHandoff` → seed `packaging`; CR-002 missing `acknowledged` transition wiring; CR-003 invalid `pending` initial state on `createInboundImport` → seed `initiated`) per DEC-31-04 / DEC-31-06; the inbound-import lifecycle per DEC-31-06; the TMF-aligned taxonomy per DEC-31-07; the **dedicated DQG authority model replacing `document_review` permission overload** per DEC-31-10; the ingest-channel registry with secret-store credential governance per DEC-31-11; the sender-communication substructure as specialized URS-30 client per DEC-31-12; the outward linkage to URS-20 / URS-12 / URS-22 / URS-27 / URS-29 per DEC-31-08; the multi-dimensional context capture; the canonical API contract `/api/v1/dqg/*` per DEC-31-01; the typed schema validation; the controlled frontend route surface; the **attributable state transitions audit (21 CFR Part 11 §11.10(e))** per DEC-31-14; the Authority/HITL/e-signature substrate on every regulated final action per DEC-31-10; the AI-assisted classification / review / taxonomy substrate with provenance + mandatory human acceptance per DEC-31-13; the post-locked record immutability; the controlled reopen workflow with executive authority co-sign and Qualified Person co-sign per DEC-31-22; the canonical findings emission to URS-21 per DEC-31-15; the canonical CAPA emission to URS-18 per DEC-31-16; the URS-28 training qualification-gate consumer for HITL reviewer authority per DEC-31-23; the MIRA copilot read-only context integration with **AI advisory only — never the sole path to advance a regulated DQG workflow** under the canonical ARCH-AI-001 binding; the audit trail coverage with reason-for-change discipline; and the per-jurisdictional regulatory expectations including DIA TMF Reference Model v3.3 + ICH E6(R3) §8 + ICH M2/M8 eCTD specifications. Compliance with this URS is mandatory.

### 0.2 Audience

Engineering, QA, **Regulatory Affairs (primary owner — TMF/eTMF integration)**, Manufacturing, Qualified Person Authority, Distribution, Laboratory Operations, Validation, Information Security, executive authority, the platform's Implementation team, internal and external auditors, and inspectors from regulatory bodies (FDA, EMA, MHRA, Health Canada, CDSCO, PIC/S, PMDA, WHO). The plain-language primer (§0.4) and worked examples (§3.5) make Module 31 accessible to non-domain engineers, product owners, validation engineers, and quality investigators.

### 0.3 Cross-references

- **URS-01** Authentication, Session & Access Control — identity envelope for every DQG mutation
- **URS-02** RBAC & Permissions — the **dedicated `dqg:*` permission set** (NOT `document_review:*` per DEC-31-10): `dqg:taxonomy:*`, `dqg:artifact:*`, `dqg:artifact:hitl:*`, `dqg:filing_handoff:*`, `dqg:inbound_import:*`, `dqg:ingest_channel:*`, `dqg:cross_reference:*`, `dqg:sender_communication:*`, `dqg:health_metrics:*`
- **URS-03** Context Gate & Approval Scope — context-gate enforcement
- **URS-04** Workflow / HITL / E-Signature / Approval Authority — Controlled Approval Modal contract for HITL review approval / rejection / filing-handoff approval / inbound-import review / artifact withdrawal / program lock / reopen
- **URS-05** Authority Profile / Delegation / SoD — Authority Profiles consumed (`dqg_taxonomy_release_authority`, `dqg_hitl_reviewer_authority`, `dqg_filing_handoff_qa_reviewer_authority`, `dqg_filing_handoff_approver_authority`, `dqg_inbound_import_reviewer_authority`, `dqg_artifact_withdrawal_authority`, `dqg_ingest_channel_release_authority`, `qualified_person_authority`, `final_quality_approver`, `executive_authority`, `information_security_authority`, `regulatory_affairs_authority`)
- **URS-06** Audit Trail / Hash Chain / Tamper-Evident — append-only audit substrate; **attributable state transitions per 21 CFR Part 11 §11.10(e)** per DEC-31-14
- **URS-07** Study Management — mandatory study-scope dimension for clinical artifacts
- **URS-08** Tenant Management Lifecycle — tenant context for DQG records
- **URS-09** Site / Facility Management — site-scope inherited via `studies` parent
- **URS-10** Product / SKU / Drug Master Data — optional product-scope dimension
- **URS-12** Document Control / SOP — **primary linkage**: controlled artifact-file storage with content hash; controlled-document libraries downstream linkage per DEC-31-08
- **URS-13** Change Control — taxonomy effective-release linkage; ingest-channel effective-release linkage; filing-handoff target-system change requests
- **URS-14** Complaints — read-only consumer for complaint-related DQG artifacts
- **URS-15** OOS / OOT — read-only consumer
- **URS-16** Deviations — read-only consumer
- **URS-17** RCA — read-only consumer
- **URS-18** CAPA — primary downstream consumer for chronic filing-failure CAPA per DEC-31-16
- **URS-19** Risk Assessment — read-only consumer
- **URS-20** Reviews — **primary outward linkage**: substantive compliance review delegated to URS-20 per DEC-31-08 (artifact-level QC review remains in DQG; substantive compliance review = URS-20)
- **URS-21** Findings — primary downstream consumer for stale inbound imports + chronic filing failures + missed-handoff findings per DEC-31-15
- **URS-22** Inspection Mgmt — DQG artifacts retrievable as inspection back-room evidence per URS-22
- **URS-23** Batch Records — read-only consumer
- **URS-24** Stability — read-only consumer
- **URS-25** EM — read-only consumer
- **URS-26** APQR — read-only consumer
- **URS-27** Regulatory Intelligence — **primary outward linkage**: filing-handoff to regulatory submissions per DEC-31-08 (DQG packages and stages; URS-27 governs the regulatory submission lifecycle)
- **URS-28** Training — **primary inward linkage**: HITL reviewer authority requires URS-28 qualification-gate verification per DEC-31-23
- **URS-29** Screen Reader / Data Capture — **primary inward linkage**: capture extractions promoted to DQG artifacts where applicable per URS-29 DEC-29-23
- **URS-30** Notifications — **primary outward linkage**: DQG sender-communication substructure is a specialized URS-30 client per DEC-31-12 (DQG emits artifact-related notification events; URS-30 dispatches)
- **URS-32** MIRA AI — read-only MIRA copilot context integration; AI advisory drafting only with mandatory human acceptance per DEC-31-13
- **URS-33** GMP Manufacturing — context for GMP artifacts
- **URS-34** GDP Distribution — context for GDP artifacts
- **URS-35** Infrastructure / Backup-Restore — operational continuity; secret-store linkage per DEC-31-11

### 0.4 Plain-language primer

In a regulated pharmaceutical operation, **the Document Quality Gateway (DQG)** is the controlled entry point through which artifacts (clinical trial documents, regulatory submission components, manufacturing records, supplier-provided documents, partner deliverables) are received, classified, QC-reviewed, staged, and handed off to downstream filing systems (eTMF for clinical trial artifacts, regulatory submission systems for eCTD modules, controlled-document libraries for SOPs and effective documents). DQG is **artifact-centric** — its scope is intake / taxonomy / artifact-level QC / filing handoff / inbound import / sender communication. **DQG is NOT a second standalone compliance review engine** — substantive compliance review is delegated to URS-20 Reviews per DEC-31-08 (this canonical module scope anchors DQG as artifact-centric with substantive compliance review delegated to URS-20 Reviews). DQG is in regulatory scope under: FDA 21 CFR Part 11 §§11.10(a), 11.10(d), 11.10(e), 11.50, 11.70, 11.200; EU GMP Annex 11 §§4, 5, 9, 12, 14, 16; **DIA TMF Reference Model v3.3** (TMF-aligned taxonomy); **ICH E6(R3) §8 (Essential Documents for Conduct of a Clinical Trial)** — the regulatory basis for the TMF; **ICH M2 / eCTD Specification + ICH M8 eCTD v4.0** for regulatory artifacts; MHRA Data Integrity Guidance (ALCOA+); FDA CSA September 2025; ICH Q10. Module 31 is the target specification for this regulated workflow.

The **most consequential** mistakes in regulated DQG handling — explicitly identified in the Module specification as workflow-engine blockers — are: **CR-001 — `createFilingHandoff` seeds invalid `pending` initial state silently blocking all subsequent transitions** (the filing-handoff state machine's valid entry is `packaging`, and `pending` is not a member of `FilingHandoffStatus`); **CR-002 — `transitionFilingHandoffStatus` branches on `acknowledged` which is not a member of `FilingHandoffStatus`, so the `acknowledgment_received_at` stamp is never written via the transition ceremony**; **CR-003 — `createInboundImport` seeds invalid `pending` initial state** (the inbound-import state machine's valid entry is `initiated`). Module 31 enforces the corrective pathway: **all three workflow-engine blockers MUST be fixed before validation execution per DEC-31-04 / DEC-31-06**; non-compliant with FDA 21 CFR Part 11 §11.10(a) System Validation. The fourth most consequential issue is the **canonical scope blur** — all 46 DQG routes permissioned under `resource: 'document_review'` blurs DQG into document review rather than a clean artifact governance domain. Module 31 enforces the corrective pathway: a **dedicated `dqg:*` permission set** replaces `document_review:*` permission overload per DEC-31-10. The fifth most consequential issue is **state transitions not always attributable to an authenticated user or documented system context** per FDA 21 CFR Part 11 §11.10(e). Module 31 enforces the pathway: every state transition MUST be attributable per DEC-31-14.

The **AI-assistance** dimension is critical and explicit in the Module specification ARCH-AI-001 binding: "every DQG AI-assisted surface (AI classification, AI review, OCR-assist, taxonomy recommendation, HITL auto-route suggestion) shall provide a non-AI manual execution path; **no AI service shall be the only path to advance a regulated DQG workflow**". MIRA copilot may surface advisory classification suggestions, advisory review summaries, advisory taxonomy recommendations, and advisory HITL routing recommendations through `dqg_ai_assistance` with full provenance + mandatory human acceptance per DEC-31-13. The qualified human HITL reviewer / filing-handoff approver / taxonomy releaser's signed disposition is the system of record.

The **two-step release path** mirrors every other Module: this URS becomes "Approved Controlled URS — released for engineering implementation and validation planning" upon signature capture in the Document Approval block; it becomes "Released for validation execution" only after URS-31-VAL-008 (Migration Evidence Gate including the three workflow-engine controlled actions) and the §17 validation evidence pack are satisfied.

### 0.5 Conventions

Each requirement has a unique identifier. "MUST" denotes a mandatory requirement; "SHOULD" denotes a strong recommendation; "MAY" denotes an option. The document is self-contained: front end (§5), back end (§6), data model (§6.2), application programming interface (§6.3), workflow (§6.4), business rules (§6.5), audit (§6.6), security (§12), regulatory mapping (§14), test cases (§16), and validation evidence (§17) are all in this single file. Every requirement is mandatory unless explicitly marked SHOULD or MAY.

### 0.6 Glossary

| Term | Definition |
|---|---|
| Artifact | The primary DQG record — a controlled document file (PDF / DOCX / XLSX / image / structured data) under DQG governance with full lifecycle per DEC-31-03. |
| Taxonomy | The controlled-template document defining the artifact classification hierarchy (TMF-aligned per DIA TMF Reference Model v3.3 for clinical artifacts; ICH M2/M8 eCTD module-aligned for regulatory artifacts); lifecycle `draft → under_review → effective → superseded → archived` per DEC-31-07; immutable historical versions. |
| Artifact classification | The assignment of an artifact to a taxonomy node with `taxonomy_version_snapshot` + classification confidence + (optional) AI-assistance provenance per DEC-31-13. |
| Artifact review | The artifact-level QC review (lifecycle `pending → in_progress → completed | cancelled`) — distinct from substantive URS-20 compliance review per DEC-31-08. |
| HITL review | The human-in-the-loop review step in the artifact lifecycle (`hitl_review_pending → hitl_under_review → hitl_approved | hitl_rejected`) with `dqg_hitl_reviewer_authority` (URS-28 qualification-gate verified per DEC-31-23) + bound e-signature per DEC-31-04. |
| Filing handoff | The controlled handoff of an approved artifact to a downstream filing system (eTMF / regulatory submission system / controlled-document library); lifecycle `packaging → packaged → qa_review → approved_for_filing → transmitting → transmitted → confirmed_filed` (with `acknowledged` post-confirmed, and `filing_failed → retrying → transmitting`); cancellation at any node per DEC-31-04. |
| Inbound import | The controlled receipt of artifacts from external sources (email, webhook, partner API, direct upload); lifecycle `initiated → files_uploading → files_received → parsing → parsed → classifying → classified → review_pending → under_review → reviewed → staging → staged → completed`; `failed → initiated` per DEC-31-06. |
| Ingest channel | A configured external source for inbound imports (Email IMAP/SMTP / Webhook HMAC-signed / Direct Upload / Partner API OAuth 2.0); credentials via secret store per DEC-31-11. |
| Cross-reference | A linkage between a DQG artifact and a related URS-12 controlled document or another DQG artifact. |
| Sender communication | A specialized URS-30 client emitting artifact-related communications (acknowledgments, requests for information, filing confirmations) per DEC-31-12. |
| Health metric | A DQG operational metric (intake throughput, classification accuracy, HITL backlog, filing-handoff cycle time, inbound-import success rate). |
| Reopen | A governed transition event from `locked → in_progress` requiring `executive_authority` co-sign AND `qualified_person_authority` co-sign + documented reason; appends a new program iteration without mutating prior locked evidence per DEC-31-22. |
| ARCH-AI-001 | Platform architecture binding requiring manual continuity for every AI surface (AC-1, AC-2, AC-3, AC-4, AC-7) — canonically explicit binding for this module. |
| Annex 22 | EU GMP Annex 22 (Draft 2025) §7. Verixa treats Annex 22 §7 + EU AI Act high-risk / transparency as internal forward-looking AI governance controls. AI may draft advisory classification / review / taxonomy with mandatory human acceptance; AI is prohibited from being the sole path to advance a regulated DQG workflow. Binding predicate-rule obligations remain those listed in §14. |
| MIRA | The platform's read-only AI copilot service; for Module 31 MIRA may propose advisory drafts via `dqg_ai_assistance`; no MIRA write paths to system-of-record DQG fields without explicit human confirmation; no AI advances regulated DQG workflow. |

### 0.7 Module-31 architectural picture

```mermaid
flowchart TD
 EXT[External Sources] --> IC[/Ingest Channels — secret-store credentials/]
 IC --> II[/Inbound Imports — controlled lifecycle/]
 UPLOAD[Direct Upload via URS-12] --> ART[/Artifacts — 16-state lifecycle/]
 II --> ART
 TAX[/Taxonomies — TMF/eCTD aligned + controlled lifecycle/]
 ART --> CLS[Artifact Classification — taxonomy snapshot + AI provenance]
 CLS --> AI_R[AI Review — advisory]
 AI_R --> HITL[HITL Review — dqg_hitl_reviewer_authority + URS-28 qualification-gate + bound e-sign]
 HITL --> APR[Approved]
 HITL --> REJ[Rejected]
 REJ --> RECL[reclassification_required]
 REJ --> REM[remediation_required]
 RECL --> CLS
 REM --> ART
 APR --> STG[Staged]
 STG --> FH[/Filing Handoff — controlled lifecycle/]
 FH -- packaging → packaged → qa_review → approved_for_filing → transmitting → transmitted → confirmed_filed → acknowledged --> ETMF[External eTMF / Regulatory / Controlled Doc Library]
 ETMF --> CFM[Confirmed Filed]
 AI[MIRA AI] --> AIA[/DQG AI Assistance — advisory + provenance + acceptance/]
 AIA -. advisory only.-> CLS / AI_R / HITL / TAX
 M20[URS-20 Reviews — substantive compliance review delegated per DEC-31-08] <-- ART
 M27[URS-27 Regulatory] <-- FH (filing handoff to regulatory submission per DEC-31-08)
 M12[URS-12 Document Control] <-- ART (artifact-file storage); <-- FH (controlled-document library)
 M22[URS-22 Inspection] -- back-room retrieval --> ART
 M28[URS-28 Training] -- qualification-gate --> HITL
 M29[URS-29 Screen Reader] -- promote extraction --> ART (per URS-29 DEC-29-23)
 M30[URS-30 Notifications] <-- SC[Sender Communication — specialized URS-30 client per DEC-31-12]
 M21[URS-21 Findings] <-- chronic filing failure / missed handoff
 M18[URS-18 CAPA] <-- chronic filing failure CAPA
 LOCK[Program Lock] --> ART
 LOCK -. governed reopen + executive + QP co-sign.-> ART
```

The platform shall implement: artifact-centric scope per DEC-31-08; 16-state artifact lifecycle per DEC-31-03; **filing-handoff lifecycle with three workflow-engine controlled actions** per DEC-31-04; inbound-import lifecycle with controlled-action fix per DEC-31-06; TMF/eCTD-aligned taxonomy per DEC-31-07; **dedicated `dqg:*` permission set** per DEC-31-10; secret-store credential governance for ingest channels per DEC-31-11; sender communication as specialized URS-30 client per DEC-31-12; outward linkage to URS-20 / URS-12 / URS-22 / URS-27 / URS-29 per DEC-31-08; multi-dimensional context capture; canonical API contract `/api/v1/dqg/*`; typed schema validation; controlled frontend route surface; **attributable state transitions audit per 21 CFR Part 11 §11.10(e)** per DEC-31-14; Authority/HITL/e-signature substrate per DEC-31-10; AI-assisted classification / review / taxonomy substrate with provenance + mandatory human acceptance per DEC-31-13; post-locked record immutability; governed reopen with executive + QP co-sign per DEC-31-22; canonical findings/CAPA emission per DEC-31-15.16; URS-28 training qualification-gate consumer per DEC-31-23; MIRA copilot read-only with advisory drafting only — **AI prohibited from sole-path advancement of regulated DQG workflow** per ARCH-AI-001; and per-jurisdictional regulatory expectations.

### 0.8 Locked Launch Controls

| Locked control | Authority | Rationale |
|---|---|---|
| Two-step release path: signature → engineering implementation → validation execution | DEC-31-01 / VAL-008 | Mirrors every other Module. |
| "No Module 31 internal decisions outstanding" | §11.6 | Captured in locked decisions DEC-31-01..DEC-31-23 (§3.2), including the three workflow-engine controlled actions (CR-001 / CR-002 / CR-003). |
| `platform_admin` / `super_admin` support / break-glass only | DEC-31-20 / SoD-31-07 | Operating-tenant DQG ownership is the regulated path. |
| Target implementation binding language | Module bindings | URS specifies expected implementation. |
| AI overclaim posture as **internal forward-looking governance** with **canonical ARCH-AI-001 prohibition on AI-only sole-path advancement of regulated DQG workflow** | Architecture Bindings | Canonical Module specification explicitly invokes ARCH-AI-001; AI advisory only; AI cannot finalize HITL approval / rejection / filing-handoff approval / acknowledgment / inbound-import review / artifact withdrawal / taxonomy release. |
| Enumerated error codes | §6.7 | Stable machine-readable error contract. |
| JSON multi-signature evidence as **derived snapshot** | §6.6 | The `electronic_signatures` substrate is the system of record. |
| India CDSCO §27 / §16 row | §14 | India CDSCO clinical trial documentation + Records and Reports captured (subject to a future jurisdiction-specific legal assessment). |
| Version 1.0 posture | Header | First binding version. |
| Canonical API mount `/api/v1/dqg/*` | DEC-31-01 | Canonical API mount; route comments aligned to canonical mount. |
| **DQG scope as artifact-centric** | DEC-31-08 | Substantive compliance review delegated to URS-20 Reviews;.008/013. |
| **CR-001 controlled-action fix: `createFilingHandoff` MUST seed `packaging` initial state** (P0) | DEC-31-04 | Closes 21 CFR Part 11 §11.10(a) System Validation defect. |
| **CR-002 controlled-action fix: `transitionFilingHandoffStatus` `acknowledged` branch wired to valid transition** (P0) | DEC-31-04 | Closes acknowledgment-stamp gap. |
| **CR-003 controlled-action fix: `createInboundImport` MUST seed `initiated` initial state** (P0) | DEC-31-06 | Closes 21 CFR Part 11 §11.10(a) System Validation defect. |
| 16-state artifact lifecycle | DEC-31-03 | Per this URS `workflow.ts`; controlled transitions per state machine. |
| TMF/eCTD-aligned taxonomy with controlled lifecycle | DEC-31-07 | DIA TMF Reference Model v3.3 + ICH M2/M8 eCTD; URS-13 CR linkage on effective release. |
| **Dedicated `dqg:*` permission set replacing `document_review` overload** | DEC-31-10 | Closes URS-031-010 conflict. |
| Ingest-channel secret-store credential governance | DEC-31-11 | Parallel to URS-29 DEC-29-07 / URS-30 DEC-30-04. |
| Sender communication as specialized URS-30 client | DEC-31-12 | DQG emits artifact-related notification events; URS-30 dispatches. |
| Outward linkage to enterprise modules | DEC-31-08 | URS-20 / URS-12 / URS-22 / URS-27 / URS-29 integration. |
| AI-assisted classification / review / taxonomy / routing substrate with provenance + mandatory human acceptance (target requirement) | DEC-31-13 / ARCH-AI-001 | `dqg_ai_assistance` table; advisory only. |
| **Attributable state transitions audit per 21 CFR Part 11 §11.10(e)** | DEC-31-14 | Every state transition attributable to authenticated user OR documented system context. |
| Authority/HITL/e-sign on every regulated final action | DEC-31-10 | HITL approval / rejection / filing-handoff approval / inbound-import review / artifact withdrawal / program lock / reopen all gated. |
| URS-28 training qualification-gate consumer for HITL reviewer authority (target requirement) | DEC-31-23 | HITL reviewer must be qualified per URS-28 DEC-28-23. |
| Bound e-signature persistence on every regulated final action | DEC-31-10 / DEC-31-23 | All regulated finals carry bound e-signature. |
| Governed reopen pattern (`locked → in_progress`) | DEC-31-22 / SoD-31-06 | Append-only iteration; executive + QP co-sign; does NOT mutate prior locked evidence. |

---

## 1. Scope and Out-of-Scope

### 1.1 In-scope

- The **artifact-centric** DQG governance (intake / taxonomy / artifact-level QC / filing handoff / inbound import / sender communication / cross-reference / health metrics / ingest channels).
- The 16-state artifact lifecycle.
- The filing-handoff lifecycle with the three workflow-engine controlled actions.
- The inbound-import lifecycle.
- The TMF/eCTD-aligned taxonomy with controlled lifecycle.
- The dedicated `dqg:*` permission set.
- The ingest-channel registry with secret-store credential governance.
- The sender-communication substructure as specialized URS-30 client.
- The outward linkage to URS-20 / URS-12 / URS-22 / URS-27 / URS-29.
- The Authority/HITL/e-signature substrate on every regulated final action.
- The audit-trail coverage with attributable state transitions.
- The MIRA copilot read-only context integration (advisory drafting only).
- The AI-assisted classification / review / taxonomy substrate with provenance + mandatory human acceptance.
- The findings emission to URS-21.
- The CAPA emission to URS-18.
- The change-control linkage to URS-13.
- The URS-12 Document Control integration for artifact-file storage.
- The URS-28 training qualification-gate consumer for HITL reviewer authority.
- The governed reopen workflow.
- The per-jurisdictional regulatory expectations including DIA TMF Reference Model v3.3 + ICH E6(R3) §8 + ICH M2/M8 eCTD.

### 1.2 Out-of-scope

- **Substantive compliance review** — delegated to URS-20 Reviews per DEC-31-08 (DQG handles artifact-level QC review only).
- The CAPA register itself (URS-18).
- The change-control register itself (URS-13).
- The findings register itself (URS-21).
- The document-control register itself (URS-12).
- The reviews register itself (URS-20).
- The MIRA copilot service itself (URS-32).
- The notifications dispatcher itself (URS-30) — DQG sender communication is a specialized URS-30 client per DEC-31-12.
- The secret-store substrate itself (URS-35).
- The training register itself (URS-28).
- Direct integration with specific eTMF vendors (Veeva Vault, Phlexglobal, Wingspan) — generic eTMF connector pattern in scope; vendor connectors are future-state.
- Direct integration with FDA ESG / EMA EudraVigilance for regulatory submission transmission — handled via URS-27 Regulatory per DEC-31-08.

---

## 2. Preconditions, Dependencies, Constraints

### 2.1 Operating preconditions

The following preconditions MUST hold for this URS to apply at validation time. Each bullet is a binding precondition; deviations require a controlled exception per URS-13 Change Control.

- The platform's authentication and session substrate (URS-01), RBAC (URS-02), context gate (URS-03), HITL / e-sign (URS-04), Authority Profile registry (URS-05), audit-trail hash-chain (URS-06), document-control (URS-12), change-control (URS-13), reviews (URS-20), CAPA (URS-18), findings (URS-21), training qualification-gate (URS-28), notifications (URS-30), and MIRA AI (URS-32), and infrastructure secret-store (URS-35) are released and operational at validation time.
- DQG program owners, taxonomy releasers, HITL reviewers, filing-handoff approvers, Qualified Person, Information Security authority, RA Authority are trained, attributable users with documented authority.
- HITL reviewers are qualified per URS-28 DEC-28-23 qualification-gate.
- AI-assisted DQG surfaces are advisory only.
- The tenant operating jurisdiction(s) are configured.

### 2.2 Dependencies

- URS-01.URS-30, URS-32.URS-35 platform contracts.
- The `electronic_signatures` substrate.
- The `authority` substrate.
- The `hitl` substrate.
- The `audit_trail` substrate.
- The `documents` substrate (URS-12 — primary artifact-file storage).
- The `secret_store` substrate (URS-35 — ingest-channel credential governance per DEC-31-11).
- The `change_control` substrate (URS-13).
- The `reviews` substrate (URS-20 — substantive compliance review delegation).
- The `notifications` substrate (URS-30 — sender communication dispatch).
- The training `qualification-gate` substrate (URS-28).

### 2.3 Constraints

- The canonical API mount is `/api/v1/dqg/*`. No frontend hook may use `/api/dqg/*` (extra `/api`) or the legacy `document-quality-gateway/*` form.
- AI-assisted content is advisory-only; **no AI service shall be the only path to advance a regulated DQG workflow** (canonical ARCH-AI-001 binding).
- DQG is **artifact-centric**; substantive compliance review is delegated to URS-20.
- DQG uses dedicated `dqg:*` permission set; `document_review:*` permission overload is rejected.
- Ingest-channel credentials sourced from secret store; inline credentials rejected.
- Effective taxonomy / ingest-channel versions are immutable; revisions create new version rows.
- Filing-handoff initial state MUST be `packaging` (NOT `pending`) per CR-001 controlled-action fix.
- `transitionFilingHandoffStatus` MUST wire `acknowledged` transition correctly per CR-002 controlled-action fix.
- Inbound-import initial state MUST be `initiated` (NOT `pending`) per CR-003 controlled-action fix.
- Every state transition attributable to authenticated user or documented system context per 21 CFR Part 11 §11.10(e).
- HITL reviewer MUST satisfy URS-28 qualification-gate per DEC-31-23.

---

## 3. Closed Launch Decisions

### 3.1 Decision register

| Decision ID | Title | Locked decision |
|---|---|---|
| DEC-31-01 | Two-step release path + canonical API contract | Module 31 follows the same two-step release path; canonical API mount `/api/v1/dqg/*`; all hooks use canonical relative `/dqg/*` paths; route comments aligned to the canonical `/api/v1/dqg/*` mount. |
| DEC-31-02 | Multi-dimensional context model | `tenant_id` mandatory, `study_id` mandatory at artifact level for clinical artifacts (TMF context), `product_id` optional, `taxonomy_id` mandatory on classification, `taxonomy_version_snapshot` mandatory at classification time. |
| DEC-31-03 | Artifact 16-state lifecycle | Artifact lifecycle is the 16-state machine: `submitted → ai_classifying → ai_classified → ai_reviewing → ai_reviewed → hitl_review_pending → hitl_under_review → hitl_approved | hitl_rejected → reclassification_required | remediation_required → staged → filing_in_progress → filed | filing_failed → withdrawn`; controlled transitions per state machine; `withdrawn` requires `dqg_artifact_withdrawal_authority` + HITL + bound e-sign per DEC-31-10. |
| DEC-31-04 | **Filing-handoff lifecycle with three workflow-engine blocker fixes** | Filing-handoff lifecycle is `packaging → packaged → qa_review → approved_for_filing → transmitting → transmitted → confirmed_filed → acknowledged`; `filing_failed → retrying → transmitting`; cancellation at any node; **CR-001 controlled-action fix: `createFilingHandoff` MUST seed valid `packaging` initial state, NOT invalid `pending`**; **CR-002 controlled-action fix: `transitionFilingHandoffStatus` `acknowledged` branch MUST be wired into the valid `confirmed_filed → acknowledged` transition with `acknowledgment_received_at` stamp written via the transition ceremony**; QA review requires `dqg_filing_handoff_qa_reviewer_authority` + HITL + bound e-sign; approval-for-filing requires `dqg_filing_handoff_approver_authority` + HITL + bound e-sign + URS-13 CR for filing-handoff target-system change; transmission emits `dqg_filing_handoff_transmitted` event; confirmation parses external system response; acknowledgment stamps timestamp from external system response. |
| DEC-31-05 | Sender communication as specialized URS-30 client | DQG sender-communication substructure persists artifact-related communication intent (`acknowledgment` / `request_for_information` / `filing_confirmation` / `rejection_notice`); dispatch is delegated to URS-30 Notifications via `dqg_sender_communication_dispatched` event consumed by URS-30; URS-30 is the system of record for delivery; DQG persists the dispatched-event linkage (`linked_notification_send_id` from URS-30) for back-traceability per DEC-31-12. |
| DEC-31-06 | **Inbound-import lifecycle with CR-003 controlled-action fix** | Inbound-import lifecycle is `initiated → files_uploading → files_received → parsing → parsed → classifying → classified → review_pending → under_review → reviewed → staging → staged → completed`; `failed → initiated`; **CR-003 controlled-action fix: `createInboundImport` MUST seed valid `initiated` initial state, NOT invalid `pending`**; review requires `dqg_inbound_import_reviewer_authority` + HITL + bound e-sign per DEC-31-10. |
| DEC-31-07 | TMF/eCTD-aligned taxonomy + controlled lifecycle | Taxonomy registry persists hierarchical classification with TMF reference (DIA TMF Reference Model v3.3 alignment for clinical artifacts) and eCTD reference (ICH M2 / ICH M8 eCTD v4.0 alignment for regulatory artifacts); lifecycle `draft → under_review → effective → superseded → archived`; release to `effective` requires `dqg_taxonomy_release_authority` + HITL + bound e-sign + URS-13 CR linkage per DEC-31-19; effective versions are immutable; revisions create new version rows; `taxonomy_version_snapshot` captured at artifact-classification time per DEC-31-13 (-002). |
| DEC-31-08 | DQG scope as artifact-centric + outward linkage to enterprise modules | DQG scope is **artifact-centric** (intake / taxonomy / artifact-level QC review / filing handoff / inbound import / sender communication); **substantive compliance review is delegated to URS-20 Reviews** (not duplicated in DQG); outward linkage configured: URS-20 Reviews for compliance review, URS-12 Document Control for controlled-document libraries, URS-22 Inspection for back-room evidence retrieval, URS-27 Regulatory for filing handoff to regulatory submissions, URS-29 Screen Reader for inbound capture extraction promotions per URS-29 DEC-29-23 (-005.008/013). |
| DEC-31-09 | URS-12 Document Control linkage for artifact-file storage | Artifact files are stored as URS-12 documents with `document_id` + `document_version_id` + `content_hash` + server-attributed storage path; DQG `dqg_artifacts.file_document_id` references URS-12; the URS-12 document version is immutable post-staging; promotion to URS-12 controlled-document library upon `filed` state per DEC-31-08. |
| DEC-31-10 | **Dedicated `dqg:*` permission set replacing `document_review` overload + Authority/HITL/e-sign on every regulated final action** | All DQG routes use the dedicated `dqg:*` permission set (`dqg:taxonomy:*`, `dqg:artifact:*`, `dqg:artifact:hitl:*`, `dqg:filing_handoff:*`, `dqg:inbound_import:*`, `dqg:ingest_channel:*`, `dqg:cross_reference:*`, `dqg:sender_communication:*`, `dqg:health_metrics:*`); `document_review:*` permission overload is rejected; HITL approval / rejection / filing-handoff QA-review / approval / inbound-import review / artifact withdrawal / taxonomy release / ingest-channel release / program lock / reopen all use `withAuthority(.)` + HITL + bound e-signature per `electronic_signatures` substrate (-010 + URS-031-011 — + missing authority/HITL/e-sign gaps). |
| DEC-31-11 | Ingest-channel secret-store credential governance | Ingest-channel records persist `secret_store_ref` (TEXT — reference to tenant-controlled secret-store path) — NOT inline credentials; release to `effective` requires `dqg_ingest_channel_release_authority` + HITL + bound e-sign + URS-13 CR linkage; channel test action does not replay live credentials in test response; secret rotation supported per DEC-31-11 (parallel pattern to URS-29 DEC-29-07 / URS-30 DEC-30-04). |
| DEC-31-12 | Sender communication as specialized URS-30 client + frontend route surface | Sender communication substructure is a specialized URS-30 client per DEC-31-05; frontend route surface includes `/dqg/dashboard`, `/dqg/artifacts`, `/dqg/artifacts/:id`, `/dqg/taxonomies`, `/dqg/filing-handoffs`, `/dqg/inbound-imports`, `/dqg/ingest-channels`, `/dqg/sender-communications`, `/dqg/health-metrics`, `/dqg/cross-references`. |
| DEC-31-13 | AI-assisted classification / review / taxonomy / routing substrate with provenance + mandatory human acceptance | `dqg_ai_assistance` table persists per-record columns including `assistance_type` (ENUM `ai_classification` / `ai_review_summary` / `taxonomy_recommendation` / `hitl_routing_recommendation` / `ocr_assist`), `narrative_text` / `field_value_text`, `model_id`, `model_version`, `prompt_version`, `confidence`, `proposed_at`, `proposed_by_system`, `accepted_by`, `accepted_at`, `acceptance_e_signature_id`, `accepted_text_immutable`, `rejection_reason`, `status` (ENUM `proposed` / `accepted` / `rejected`); AI classification stored on `dqg_artifact_classifications` includes `ai_provenance_assistance_id` (FK nullable to `dqg_ai_assistance`) + `ai_classification_confidence` + `taxonomy_version_snapshot`; AI-generated content is advisory until accepted; promotion to system-of-record artifact classification requires explicit human confirmation captured in `acceptance_e_signature_id`; **AI cannot finalize HITL approval, AI cannot finalize HITL rejection, AI cannot approve filing handoff for transmission, AI cannot acknowledge filing confirmation, AI cannot approve inbound-import review, AI cannot withdraw an artifact, AI cannot release a taxonomy version** per ARCH-AI-001 (target requirement, ARCH-AI-001 binding, parallel pattern to URS-26.URS-30). |
| DEC-31-14 | **Attributable state transitions per 21 CFR Part 11 §11.10(e)** | Every DQG record state transition (artifact, filing handoff, inbound import, taxonomy, ingest channel, sender communication) MUST be attributable to an authenticated `actor_user_id` OR an explicitly documented `system_context` (e.g., `system_context = 'scheduled_inbound_import_job'`); audit-trail entry persists `actor_user_id` OR `system_context` (XOR — exactly one); silent transitions without attribution are rejected with `DQG_STATE_TRANSITION_NOT_ATTRIBUTABLE` per DEC-31-14. |
| DEC-31-15 | Findings emission to URS-21 | DQG findings (stale inbound-imports older than configurable threshold default 7 days, chronic filing-handoff failures ≥ configurable threshold per period, missed-handoff findings where `filed` state never reached after configurable SLA default 14 days from `staged`) emit `dqg_finding_created` event to URS-21 with `dqg_artifact_governance` source type. |
| DEC-31-16 | CAPA emission to URS-18 | Chronic filing-handoff failures escalated to CAPA emit `dqg_filing_capa_linked` event consumed by URS-18 (`dqg_filing_failure` source type per URS-18 declared source set). |
| DEC-31-17 | URS-12 Document Control linkage | Per DEC-31-09 and DEC-31-08; promotion to URS-12 controlled-document library on `filed` state. |
| DEC-31-18 | URS-13 change-control linkage | Per DEC-31-04 (filing-handoff target-system CR), DEC-31-07 (taxonomy effective release), DEC-31-11 (ingest-channel effective release). |
| DEC-31-19 | URS-13 change-control linkage for taxonomy release | Taxonomy `under_review → effective` requires URS-13 change-request linkage via `taxonomy_release_change_request_id` per DEC-31-07. |
| DEC-31-20 | platform_admin / super_admin | `platform_admin` / `super_admin` are support / break-glass only paths. |
| DEC-31-21 | Reason-for-change on material updates | Captured per DEC-31-14 as part of attributable state transitions. |
| DEC-31-22 | DQG program reopen as governed transition | Program `locked → in_progress` requires `executive_authority` co-sign AND `qualified_person_authority` co-sign + documented reason; appends a new program iteration without mutating prior locked evidence (consistent with M14.M30 reopen pattern). |
| DEC-31-23 | URS-28 training qualification-gate consumer for HITL reviewer authority | The `dqg_hitl_reviewer_authority` HITL reviewer MUST satisfy URS-28 qualification-gate (`GET /training/qualification/:userId/:roleId`) for the role of `dqg_hitl_reviewer` before performing HITL approval / rejection per URS-28 DEC-28-23; qualification-gate failure rejects with `DQG_HITL_REVIEWER_QUALIFICATION_GATE_FAILED`. |

### 3.2 Locked-decision rationale narrative

The decisions above define the binding launch posture for Module 31 v1.0. The most consequential locked controls are: (a) **DEC-31-04 locks the three workflow-engine controlled actions** (CR-001 / CR-002 / CR-003) — these MUST be fixed before validation execution per 21 CFR Part 11 §11.10(a) System Validation; (b) **DEC-31-08 anchors DQG as artifact-centric** with explicit outward linkage to URS-20 Reviews for substantive compliance review; (c) **DEC-31-10 introduces a dedicated `dqg:*` permission set** replacing `document_review:*` permission overload across all 46 DQG routes; (d) DEC-31-07 mandates TMF/eCTD-aligned taxonomy with `draft → under_review → effective → superseded → archived` lifecycle + URS-13 CR linkage; (e) DEC-31-11 mandates secret-store governance for ingest-channel credentials parallel to URS-29 / URS-30; (f) DEC-31-12 anchors sender communication as a specialized URS-30 client; (g) DEC-31-13 introduces the AI-assisted classification / review / taxonomy substrate with provenance + mandatory human acceptance, parallel to URS-26..URS-30; (h) **DEC-31-14 mandates `actor_user_id` OR `system_context`** on every state transition per 21 CFR Part 11 §11.10(e); (i) DEC-31-23 introduces URS-28 qualification-gate consumption for HITL reviewer authority; (j) DEC-31-22 defines reopen as a governed append-only transition consistent with the Module-14..-30 reopen pattern.

### 3.3 Closed launch decisions: cross-link to items

| Specification item ID | Specification item | Locked decision |
|---|---|---|
| URS-031-002 | Taxonomy lifecycle missing | DEC-31-07 / DEC-31-19 |
| URS-031-003/004/005/008/013 | Filing handoff lifecycle defects (CR-001/CR-002/CR-003 P0) + outward linkage | DEC-31-04 / DEC-31-06 / DEC-31-08 |
| URS-031-005.008/013 | Substantive compliance review boundary | DEC-31-08 |
| URS-031-010 | `document_review` permission overload | DEC-31-10 |
| URS-031-011 | Authority/HITL/e-sign missing | DEC-31-10 / DEC-31-23 |
| Canonical "state transitions not always attributable" | 21 CFR Part 11 §11.10(e) gap | DEC-31-14 |
| Canonical AI-only-path advancement risk | ARCH-AI-001 binding | DEC-31-13 |
| Canonical ingest-channel credential governance | parallel to URS-29 / URS-30 | DEC-31-11 |

### 3.4 Locked-decision authority

Each locked decision is approved by the Founder / Chairman & MD on signature capture in the Document Approval block of this URS (§19). Decisions cannot be unlocked except through controlled URS revision under the URS change-control process and re-approval. The three workflow-engine controlled actions (CR-001 / CR-002 / CR-003) MUST be implemented before URS-31-VAL-008 migration evidence gate per DEC-31-04 / DEC-31-06.

### 3.5 Worked examples

**Worked example 1 — TMF artifact intake → classification → HITL review → filing handoff.**
A clinical artifact (Investigator Brochure v3.2 for Study STD-PTabs-001) is uploaded directly via URS-12 Document Control upload UI. URS-12 returns `document_id = DOC-IB-001` + `document_version_id = v1` + `content_hash = sha256:abc.` + server-attributed storage path. A DQG artifact `DQG-ART-2026-08-12-001` is created with `file_document_id = DOC-IB-001`, `study_id = STD-PTabs-001`, status `submitted`. Per DEC-31-03 lifecycle proceeds: `submitted → ai_classifying`. MIRA proposes an advisory classification via `dqg_ai_assistance` with `assistance_type = ai_classification`, model identifier, model version, confidence 0.93, suggesting TMF zone `4.2 Investigator Brochure` per DIA TMF Reference Model v3.3 — proposal persisted with full provenance per DEC-31-13. Status `ai_classifying → ai_classified` (state transition attributed to `system_context = 'ai_classification_engine'` per DEC-31-14). `ai_classified → ai_reviewing → ai_reviewed`. `ai_reviewed → hitl_review_pending → hitl_under_review`. The HITL reviewer is identified — per DEC-31-23 the URS-28 qualification-gate is checked (`GET /training/qualification/:userId/dqg_hitl_reviewer`); the reviewer is qualified. The reviewer accepts the AI classification with bound e-signature per DEC-31-13 (the AI-assistance `accepted_by`, `accepted_at`, `acceptance_e_signature_id`, `accepted_text_immutable` populated). The reviewer signs HITL approval with `dqg_hitl_reviewer_authority` + HITL + bound e-sign per DEC-31-10. Status `hitl_under_review → hitl_approved → staged`. A filing handoff is initiated; per DEC-31-04 CR-001 controlled-action fix `createFilingHandoff` seeds **`packaging`** (NOT `pending`). Lifecycle proceeds: `packaging → packaged → qa_review` (with `dqg_filing_handoff_qa_reviewer_authority` + HITL + bound e-sign) `→ approved_for_filing` (with `dqg_filing_handoff_approver_authority` + HITL + bound e-sign + URS-13 CR `CC-2026-0099` for filing-handoff target-system change) `→ transmitting → transmitted → confirmed_filed`. The external eTMF acknowledges filing; per DEC-31-04 CR-002 controlled-action fix the `acknowledged` transition is wired and `acknowledgment_received_at` is stamped. Status `confirmed_filed → acknowledged`; artifact status `filing_in_progress → filed`; URS-30 Notifications consumes the `dqg_filing_handoff_acknowledged` event for sender communication dispatch.

**Worked example 2 — Inbound import via email ingest channel with CR-003 fix.**
An ingest channel `IC-EMAIL-Lab-Reports` is configured for IMAP polling of `lab-reports@verixa-tenant.com` with `secret_store_ref = aws-secrets-manager:tenant/lab-reports-imap` per DEC-31-11. Released to `effective` with `dqg_ingest_channel_release_authority` + HITL + bound e-sign + URS-13 CR per DEC-31-11. Polling detects 3 new messages with PDF attachments. An inbound import `DQG-INB-2026-08-13-001` is created — per DEC-31-06 CR-003 controlled-action fix `createInboundImport` seeds **`initiated`** (NOT `pending`). Lifecycle proceeds: `initiated → files_uploading → files_received` (3 PDF files stored as URS-12 documents per DEC-31-09) `→ parsing → parsed → classifying` (AI proposes classification per DEC-31-13) `→ classified → review_pending → under_review` (with `dqg_inbound_import_reviewer_authority` + HITL + bound e-sign per DEC-31-06 / DEC-31-10) `→ reviewed → staging → staged → completed`. Three DQG artifacts created from the import; each follows artifact lifecycle per Worked Example 1.

**Worked example 3 — AI cannot finalize HITL approval (rejected attempt).**
An automation script attempts to call `POST /api/v1/dqg/artifacts/:id/hitl-approve` with the AI service as the acting principal. Per DEC-31-13 + ARCH-AI-001 + DEC-31-10, the system rejects with `DQG_AI_CANNOT_FINALIZE_HITL_APPROVAL`. The HITL approval requires a qualified human reviewer with `dqg_hitl_reviewer_authority` + URS-28 qualification-gate verified per DEC-31-23 + HITL + bound e-signature.

**Worked example 4 — Stale inbound import → URS-21 finding.**
On `2027-01-15` the stale-inbound-import detector identifies 12 inbound imports older than 7 days without progressing past `under_review` state. A `dqg_finding_created` event is emitted to URS-21 per DEC-31-15 with `severity = major`. URS-21 standalone finding is created. If the pattern persists, URS-18 CAPA opens via `dqg_filing_capa_linked` event per DEC-31-16.

**Worked example 5 — Substantive compliance review delegated to URS-20.**
After HITL approval of artifact `DQG-ART-2026-08-12-001`, the artifact requires substantive compliance review (regulatory citation alignment, scientific content verification). Per DEC-31-08 the substantive review is **NOT** performed in DQG; instead, DQG emits a `dqg_artifact_substantive_review_requested` event consumed by URS-20 Reviews; URS-20 manages the substantive review lifecycle with its own authority/HITL/e-sign substrate; DQG receives back the URS-20 review outcome via `urs20_review_completed` event and proceeds with filing handoff or remediation per DEC-31-08.

**Worked example 6 — Governed reopen of locked DQG program.**
On `2027-04-15` an inspection finding (URS-22) reveals a previously locked DQG program may have under-recorded one filing acknowledgment. The Manufacturing Head initiates a reopen; per DEC-31-22 + SoD-31-06, both `executive_authority` co-sign AND `qualified_person_authority` co-sign + documented reason are required. On both co-signs the program transitions `locked → in_progress` and a new program iteration is appended; the prior locked evidence (artifacts, taxonomies, filing handoffs, inbound imports) is NOT mutated.

---

## 4. End-to-End User Journeys (28 launch journeys)

| # | Journey | Actor | Pre-condition | Path | Post-condition |
|---|---|---|---|---|---|
| 1 | Author taxonomy draft | Taxonomy Author | `dqg:taxonomy:create` | Create taxonomy in `draft` aligned with DIA TMF Ref Model v3.3 / ICH M2/M8 eCTD per DEC-31-07 | Taxonomy `draft`; audit entry |
| 2 | Release taxonomy to effective | `dqg_taxonomy_release_authority` | Taxonomy `under_review`; URS-13 CR | HITL + bound e-sign + URS-13 CR linkage per DEC-31-07 / DEC-31-19 | Taxonomy `effective`; bound e-signature |
| 3 | Configure ingest channel (IMAP) | Information Security Authority | `dqg:ingest_channel:create` | Create channel with `secret_store_ref` per DEC-31-11 | Channel `draft` |
| 4 | Reject inline credentials in ingest channel | System (validation) | Body contains credentials | Reject with `DQG_CREDENTIALS_IN_PAYLOAD_FORBIDDEN` per DEC-31-11 | Operation rejected |
| 5 | Release ingest channel to effective | `dqg_ingest_channel_release_authority` | Channel `draft`; URS-13 CR | HITL + bound e-sign + URS-13 CR linkage per DEC-31-11 | Channel `effective`; bound e-signature |
| 6 | Submit artifact via direct upload | Artifact Owner | URS-12 upload completed | Create DQG artifact with `file_document_id` per DEC-31-09 | Artifact `submitted`; audit entry attributed to user per DEC-31-14 |
| 7 | Inbound import from ingest channel (CR-003 controlled-action fix verified) | System (poll) | Ingest channel `effective` | `createInboundImport` seeds **`initiated`** state per DEC-31-06 (NOT `pending`); lifecycle proceeds | Inbound import `initiated`; valid state |
| 8 | AI classification (advisory) | System (MIRA) | Artifact `submitted` | Persist `dqg_ai_assistance` with full provenance per DEC-31-13; transition `submitted → ai_classifying → ai_classified` (state transition attributed to `system_context = 'ai_classification_engine'` per DEC-31-14) | Classification `proposed`; advisory only |
| 9 | AI review (advisory) | System (MIRA) | Artifact `ai_classified` | Transition `ai_classified → ai_reviewing → ai_reviewed` | AI review `proposed`; advisory only |
| 10 | HITL reviewer URS-28 qualification check | System (validation) | Artifact `hitl_review_pending` | URS-28 qualification-gate verified per DEC-31-23 | If qualified: proceeds; if not: rejects with `DQG_HITL_REVIEWER_QUALIFICATION_GATE_FAILED` |
| 11 | Accept AI classification | HITL Reviewer | Suggestion `proposed`; URS-28 qualified | HITL + bound e-sign; persist `accepted_text_immutable` per DEC-31-13 | Suggestion `accepted`; locked text |
| 12 | HITL approve artifact | `dqg_hitl_reviewer_authority` (URS-28 qualified) | Artifact `hitl_under_review` | HITL + bound e-sign per DEC-31-10 | Artifact `hitl_approved → staged`; bound e-signature |
| 13 | HITL reject artifact | `dqg_hitl_reviewer_authority` | Artifact `hitl_under_review`; rejection reason | HITL + bound e-sign + reason per DEC-31-10 | Artifact `hitl_rejected → reclassification_required | remediation_required` |
| 14 | Reject AI-only HITL approval | System (validation) | AI service as acting principal | Reject with `DQG_AI_CANNOT_FINALIZE_HITL_APPROVAL` per DEC-31-13 | Operation rejected |
| 15 | Substantive compliance review delegation to URS-20 | System (event) | Artifact `staged`; substantive review required | Emit `dqg_artifact_substantive_review_requested` event consumed by URS-20 per DEC-31-08 | URS-20 review opened |
| 16 | Initiate filing handoff (CR-001 controlled-action fix verified) | DQG Operator | Artifact `staged` | `createFilingHandoff` seeds **`packaging`** state per DEC-31-04 (NOT `pending`) | Filing handoff `packaging`; valid state |
| 17 | QA review filing handoff | `dqg_filing_handoff_qa_reviewer_authority` | `qa_review` state | HITL + bound e-sign per DEC-31-04 | Filing handoff `qa_review → approved_for_filing` |
| 18 | Approve filing handoff for transmission | `dqg_filing_handoff_approver_authority` | `approved_for_filing` state; URS-13 CR for target-system | HITL + bound e-sign + URS-13 CR linkage per DEC-31-04 | Filing handoff `approved_for_filing → transmitting` |
| 19 | Transmit to external eTMF / Regulatory | System | `transmitting` state | Outbound transmission; persist `dqg_filing_handoff_transmitted` event | Filing handoff `transmitting → transmitted` |
| 20 | Confirm filing | System (parse external response) | `transmitted` state | Parse external system response; persist `confirmed_filing_reference` | Filing handoff `transmitted → confirmed_filed` |
| 21 | Acknowledge filing (CR-002 controlled-action fix verified) | System (parse external ack) | `confirmed_filed` state | `transitionFilingHandoffStatus('acknowledged')` wires correctly per DEC-31-04 CR-002 fix; `acknowledgment_received_at` stamped | Filing handoff `confirmed_filed → acknowledged`; artifact `filing_in_progress → filed` |
| 22 | Filing failure with retry | System | Filing transmission failure | Transition `transmitting → filing_failed → retrying → transmitting` per DEC-31-04 | Retry initiated |
| 23 | Withdraw artifact | `dqg_artifact_withdrawal_authority` | Artifact in any pre-`filed` state | HITL + bound e-sign + reason per DEC-31-10 | Artifact `withdrawn` |
| 24 | Sender communication via URS-30 | System (event) | Artifact event triggering communication | Emit `dqg_sender_communication_dispatched` to URS-30 per DEC-31-12 | URS-30 dispatches notification |
| 25 | Stale inbound import → URS-21 finding | System (scheduled) | Inbound imports > 7 days unprocessed | Emit `dqg_finding_created` to URS-21 per DEC-31-15 | URS-21 finding created |
| 26 | Chronic filing failure → URS-18 CAPA | System (scheduled) | Chronic failure threshold exceeded | Emit `dqg_filing_capa_linked` to URS-18 per DEC-31-16 | URS-18 CAPA opened |
| 27 | Cross-tenant `platform_admin` break-glass | platform_admin | Documented reason | Cross-tenant DQG access; logged | Break-glass action logged per DEC-31-20 |
| 28 | Reopen locked DQG program (governed transition) | Manufacturing Head + Executive Authority + Qualified Person | Program `locked` | Executive co-sign AND QP co-sign + reason; transition `locked → in_progress`; append new iteration per DEC-31-22 | Program `in_progress`; new iteration appended; prior locked evidence NOT mutated |

---

## 5. Front-end Requirements

### 5.1 DQG Dashboard

The dashboard (URS-31-FE-001) renders summary cards (artifact pipeline by state, filing-handoff status, inbound-import status, ingest-channel health, HITL backlog, recent failures, health metrics) with filters; uses canonical `/dqg/*` hooks per DEC-31-01.

### 5.2 Artifact Console

The artifact console (URS-31-FE-002) renders artifacts with 16-state lifecycle visualization per DEC-31-03; supports artifact submission via URS-12 upload only per DEC-31-09; new route `/dqg/artifacts` per DEC-31-12.

### 5.3 Artifact Detail

The artifact detail (URS-31-FE-003) renders full lifecycle history with attributable state transitions per DEC-31-14; classification with AI provenance badges; HITL review ceremony with URS-28 qualification-gate UI feedback + bound e-sign per DEC-31-10 / DEC-31-23.

### 5.4 Taxonomy Console

The taxonomy console (URS-31-FE-004) supports taxonomy draft authoring with TMF (DIA Ref Model v3.3) / eCTD (ICH M2/M8) alignment; release flow with HITL + bound e-signature + URS-13 CR linkage per DEC-31-07.

### 5.5 Filing Handoff Console

The filing handoff console (URS-31-FE-005) renders filing-handoff lifecycle (with CR-001/CR-002 controlled actions verified — UI shows `packaging` initial state and `acknowledged` transition); QA review + approval ceremonies with bound e-signature per DEC-31-04.

### 5.6 Inbound Import Console

The inbound import console (URS-31-FE-006) renders inbound-import lifecycle (with CR-003 controlled-action fix verified — UI shows `initiated` initial state); review ceremony with bound e-signature per DEC-31-06.

### 5.7 Ingest Channel Console

The ingest channel console (URS-31-FE-007) supports channel configuration with **`secret_store_ref` field only** (no credential fields in UI per DEC-31-11); release flow with HITL + bound e-sign.

### 5.8 Sender Communication Console

The sender communication console (URS-31-FE-008) renders artifact-related communication intent with URS-30 dispatch linkage badge per DEC-31-12.

### 5.9 Cross-Reference Console

The cross-reference console (URS-31-FE-009) renders DQG artifact cross-references to URS-12 documents and other DQG artifacts.

### 5.10 Health Metrics Console

The health metrics console (URS-31-FE-010) renders DQG operational metrics (intake throughput, classification accuracy, HITL backlog, filing-handoff cycle time, inbound-import success rate).

### 5.11 AI Assistance Console

The AI assistance console (URS-31-FE-011) renders AI-generated assistance with provenance, accept ceremony with bound e-sign, reject ceremony with reason; advisory-only labeling per DEC-31-13.

### 5.12 MIRA Copilot Integration

MIRA copilot (URS-31-FE-012) is read-only context. **AI-generated content is advisory only with mandatory human acceptance per DEC-31-13; no AI advances regulated DQG workflow** per ARCH-AI-001.

### 5.13 Accessibility

WCAG 2.1 AA accessible.

---

## 6. Back-end Requirements

### 6.1 Module structure

`packages/backend/src/modules/document-quality-gateway/` (path retained; canonical mount at `/api/v1/dqg/*` per DEC-31-01) with `plugin.ts`, `routes.ts`, `service.ts`, `workflow.ts` (16-state artifact + filing-handoff + inbound-import state machines per CR-001/CR-002/CR-003 controlled-action fixes), `schemas.ts`, `events.ts`, `secret-store-resolver.ts` (per DEC-31-11), `ai-assistance.ts` (per DEC-31-13), `attributable-transition-engine.ts` (per DEC-31-14), `qualification-gate-resolver.ts` (per DEC-31-23).

### 6.2 Data model

#### 6.2.1 `dqg_taxonomies`

`id`, `tenant_id`, `taxonomy_code`, `taxonomy_type` (ENUM `dia_tmf_ref_model_v3_3` / `ich_ectd_v3` / `ich_ectd_v4` / `controlled_doc_lib` / `custom`), `version` (INTEGER NOT NULL), `effective_from`, `effective_to`, `supersedes_taxonomy_id` (self-FK nullable), `taxonomy_release_change_request_id` (FK to URS-13 per DEC-31-19), `node_tree_json` (JSONB — hierarchical taxonomy nodes), `approved_by`, `approved_at`, `e_signature_id`, `status` (ENUM `draft` / `under_review` / `effective` / `superseded` / `archived` per DEC-31-07), audit columns. Partial unique index `WHERE status = 'effective'` on `(tenant_id, taxonomy_type)`. RLS enabled.

#### 6.2.2 `dqg_artifacts`

`id`, `tenant_id`, `study_id` (FK nullable — mandatory for clinical artifacts per DEC-31-02), `product_id` (FK nullable), `file_document_id` (FK to URS-12 NOT NULL per DEC-31-09), `file_document_version_id` (FK to URS-12), `content_hash` (TEXT), `artifact_code`, `title`, `status` (ENUM 16-state per DEC-31-03), `submitted_by` (FK), `submitted_at`, `withdrawn_by` (FK nullable), `withdrawn_at`, `withdrawal_e_signature_id` (FK nullable), `withdrawal_reason` (TEXT nullable), audit columns.

#### 6.2.3 `dqg_artifact_classifications`

`id`, `tenant_id`, `artifact_id` (FK), `taxonomy_id` (FK), `taxonomy_version_snapshot` (INTEGER NOT NULL per DEC-31-13), `taxonomy_node_path` (TEXT — e.g., `4.2.Investigator_Brochure`), `classification_method` (ENUM `human_manual` / `ai_assisted` / `auto_rule_based`), `ai_provenance_assistance_id` (FK nullable to `dqg_ai_assistance`), `ai_classification_confidence` (NUMERIC nullable), `classified_by` (FK), `classified_at`, audit columns.

#### 6.2.4 `dqg_artifact_reviews`

`id`, `tenant_id`, `artifact_id` (FK), `reviewer_user_id` (FK), `review_type` (ENUM `qc_review` / `hitl_review` per DEC-31-08 — substantive compliance review = URS-20), `status` (ENUM `pending` / `in_progress` / `completed` / `cancelled`), `outcome` (ENUM `approved` / `rejected` / `requires_remediation`), `reviewer_notes`, `started_at`, `completed_at`, `e_signature_id` (FK), audit columns.

#### 6.2.5 `dqg_filing_handoffs`

`id`, `tenant_id`, `artifact_id` (FK), `filing_target_system` (ENUM `etmf_veeva` / `etmf_phlexglobal` / `etmf_wingspan` / `etmf_generic` / `regulatory_submission_urs27` / `controlled_doc_library_urs12` / `external_other`), `filing_target_change_request_id` (FK to URS-13), `status` (ENUM `packaging` / `packaged` / `qa_review` / `approved_for_filing` / `transmitting` / `transmitted` / `confirmed_filed` / `acknowledged` / `filing_failed` / `retrying` / `cancelled` per DEC-31-04), `qa_reviewed_by`, `qa_reviewed_at`, `qa_review_e_signature_id`, `approved_by`, `approved_at`, `approval_e_signature_id`, `transmitted_at`, `confirmed_filed_at`, `confirmed_filing_reference` (TEXT — external system filing ID), `acknowledgment_received_at` (TIMESTAMPTZ nullable per CR-002 fix), `failed_at`, `failure_reason` (TEXT nullable), `retry_count` (INTEGER DEFAULT 0), audit columns. Note: `createFilingHandoff` MUST seed `status = 'packaging'` per CR-001 controlled-action fix per DEC-31-04.

#### 6.2.6 `dqg_inbound_imports`

`id`, `tenant_id`, `ingest_channel_id` (FK), `status` (ENUM `initiated` / `files_uploading` / `files_received` / `parsing` / `parsed` / `classifying` / `classified` / `review_pending` / `under_review` / `reviewed` / `staging` / `staged` / `completed` / `failed` per DEC-31-06), `received_at`, `reviewed_by`, `reviewed_at`, `review_e_signature_id`, `failed_at`, `failure_reason` (TEXT nullable), `retry_count` (INTEGER DEFAULT 0), audit columns. Note: `createInboundImport` MUST seed `status = 'initiated'` per CR-003 controlled-action fix per DEC-31-06.

#### 6.2.7 `dqg_inbound_import_files`

`id`, `tenant_id`, `inbound_import_id` (FK), `source_filename`, `file_document_id` (FK to URS-12 — file stored in URS-12 per DEC-31-09), `content_hash`, `file_size_bytes`, `mime_type`, audit columns.

#### 6.2.8 `dqg_ingest_channels`

`id`, `tenant_id`, `channel_code`, `channel_type` (ENUM `email_imap` / `webhook_hmac` / `direct_upload` / `partner_api_oauth2`), `endpoint_url`, `secret_store_ref` (TEXT NOT NULL per DEC-31-11 — except `direct_upload`), `polling_method` (ENUM `imap_idle` / `imap_poll` / `webhook_push` / `direct_upload_event` / `oauth_poll`), `gdpr_basis` (TEXT — explicit GDPR processing basis), `tls_required` (BOOLEAN DEFAULT true), `release_change_request_id` (FK to URS-13), `last_poll_at`, `last_poll_status` (ENUM `success` / `partial` / `failed`), `status` (ENUM `draft` / `under_review` / `effective` / `suspended` / `archived`), audit columns. Note: legacy inline credential fields removed per DEC-31-11.

#### 6.2.9 `dqg_cross_references`

`id`, `tenant_id`, `source_artifact_id` (FK), `target_record_type` (ENUM `dqg_artifact` / `urs12_document`), `target_record_id` (UUID), `reference_type` (TEXT), audit columns.

#### 6.2.10 `dqg_sender_communications`

`id`, `tenant_id`, `artifact_id` (FK nullable), `communication_type` (ENUM `acknowledgment` / `request_for_information` / `filing_confirmation` / `rejection_notice`), `recipient_descriptor`, `linked_notification_send_id` (FK to URS-30 `notification_sends` per DEC-31-12), `dispatched_at`, audit columns.

#### 6.2.11 `dqg_health_metrics_snapshots`

`id`, `tenant_id`, `metric_period_start`, `metric_period_end`, `metrics_json` (JSONB — intake throughput, classification accuracy, HITL backlog, filing-handoff cycle time, inbound-import success rate), `generated_at`, audit columns. Immutable snapshot.

#### 6.2.12 `dqg_ai_assistance`

`id`, `tenant_id`, `assistance_type` (ENUM per DEC-31-13), `linked_record_type` (ENUM `artifact` / `taxonomy` / `inbound_import`), `linked_record_id` (UUID), `narrative_text` / `field_value_text`, `model_id`, `model_version`, `prompt_version`, `confidence`, `proposed_at`, `proposed_by_system`, `accepted_by`, `accepted_at`, `acceptance_e_signature_id`, `accepted_text_immutable`, `rejection_reason`, `status` (ENUM `proposed` / `accepted` / `rejected`), audit columns.

#### 6.2.13 `dqg_state_transitions_audit`

`id`, `tenant_id`, `record_type` (ENUM `dqg_artifact` / `dqg_filing_handoff` / `dqg_inbound_import` / `dqg_taxonomy` / `dqg_ingest_channel` / `dqg_sender_communication`), `record_id` (UUID), `from_status`, `to_status`, `actor_user_id` (FK nullable — XOR with system_context per DEC-31-14), `system_context` (TEXT nullable — XOR with actor_user_id), `transition_e_signature_id` (FK nullable), `reason_for_change` (TEXT nullable), `transitioned_at`, audit columns. Constraint: exactly one of `actor_user_id` OR `system_context` populated per DEC-31-14.

#### 6.2.14 `dqg_program_locks`

`id`, `tenant_id`, `period_start`, `period_end`, `locked_by`, `locked_at`, `lock_e_signature_id`, `reopened_at`, `reopened_by`, `reopen_executive_co_signer`, `reopen_qp_co_signer`, `reopen_reason`, audit columns.

#### 6.2.15 RLS

All Module 31 tables have RLS enabled.

### 6.3 API contract

| Route | Method | Permission | Status |
|---|---|---|---|
| `/api/v1/dqg/taxonomies` | GET / POST | `dqg:taxonomy:read` / `dqg:taxonomy:create` | |
| `/api/v1/dqg/taxonomies/:id` | GET / PATCH (draft only) | `dqg:taxonomy:read` / `dqg:taxonomy:update` | |
| `/api/v1/dqg/taxonomies/:id/release` | POST | `dqg_taxonomy_release_authority` + HITL + bound e-sign + URS-13 CR per DEC-31-07 / DEC-31-19 | target route |
| `/api/v1/dqg/artifacts` | GET / POST | `dqg:artifact:read` / `dqg:artifact:create` (file via URS-12 per DEC-31-09) | |
| `/api/v1/dqg/artifacts/:id` | GET / PATCH | `dqg:artifact:read` / `dqg:artifact:update` | |
| `/api/v1/dqg/artifacts/:id/transition` | POST | controlled state machine; attributable per DEC-31-14 | |
| `/api/v1/dqg/artifacts/:id/hitl-approve` | POST | `dqg_hitl_reviewer_authority` + URS-28 qualification gate per DEC-31-23 + HITL + bound e-sign per DEC-31-10 | target route |
| `/api/v1/dqg/artifacts/:id/hitl-reject` | POST | `dqg_hitl_reviewer_authority` + URS-28 qualification gate + HITL + bound e-sign + reason | target route |
| `/api/v1/dqg/artifacts/:id/withdraw` | POST | `dqg_artifact_withdrawal_authority` + HITL + bound e-sign + reason | target route |
| `/api/v1/dqg/artifacts/:id/classifications` | GET / POST | `dqg:artifact:classification:read` / `dqg:artifact:classification:create` | |
| `/api/v1/dqg/artifacts/:id/reviews` | GET / POST | `dqg:artifact:review:read` / `dqg:artifact:review:create` | |
| `/api/v1/dqg/filing-handoffs` | GET / POST | `dqg:filing_handoff:read` / `dqg:filing_handoff:create` (seeds `packaging` per CR-001 controlled-action fix per DEC-31-04) | (P0) |
| `/api/v1/dqg/filing-handoffs/:id` | GET / PATCH | `dqg:filing_handoff:read` / `dqg:filing_handoff:update` | |
| `/api/v1/dqg/filing-handoffs/:id/transition` | POST | controlled state machine including `acknowledged` per CR-002 controlled-action fix per DEC-31-04 | (P0) |
| `/api/v1/dqg/filing-handoffs/:id/qa-review` | POST | `dqg_filing_handoff_qa_reviewer_authority` + HITL + bound e-sign per DEC-31-04 | target route |
| `/api/v1/dqg/filing-handoffs/:id/approve-for-filing` | POST | `dqg_filing_handoff_approver_authority` + HITL + bound e-sign + URS-13 CR per DEC-31-04 | target route |
| `/api/v1/dqg/inbound-imports` | GET / POST | `dqg:inbound_import:read` / `dqg:inbound_import:create` (seeds `initiated` per CR-003 controlled-action fix per DEC-31-06) | (P0) |
| `/api/v1/dqg/inbound-imports/:id` | GET / PATCH | `dqg:inbound_import:read` / `dqg:inbound_import:update` | |
| `/api/v1/dqg/inbound-imports/:id/transition` | POST | controlled state machine | |
| `/api/v1/dqg/inbound-imports/:id/review` | POST | `dqg_inbound_import_reviewer_authority` + HITL + bound e-sign per DEC-31-06 | target route |
| `/api/v1/dqg/ingest-channels` | GET / POST | `dqg:ingest_channel:read` / `dqg:ingest_channel:create` (rejects inline credentials per DEC-31-11) | |
| `/api/v1/dqg/ingest-channels/:id` | GET / PATCH | `dqg:ingest_channel:read` / `dqg:ingest_channel:update` | |
| `/api/v1/dqg/ingest-channels/:id/release` | POST | `dqg_ingest_channel_release_authority` + HITL + bound e-sign + URS-13 CR per DEC-31-11 | target route |
| `/api/v1/dqg/ingest-channels/:id/poll` | POST | `dqg:ingest_channel:poll` (resolves credentials from secret store per DEC-31-11) | |
| `/api/v1/dqg/sender-communications` | GET / POST | `dqg:sender_communication:read` / `dqg:sender_communication:create` (dispatches via URS-30 per DEC-31-12) | |
| `/api/v1/dqg/cross-references` | GET / POST | `dqg:cross_reference:read` / `dqg:cross_reference:create` | |
| `/api/v1/dqg/health-metrics` | GET | `dqg:health_metrics:read` | |
| `/api/v1/dqg/ai-assistance` | GET / POST | `dqg:ai_assistance:read` / `dqg:ai_assistance:propose` per DEC-31-13 | target route |
| `/api/v1/dqg/ai-assistance/:id/accept` | POST | `dqg:ai_assistance:accept` + HITL + bound e-sign | target route |
| `/api/v1/dqg/ai-assistance/:id/reject` | POST | `dqg:ai_assistance:reject` + reason | target route |
| `/api/v1/dqg/program-locks` | POST | `final_quality_approver` + HITL + bound e-sign | target route |
| `/api/v1/dqg/program-locks/:id/reopen` | POST | `executive_authority` co-sign AND `qualified_person_authority` co-sign + HITL + reason per DEC-31-22 | target route |

### 6.4 Workflow

#### 6.4.1 Artifact 16-state lifecycle

```mermaid
stateDiagram-v2
 [*] --> submitted: create (file via URS-12)
 submitted --> ai_classifying
 ai_classifying --> ai_classified
 ai_classified --> ai_reviewing
 ai_reviewing --> ai_reviewed
 ai_reviewed --> hitl_review_pending
 hitl_review_pending --> hitl_under_review
 hitl_under_review --> hitl_approved: dqg_hitl_reviewer_authority + URS-28 qualification + HITL + bound e-sign — DEC-31-10 / DEC-31-23
 hitl_under_review --> hitl_rejected: + reason
 hitl_approved --> staged
 hitl_rejected --> reclassification_required
 hitl_rejected --> remediation_required
 reclassification_required --> ai_classifying
 remediation_required --> submitted
 staged --> filing_in_progress
 filing_in_progress --> filed
 filing_in_progress --> filing_failed
 filing_failed --> filing_in_progress: retry
 submitted --> withdrawn: dqg_artifact_withdrawal_authority + HITL + bound e-sign — DEC-31-10
 filed --> [*]
 withdrawn --> [*]
```

#### 6.4.2 Filing-handoff lifecycle (with CR-001 / CR-002 controlled-action fixes)

```mermaid
stateDiagram-v2
 [*] --> packaging: createFilingHandoff seeds packaging (NOT pending) — CR-001 controlled-action fix per DEC-31-04
 packaging --> packaged
 packaged --> qa_review
 qa_review --> approved_for_filing: dqg_filing_handoff_qa_reviewer_authority + HITL + bound e-sign — DEC-31-04
 approved_for_filing --> transmitting: dqg_filing_handoff_approver_authority + HITL + bound e-sign + URS-13 CR — DEC-31-04
 transmitting --> transmitted
 transmitting --> filing_failed
 filing_failed --> retrying
 retrying --> transmitting
 transmitted --> confirmed_filed
 confirmed_filed --> acknowledged: acknowledged transition wired with acknowledgment_received_at stamp — CR-002 controlled-action fix per DEC-31-04
 packaging --> cancelled
 packaged --> cancelled
 qa_review --> cancelled
 approved_for_filing --> cancelled
 transmitting --> cancelled
 transmitted --> cancelled
 confirmed_filed --> cancelled
 filing_failed --> cancelled
 retrying --> cancelled
 acknowledged --> [*]
 cancelled --> [*]
```

#### 6.4.3 Inbound-import lifecycle (with CR-003 controlled-action fix)

```mermaid
stateDiagram-v2
 [*] --> initiated: createInboundImport seeds initiated (NOT pending) — CR-003 controlled-action fix per DEC-31-06
 initiated --> files_uploading
 files_uploading --> files_received
 files_received --> parsing
 parsing --> parsed
 parsed --> classifying
 classifying --> classified
 classified --> review_pending
 review_pending --> under_review
 under_review --> reviewed: dqg_inbound_import_reviewer_authority + HITL + bound e-sign — DEC-31-06
 reviewed --> staging
 staging --> staged
 staged --> completed
 files_uploading --> failed
 files_received --> failed
 parsing --> failed
 parsed --> failed
 classifying --> failed
 classified --> failed
 review_pending --> failed
 under_review --> failed
 reviewed --> failed
 staging --> failed
 staged --> failed
 failed --> initiated
 completed --> [*]
```

#### 6.4.4 Taxonomy lifecycle

```mermaid
stateDiagram-v2
 [*] --> draft
 draft --> under_review
 under_review --> effective: dqg_taxonomy_release_authority + HITL + bound e-sign + URS-13 CR — DEC-31-07
 effective --> superseded: revise (new version)
 superseded --> archived
```

### 6.5 Business rules

- BR-31-01: Canonical API mount `/api/v1/dqg/*` per DEC-31-01.
- BR-31-02: DQG is artifact-centric; substantive compliance review delegated to URS-20 per DEC-31-08.
- BR-31-03: Artifact lifecycle is the 16-state machine per DEC-31-03.
- BR-31-04: **`createFilingHandoff` MUST seed `status = 'packaging'`** (NOT `pending`) per CR-001 controlled-action fix per DEC-31-04.
- BR-31-05: **`transitionFilingHandoffStatus('acknowledged')` MUST be wired to valid `confirmed_filed → acknowledged` transition with `acknowledgment_received_at` stamp** per CR-002 controlled-action fix per DEC-31-04.
- BR-31-06: **`createInboundImport` MUST seed `status = 'initiated'`** (NOT `pending`) per CR-003 controlled-action fix per DEC-31-06.
- BR-31-07: Filing-handoff QA review requires `dqg_filing_handoff_qa_reviewer_authority` + HITL + bound e-sign per DEC-31-04.
- BR-31-08: Filing-handoff approval requires `dqg_filing_handoff_approver_authority` + HITL + bound e-sign + URS-13 CR per DEC-31-04.
- BR-31-09: Inbound-import review requires `dqg_inbound_import_reviewer_authority` + HITL + bound e-sign per DEC-31-06.
- BR-31-10: Taxonomy effective release requires `dqg_taxonomy_release_authority` + HITL + bound e-sign + URS-13 CR per DEC-31-07.
- BR-31-11: Effective taxonomy versions are immutable.
- BR-31-12: At most one effective taxonomy version per `(tenant_id, taxonomy_type)` enforced.
- BR-31-13: All DQG routes use dedicated `dqg:*` permission set; `document_review:*` permission overload rejected per DEC-31-10.
- BR-31-14: Ingest-channel credentials sourced from secret store; inline credentials rejected per DEC-31-11.
- BR-31-15: Ingest-channel effective release requires `dqg_ingest_channel_release_authority` + HITL + bound e-sign + URS-13 CR per DEC-31-11.
- BR-31-16: Sender communication dispatched via URS-30 per DEC-31-12.
- BR-31-17: Artifact files stored as URS-12 documents with content hash per DEC-31-09.
- BR-31-18: Artifact promotion to URS-12 controlled-document library on `filed` state per DEC-31-08.
- BR-31-19: Substantive compliance review delegated to URS-20 via `dqg_artifact_substantive_review_requested` event per DEC-31-08.
- BR-31-20: HITL reviewer MUST satisfy URS-28 qualification-gate per DEC-31-23.
- BR-31-21: AI classification provenance persisted in `dqg_ai_assistance` + `ai_provenance_assistance_id` on classification per DEC-31-13.
- BR-31-22: AI assistance is advisory until human-accepted; promotion to system-of-record requires bound e-sign per DEC-31-13.
- BR-31-23: **AI cannot finalize HITL approval, AI cannot finalize HITL rejection, AI cannot approve filing handoff for transmission, AI cannot acknowledge filing confirmation, AI cannot approve inbound-import review, AI cannot withdraw an artifact, AI cannot release a taxonomy version** per ARCH-AI-001 / DEC-31-13.
- BR-31-24: **Every state transition MUST be attributable to `actor_user_id` OR `system_context`** (XOR — exactly one) per DEC-31-14 / 21 CFR Part 11 §11.10(e).
- BR-31-25: Material updates after draft require structured reason-for-change per DEC-31-21.
- BR-31-26: Bound e-signature persistence on every regulated final action per DEC-31-10.
- BR-31-27: Program reopen `locked → in_progress` requires `executive_authority` co-sign AND `qualified_person_authority` co-sign + reason per DEC-31-22.
- BR-31-28: `platform_admin` / `super_admin` are support / break-glass only paths per DEC-31-20.
- BR-31-29: Stale inbound imports + chronic filing failures emit `dqg_finding_created` to URS-21 per DEC-31-15.
- BR-31-30: Chronic filing failures emit `dqg_filing_capa_linked` to URS-18 per DEC-31-16.

### 6.6 Audit trail

Every Module 31 record mutation persists an audit-trail entry. **Every state transition persists `dqg_state_transitions_audit` entry with `actor_user_id` OR `system_context` per DEC-31-14**. Material updates persist `reason_for_change` per DEC-31-21. Regulated final actions persist a bound e-signature via the `electronic_signatures` substrate. Append-only.

### 6.7 Error handling

| Code | HTTP | Meaning |
|---|---|---|
| `DQG_VALIDATION_FAILED` | 400 | Schema validation failure |
| `DQG_UNAUTHORIZED` | 401 | Authentication required |
| `DQG_FORBIDDEN` | 403 | RBAC denied |
| `DQG_NOT_FOUND` | 404 | Resource not found |
| `DQG_DUPLICATE_KEY` | 409 | Uniqueness violation |
| `DQG_INVALID_TRANSITION` | 422 | Lifecycle transition not permitted |
| `DQG_FILING_HANDOFF_INITIAL_STATE_INVALID` | 422 | Filing handoff initial state must be `packaging` per CR-001 controlled-action fix per DEC-31-04 |
| `DQG_FILING_HANDOFF_ACKNOWLEDGED_TRANSITION_INVALID` | 422 | `acknowledged` transition only valid from `confirmed_filed` per CR-002 controlled-action fix per DEC-31-04 |
| `DQG_INBOUND_IMPORT_INITIAL_STATE_INVALID` | 422 | Inbound import initial state must be `initiated` per CR-003 controlled-action fix per DEC-31-06 |
| `DQG_TAXONOMY_RELEASE_CHANGE_REQUEST_REQUIRED` | 422 | Taxonomy release without URS-13 CR per DEC-31-07 |
| `DQG_FILING_TARGET_CHANGE_REQUEST_REQUIRED` | 422 | Filing handoff approval-for-filing without URS-13 CR per DEC-31-04 |
| `DQG_CREDENTIALS_IN_PAYLOAD_FORBIDDEN` | 422 | Inline credentials in ingest channel payload per DEC-31-11 |
| `DQG_SECRET_STORE_REF_REQUIRED` | 422 | Ingest channel missing `secret_store_ref` per DEC-31-11 |
| `DQG_AUTHORITY_REQUIRED` | 422 | Authority Profile missing |
| `DQG_HITL_REVIEWER_QUALIFICATION_GATE_FAILED` | 422 | HITL reviewer not qualified per URS-28 per DEC-31-23 |
| `DQG_HITL_DECISION_REQUIRED` | 422 | HITL decision capture missing |
| `DQG_E_SIGNATURE_REQUIRED` | 422 | Bound e-signature persistence missing |
| `DQG_REASON_FOR_CHANGE_REQUIRED` | 422 | Material update without reason-for-change |
| `DQG_STATE_TRANSITION_NOT_ATTRIBUTABLE` | 422 | State transition without `actor_user_id` OR `system_context` per DEC-31-14 / 21 CFR Part 11 §11.10(e) |
| `DQG_AI_CANNOT_FINALIZE_HITL_APPROVAL` | 422 | AI service attempted HITL approval per ARCH-AI-001 |
| `DQG_AI_CANNOT_FINALIZE_HITL_REJECTION` | 422 | AI service attempted HITL rejection per ARCH-AI-001 |
| `DQG_AI_CANNOT_APPROVE_FILING_HANDOFF` | 422 | AI service attempted filing-handoff approval per ARCH-AI-001 |
| `DQG_AI_CANNOT_ACKNOWLEDGE_FILING` | 422 | AI service attempted filing acknowledgment per ARCH-AI-001 |
| `DQG_AI_CANNOT_APPROVE_INBOUND_IMPORT` | 422 | AI service attempted inbound-import review per ARCH-AI-001 |
| `DQG_AI_CANNOT_WITHDRAW_ARTIFACT` | 422 | AI service attempted artifact withdrawal per ARCH-AI-001 |
| `DQG_AI_CANNOT_RELEASE_TAXONOMY` | 422 | AI service attempted taxonomy release per ARCH-AI-001 |
| `DQG_AI_ASSISTANCE_NOT_ACCEPTED` | 422 | Promotion of AI assistance without human acceptance per DEC-31-13 |
| `DQG_REOPEN_AUTHORITY_REQUIRED` | 422 | Reopen attempted without executive AND QP co-sign per DEC-31-22 |
| `DQG_PERMISSION_DOCUMENT_REVIEW_OVERLOAD_REJECTED` | 403 | Attempted use of `document_review:*` permission for DQG route per DEC-31-10 |
| `DQG_INTERNAL` | 500 | Sanitized server error |

### 6.8 Configuration rules

- Stale inbound import threshold (default 7 days) configurable per tenant per DEC-31-15.
- Chronic filing failure threshold configurable per tenant per DEC-31-15.
- Missed-handoff SLA (default 14 days from `staged`) configurable per tenant per DEC-31-15.
- Taxonomy types (DIA TMF Ref Model v3.3 / ICH M2/M8 eCTD / custom) configured at platform level per DEC-31-07.
- Ingest channel types and polling methods configured at platform level per DEC-31-11.
- Filing target systems configured at platform level per DEC-31-04.

---

## 7. Non-functional Requirements

- NFR-31-01: List pagination (default 50, max 200).
- NFR-31-02: List p95 < 800ms (1M artifacts, 100k filing handoffs per tenant).
- NFR-31-03: Artifact state transition p95 < 500ms.
- NFR-31-04: Filing handoff transmission p95 < 30s per artifact.
- NFR-31-05: Inbound import processing p95 < 60s per artifact.
- NFR-31-06: Audit-trail append p99 < 200ms (state transition critical path).
- NFR-31-07: Concurrent DQG users per tenant: 100.
- NFR-31-08: Storage scalability: 10M artifacts per tenant; 1M filing handoffs per tenant.
- NFR-31-09: Backup / restore RPO ≤ 15 min; RTO ≤ 4 hours per URS-35.
- NFR-31-10: Bound e-signature persistence transaction p95 < 1.5s.
- NFR-31-11: Secret-store resolution p95 < 200ms.
- NFR-31-12: URS-28 qualification-gate consumption p95 < 200ms (consumed at HITL approval).

---

## 8. Localization

English (en-US, en-GB), Hindi (hi-IN), Marathi (mr-IN), Japanese (ja-JP) at launch.

---

## 9. Migration

### 9.1 Migration scope

Greenfield at launch. Legacy DQG records (if any from pre-) require migration with corrective state seeding per CR-001/CR-002/CR-003 controlled-action fixes.

### 9.2 Schema migration

Migration baseline aligned with target migrations columns: API canonical mount path correction per DEC-31-01; **CR-001 controlled-action fix to `service.ts:1424` `createFilingHandoff` to seed `packaging`** per DEC-31-04; **CR-002 controlled-action fix to `service.ts:1528` `transitionFilingHandoffStatus` to wire `acknowledged` transition** per DEC-31-04; **CR-003 controlled-action fix to `service.ts:1638` `createInboundImport` to seed `initiated`** per DEC-31-06; remove `document_review` permission references on all 46 DQG routes; replace with dedicated `dqg:*` permission set per DEC-31-10; add `secret_store_ref` NOT NULL on `dqg_ingest_channels` (except `direct_upload` channels); deprecate inline credential fields on `dqg_ingest_channels` per DEC-31-11; add `linked_notification_send_id` FK to URS-30 `notification_sends` on `dqg_sender_communications` per DEC-31-12; add `dqg_state_transitions_audit` table with `actor_user_id` XOR `system_context` constraint per DEC-31-14; add `dqg_ai_assistance` table per DEC-31-13; add `ai_provenance_assistance_id`, `ai_classification_confidence`, `taxonomy_version_snapshot` on `dqg_artifact_classifications` per DEC-31-13; add `taxonomy_release_change_request_id` FK to URS-13 on `dqg_taxonomies` per DEC-31-07; add partial unique index on `dqg_taxonomies` for `WHERE status = 'effective'` per DEC-31-07; add `release_change_request_id` FK on `dqg_ingest_channels` per DEC-31-11; add `filing_target_change_request_id` FK on `dqg_filing_handoffs` per DEC-31-04; add `dqg_program_locks` table with reopen columns per DEC-31-22.

### 9.3 Migration evidence gate (URS-31-VAL-008)

(a) all migrations applied; (b) RLS verified; (c) typed schema validation verified; (d) **CR-001 controlled-action fix verified — `createFilingHandoff` seeds `packaging` (test attempts to seed `pending` rejected)**; (e) **CR-002 controlled-action fix verified — `transitionFilingHandoffStatus('acknowledged')` wires correctly from `confirmed_filed` and stamps `acknowledgment_received_at`**; (f) **CR-003 controlled-action fix verified — `createInboundImport` seeds `initiated` (test attempts to seed `pending` rejected)**; (g) canonical API mount `/api/v1/dqg/*` verified; (h) `dqg:*` permission set replacing `document_review:*` verified; (i) artifact 16-state lifecycle verified end-to-end; (j) taxonomy controlled lifecycle + URS-13 CR linkage verified; (k) ingest-channel secret-store credential governance verified (inline-credential rejection tested); (l) sender communication URS-30 dispatch linkage verified; (m) substantive compliance review delegation to URS-20 verified; (n) **state transition attributability per 21 CFR Part 11 §11.10(e) verified — non-attributable transitions rejected**; (o) HITL reviewer URS-28 qualification-gate consumption verified; (p) AI assistance substrate + AI-only-finalization rejections verified (all 7 AI prohibition error codes tested); (q) cross-module event emission verified (URS-12, URS-13, URS-18, URS-20, URS-21, URS-22, URS-27, URS-28, URS-29, URS-30); (r) audit-trail coverage verified; (s) governed reopen verified; (t) §17 validation evidence pack signed.

---

## 10. Decommissioning

Module 31 records subject to platform record-retention policy. Artifact files retained via URS-12 Document Control. On tenant decommissioning, records exported per URS-35.

---

## 11. Decisions, Dependencies, Risks, and Error Handling
### 11.1 Closed decision posture

**No Module 31 internal decisions outstanding.** All items including the three workflow-engine controlled actions (CR-001 / CR-002 / CR-003) are captured in the locked decisions DEC-31-01.DEC-31-23.

### 11.2 External dependencies

- URS-12 Document Control must support artifact-file storage with content hash per DEC-31-09.
- URS-13 change-control register must support taxonomy + ingest-channel + filing-handoff target-system release linkage per DEC-31-04 / DEC-31-07 / DEC-31-11.
- URS-18 CAPA register must accept `dqg_filing_failure` source type per DEC-31-16.
- URS-20 Reviews register must accept `dqg_artifact_substantive_review_requested` event per DEC-31-08.
- URS-21 findings register must accept `dqg_artifact_governance` source type per DEC-31-15.
- URS-22 Inspection must support DQG artifact retrieval as back-room evidence.
- URS-27 Regulatory must consume DQG filing-handoff handoffs.
- URS-28 Training must expose qualification-gate API for HITL reviewer authority per DEC-31-23.
- URS-29 Screen Reader must be able to promote extractions to DQG artifacts per URS-29 DEC-29-23.
- URS-30 Notifications must consume `dqg_sender_communication_dispatched` events per DEC-31-12.
- URS-32 MIRA AI must support read-only `useMiraRecord(.)` mappings; AI advisory drafting only.
- URS-35 infrastructure must support secret-store integration per DEC-31-11.

### 11.3 Risks

- Risk-31-01: External eTMF / regulatory submission system availability (Veeva / Phlexglobal / Wingspan / FDA ESG outages). Mitigation: filing-handoff retry with exponential backoff per DEC-31-04; URS-21 chronic-failure finding + URS-18 CAPA escalation per DEC-31-15 / DEC-31-16.
- Risk-31-02: TMF Reference Model version evolution (DIA TMF Ref Model v3.3 → v4.0 future). Mitigation: taxonomy controlled lifecycle with version immutability per DEC-31-07; URS-13 CR for taxonomy version transition.
- Risk-31-03: AI-assistance acceptance rate may be high if reviewers rubber-stamp. Mitigation: acceptance-rate audit; periodic review.
- Risk-31-04: Reopen workflow gravity may delay urgent investigations. Mitigation: documented reopen SLA.
- Risk-31-05: HITL reviewer qualification-gate latency under high load. Mitigation: NFR-31-12 latency budget; URS-28 cache layer with TTL.

### 11.4 Out-of-scope risks tracked elsewhere

- Vendor-specific eTMF connectors (future-state).
- FDA ESG / EMA EudraVigilance direct integration (URS-27 Regulatory).
- Substantive compliance review (URS-20).

### 11.5 Risk owner

Module-31 risk register owned by Quality / DQG Squad with quarterly review by **RA Head (Primary Owner)** + QA Head + Validation Head + Qualified Person Authority + Information Security Head.

### 11.6 Decision discipline

No Module 31 internal decisions outstanding.

### 11.7 Error Handling and Negative Paths

This section defines the controlled error envelope, the enumerated machine-code catalogue, and the negative-path response contract required for this module. The error envelope is the standard platform envelope (human message, machine code in upper-snake-case, optional structured details, correlation identifier). Errors are returned with the appropriate HTTP status; the UI surfaces inline errors at the field of cause where applicable, otherwise a controlled error toast or modal. Every error path is logged to the URS-06 audit substrate when the originating action is regulated; errors that occur before authentication are logged without `userId`. Audit-trail write failure on a state-changing action MUST cause the originating action to NOT commit (atomic write per URS-04 BR-04-15). The enumerated machine codes for this module's negative paths are defined alongside the corresponding lifecycle gates, segregation-of-duties controls, and authority-resolution outcomes throughout §6 (Back-end Requirements) and §13 (Segregation of Duties); engineering MUST surface every enumerated machine code through the standard envelope and MUST NOT swallow errors silently. Cross-module error propagation follows the §20 Cross-Module Event Contract.


---

## 12. Security

- SEC-31-01: Tenant isolation enforced at RLS on every Module 31 table.
- SEC-31-02: RBAC enforced on every route via `requirePermission(.)` using dedicated `dqg:*` permission set per DEC-31-10.
- SEC-31-03: Authority resolution enforced on regulated final actions before HITL + e-signature.
- SEC-31-04: HITL decision capture enforced before bound e-signature persistence.
- SEC-31-05: Bound e-signature persistence via `electronic_signatures` substrate.
- SEC-31-06: PII redaction in logs.
- SEC-31-07: Audit-trail integrity via URS-06 hash chain; **`dqg_state_transitions_audit` enforces XOR `actor_user_id` / `system_context` per DEC-31-14**.
- SEC-31-08: AI-request provenance via `ai_requests` linked to `dqg_ai_assistance`; **AI cannot advance regulated DQG workflow** per ARCH-AI-001; AI may draft advisory only.
- SEC-31-09: `platform_admin` / `super_admin` break-glass actions logged per DEC-31-20.
- SEC-31-10: **Ingest-channel credentials via tenant-controlled secret store per DEC-31-11**.
- SEC-31-11: Channel test action does not replay live credentials in test response.
- SEC-31-12: Artifact files via URS-12 Document Control with content hash per DEC-31-09.
- SEC-31-13: HITL reviewer qualification gated via URS-28 per DEC-31-23.
- SEC-31-14: `document_review:*` permission overload rejected at runtime per DEC-31-10.

---

## 13. Segregation of Duties

| SoD ID | Constraint |
|---|---|
| SoD-31-01 | The taxonomy releaser MUST NOT be the taxonomy author when tenant policy requires content-author/releaser separation. |
| SoD-31-02 | The HITL reviewer MUST NOT be the artifact submitter (DB-level constraint). |
| SoD-31-03 | The filing-handoff QA reviewer MUST NOT be the filing-handoff approver (separate steps). |
| SoD-31-04 | The inbound-import reviewer MUST NOT be the inbound-import initiator. |
| SoD-31-05 | The artifact withdrawal authority MUST NOT be the original HITL reviewer (when the withdrawal occurs after HITL approval). |
| SoD-31-06 | The reopen co-signers (executive AND Qualified Person per DEC-31-22) MUST NOT be the original lock signer. |
| SoD-31-07 | The `platform_admin` / `super_admin` support / break-glass action MUST NOT be a regulated production action; logged and reviewed per DEC-31-20. |

---

## 14. Regulatory Mapping

| Predicate rule | Section | Module 31 binding |
|---|---|---|
| **FDA 21 CFR Part 11 §11.10(a)** | Validation | URS-31-VAL-008 (including three workflow-engine controlled actions) |
| **FDA 21 CFR Part 11 §11.10(d)** | Authority checks | Authority/HITL/e-sign substrate; dedicated `dqg:*` permission set per DEC-31-10 |
| **FDA 21 CFR Part 11 §11.10(e)** | Audit trails — attributable state transitions | `dqg_state_transitions_audit` with XOR `actor_user_id` / `system_context` per DEC-31-14 |
| **FDA 21 CFR Part 11 §11.50** | Signature manifestations | Bound e-signature manifestations |
| **FDA 21 CFR Part 11 §11.70** | Signature/record linking | Bound e-signature linked via `electronic_signatures` substrate |
| **FDA 21 CFR Part 11 §11.200** | Electronic signature controls | E-sign substrate compliance |
| **EU GMP Annex 11 §4** | Validation | URS-31-VAL-008 |
| **EU GMP Annex 11 §5** | Data — including artifact integrity | Immutable URS-12 storage + content hash per DEC-31-09 |
| **EU GMP Annex 11 §9** | Audit Trails | Audit-trail substrate including state transitions per DEC-31-14 |
| **EU GMP Annex 11 §12** | Security including credential governance | Secret-store credential governance per DEC-31-11 |
| **EU GMP Annex 11 §14** | Electronic Records / Signatures | Bound e-signature on every regulated final action |
| **EU GMP Annex 11 §16** | Incident Management | URS-21 finding emission + URS-18 CAPA escalation |
| EU GMP Annex 22 Draft 2025 | §7 — HITL / GenAI advisory only | Internal forward-looking control |
| EU AI Act (Regulation 2024/1689) | Annex III; Art. 13 transparency | Internal forward-looking control |
| **MHRA Data Integrity Guidance** | ALCOA+ | Module 31 artifact integrity ALCOA+-compliant |
| GAMP 5 Cat 5 | Custom-application validation lifecycle | URS-31 validation evidence pack per URS-31-VAL-008 |
| **FDA Computer Software Assurance (CSA) — September 2025 Final Guidance** | High-process-risk classification where filing handoff feeds regulatory submission | Per DEC-31-04 risk-based validation aligned with CSA |
| **DIA TMF Reference Model v3.3** | TMF-aligned taxonomy | Primary taxonomy reference per DEC-31-07 |
| **ICH E6(R3) §8** | Essential Documents for Conduct of a Clinical Trial — TMF basis | Module 31 system of record for TMF artifacts |
| **ICH M2 / eCTD Specification** | eCTD module structure | Regulatory artifact taxonomy alignment per DEC-31-07 |
| **ICH M8 (Implementation Working Group) eCTD v4.0** | eCTD v4.0 specification | eCTD v4.0 taxonomy alignment per DEC-31-07 |
| **ISO/IEC 27001** | Information security — credential governance for ingest channels | Secret-store credential governance per DEC-31-11 |
| **India CDSCO NDCT 2019 §27** | Clinical trial documentation | India clinical trial DQG operations subject to a future jurisdiction-specific legal assessment |
| **India CDSCO Schedule M (Revised) §16** | Records and Reports | India operations subject to a future jurisdiction-specific legal assessment |

---

## 15. Code Modules

| Code module | Path | Status |
|---|---|---|
| `document-quality-gateway` plugin | `packages/backend/src/modules/document-quality-gateway/plugin.ts` | (canonical mount `/api/v1/dqg/*` per DEC-31-01) |
| `document-quality-gateway` routes | `packages/backend/src/modules/document-quality-gateway/routes.ts` | (typed schemas; route additions per §6.3; `dqg:*` permission set per DEC-31-10) |
| `document-quality-gateway` service | `packages/backend/src/modules/document-quality-gateway/service.ts` | ** (P0)** — CR-001 fix at line 1424; CR-002 fix at line 1528; CR-003 fix at line 1638; secret-store credential resolution; sender communication URS-30 dispatch; AI assistance substrate; attributable state transitions; URS-28 qualification gate consumption |
| `document-quality-gateway` workflow | `packages/backend/src/modules/document-quality-gateway/workflow.ts` | (state machines validated; `acknowledged` transition wired) |
| `document-quality-gateway` schemas | `packages/backend/src/modules/document-quality-gateway/schemas.ts` | (inline credentials removed) |
| `document-quality-gateway` events | `packages/backend/src/modules/document-quality-gateway/events.ts` | target route |
| `document-quality-gateway` secret-store-resolver | `packages/backend/src/modules/document-quality-gateway/secret-store-resolver.ts` | target route per DEC-31-11 |
| `document-quality-gateway` ai-assistance | `packages/backend/src/modules/document-quality-gateway/ai-assistance.ts` | target route per DEC-31-13 |
| `document-quality-gateway` attributable-transition-engine | `packages/backend/src/modules/document-quality-gateway/attributable-transition-engine.ts` | target route per DEC-31-14 |
| `document-quality-gateway` qualification-gate-resolver | `packages/backend/src/modules/document-quality-gateway/qualification-gate-resolver.ts` | target route per DEC-31-23 |
| Migration | `packages/backend/src/db/migrations/.` | (per §9.2) |
| Shared types | `packages/shared/src/types/document-quality-gateway.ts` | |
| Shared schemas | `packages/shared/src/schemas/document-quality-gateway.schema.ts` | |
| Frontend hooks | `packages/frontend/src/api/hooks/useDQG.ts` | (canonical relative `/dqg/*`) |
| Frontend dashboard | `packages/frontend/src/pages/DQGDashboard.tsx` | target route per DEC-31-12 |
| Frontend artifact console | `packages/frontend/src/pages/DQGArtifacts.tsx` | target route |
| Frontend artifact detail | `packages/frontend/src/pages/DQGArtifactDetail.tsx` | target route |
| Frontend taxonomy console | `packages/frontend/src/pages/DQGTaxonomies.tsx` | target route per DEC-31-07 |
| Frontend filing handoff console | `packages/frontend/src/pages/DQGFilingHandoffs.tsx` | target route per DEC-31-04 |
| Frontend inbound import console | `packages/frontend/src/pages/DQGInboundImports.tsx` | target route per DEC-31-06 |
| Frontend ingest channel console | `packages/frontend/src/pages/DQGIngestChannels.tsx` | target route per DEC-31-11 |
| Frontend sender communication | `packages/frontend/src/pages/DQGSenderCommunications.tsx` | target route per DEC-31-12 |
| Frontend cross references | `packages/frontend/src/pages/DQGCrossReferences.tsx` | target route |
| Frontend health metrics | `packages/frontend/src/pages/DQGHealthMetrics.tsx` | target route |
| Frontend AI assistance | `packages/frontend/src/pages/DQGAIAssistance.tsx` | target route per DEC-31-13 |
| App routing | `packages/frontend/src/App.tsx` | (per DEC-31-12) |

---

## 16. Test Cases

### 16.1 Unit tests (blocker fixes prioritized)

- TC-31-U-001 (P0): `createFilingHandoff` MUST seed `status = 'packaging'` per CR-001 fix; attempt to seed `pending` rejected.
- TC-31-U-002 (P0): `transitionFilingHandoffStatus('acknowledged')` MUST be valid only from `confirmed_filed` per CR-002 fix; `acknowledgment_received_at` MUST be stamped.
- TC-31-U-003 (P0): `createInboundImport` MUST seed `status = 'initiated'` per CR-003 fix; attempt to seed `pending` rejected.
- TC-31-U-004: Taxonomy uniqueness `(tenant_id, taxonomy_type, version)` rejects duplicate.
- TC-31-U-005: At most one effective taxonomy per `(tenant_id, taxonomy_type)` enforced.
- TC-31-U-006: Taxonomy effective release without URS-13 CR rejects with `DQG_TAXONOMY_RELEASE_CHANGE_REQUEST_REQUIRED`.
- TC-31-U-007: Effective taxonomy edit rejects with `DQG_INVALID_TRANSITION`.
- TC-31-U-008: Use of `document_review:*` permission for DQG route rejects with `DQG_PERMISSION_DOCUMENT_REVIEW_OVERLOAD_REJECTED`.
- TC-31-U-009: Inline credentials in ingest channel payload rejects with `DQG_CREDENTIALS_IN_PAYLOAD_FORBIDDEN`.
- TC-31-U-010: Ingest channel without `secret_store_ref` rejects with `DQG_SECRET_STORE_REF_REQUIRED`.
- TC-31-U-011: HITL approval without URS-28 qualification rejects with `DQG_HITL_REVIEWER_QUALIFICATION_GATE_FAILED`.
- TC-31-U-012: HITL approval by artifact submitter rejects per SoD-31-02.
- TC-31-U-013: Filing handoff QA reviewer = approver rejects per SoD-31-03.
- TC-31-U-014: Inbound import reviewer = initiator rejects per SoD-31-04.
- TC-31-U-015: AI service attempting HITL approval rejects with `DQG_AI_CANNOT_FINALIZE_HITL_APPROVAL`.
- TC-31-U-016: AI service attempting HITL rejection rejects with `DQG_AI_CANNOT_FINALIZE_HITL_REJECTION`.
- TC-31-U-017: AI service attempting filing-handoff approval rejects with `DQG_AI_CANNOT_APPROVE_FILING_HANDOFF`.
- TC-31-U-018: AI service attempting filing acknowledgment rejects with `DQG_AI_CANNOT_ACKNOWLEDGE_FILING`.
- TC-31-U-019: AI service attempting inbound-import review rejects with `DQG_AI_CANNOT_APPROVE_INBOUND_IMPORT`.
- TC-31-U-020: AI service attempting artifact withdrawal rejects with `DQG_AI_CANNOT_WITHDRAW_ARTIFACT`.
- TC-31-U-021: AI service attempting taxonomy release rejects with `DQG_AI_CANNOT_RELEASE_TAXONOMY`.
- TC-31-U-022: AI assistance promotion without acceptance rejects with `DQG_AI_ASSISTANCE_NOT_ACCEPTED`.
- TC-31-U-023: State transition without `actor_user_id` OR `system_context` rejects with `DQG_STATE_TRANSITION_NOT_ATTRIBUTABLE`.
- TC-31-U-024: State transition with both `actor_user_id` AND `system_context` rejects (XOR enforced).
- TC-31-U-025: Reopen without executive AND QP co-sign rejects.

### 16.2 Integration tests

- TC-31-I-001: Full TMF artifact intake → classification → HITL review → filing handoff per Worked Example 1.
- TC-31-I-002: Inbound import via email ingest channel with CR-003 fix per Worked Example 2.
- TC-31-I-003: AI cannot finalize HITL approval per Worked Example 3.
- TC-31-I-004: Stale inbound import → URS-21 finding per Worked Example 4.
- TC-31-I-005: Substantive compliance review delegated to URS-20 per Worked Example 5.
- TC-31-I-006: Governed reopen of locked program per Worked Example 6.
- TC-31-I-007: Filing handoff to URS-27 Regulatory submission integration.
- TC-31-I-008: Filing handoff to URS-12 controlled-document library on `filed` state per DEC-31-08.
- TC-31-I-009: URS-28 qualification-gate consumed at HITL approval per DEC-31-23.
- TC-31-I-010: URS-29 Screen Reader extraction promoted to DQG artifact per URS-29 DEC-29-23.
- TC-31-I-011: Sender communication via URS-30 dispatch per DEC-31-12.
- TC-31-I-012: Cross-tenant `platform_admin` break-glass logged per DEC-31-20.
- TC-31-I-013: MIRA copilot read-only context; advisory drafting only.
- TC-31-I-014: Secret-store integration with AWS Secrets Manager mock for ingest channel.
- TC-31-I-015: Cross-module event emission verified (URS-12, URS-13, URS-18, URS-20, URS-21, URS-22, URS-27, URS-28, URS-29, URS-30).

### 16.3 End-to-end tests

- TC-31-E-001: TMF artifact end-to-end per Worked Example 1.
- TC-31-E-002: Inbound import scenario per Worked Example 2.
- TC-31-E-003: AI-only-finalization rejection per Worked Example 3.
- TC-31-E-004: Stale import scenario per Worked Example 4.
- TC-31-E-005: URS-20 delegation per Worked Example 5.
- TC-31-E-006: Reopen scenario per Worked Example 6.
- TC-31-E-007: 100 concurrent DQG users — NFR-31-07.
- TC-31-E-008: India CDSCO NDCT 2019 §27 clinical trial documentation scenario.

### 16.4 Performance tests

- TC-31-P-001: List p95 latency (NFR-31-02).
- TC-31-P-002: Artifact state transition p95 latency (NFR-31-03).
- TC-31-P-003: Filing handoff transmission p95 latency (NFR-31-04).
- TC-31-P-004: Inbound import processing p95 latency (NFR-31-05).
- TC-31-P-005: Bound e-signature p95 latency (NFR-31-10).
- TC-31-P-006: Secret-store resolution p95 latency (NFR-31-11).
- TC-31-P-007: URS-28 qualification-gate p95 latency (NFR-31-12).

### 16.5 Security tests

- TC-31-S-001: Cross-tenant access rejected by RLS.
- TC-31-S-002: Missing RBAC rejected.
- TC-31-S-003: `document_review:*` permission overload rejected per DEC-31-10.
- TC-31-S-004: Missing Authority Profile rejected.
- TC-31-S-005: Missing HITL rejected.
- TC-31-S-006: Missing bound e-signature rejected.
- TC-31-S-007: SQL injection rejected.
- TC-31-S-008: Audit-trail UPDATE / DELETE rejected.
- TC-31-S-009: AI service attempting any of the 7 prohibited finalization actions rejected.
- TC-31-S-010: PII redaction in logs verified.
- TC-31-S-011: Inline credentials in ingest channel rejected.
- TC-31-S-012: HITL reviewer ≠ artifact submitter DB constraint enforced.
- TC-31-S-013: State transition attributability XOR constraint enforced.

---

## 17. Validation Evidence

### 17.1 URS-31-VAL-001: Requirements traceability matrix

Complete RTM mapping every URS-31 requirement (DEC-31-01.DEC-31-23, BR-31-01.BR-31-30, NFR-31-01.NFR-31-12, SoD-31-01.SoD-31-07, SEC-31-01.SEC-31-14) to test cases (TC-31-U-001.TC-31-U-025, TC-31-I-001.TC-31-I-015, TC-31-E-001.TC-31-E-008, TC-31-P-001.TC-31-P-007, TC-31-S-001.TC-31-S-013) and code modules (§15). **The three workflow-engine controlled actions (CR-001/CR-002/CR-003) are explicitly validated in TC-31-U-001/002/003.**

### 17.2 URS-31-VAL-002: Design qualification (DQ)

Architecture, data model, API contract, workflow, business rules, audit trail, security, integration; signed by Validation Head, QA Head, **RA Head (Primary Owner)**, Manufacturing Head, Information Security Head, Qualified Person Authority.

### 17.3 URS-31-VAL-003: Installation qualification (IQ)

Migration application + RLS verification + route mount verification + frontend hook resolution + secret-store integration verification + **the workflow-engine controlled action fix verification**.

### 17.4 URS-31-VAL-004: Operational qualification (OQ)

Happy-path execution of every test case with evidence captures. **controlled-action fix verification tests (TC-31-U-001/002/003) are mandatory pass criteria.**

### 17.5 URS-31-VAL-005: Performance qualification (PQ)

NFR-31-01.NFR-31-12 verification.

### 17.6 URS-31-VAL-006: AI/ML governance evidence

Per ARCH-AI-001: (a) MIRA read-only context integration; (b) AI advisory drafting only with mandatory human acceptance via `dqg_ai_assistance`; (c) **AI cannot finalize HITL approval / rejection / filing-handoff approval / acknowledgment / inbound-import review / artifact withdrawal / taxonomy release** verification (all 7 prohibitions tested); (d) Annex 22 §7 + EU AI Act Annex III internal forward-looking control compliance evidence.

### 17.7 URS-31-VAL-007: Regulatory mapping evidence

FDA 21 CFR Part 11 §§11.10(a), 11.10(d), 11.10(e), 11.50, 11.70, 11.200; EU GMP Annex 11 §§4, 5, 9, 12, 14, 16; Annex 22 Draft 2025 §7; EU AI Act Art. 13 / Annex III; MHRA Data Integrity (ALCOA+); GAMP 5 Cat 5; FDA CSA September 2025; **DIA TMF Reference Model v3.3**; **ICH E6(R3) §8**; **ICH M2 / eCTD Specification**; **ICH M8 eCTD v4.0**; ISO/IEC 27001; India CDSCO NDCT 2019 §27 / Schedule M §16.

### 17.8 URS-31-VAL-008: Migration evidence gate

Per §9.3. **Mandatory the workflow-engine controlled action fix verification: CR-001 (filing handoff `packaging` initial state) + CR-002 (`acknowledged` transition wired with `acknowledgment_received_at` stamp) + CR-003 (inbound import `initiated` initial state). Migration evidence gate cannot pass without all three workflow-engine controlled actions verified.**

### 17.9 URS-31-VAL-009: Signature manifest

QA Head, **RA Head (Primary Owner)**, Validation Head, Manufacturing Head, Information Security Head, Qualified Person Authority, Site Quality Lead, Founder / Chairman & MD per §19.

### 17.10 URS-31-VAL-010: Post-launch periodic-review pack

(a) DQG metrics (artifacts per tenant, classification accuracy, HITL backlog, filing-handoff cycle time, inbound-import success rate); (b) AI-assistance acceptance rate; (c) audit-trail integrity; (d) reopen-event audit; (e) cross-tenant break-glass audit; (f) cross-module event integrity (URS-12, URS-13, URS-18, URS-20, URS-21, URS-22, URS-27, URS-28, URS-29, URS-30); (g) secret-store reliability; (h) URS-28 qualification-gate compliance; (i) state transition attributability compliance; periodic review at quarterly cadence by RA Head + QA Head + Validation Head + Qualified Person Authority + Information Security Head.

---

## 18. Document Change History

| Version | Date | Author | Change Summary |
|---|---|---|---|
| 1.0 | 2026-05-07 | Founder Doctrine — Verixa URS Cell | First issued user requirements specification for Module 31. |

---

## 19. Document Approval

| Role | Name | Signature | Date |
|---|---|---|---|
| Founder / Chairman & MD | Vimal | __________ | __________ |
| QA Head | __________ | __________ | __________ |
| RA Head (Primary Owner) | __________ | __________ | __________ |
| Validation Head | __________ | __________ | __________ |
| Manufacturing Head | __________ | __________ | __________ |
| Information Security Head | __________ | __________ | __________ |
| Qualified Person Authority | __________ | __________ | __________ |
| Site Quality Lead | __________ | __________ | __________ |

---

## 20. Cross-Module Event Contract

| Event | Emitter | Consumer | Payload key fields |
|---|---|---|---|
| `dqg_taxonomy_released_effective` | Module 31 | URS-13, URS-30 | `taxonomy_id`, `change_request_id`, `released_by`, `e_signature_id` |
| `dqg_artifact_submitted` | Module 31 | URS-30 | `artifact_id`, `study_id`, `submitted_by` |
| `dqg_artifact_classified` | Module 31 | URS-30 | `artifact_id`, `taxonomy_node_path`, `taxonomy_version_snapshot`, `ai_provenance_assistance_id` (where applicable) |
| `dqg_artifact_hitl_approved` | Module 31 | URS-30 | `artifact_id`, `approved_by`, `e_signature_id`, `urs28_qualification_evidence` |
| `dqg_artifact_hitl_rejected` | Module 31 | URS-30 | `artifact_id`, `rejected_by`, `rejection_reason`, `e_signature_id` |
| `dqg_artifact_substantive_review_requested` | Module 31 | **URS-20 (Reviews — primary consumer per DEC-31-08)**, URS-30 | `artifact_id`, `review_type` |
| `dqg_artifact_filed` | Module 31 | **URS-12 (controlled-document library promotion per DEC-31-08)**, URS-30 | `artifact_id`, `filing_target_system`, `confirmed_filing_reference` |
| `dqg_filing_handoff_packaged` | Module 31 | URS-30 | `filing_handoff_id`, `artifact_id` |
| `dqg_filing_handoff_qa_reviewed` | Module 31 | URS-30 | `filing_handoff_id`, `qa_reviewed_by`, `qa_review_e_signature_id` |
| `dqg_filing_handoff_approved_for_filing` | Module 31 | URS-30 | `filing_handoff_id`, `approved_by`, `approval_e_signature_id`, `change_request_id` |
| `dqg_filing_handoff_transmitted` | Module 31 | URS-27 (Regulatory where target = regulatory_submission_urs27), URS-30 | `filing_handoff_id`, `filing_target_system` |
| `dqg_filing_handoff_confirmed_filed` | Module 31 | URS-30 | `filing_handoff_id`, `confirmed_filing_reference` |
| `dqg_filing_handoff_acknowledged` | Module 31 | URS-30 | `filing_handoff_id`, `acknowledgment_received_at` (CR-002 controlled-action fix verified) |
| `dqg_filing_handoff_failed` | Module 31 | URS-30, URS-21 (chronic-failure detection) | `filing_handoff_id`, `failure_reason`, `retry_count` |
| `dqg_inbound_import_initiated` | Module 31 | URS-30 | `inbound_import_id`, `ingest_channel_id` (CR-003 controlled-action fix verified) |
| `dqg_inbound_import_completed` | Module 31 | URS-30 | `inbound_import_id`, `artifacts_created_count` |
| `dqg_inbound_import_failed` | Module 31 | URS-30 | `inbound_import_id`, `failure_reason` |
| `dqg_ingest_channel_polled` | Module 31 | URS-30 | `ingest_channel_id`, `last_poll_status`, `items_received` |
| `dqg_sender_communication_dispatched` | Module 31 | **URS-30 (Notifications — primary dispatcher per DEC-31-12)** | `sender_communication_id`, `artifact_id`, `communication_type`, `linked_notification_send_id` |
| `dqg_finding_created` | Module 31 | **URS-21 (Findings — primary consumer)**, URS-30 | `finding_id` (URS-21), `severity`, `finding_type`, `source_record_id` |
| `dqg_filing_capa_linked` | Module 31 | **URS-18 (CAPA — primary consumer)**, URS-30 | `capa_id`, `linked_by`, `source_type = dqg_filing_failure` |
| `dqg_artifact_program_locked` | Module 31 | URS-30 | `program_lock_id`, `locked_by`, `lock_e_signature_id` |
| `dqg_artifact_program_reopened` | Module 31 | URS-30, URS-21 (governed-reopen audit) | `program_lock_id`, `reopened_by`, `executive_co_signer`, `qp_co_signer`, `reopen_reason` |

---

## 21. References

- ARCH-AI-001 — AI Optionality and Manual Continuity (binding architecture; Module specification explicitly invokes)
- VRX-SPEC-URS-031-Document-Quality-Gateway-DQG-Intake-Classification-and-Filing-Handoff-Governance.md (Module specification)
- URS-01.URS-30, URS-32.URS-35 (cross-module contracts)
- **FDA 21 CFR Part 11** §§11.10(a), 11.10(d), 11.10(e), 11.50, 11.70, 11.200
- **EU GMP Annex 11** §§4, 5, 9, 12, 14, 16
- EU GMP Annex 22 (Draft 2025) §7 — internal forward-looking control
- EU AI Act (Regulation 2024/1689) Art. 13 / Annex III — internal forward-looking control
- **MHRA Data Integrity Guidance (2018)** — ALCOA+
- GAMP 5 Cat 5
- **FDA Computer Software Assurance (CSA) — September 2025 Final Guidance**
- **DIA TMF Reference Model v3.3**
- **ICH E6(R3) §8** — Essential Documents for Conduct of a Clinical Trial
- **ICH M2 / eCTD Specification**
- **ICH M8 (Implementation Working Group) eCTD v4.0**
- **ISO/IEC 27001** — information security
- India CDSCO NDCT 2019 §27
- India CDSCO Schedule M (Revised) §16

---

**END OF VRX-URS-31 — DOCUMENT QUALITY GATEWAY (DQG) — INTAKE, CLASSIFICATION, AND FILING HANDOFF GOVERNANCE — VERSION 1.0**
