# Verixa — User Requirements Specification

# Module 35: Infrastructure / Backup / Restore / Operational Resilience

| Field | Value |
|---|---|
| Document ID | VRX-URS-35 |
| Version | 1.0 |
| Status | Final — ready for QA, Validation, Regulatory Affairs, **Information Security Head (Co-Primary Owner)**, **DevOps / SRE Lead (Co-Primary Owner — operational resilience)**, Manufacturing Head, Site Quality Lead, Qualified Person Authority, and Founder approval. URS approval is separate from validation execution. This document becomes "Approved Controlled URS — released for engineering implementation and validation planning" only after signature capture in the Document Approval block. It becomes "Released for validation execution" only after the module migration evidence gate (URS-35-VAL-008) and validation evidence pack are satisfied. |
| Document Type | User Requirements Specification (URS) |
| GAMP 5 Category | Category 5 — Custom Application |
| Code Modules | Target implementation binding: expected primary code module `infrastructure` (with `plugin.ts`, `routes.ts`, `service.ts`), supporting modules `health` (existing), `config/env.ts` (centralized env validation), `app.ts` (Fastify bootstrap with hook chain), `core/job-scheduler`, expected API mounts `/api/v1/infrastructure/*` (canonical) + `/api/v1/health/*` (`/live`, `/ready`, `/startup`, `/metrics`), expected event-bus emission for `infra_health_check_recorded`, `infra_deployment_recorded`, `infra_rollback_recorded`, `infra_backup_schedule_created`, `infra_backup_schedule_updated`, `infra_backup_executed`, `infra_backup_verified`, `infra_backup_failed`, `infra_restore_requested`, `infra_restore_approved`, `infra_restore_executed`, `infra_restore_verified`, `infra_restore_released_to_service`, `infra_dr_test_executed`, `infra_dr_test_verified`, `infra_offline_queue_processed`, `infra_offline_queue_dlq`, `infra_secret_rotation_completed`, `infra_program_locked`, `infra_program_reopened`, expected MIRA context integration through `useMiraRecord('infra_health_check', id)`, `useMiraRecord('infra_deployment', id)`, `useMiraRecord('infra_backup', id)`, `useMiraRecord('infra_restore', id)`, `useMiraRecord('infra_dr_test', id)` mappings, expected URS-12 Document Control linkage for backup manifests / restore verification reports / DR test reports / deployment evidence storage, expected URS-13 Change Control linkage for backup schedule effective release + DR plan effective release + secret rotation, expected URS-21 Findings outbound emission for chronic infrastructure failures, expected URS-18 CAPA outbound emission for chronic backup/restore/DR failures, expected URS-22 Inspection back-room evidence retrieval source, expected URS-26 APQR data consumer for periodic infrastructure summary, expected URS-27 Regulatory consumer for any infrastructure-related regulatory submission (e.g., breach notifications), expected URS-28 training qualification-gate consumer for **DevOps/SRE on-call** / **DBA / Backup-Restore Authority** / **DR Coordinator** authority per DEC-35-19, expected URS-30 Notifications outbound consumer for health alerts / backup failures / restore alerts / DR test alerts / secret rotation alerts per DEC-35-20, expected URS-32 MIRA outcome-label inbound emission per URS-32 DEC-32-23 (every infrastructure record MIRA influences carries `mira_outcome_label`), expected **secret store substrate provider** for URS-29 / URS-30 / URS-31 / URS-32 / URS-33 / URS-34 (this module is the platform-wide secret-store backbone), expected Authority Profile + HITL + e-signature integration for non-bypassable rollback execution / restore approval / restore execution / restore verification / restore release-to-service / DR test execution / DR test verification / secret rotation / program lock / reopen, expected platform_admin / super_admin support / break-glass only paths. Implementation evidence remains subject to repository verification and validation evidence. |
| Architecture Bindings | This module is subject to **ARCH-AI-001 AI Optionality and Manual Continuity** (canonical binding explicitly stated in Module specification: "no AI, MIRA, agent, summarization, anomaly suggestion, runbook copilot, or auto-remediation component shall be the sole means to detect, triage, recover, restore, verify, approve, or close an infrastructure event, backup event, restore event, disaster recovery event, or operational resilience action. Manual controlled execution shall remain available when AI services are disabled, degraded, unavailable, or rejected."). Verixa adopts internal forward-looking AI governance for this AI surface, aligned with the classification approach in **EU AI Act (Regulation 2024/1689) Annex III** (infrastructure / backup / restore / DR decisions impact platform availability and data integrity for all regulated modules). AI-assisted infrastructure surfaces (anomaly suggestion, runbook copilot, restore-readiness suggestion, backup-verification anomaly detection, DR readiness scoring, MIRA infrastructure copilot) are advisory only under internal AI governance aligned with EU AI Act Article 13 transparency principles + Article 14 human oversight. Every AI surface shall provide a fully functional manual detect / triage / recover / restore / verify / approve / close path; **no AI service shall be the sole means to detect, triage, recover, restore, verify, approve, or close an infrastructure event, backup event, restore event, disaster recovery event, or operational resilience action** (canonical binding). This module binds ARCH-AI-001 AC-1, AC-2, AC-3, AC-4, AC-6, and AC-7. Verixa treats **EU GMP Annex 22 Draft 2025 §7** as an internal forward-looking architectural control (not an enacted predicate rule); under that internal control, **generative / probabilistic AI is PROHIBITED in restore approval, restore release-to-service, DR test verification, secret rotation, and rollback decisions**. Static deterministic AI may surface anomaly detection on health metrics, capacity prediction, and historical pattern matching as advisory help. Jurisdiction-specific legal enforceability of Annex 22 and the EU AI Act remains subject to a future jurisdiction-specific legal assessment. |
| Regulatory Classification | Critical infrastructure substrate — operates the canonical Infrastructure / Backup / Restore / Operational Resilience layer covering: (a) the **runtime configuration validation and secure startup gating** per DEC-35-02; (b) the **process health, readiness, startup, metrics** per DEC-35-03; (c) the **controlled deployment registration + rollback registration + environment traceability** per DEC-35-04; (d) the **backup schedule governance + backup execution evidence** per DEC-35-05; (e) the **restore request + restore execution + restore verification + post-restore release-to-service** per DEC-35-07 (Restore lifecycle `requested → approved → in_execution → executed → verified → released_to_service | rejected_post_verification`; restore approval requires `infra_restore_authority` + URS-28 + HITL + bound e-signature; release-to-service requires Qualified Person co-sign per DEC-35-07); (f) the **DR and resilience targets, test execution evidence, and continuity verification** per DEC-35-08 (DR test lifecycle with documented RTO / RPO targets); (g) the **offline event queue resilience controls** per DEC-35-09; (h) the **infrastructure administration UI/API controls** per DEC-35-10; (i) the **auditability, authority, e-signature, and operational segregation** for critical infrastructure actions per DEC-35-11 (rollback execution + restore approval + restore execution + restore verification + restore release-to-service + DR test verification + backup verification + secret rotation MUST transit `withAuthority(.)` + URS-28 qualification per DEC-35-19 + HITL + bound e-signature); (j) the **operational monitoring, alerting, retention, and resilience evidence** per DEC-35-12; (k) the **secret store substrate** per DEC-35-13 — Module 35 owns the platform-wide secret-store backbone consumed by URS-29 (DEC-29-07 IMAP credentials), URS-30 (DEC-30-04 outbound channel credentials), URS-31 (DEC-31-11 ingest channel credentials), URS-32 (DEC-32-04 AI provider credentials), URS-33 / URS-34 (where applicable); secret rotation per DEC-35-14 governed; (l) the multi-dimensional context capture (`tenant_id` mandatory for tenant-scoped resources, `environment` ENUM `dev` / `staging` / `production` for deployment context, `region` for multi-region resilience); (m) the canonical API contract `/api/v1/infrastructure/*` + `/api/v1/health/*`; (n) the typed schema validation across every route (lesson learned from GMP DEC-33-04 / GDP DEC-34-15); (o) the controlled frontend route surface; (p) the **attributable infrastructure audit logging** per DEC-35-15 (lesson learned from GMP DEC-33-03 / GDP DEC-34-16 — every infrastructure audit-trail entry MUST persist authenticated `userId`); (q) the Authority/HITL/e-signature substrate on every regulated final action per DEC-35-11; (r) the AI/MIRA assistive-only constraint per DEC-35-16; (s) the post-locked record immutability across the infrastructure program; (t) the controlled reopen workflow with executive authority co-sign and Qualified Person co-sign per DEC-35-22; (u) the canonical findings emission to URS-21 per DEC-35-17; (v) the canonical CAPA emission to URS-18 per DEC-35-18; (w) the URS-26 APQR consumer integration; (x) the URS-28 training qualification-gate inbound consumer for DevOps/SRE on-call / DBA-Backup-Restore / DR Coordinator authority per DEC-35-19; (y) the URS-30 Notifications outbound consumer per DEC-35-20; (z) the URS-32 MIRA outcome-label inbound emission per URS-32 DEC-32-23; and the per-jurisdictional regulatory expectations under FDA 21 CFR Part 11 (§11.10(a) validation; §11.10(d) authority checks; §11.10(e) audit trails; §11.30 open systems controls); EU GMP Annex 11 §§4 (Validation), 7 (Data Storage — including backup/restore), 9 (Audit Trails), 12 (Security including credential governance), 14 (Electronic Records / Signatures), 16 (Incident Management); EU GMP Annex 22 Draft 2025 §7 (HITL — internal forward-looking control); EU AI Act (Regulation 2024/1689) Annex III + Articles 13/14 (adopted as internal forward-looking AI governance); MHRA Data Integrity Guidance (ALCOA+ — backup/restore essential for record retention); GAMP 5 Cat 5; **PIC/S PI 041** (Data Integrity — including backup/restore controls); **WHO TRS** quality system expectations; ICH Q9 R1; ICH Q10; **FDA Computer Software Assurance (CSA) — September 2025 Final Guidance** (infrastructure systems classified per process-risk); **ISO/IEC 27001** (information security including backup/restore + secret management); **ISO/IEC 27002** (security controls); **ISO 22301** (business continuity / DR); **NIST SP 800-34** (Contingency Planning); **HIPAA Security Rule §164.308(a)(7)** (Contingency Plan); **GDPR Article 32** (Security of processing including backup); and India CDSCO Schedule M (Revised) §16 (Records and Reports — applicable to infrastructure record retention) + IT Act 2000 + DPDP Act 2023 (Digital Personal Data Protection Act for India data residency / backup) subject to a future jurisdiction-specific legal assessment for Verixa's exact CDSCO obligations. |
| Date of Issue | 2026-05-07 |
| Module Owner (Engineering) | DevOps / SRE / Platform Engineering |
| Module Owner (Quality Validation) | CSV / CSA Lead — Infrastructure |
| Module Owner (Compliance) | **Information Security (Co-Primary Owner)**, **DevOps / SRE Lead (Co-Primary Owner — operational resilience)**, Quality Assurance, Regulatory Affairs |
| Approving Authority | Founder / Chairman & MD; QA Head; **Information Security Head (Co-Primary Owner)**; **DevOps / SRE Lead (Co-Primary Owner)**; Manufacturing Head; Validation Head; RA Head; Qualified Person (QP) Authority; Site Quality Lead |

---

## 0. Document Framing

### 0.1 Purpose of this document

This URS defines the target expected state for Verixa's Infrastructure / Backup / Restore / Operational Resilience module (Module 35) — **the operational resilience backbone for the entire platform**. It is the binding contract between product, engineering, quality validation, regulatory affairs, **information security (co-primary owner)**, **DevOps / SRE Lead (co-primary owner — operational resilience)**, manufacturing, the Qualified Person authority, and the executive authority for the design, implementation, validation, release, and on-going periodic review of the regulated infrastructure substrate: the **runtime configuration validation and secure startup gating** per DEC-35-02; the **process health, readiness, startup, metrics** per DEC-35-03 (extended readiness); the **controlled deployment registration + rollback registration + environment traceability** per DEC-35-04; the **backup schedule governance + backup execution evidence** per DEC-35-05; the **immutable backup verification** per DEC-35-06 (addresses the controlled-action gate); the **restore request + restore execution + restore verification + post-restore release-to-service** per DEC-35-07 (including QP co-sign on release-to-service); the **DR test execution evidence and continuity verification with documented RTO/RPO targets** per DEC-35-08; the offline event queue resilience controls per DEC-35-09; the infrastructure administration UI/API controls per DEC-35-10; the **auditability, authority, e-signature, and operational segregation** per DEC-35-11 (addresses the controlled-action gate); operational monitoring + alerting per DEC-35-12; **the secret store substrate** per DEC-35-13 (consumed by URS-29/-30/-31/-32/-33/-34); secret rotation per DEC-35-14; multi-dimensional context capture; canonical API contract; typed schema validation; controlled frontend route surface; **attributable infrastructure audit logging** per DEC-35-15 (lesson learned from GMP/GDP); Authority/HITL/e-signature substrate per 
DEC-35-11; AI/MIRA assistive-only constraint per DEC-35-16; post-locked record immutability; controlled reopen workflow per DEC-35-22; canonical findings emission to URS-21 per DEC-35-17; canonical CAPA emission to URS-18 per DEC-35-18; URS-26 APQR consumer integration; URS-28 training qualification-gate inbound consumer for DevOps/SRE on-call / DBA-Backup-Restore / DR Coordinator authority per DEC-35-19; URS-30 Notifications outbound consumer per DEC-35-20; URS-32 MIRA outcome-label inbound emission per URS-32 DEC-32-23; audit trail coverage with reason-for-change discipline; and the per-jurisdictional regulatory expectations including FDA 21 CFR Part 11 §11.30 (open systems) + EU GMP Annex 11 §7 (Data Storage including backup/restore) + PIC/S PI 041 + ISO/IEC 27001/27002 + ISO 22301 + NIST SP 800-34 + HIPAA §164.308(a)(7) + GDPR Article 32 + India IT Act 2000 + DPDP Act 2023. Compliance with this URS is mandatory.

### 0.2 Audience

Engineering, QA, RA, Manufacturing, Qualified Person Authority, **Information Security (co-primary owner)**, **DevOps / SRE Lead (co-primary owner)**, DBAs, Backup-Restore Authority, DR Coordinators, On-call Engineers, Validation, executive authority, the platform's Implementation team, internal and external auditors, and inspectors from regulatory bodies (FDA, EMA, MHRA, Health Canada, **CDSCO (India launch scope)**, PIC/S, PMDA, WHO).

### 0.3 Cross-references

- **URS-01 to URS-34** — every other regulated module depends on Module 35 for runtime + backup + restore + DR + secret-store services
- **URS-04** Workflow / HITL / E-Signature / Approval Authority — Controlled Approval Modal contract for rollback / restore approval / restore execution / restore release-to-service / DR test verification / backup verification / secret rotation / program lock / reopen
- **URS-05** Authority Profile / Delegation / SoD — `infra_rollback_authority`, `infra_backup_verification_authority`, `infra_restore_authority`, `infra_restore_release_to_service_authority` (QP per DEC-35-07), `infra_dr_coordinator_authority`, `infra_secret_rotation_authority`, `qualified_person_authority`, `final_quality_approver`, `executive_authority`, `information_security_authority`, `devops_sre_lead_authority`
- **URS-06** Audit Trail / Hash Chain — attributable per DEC-35-15
- **URS-12** Document Control — backup manifests / restore verification reports / DR test reports / deployment evidence storage
- **URS-13** Change Control — backup schedule effective release + DR plan effective release + secret rotation
- **URS-18** CAPA — outbound for chronic infrastructure failures per DEC-35-18
- **URS-21** Findings — outbound for chronic infrastructure failures per DEC-35-17
- **URS-22** Inspection Mgmt — back-room evidence retrieval source
- **URS-26** APQR — periodic infrastructure summary consumer
- **URS-27** Regulatory Intelligence — outbound for any infrastructure-related regulatory submission (e.g., breach notifications per GDPR / DPDP Act)
- **URS-28** Training — primary inbound qualification-gate consumer for DevOps/SRE on-call / DBA-Backup-Restore / DR Coordinator per DEC-35-19
- **URS-29** Screen Reader / Data Capture — secret-store consumer for IMAP credentials per URS-29 DEC-29-07
- **URS-30** Notifications — secret-store consumer for outbound channel credentials per URS-30 DEC-30-04 + outbound consumer for health alerts / backup failures / restore alerts per DEC-35-20
- **URS-31** DQG — secret-store consumer for ingest channel credentials per URS-31 DEC-31-11
- **URS-32** MIRA AI — secret-store consumer for AI provider credentials per URS-32 DEC-32-04 + read-only context with `mira_outcome_label` inbound per URS-32 DEC-32-23
- **URS-33** GMP Manufacturing — secret-store consumer (where applicable)
- **URS-34** GDP Distribution — secret-store consumer (where applicable)

### 0.4 Plain-language primer

In a regulated pharmaceutical operation, **infrastructure / backup / restore / operational resilience (Module 35)** is the operational backbone ensuring the platform itself remains available, recoverable, and continuously operating to support all regulated modules (URS-01 to URS-34). Module 35 is in regulatory scope under: **FDA 21 CFR Part 11 §11.30** (open systems controls including encryption + digital signature + appropriate controls); **EU GMP Annex 11 §§7** (Data Storage including backup/restore — primary EU predicate), **§9** (Audit Trails), **§12** (Security including credential governance), **§14** (Electronic Records / Signatures), **§16** (Incident Management); **MHRA Data Integrity (ALCOA+ — backup/restore essential for record retention)**; **PIC/S PI 041** (Data Integrity — including backup/restore controls); **GAMP 5 Cat 5**; **FDA CSA September 2025**; **ISO/IEC 27001/27002** (information security); **ISO 22301** (business continuity / DR); **NIST SP 800-34** (Contingency Planning); **HIPAA Security Rule §164.308(a)(7)** (Contingency Plan); **GDPR Article 32** (Security of processing including backup); **India IT Act 2000** + **DPDP Act 2023** (data residency / backup for India operations).

The most consequential launch controls are: (a) target restore orchestration requirement; (b) backup verification MUST be immutable, attributable, and linked to restore evidence; (c) readiness includes storage, secret-store, queue, AI health dependency classification, disk, and capacity; (d) critical infrastructure actions require authority gate, HITL, bound e-signature, and audit.
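As an added illustration of launch control (c), not code from the Verixa project: a TypeScript sketch of the extended-readiness classification per DEC-35-03. Probing is separated from the aggregation rule so the rule can be tested without live dependencies. The page fixes only the three states and the rule that degraded dependencies do not fail readiness; which dependencies count as critical (here: everything except the AI provider, in line with ARCH-AI-001 manual continuity), the capacity thresholds, the probe timeout and the HTTP status mapping are assumptions of this example.

```typescript
// Added example, not Verixa project code: extended readiness per DEC-35-03.
// Every dependency is classified healthy / degraded / unavailable. Only an
// `unavailable` *critical* dependency fails readiness; degraded dependencies
// keep the process ready but are reported for a URS-30 notification (DEC-35-20).

export type DependencyState = 'healthy' | 'degraded' | 'unavailable';

export interface ProbeResult {
  name: string;      // 'db', 'job_scheduler', 'storage', 'secret_store', 'offline_queue', 'ai', 'disk', 'memory', 'connection_pool'
  critical: boolean; // assumption: AI is non-critical (manual continuity per ARCH-AI-001); the rest are critical
  state: DependencyState;
}

export interface ReadinessReport {
  ready: boolean;
  dependencies: Record<string, DependencyState>;
  notifications: string[]; // one entry per non-healthy dependency, handed to the URS-30 outbound consumer
}

// Capacity-style probes (disk, memory, connection pool) map a used-percentage onto the
// three states. The 80 / 95 thresholds are assumptions of this example.
export function classifyCapacity(usedPct: number, warnPct = 80, failPct = 95): DependencyState {
  if (!Number.isFinite(usedPct)) return 'unavailable'; // a probe that could not read capacity is never reported healthy
  if (usedPct >= failPct) return 'unavailable';
  if (usedPct >= warnPct) return 'degraded';
  return 'healthy';
}

// Connectivity-style probes (DB, storage, secret store, queue, AI) are async and may throw
// or hang; a thrown or timed-out probe is recorded as `unavailable`, never as healthy.
export async function runProbe(
  name: string,
  critical: boolean,
  check: () => Promise<DependencyState>,
  timeoutMs = 2000, // assumption
): Promise<ProbeResult> {
  const handle: { timer?: ReturnType<typeof setTimeout> } = {};
  const timeout = new Promise<DependencyState>((resolve) => {
    handle.timer = setTimeout(() => resolve('unavailable'), timeoutMs);
  });
  try {
    const state = await Promise.race([check(), timeout]);
    return { name, critical, state };
  } catch {
    return { name, critical, state: 'unavailable' };
  } finally {
    if (handle.timer) clearTimeout(handle.timer);
  }
}

// Pure aggregation step: given probe results, decide readiness. Kept synchronous so
// the rule itself can be unit-tested without any live dependency.
export function classifyReadiness(results: ProbeResult[]): ReadinessReport {
  const dependencies: Record<string, DependencyState> = {};
  const notifications: string[] = [];
  let ready = true;
  for (const r of results) {
    dependencies[r.name] = r.state;
    if (r.state === 'unavailable' && r.critical) ready = false;
    if (r.state !== 'healthy') notifications.push(`${r.name}:${r.state}`);
  }
  return { ready, dependencies, notifications };
}

// What /health/ready answers with: 200 while ready, 503 otherwise (assumed mapping).
export function readinessHttpStatus(report: ReadinessReport): number {
  return report.ready ? 200 : 503;
}

// Constructed sample: everything healthy except disk (88% used) and the AI provider (down).
export function sampleReadiness(): ReadinessReport {
  return classifyReadiness([
    { name: 'db', critical: true, state: 'healthy' },
    { name: 'job_scheduler', critical: true, state: 'healthy' },
    { name: 'storage', critical: true, state: 'healthy' },
    { name: 'secret_store', critical: true, state: 'healthy' },
    { name: 'offline_queue', critical: true, state: 'healthy' },
    { name: 'ai', critical: false, state: 'unavailable' },
    { name: 'disk', critical: true, state: classifyCapacity(88) },
    { name: 'memory', critical: true, state: classifyCapacity(40) },
    { name: 'connection_pool', critical: true, state: classifyCapacity(10) },
  ]);
}
```

The sample stays ready (AI down is tolerated by design, disk is only degraded) but produces two notification entries; swapping the `db` result to `unavailable` flips readiness to false and the route to 503.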

The most consequential cross-module integration is the **secret store substrate** per DEC-35-13 — Module 35 owns the platform-wide secret-store backbone consumed by URS-29 (IMAP), URS-30 (outbound channels), URS-31 (ingest channels), URS-32 (AI providers), and URS-33/-34 (where applicable). Secret rotation per DEC-35-14 is governed by `infra_secret_rotation_authority` + HITL + bound e-signature.

The **AI-assistance** dimension is canonically explicit: "**no AI service shall be the sole means to detect, triage, recover, restore, verify, approve, or close an infrastructure event, backup event, restore event, disaster recovery event, or operational resilience action.**" Static deterministic AI may surface anomaly detection on health metrics + capacity prediction + historical pattern matching as advisory help. Generative AI is PROHIBITED in restore approval / restore release-to-service / DR test verification / secret rotation / rollback decisions. Every infrastructure record MIRA influences carries `mira_outcome_label` per URS-32 DEC-32-23.

The **two-step release path** mirrors every other Module: this URS becomes "Approved Controlled URS — released for engineering implementation and validation planning" upon signature capture in the Document Approval block; it becomes "Released for validation execution" only after URS-35-VAL-008 (Migration Evidence Gate) and the §17 validation evidence pack are satisfied.

### 0.5 Conventions

Each requirement has a unique identifier. "MUST" denotes a mandatory requirement; "SHOULD" denotes a strong recommendation; "MAY" denotes an option. The document is self-contained: front end (§5), back end (§6), data model (§6.2), application programming interface (§6.3), workflow (§6.4), business rules (§6.5), audit (§6.6), security (§12), regulatory mapping (§14), test cases (§16), and validation evidence (§17) are all in this single file.

### 0.6 Glossary

| Term | Definition |
|---|---|
| Infrastructure | Platform runtime + storage + compute + network + secret-store + observability backbone supporting all URS-01 to URS-34 modules. |
| Backup | Controlled point-in-time data copy for disaster recovery; lifecycle `scheduled → in_execution → executed → verified | failed`; verification with checksum + manifest + restore-test evidence per DEC-35-06. |
| Restore | Controlled data restoration from backup; lifecycle `requested → approved → in_execution → executed → verified → released_to_service | rejected_post_verification` per DEC-35-07; release-to-service requires QP co-sign. |
| DR (Disaster Recovery) | Documented recovery from major outage with RTO (Recovery Time Objective) and RPO (Recovery Point Objective) targets; tested per DEC-35-08. |
| RTO | Recovery Time Objective — maximum acceptable downtime per service/module. |
| RPO | Recovery Point Objective — maximum acceptable data loss per service/module. |
| Health check | Liveness / readiness / startup / metrics endpoint per DEC-35-03. |
| Deployment | Controlled release of new platform version with `infra_deployment` record per DEC-35-04. |
| Rollback | Reversion to prior platform version with `infra_rollback_authority` + URS-28 + HITL + bound e-signature per DEC-35-04 / DEC-35-11. |
| Offline event queue | Resilience queue for events occurring during downstream service degradation per DEC-35-09. |
| Secret store | Platform-wide secret management substrate consumed by URS-29/-30/-31/-32/-33/-34 per DEC-35-13. |
| Secret rotation | Controlled secret rotation per DEC-35-14. |
| Reopen | A governed transition event from `locked → in_progress` requiring `executive_authority` co-sign AND `qualified_person_authority` co-sign + reason; appends new program iteration without mutating prior locked evidence per DEC-35-22. |
| ARCH-AI-001 | Platform architecture binding; canonically explicit infrastructure binding. |
| Annex 22 | EU GMP Annex 22 (Draft 2025) §7. Verixa treats Annex 22 §7 + EU AI Act Annex III high-risk as internal forward-looking AI governance controls. AI advisory only; GenAI prohibited in restore approval / restore release / DR verification / secret rotation / rollback decisions. |
| MIRA | Modular Intelligent Regulatory Assistant — read-only context per DEC-35-16; outcome_label per URS-32 DEC-32-23. |

### 0.7 Module-35 architectural picture

```mermaid
flowchart TD
  subgraph M35 ["Module 35 — Infrastructure / Backup / Restore / Operational Resilience"]
    RUN["Runtime Bootstrap — config/env.ts + app.ts"] --> ENV["Env Validation + Secret Store Validation per DEC-35-02"]
    ENV --> HC[/"Health Endpoints — /live /ready /startup /metrics — DEC-35-03"/]
    HC -->|"extended readiness"| EXT_R["Storage / Secret Store / Queue / AI Health / Disk / Capacity per DEC-35-03"]
    RUN --> DEPLOY[/"Deployments — DEC-35-04"/]
    DEPLOY --> ROLLBACK["Rollback — infra_rollback_authority + URS-28 + HITL + bound e-sign per DEC-35-11"]
    RUN --> BS[/"Backup Schedules — DEC-35-05 + URS-13 CR"/]
    BS --> BL[/"Backup Logs — DEC-35-05"/]
    BL --> BV[/"Backup Verification — immutable + checksum + manifest + restore-test evidence per DEC-35-06"/]
    RR[/"Restore Request per DEC-35-07"/] --> RA["Restore Approval — infra_restore_authority + URS-28 + HITL + bound e-sign"]
    RA --> RE["Restore Execution"]
    RE --> RV["Restore Verification — infra_restore_authority + bound e-sign"]
    RV --> RTS["Restore Release-to-Service — QP co-sign per DEC-35-07"]
    DR[/"DR Test per DEC-35-08"/] --> DRV["DR Test Verification — infra_dr_coordinator_authority + URS-28 + HITL + bound e-sign"]
    OFFL[/"Offline Event Queue — DEC-35-09"/] --> DLQ["Dead-Letter Queue Review"]
    ROT["Secret Rotation — infra_secret_rotation_authority + HITL + bound e-sign per DEC-35-14"] --> SS[/"Secret Store Substrate — DEC-35-13"/]
    LOCK["Program Lock"] --> RUN
    LOCK -.->|"governed reopen + executive + QP co-sign"| RUN
  end
  SS -.->|"consumed by"| M29["URS-29 IMAP creds"]
  SS -.->|"consumed by"| M30["URS-30 outbound channel creds"]
  SS -.->|"consumed by"| M31["URS-31 ingest channel creds"]
  SS -.->|"consumed by"| M32["URS-32 AI provider creds"]
  SS -.->|"consumed by"| M33["URS-33 (where applicable)"]
  SS -.->|"consumed by"| M34["URS-34 (where applicable)"]
  AI["MIRA AI — read-only context"] -.->|"outcome_label per URS-32 DEC-32-23"| HC & DEPLOY & BS & BL & RR & DR
  M35 -->|"chronic infra failures per DEC-35-17"| M21["URS-21 Findings"]
  M35 -->|"chronic infra CAPA per DEC-35-18"| M18["URS-18 CAPA"]
  M35 -->|"health alerts / backup failures / restore alerts / DR test alerts / secret rotation alerts per DEC-35-20"| M30N["URS-30 Notifications"]
  M35 -->|"periodic infra summary"| M26["URS-26 APQR"]
  M28["URS-28 Training"] -->|"qualification gate for DevOps/SRE / DBA / DR Coordinator"| ROLLBACK & RA & RV & RTS & DRV & ROT
  M22["URS-22 Inspection"] -->|"back-room retrieval"| DEPLOY & BL & BV & RR & DR
```

---

## 1. Scope and Out-of-Scope

### 1.1 In-scope

- The runtime configuration validation and secure startup gating (retained per DEC-35-02).
- The process health, readiness, startup, and metrics endpoints, including extended readiness per DEC-35-03.
- The controlled deployment registration + rollback registration, including rollback authority per DEC-35-04 / DEC-35-11.
- The backup schedule governance + backup execution evidence (per DEC-35-05).
- The immutable backup verification (per DEC-35-06).
- The restore request + restore execution + restore verification + post-restore release-to-service with QP co-sign (per DEC-35-07).
- The DR test execution evidence with documented RTO/RPO targets (per DEC-35-08).
- The offline event queue resilience controls (per DEC-35-09).
- The infrastructure administration UI/API controls, including the target route per DEC-35-10.
- The Authority/HITL/e-signature on every regulated infrastructure final action (per DEC-35-11).
- The operational monitoring + alerting (per DEC-35-12).
- The secret store substrate (per DEC-35-13).
- The secret rotation (per DEC-35-14).
- The attributable infrastructure audit logging (lesson learned from GMP/GDP per DEC-35-15).
- The MIRA copilot read-only context with `outcome_label` inbound emission per URS-32 DEC-32-23.
- The findings emission to URS-21.
- The CAPA emission to URS-18.
- The URS-26 APQR consumer integration.
- The URS-28 training qualification-gate inbound consumer.
- The URS-30 Notifications outbound consumer.
- The governed reopen workflow.
- The per-jurisdictional regulatory expectations including FDA 21 CFR Part 11 §11.30 + EU GMP Annex 11 §7 + PIC/S PI 041 + ISO 27001/27002 + ISO 22301 + NIST SP 800-34 + HIPAA §164.308(a)(7) + GDPR Article 32 + India IT Act 2000 + DPDP Act 2023.

### 1.2 Out-of-scope

- The audit trail substrate itself (URS-06).
- The HITL / e-sign substrate (URS-04).
- The tenant management (URS-08).
- The MIRA orchestration (URS-32).
- The GMP operations (URS-33).
- The GDP distribution controls (URS-34).
- Vendor-specific cloud provider integration (AWS / GCP / Azure) — generic backbone in scope; vendor connectors are future-state.

---

## 2. Preconditions, Dependencies, Constraints

### 2.1 Operating preconditions

The following preconditions MUST hold for this URS to apply at validation time. Each bullet is a binding precondition; deviations require a controlled exception per URS-13 Change Control.

- The platform's foundational substrates are released and operational at validation time.
- DevOps / SRE on-call, DBAs, Backup-Restore Authority, DR Coordinators are URS-28 qualified per DEC-35-19.
- AI-assisted infrastructure surfaces are advisory only.
- The tenant operating jurisdiction(s) are configured.

### 2.2 Dependencies

- URS-01 to URS-34 platform contracts (Module 35 supports all other modules).
- The `electronic_signatures` substrate.
- The `authority` substrate.
- The `hitl` substrate.
- The `audit_trail` substrate.
- The `documents` substrate (URS-12).
- The `change_control` substrate (URS-13).
- The training `qualification-gate` substrate (URS-28).
- The `notifications` substrate (URS-30).
- The MIRA `outcome_label` outbound emission per URS-32 DEC-32-23.
- External cloud / storage / secret-store providers (AWS Secrets Manager / HashiCorp Vault / Azure Key Vault / GCP Secret Manager).

### 2.3 Constraints

- The canonical API mounts are `/api/v1/infrastructure/*` and `/api/v1/health/*`.
- AI-assisted content is advisory-only; **no AI service is the sole means to detect / triage / recover / restore / verify / approve / close any infrastructure event** per ARCH-AI-001 binding.
- Generative AI is prohibited in restore approval / restore release-to-service / DR test verification / secret rotation / rollback decisions.
- Production startup is blocked if required secrets are missing or use known test defaults per DEC-35-02.
- Rollback / restore approval / restore execution / restore verification / restore release-to-service / DR test verification / backup verification / secret rotation MUST transit Authority + URS-28 + HITL + bound e-signature per DEC-35-11.
- Restore release-to-service requires QP co-sign per DEC-35-07.
- Backup verification persists immutable verified_by / verified_at / checksum / manifest / restore-test evidence per DEC-35-06.
- Infrastructure audit-trail entries MUST persist authenticated `userId` per DEC-35-15 (lesson learned from GMP / GDP).
- DevOps/SRE on-call / DBA-Backup-Restore / DR Coordinator MUST satisfy URS-28 qualification-gate per DEC-35-19.
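As an added example of the startup-gating constraint (DEC-35-02), and not Verixa's own `config/env.ts`: a TypeScript env validator that blocks production startup when a required secret is missing or equals a known test default, or when `COOKIE_SECURE` is not true. The project validates with Zod; this sketch hand-codes the same rules so it runs without dependencies. The seven secret names are the ones DEC-35-02 lists; the denylist of test defaults, the minimum secret length, the use of `NODE_ENV` to detect production and the warn-only behaviour outside production are assumptions of this example.

```typescript
// Added example, not Verixa project code: production startup gating per DEC-35-02.

// Secrets DEC-35-02 names as explicitly checked at startup.
export const REQUIRED_SECRETS = [
  'JWT_SECRET', 'CSRF_SECRET', 'ENCRYPTION_KEY', 'FIELD_ENCRYPTION_KEY',
  'SSO_ENCRYPTION_KEY', 'APPROVAL_TOKEN_KEY', 'DB_PASSWORD',
] as const;

// Constructed denylist of known test defaults; the project's actual list is not on the page.
export const KNOWN_TEST_DEFAULTS: ReadonlySet<string> = new Set([
  'changeme', 'secret', 'password', 'test', 'dev', 'dev-secret', 'local', 'example',
]);

export const MIN_SECRET_LENGTH = 32; // assumption, not stated on the page

export interface EnvValidation {
  ok: boolean;          // false means the process must not start
  production: boolean;
  errors: string[];     // blocking findings (production only)
  warnings: string[];   // the same findings, non-blocking, outside production
}

export function validateEnv(env: Readonly<Record<string, string | undefined>>): EnvValidation {
  const production = env.NODE_ENV === 'production';
  const problems: string[] = []; // messages name the variable, never its value
  for (const name of REQUIRED_SECRETS) {
    const value = (env[name] ?? '').trim();
    if (value === '') { problems.push(`${name} is missing`); continue; }
    if (KNOWN_TEST_DEFAULTS.has(value.toLowerCase())) { problems.push(`${name} uses a known test default`); continue; }
    if (value.length < MIN_SECRET_LENGTH) problems.push(`${name} is shorter than ${MIN_SECRET_LENGTH} characters`);
  }
  // Production startup is blocked if COOKIE_SECURE is false (DEC-35-02); absent counts as not true.
  if (env.COOKIE_SECURE !== 'true') problems.push('COOKIE_SECURE must be true');
  return production
    ? { ok: problems.length === 0, production, errors: problems, warnings: [] }
    : { ok: true, production, errors: [], warnings: problems };
}

// Startup gate: call before the Fastify bootstrap so a misconfigured production
// process never binds a port. Throws with the list of blocking findings.
export function assertStartupAllowed(env: Readonly<Record<string, string | undefined>>): EnvValidation {
  const result = validateEnv(env);
  if (!result.ok) throw new Error(`startup blocked: ${result.errors.join('; ')}`);
  return result;
}

// Constructed sample production environment that passes every check.
export function sampleProductionEnv(): Record<string, string> {
  const env: Record<string, string> = { NODE_ENV: 'production', COOKIE_SECURE: 'true' };
  for (const name of REQUIRED_SECRETS) env[name] = `constructed-${name.toLowerCase()}-value-0123456789abcdef`;
  return env;
}
```

In a real bootstrap the gate runs on `process.env` as the first statement of `app.ts`; returning the findings as a value (rather than only throwing) lets the same check feed `/health/startup` so the reason for a blocked start is observable without reading logs.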

---

## 3. Closed Launch Decisions

### 3.1 Decision register

| Decision ID | Title | Locked decision |
|---|---|---|
| DEC-35-01 | Two-step release path + canonical API contract | Module 35 follows the same two-step release path; canonical API mounts `/api/v1/infrastructure/*` and `/api/v1/health/*` (`/live`, `/ready`, `/startup`, `/metrics`). |
| DEC-35-02 | Runtime configuration validation + secure startup gating | `config/env.ts` Zod-validated env validation; production startup blocked if required secrets missing or use known test defaults; production startup blocked if `COOKIE_SECURE` is false; secrets explicitly checked: `JWT_SECRET`, `CSRF_SECRET`, `ENCRYPTION_KEY`, `FIELD_ENCRYPTION_KEY`, `SSO_ENCRYPTION_KEY`, `APPROVAL_TOKEN_KEY`, `DB_PASSWORD`. |
| DEC-35-03 | **Health endpoints with extended readiness** ("Readiness includes storage, secret-store, queue, AI health dependency classification, disk, and capacity") | `/health/live`, `/health/ready`, `/health/startup`, `/health/metrics`; extends `/health/ready` to check: DB connectivity (CURRENT) + job scheduler (CURRENT) + storage provider connectivity + secret-store connectivity + offline queue health + AI health dependency classification (degraded vs unavailable) + disk capacity + memory capacity + connection pool capacity; readiness response classifies dependencies as `healthy` / `degraded` / `unavailable`; degraded dependencies do not fail readiness but emit URS-30 notifications per DEC-35-20. |
| DEC-35-04 | Controlled deployment registration + rollback registration with authority | `record-deployment` + `record-rollback`; deployment record persisted with `environment`, `version`, `deployed_at`, `deployed_by`, `git_commit_sha`, `deployment_evidence_document_id` (FK to URS-12); rollback execution requires `infra_rollback_authority` + URS-28 qualification per DEC-35-19 + HITL + bound e-signature per DEC-35-11; rollback target version validated; rollback emits URS-30 notification + URS-21 finding (rollbacks indicate prior deployment quality failure). |
| DEC-35-05 | Backup schedule governance + backup execution evidence | `backup_schedules` + `backup_logs`; backup schedule lifecycle `draft → effective → suspended → archived` with URS-13 CR linkage on effective release per DEC-35-18; backup execution persisted in `backup_logs` with `backup_id`, `started_at`, `completed_at`, `backup_size_bytes`, `backup_storage_location`, `status` (ENUM `in_execution` / `executed` / `failed`); backup failure emits URS-21 finding per DEC-35-17. |
| DEC-35-06 | **Immutable backup verification** ("Backup verification MUST be immutable, attributable, and linked to restore evidence") | Backup verification record `infra_backup_verifications` with: `backup_log_id` FK NOT NULL, `verification_type` (ENUM `checksum_only` / `manifest_review` / `restore_test`), `checksum_algorithm` (e.g., SHA-256), `checksum_value` (TEXT), `manifest_document_id` (FK to URS-12), `restore_test_evidence_document_id` (FK to URS-12 nullable for non-restore-test verification), `verified_by` FK NOT NULL per DEC-35-15, `verified_at` TIMESTAMPTZ NOT NULL, `verification_e_signature_id` FK NOT NULL per DEC-35-11; **immutable post-write**; `verifyBackup` extended to require these fields; backup status synchronized: `backup_logs.status = 'verified'` only when verification record exists; `infra_backup_verification_authority` + URS-28 + HITL + bound e-signature required per DEC-35-11. |
| DEC-35-07 | **Restore lifecycle with QP co-sign on release-to-service** | Restore lifecycle: `requested → approved → in_execution → executed → verified → released_to_service \| rejected_post_verification`; restore record `infra_restore_executions` persisted; restore approval transition `requested → approved` requires `infra_restore_authority` + URS-28 qualification per DEC-35-19 + HITL + bound e-signature; restore execution transition `approved → in_execution → executed` requires same authority + audit; restore verification transition `executed → verified` requires `infra_restore_authority` + HITL + bound e-signature + scientific assessment of data integrity; **restore release-to-service transition `verified → released_to_service` requires `infra_restore_release_to_service_authority` (Qualified Person co-sign) + HITL + bound e-signature** — QP co-sign because restore impacts regulated record availability across all URS-01..URS-34 modules; rejection `verified → rejected_post_verification` requires reason; restore evidence persisted in URS-12 documents. |
| DEC-35-08 | **DR test execution evidence with documented RTO/RPO targets** | DR test lifecycle: `planned → in_execution → executed → verified → reported`; DR plan persisted with documented RTO (Recovery Time Objective) and RPO (Recovery Point Objective) targets per service/module — RTO targets default 4 hours / RPO targets default 15 minutes per service-criticality classification; DR test execution requires `infra_dr_coordinator_authority` + URS-28 qualification per DEC-35-19 + HITL + bound e-signature; DR test verification compares actual RTO/RPO achieved vs targets; DR test failure (actual RTO > target OR actual RPO > target) emits URS-21 finding + URS-18 CAPA per DEC-35-17 / DEC-35-18; DR test reports persisted in URS-12. |
| DEC-35-09 | Offline event queue resilience controls | offline queue metadata; adds offline-queue replay review UI + dead-letter queue (DLQ) handling; DLQ items captured with `original_event_payload`, `error_class`, `retry_count`, `last_error_at`, `disposition` (ENUM `pending_review` / `replayed` / `abandoned`); stale DLQ items emit URS-21 finding per DEC-35-17 (parallel pattern to URS-32 DEC-32-12 MIRA event DLQ). |
| DEC-35-10 | Infrastructure administration UI/API | admin dashboard read-side (DB status, uptime, version, memory, health response-time chart, deployments table, backup schedules table, offline queue badges, run health check button); create-backup-schedule + update-backup-schedule + create-deployment-record + rollback action + backup log entry/review/verification + restore workflows + DR test workflows + offline queue replay review. |
| DEC-35-11 | **Authority/HITL/e-signature on every regulated infrastructure final action** ("admin-only but not authority/e-sign bound") | All critical infrastructure actions transit `withAuthority(.)` + URS-28 qualification per DEC-35-19 + HITL + bound e-signature: rollback execution + restore approval + restore execution + restore verification + restore release-to-service (with QP co-sign per DEC-35-07) + DR test execution + DR test verification + backup verification + secret rotation + program lock + reopen; admin-only role check is no longer sufficient for these critical decisions. |
| DEC-35-12 | Operational monitoring + alerting + retention | Health metrics emitted as Prometheus scrape output per; alerts dispatched via URS-30 Notifications per DEC-35-20 for: degraded readiness dependency, backup failure, restore failure, DR test failure, secret rotation, deployment / rollback events; retention per platform record-retention policy (longer of 30 years or applicable regulatory schedule). |
| DEC-35-13 | **Secret store substrate platform-wide** | Module 35 owns the platform-wide secret-store backbone; secret store provider configured per tenant (AWS Secrets Manager / HashiCorp Vault / Azure Key Vault / GCP Secret Manager); consumed by URS-29 IMAP credentials per URS-29 DEC-29-07, URS-30 outbound channel credentials per URS-30 DEC-30-04, URS-31 ingest channel credentials per URS-31 DEC-31-11, URS-32 AI provider credentials per URS-32 DEC-32-04, URS-33 / URS-34 (where applicable); secret-store reference pattern `<provider>:<tenant-id>/<secret-path>` (e.g., `aws-secrets-manager:tenant-x/lab-results-imap`); secret-store availability monitored as part of `/health/ready` per DEC-35-03; secret resolution latency budget per consuming module's NFR. |
| DEC-35-14 | Secret rotation governance | Secret rotation requires `infra_secret_rotation_authority` (typically Information Security authority) + URS-28 qualification + HITL + bound e-signature; rotation triggers configured: time-based (default 90 days), incident-driven, manual; rotation event emits URS-30 notification per DEC-35-20 + audit-trail entry; affected modules notified via event bus to refresh credential cache. |
| DEC-35-15 | **Attributable infrastructure audit logging** (lesson learned from GMP DEC-33-03 / GDP DEC-34-16) | Every infrastructure service create / update / transition method MUST persist authenticated `userId` from session context in audit-trail entry; **blank `userId` is rejected with `INFRA_AUDIT_USER_ID_REQUIRED`**; system-context attribution permitted only for system-generated events (e.g., scheduled backup execution) with explicit `system_context` value (XOR with `userId` per URS-31 DEC-31-14 pattern). |
| DEC-35-16 | AI/MIRA assistive-only constraint + URS-32 MIRA outcome-label inbound emission | AI/MIRA remains assistive only per ARCH-AI-001 binding; **MIRA never the sole means to detect / triage / recover / restore / verify / approve / close any infrastructure event**; advisory-only labeling on AI surfaces (anomaly suggestion, runbook copilot, restore-readiness suggestion, backup-verification anomaly detection, DR readiness scoring); **every infrastructure record MIRA influences carries `mira_outcome_label`** per URS-32 DEC-32-23 inbound emission; GenAI prohibited in restore approval / restore release-to-service / DR test verification / secret rotation / rollback decisions per Annex 22 §7 internal control. |
| DEC-35-17 | Findings emission to URS-21 | Chronic infrastructure failures (chronic backup failures, chronic restore failures, chronic DR test failures, chronic readiness degradation, chronic deployment rollbacks, chronic offline-queue DLQ buildup) emit `infra_finding_created` event to URS-21 with `infra_operational_resilience` source type. |
| DEC-35-18 | CAPA emission to URS-18 | Chronic infrastructure failures escalated to CAPA emit `infra_capa_linked` event consumed by URS-18 (`infra_operational_resilience` source type per URS-18 declared source set). |
| DEC-35-19 | **URS-28 training qualification-gate inbound consumer for DevOps/SRE on-call / DBA-Backup-Restore / DR Coordinator authority** | DevOps / SRE on-call + DBA / Backup-Restore Authority + DR Coordinator + Information Security secret rotation authority MUST satisfy URS-28 qualification-gate per URS-28 DEC-28-23: `GET /training/qualification/:userId/devops_sre_oncall` for on-call authority; `GET /training/qualification/:userId/dba_backup_restore` for backup-restore authority; `GET /training/qualification/:userId/dr_coordinator` for DR Coordinator; `GET /training/qualification/:userId/secret_rotation` for secret rotation authority; qualification-gate failure rejects with `INFRA_AUTHORITY_QUALIFICATION_GATE_FAILED`. |
| DEC-35-20 | URS-30 Notifications outbound consumer for infrastructure critical alerts | Infrastructure critical alerts (degraded readiness dependency, backup failure, restore failure, restore release-to-service, DR test failure, secret rotation, rollback execution, deployment, DLQ stale items) emitted as events consumed by URS-30 Notifications dispatcher per DEC-35-20 + URS-30 mandatory-alert allowlist per URS-30 DEC-30-05 (these are mandatory alerts forced regardless of user preferences). |
| DEC-35-21 | URS-26 APQR periodic infrastructure-summary consumer | URS-26 APQR consumes periodic infrastructure-control summary (uptime, backup success rate, restore success rate, DR test success rate, deployment frequency, rollback rate, secret rotation compliance) for periodic platform quality review per URS-26 lifecycle. |
| DEC-35-22 | Infrastructure program reopen as governed transition | Program `locked → in_progress` requires `executive_authority` co-sign AND `qualified_person_authority` co-sign + documented reason; appends a new program iteration without mutating prior locked evidence (consistent with M14..M34 reopen pattern). |
| DEC-35-23 | platform_admin / super_admin support / break-glass + India data residency | `platform_admin` / `super_admin` are support / break-glass only paths; **India data residency requirements per DPDP Act 2023 + IT Act 2000 are primary launch-scope considerations** for data storage location, backup location, and restore location subject to a future jurisdiction-specific legal assessment; India data residency configured per tenant. |

### 3.2 Locked-decision rationale narrative

The decisions above define the binding launch posture for Module 35 v1.0. The most consequential locked controls are: (a) **DEC-35-03 extends readiness** to storage / secret-store / queue / AI health / disk / capacity; (b) **DEC-35-06 requires immutable backup verification** with verification record + checksum + manifest + restore-test evidence + URS-28-qualified authority + bound e-signature; (c) **DEC-35-07 introduces the restore lifecycle** including QP co-sign on release-to-service (because restore impacts regulated record availability across all modules); (d) **DEC-35-08 introduces DR test execution evidence** with documented RTO/RPO targets; (e) **DEC-35-11 mandates Authority + URS-28 + HITL + bound e-signature** on every regulated infrastructure final action; (f) **DEC-35-13 introduces the platform-wide secret store substrate** consumed by URS-29/-30/-31/-32/-33/-34 — making Module 35 the operational backbone for all credential governance across the platform; (g) **DEC-35-15 requires attributable infrastructure audit logging** with authenticated `userId` persisted on every entry, consistent with the GMP/GDP attributable-audit pattern; (h) **DEC-35-19 introduces URS-28 qualification-gate inbound consumption** for DevOps/SRE / DBA / DR Coordinator / secret-rotation authority; (i) DEC-35-22 defines reopen as a governed append-only transition consistent with the Module-14..-34 reopen pattern.

### 3.3 Closed launch decisions: cross-link to items

| Specification item | Evidence basis | Locked decision |
|---|---|---|
| Target restore orchestration requirement | | DEC-35-07 |
| Backup verification immutable, attributable, restore-test-linked | target requirement | DEC-35-06 |
| Readiness includes storage / secret-store / queue / AI-health / disk / capacity | target requirement | DEC-35-03 |
| Critical infrastructure actions require authority gate, HITL, bound e-signature, and audit | target requirement | DEC-35-11 |
| UI gaps (create backup schedule, rollback, restore, DR, DLQ review) | | DEC-35-10 |

### 3.4 Locked-decision authority

Each locked decision is approved by the Founder / Chairman & MD on signature capture in the Document Approval block of this URS (§19). Decisions cannot be unlocked except through controlled URS revision under the URS change-control process and re-approval.

### 3.5 Worked examples

**Worked example 1 — Production startup gated by env validation.**
DevOps engineer attempts production deployment with `JWT_SECRET = "test-secret"`. Per DEC-35-02, `config/env.ts` Zod validation detects known-test default; production startup BLOCKED with explicit error. DevOps engineer rotates secret via secret store + DEC-35-14; deployment succeeds.
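
Illustration added to this URS (not the project's `config/env.ts` and not Zod): a plain TypeScript validator that applies the DEC-35-02 startup gate to the seven secrets the decision names. The known-test-default list, the 16-character minimum and the `NODE_ENV` convention are assumptions of the example.

```typescript
// Added example, not Verixa project code. Stand-in for the Zod-validated
// config/env.ts described in DEC-35-02; the test-default list, the minimum
// length and the NODE_ENV convention are assumptions of this example.

type Env = Record<string, string | undefined>;

// Secrets DEC-35-02 names as explicitly checked at startup.
const REQUIRED_SECRETS = [
  "JWT_SECRET",
  "CSRF_SECRET",
  "ENCRYPTION_KEY",
  "FIELD_ENCRYPTION_KEY",
  "SSO_ENCRYPTION_KEY",
  "APPROVAL_TOKEN_KEY",
  "DB_PASSWORD",
] as const;

// Constructed list of placeholder values that must never reach production.
const KNOWN_TEST_DEFAULTS: ReadonlySet<string> = new Set([
  "test-secret", "secret", "changeme", "password", "dev", "development", "test",
]);

const MIN_SECRET_LENGTH = 16; // assumption; tune to the key material actually used

interface StartupVerdict {
  startupAllowed: boolean; // false means production startup is blocked
  findings: string[];      // explicit, per-variable reasons surfaced to the operator
}

function checkSecret(name: string, value: string | undefined): string | null {
  if (value === undefined || value.trim() === "") return `${name} is missing`;
  if (KNOWN_TEST_DEFAULTS.has(value.trim().toLowerCase())) return `${name} uses a known test default`;
  if (value.length < MIN_SECRET_LENGTH) return `${name} is shorter than ${MIN_SECRET_LENGTH} characters`;
  return null;
}

function validateStartupEnv(env: Env): StartupVerdict {
  const findings: string[] = [];
  const isProduction = env.NODE_ENV === "production";

  for (const name of REQUIRED_SECRETS) {
    const problem = checkSecret(name, env[name]);
    if (problem !== null) findings.push(problem);
  }
  // DEC-35-02: COOKIE_SECURE=false is never acceptable in production.
  if (isProduction && env.COOKIE_SECURE !== "true") {
    findings.push("COOKIE_SECURE must be true in production");
  }
  // Only production startup is blocked; other environments report the findings as warnings.
  return { startupAllowed: isProduction ? findings.length === 0 : true, findings };
}

// Constructed sample environments (values are placeholders, not real key material).
const SAMPLE_PROD_ENV_OK: Env = {
  NODE_ENV: "production",
  COOKIE_SECURE: "true",
  JWT_SECRET: "placeholder-jwt-secret-0123456789",
  CSRF_SECRET: "placeholder-csrf-secret-0123456789",
  ENCRYPTION_KEY: "placeholder-encryption-key-0123456789",
  FIELD_ENCRYPTION_KEY: "placeholder-field-key-0123456789",
  SSO_ENCRYPTION_KEY: "placeholder-sso-key-0123456789",
  APPROVAL_TOKEN_KEY: "placeholder-approval-key-0123456789",
  DB_PASSWORD: "placeholder-db-password-0123456789",
};

// Worked example 1: JWT_SECRET left at a test default; production startup must be refused.
const SAMPLE_PROD_ENV_TEST_DEFAULT: Env = { ...SAMPLE_PROD_ENV_OK, JWT_SECRET: "test-secret" };
```

The verdict carries every finding rather than stopping at the first, so an operator fixing a blocked deployment sees all offending variables at once; the check runs before any listener is bound, which is what "startup blocked" means in practice.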

**Worked example 2 — Extended readiness with degraded AI dependency.**
On `2026-08-15` AI provider has partial degradation. Per DEC-35-03 extended readiness, `/health/ready` returns 200 (overall healthy) but classifies AI dependency as `degraded` in response body. URS-30 notification dispatched per DEC-35-20 to AI-ML Lead. Platform continues serving non-AI authoritative workflows (per ARCH-AI-001 AC-1 / URS-32 DEC-32-15 `bypass_ai`).
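
Illustration added to this URS (not module code): the dependency classification and readiness verdict of DEC-35-03 as a TypeScript evaluation over constructed probe results. The latency and capacity thresholds, the HTTP 503 on an unavailable required dependency, and treating the AI provider as the one dependency whose unavailability does not fail readiness (matching the `bypass_ai` behaviour cited above) are assumptions of the example.

```typescript
// Added example, not Verixa project code. Models the DEC-35-03 readiness
// classification: each dependency is healthy / degraded / unavailable, and
// only an unavailable *required* dependency fails readiness. Thresholds and
// the choice of which dependencies are optional are assumptions here.

type DependencyStatus = "healthy" | "degraded" | "unavailable";

interface DependencyCheck {
  name: string;
  status: DependencyStatus;
  required: boolean; // false: unavailability degrades readiness but does not fail it
  detail: string;
}

interface ReadinessResponse {
  ready: boolean;
  httpStatus: 200 | 503;
  dependencies: DependencyCheck[];
  notifyDegraded: string[]; // dependency names to hand to the URS-30 dispatcher (DEC-35-20)
}

// Connectivity-style checks: a null latency means the probe failed outright.
function classifyLatency(name: string, latencyMs: number | null, degradedAboveMs: number, required = true): DependencyCheck {
  if (latencyMs === null) return { name, status: "unavailable", required, detail: "probe failed" };
  if (latencyMs > degradedAboveMs) return { name, status: "degraded", required, detail: `${latencyMs} ms exceeds ${degradedAboveMs} ms budget` };
  return { name, status: "healthy", required, detail: `${latencyMs} ms` };
}

// Capacity checks (disk, memory, connection pool): warn / critical percentages are assumptions.
function classifyCapacity(name: string, usedPct: number, warnPct = 80, criticalPct = 95): DependencyCheck {
  if (usedPct >= criticalPct) return { name, status: "unavailable", required: true, detail: `${usedPct}% used, at or above ${criticalPct}% critical` };
  if (usedPct >= warnPct) return { name, status: "degraded", required: true, detail: `${usedPct}% used, at or above ${warnPct}% warning` };
  return { name, status: "healthy", required: true, detail: `${usedPct}% used` };
}

function evaluateReadiness(dependencies: DependencyCheck[]): ReadinessResponse {
  const hardFailure = dependencies.some(d => d.status === "unavailable" && d.required);
  // Degraded dependencies, and unavailable optional ones, are reported and notified, not fatal.
  const notifyDegraded = dependencies
    .filter(d => d.status === "degraded" || (d.status === "unavailable" && !d.required))
    .map(d => d.name);
  return { ready: !hardFailure, httpStatus: hardFailure ? 503 : 200, dependencies, notifyDegraded };
}

// Constructed probe results reproducing worked example 2: the AI provider is slow, everything else is fine.
// The AI provider is modelled as optional because authoritative workflows continue without it (bypass_ai).
const SAMPLE_DEPENDENCIES: DependencyCheck[] = [
  classifyLatency("database", 12, 500),
  classifyLatency("job_scheduler", 3, 500),
  classifyLatency("storage_provider", 40, 1000),
  classifyLatency("secret_store", 25, 1000),
  classifyLatency("offline_queue", 8, 500),
  classifyLatency("ai_provider", 4200, 2000, false),
  classifyCapacity("disk", 61),
  classifyCapacity("memory", 72),
  classifyCapacity("connection_pool", 55),
];
```

The per-dependency body is what the orchestrator, the URS-30 dispatcher and the Health Status Console each need; the `required` flag is the single place where the policy "which dependency may be down without taking the platform out of rotation" lives, so it can be reviewed rather than inferred from scattered conditionals.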

**Worked example 3 — Backup verification with immutable evidence.**
Scheduled backup completes for `production` environment at `2026-08-15T02:00:00Z`. Backup log persisted with status `executed`. DBA (URS-28 qualified per `dba_backup_restore` role per DEC-35-19) reviews backup; computes SHA-256 checksum + retrieves manifest from storage + executes restore-test in staging environment. DBA records verification per DEC-35-06: `verification_type = restore_test`, `checksum_algorithm = SHA-256`, `checksum_value`, `manifest_document_id` (URS-12 doc), `restore_test_evidence_document_id` (URS-12 doc); HITL + bound e-signature with `infra_backup_verification_authority`. `backup_logs.status` synchronized to `verified`.
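
Illustration added to this URS (not `service.ts` or the project's `verifyBackup`): a TypeScript rendering of the DEC-35-06 evidence rules together with the DEC-35-15 attribution rule. `INFRA_AUDIT_USER_ID_REQUIRED` is the URS's error code; the other error codes, the field names and the document ids are constructed for the example, as is the choice to require the checksum pair only for `checksum_only` verifications.

```typescript
// Added example, not Verixa project code. Models the DEC-35-06 verification
// record and the DEC-35-15 attribution rule. Only INFRA_AUDIT_USER_ID_REQUIRED
// is an error code from the URS; the other codes are constructed here.

type VerificationType = "checksum_only" | "manifest_review" | "restore_test";
type BackupStatus = "in_execution" | "executed" | "failed" | "verified";

interface BackupLog { id: string; status: BackupStatus; }

interface AuditContext {
  userId?: string;        // authenticated session user
  systemContext?: string; // e.g. "scheduled_backup" for system-generated events
}

interface VerificationInput {
  verificationType: VerificationType;
  checksumAlgorithm?: string;
  checksumValue?: string;
  manifestDocumentId?: string;            // URS-12 document id
  restoreTestEvidenceDocumentId?: string; // URS-12 document id
  eSignatureId?: string;                  // bound e-signature per DEC-35-11
}

interface VerificationRecord {
  readonly backupLogId: string;
  readonly verificationType: VerificationType;
  readonly checksumAlgorithm: string | null;
  readonly checksumValue: string | null;
  readonly manifestDocumentId: string | null;
  readonly restoreTestEvidenceDocumentId: string | null;
  readonly verifiedBy: string;
  readonly verifiedAt: string;
  readonly verificationESignatureId: string;
}

class InfraError extends Error {
  readonly code: string;
  constructor(code: string, message: string) {
    super(message);
    this.name = "InfraError";
    this.code = code;
  }
}

// DEC-35-15: exactly one of userId / system_context attributes an audit entry; a blank userId is rejected.
function resolveAuditActor(ctx: AuditContext): { userId: string } | { systemContext: string } {
  const hasUser = typeof ctx.userId === "string" && ctx.userId.trim() !== "";
  const hasSystem = typeof ctx.systemContext === "string" && ctx.systemContext.trim() !== "";
  if (hasUser && hasSystem) throw new InfraError("INFRA_AUDIT_ATTRIBUTION_AMBIGUOUS", "userId and system_context are mutually exclusive");
  if (hasSystem) return { systemContext: ctx.systemContext as string };
  if (!hasUser) throw new InfraError("INFRA_AUDIT_USER_ID_REQUIRED", "audit-trail entry must carry the authenticated userId");
  return { userId: ctx.userId as string };
}

function recordBackupVerification(log: BackupLog, input: VerificationInput, ctx: AuditContext, now: Date): { record: VerificationRecord; log: BackupLog } {
  if (log.status !== "executed") {
    throw new InfraError("INFRA_BACKUP_NOT_VERIFIABLE", `backup ${log.id} is ${log.status}; only executed backups are verified`);
  }
  // Verification is a human decision: system attribution is not acceptable here.
  const actor = resolveAuditActor(ctx);
  if (!("userId" in actor)) throw new InfraError("INFRA_AUDIT_USER_ID_REQUIRED", "backup verification must be attributed to a user");
  const eSignatureId = input.eSignatureId;
  if (!eSignatureId) throw new InfraError("INFRA_E_SIGNATURE_REQUIRED", "bound e-signature required per DEC-35-11");

  // Evidence required per verification_type (mirrors the NOT NULL rules of infra_backup_verifications).
  const missing: string[] = [];
  if (input.verificationType === "checksum_only" && (!input.checksumAlgorithm || !input.checksumValue)) missing.push("checksum_algorithm / checksum_value");
  if (input.verificationType !== "checksum_only" && !input.manifestDocumentId) missing.push("manifest_document_id");
  if (input.verificationType === "restore_test" && !input.restoreTestEvidenceDocumentId) missing.push("restore_test_evidence_document_id");
  if (missing.length > 0) throw new InfraError("INFRA_BACKUP_VERIFICATION_EVIDENCE_INCOMPLETE", `missing: ${missing.join(", ")}`);

  // Immutable post-write: the record is frozen before it is handed back.
  const record: VerificationRecord = Object.freeze({
    backupLogId: log.id,
    verificationType: input.verificationType,
    checksumAlgorithm: input.checksumAlgorithm ?? null,
    checksumValue: input.checksumValue ?? null,
    manifestDocumentId: input.manifestDocumentId ?? null,
    restoreTestEvidenceDocumentId: input.restoreTestEvidenceDocumentId ?? null,
    verifiedBy: actor.userId,
    verifiedAt: now.toISOString(),
    verificationESignatureId: eSignatureId,
  });
  // backup_logs.status becomes verified only now that a verification record exists.
  return { record, log: { ...log, status: "verified" } };
}

// Constructed input reproducing worked example 3 (ids and checksum are placeholders).
const SAMPLE_RESTORE_TEST_INPUT: VerificationInput = {
  verificationType: "restore_test",
  checksumAlgorithm: "SHA-256",
  checksumValue: "<placeholder-sha256-hex>",
  manifestDocumentId: "urs12-doc-manifest-placeholder",
  restoreTestEvidenceDocumentId: "urs12-doc-restore-test-placeholder",
  eSignatureId: "esig-placeholder",
};
```

The status synchronisation is deliberately the last step and takes the verification record as its precondition, so `verified` can never be reached through a status update alone; in the database the same property follows from the NOT NULL foreign keys and the immutability trigger DEC-35-06 calls for.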

**Worked example 4 — Restore execution with QP release-to-service co-sign.**
Production database corruption detected on `2026-08-20`. DBA submits restore request `RR-2026-08-20-001` per DEC-35-07. `infra_restore_authority` (URS-28 qualified) approves restore with HITL + bound e-signature; status `requested → approved`. Restore executed; status `approved → in_execution → executed`. DBA verifies restored data integrity; status `executed → verified` with bound e-signature. **Qualified Person co-signs `released_to_service`** per DEC-35-07 (because restored data impacts regulated records across URS-23/-24/-25/-26/-33/-34). Restore evidence persisted in URS-12; URS-30 notification dispatched.
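
Illustration added to this URS (not `restore-orchestrator.ts`): the DEC-35-07 lifecycle as a TypeScript transition table, each step checked for authority (DEC-35-11), URS-28 qualification (DEC-35-19) and a human principal (DEC-35-16). `INFRA_AUTHORITY_QUALIFICATION_GATE_FAILED` and `INFRA_AI_AS_AUTHORITATIVE_PROHIBITED` are from the URS; the other codes, the principal shape, the placement of the execute-step e-signature on `approved → in_execution`, and leaving the QP co-sign without a named URS-28 role are assumptions of the example.

```typescript
// Added example, not Verixa project code. Encodes the DEC-35-07 restore
// lifecycle as a transition table checked against the acting principal's
// authority (DEC-35-11), URS-28 qualification (DEC-35-19) and the DEC-35-16
// ban on AI principals. INFRA_AUTHORITY_QUALIFICATION_GATE_FAILED and
// INFRA_AI_AS_AUTHORITATIVE_PROHIBITED come from the URS; the other codes,
// the principal shape and the URS-28 role per step are assumptions.

type RestoreStatus =
  | "requested" | "approved" | "in_execution" | "executed"
  | "verified" | "released_to_service" | "rejected_post_verification";

interface Principal {
  userId: string;
  kind: "human" | "ai_service";
  authorities: string[];    // withAuthority(...) grants held
  qualifications: string[]; // URS-28 qualification roles currently satisfied
}

interface TransitionRule {
  from: RestoreStatus;
  to: RestoreStatus;
  authority: string;
  qualification: string | null; // URS-28 role gate; null where the URS names none
  eSignature: boolean;          // bound e-signature required
  reason: boolean;              // documented reason required
}

const RESTORE_TRANSITIONS: TransitionRule[] = [
  { from: "requested",    to: "approved",                   authority: "infra_restore_authority",                    qualification: "dba_backup_restore", eSignature: true,  reason: false },
  { from: "approved",     to: "in_execution",               authority: "infra_restore_authority",                    qualification: "dba_backup_restore", eSignature: true,  reason: false },
  // Completion of the running restore is recorded by the same authority; no second signature assumed.
  { from: "in_execution", to: "executed",                   authority: "infra_restore_authority",                    qualification: "dba_backup_restore", eSignature: false, reason: false },
  { from: "executed",     to: "verified",                   authority: "infra_restore_authority",                    qualification: "dba_backup_restore", eSignature: true,  reason: false },
  // QP co-sign: a different authority than the one that approved, executed and verified.
  { from: "verified",     to: "released_to_service",        authority: "infra_restore_release_to_service_authority", qualification: null,                 eSignature: true,  reason: false },
  { from: "verified",     to: "rejected_post_verification", authority: "infra_restore_authority",                    qualification: "dba_backup_restore", eSignature: true,  reason: true },
];

interface RestoreHistoryEntry { from: RestoreStatus; to: RestoreStatus; by: string; eSignatureId: string | null; reason: string | null; }
interface RestoreExecution { id: string; status: RestoreStatus; history: RestoreHistoryEntry[]; }
interface TransitionRequest { to: RestoreStatus; principal: Principal; eSignatureId?: string; reason?: string; }

class InfraError extends Error {
  readonly code: string;
  constructor(code: string, message: string) {
    super(message);
    this.name = "InfraError";
    this.code = code;
  }
}

function transitionRestore(restore: RestoreExecution, req: TransitionRequest): RestoreExecution {
  if (req.principal.kind === "ai_service") {
    throw new InfraError("INFRA_AI_AS_AUTHORITATIVE_PROHIBITED", "MIRA/AI may advise but never act on a restore transition");
  }
  const rule = RESTORE_TRANSITIONS.find(r => r.from === restore.status && r.to === req.to);
  if (!rule) throw new InfraError("INFRA_RESTORE_INVALID_TRANSITION", `${restore.status} -> ${req.to} is not a permitted transition`);
  if (!req.principal.authorities.includes(rule.authority)) {
    throw new InfraError("INFRA_AUTHORITY_REQUIRED", `${rule.authority} required for ${rule.from} -> ${rule.to}`);
  }
  if (rule.qualification !== null && !req.principal.qualifications.includes(rule.qualification)) {
    throw new InfraError("INFRA_AUTHORITY_QUALIFICATION_GATE_FAILED", `${req.principal.userId} lacks URS-28 qualification ${rule.qualification}`);
  }
  if (rule.eSignature && !req.eSignatureId) throw new InfraError("INFRA_E_SIGNATURE_REQUIRED", `bound e-signature required for ${rule.from} -> ${rule.to}`);
  if (rule.reason && (!req.reason || req.reason.trim() === "")) throw new InfraError("INFRA_REASON_REQUIRED", `documented reason required for ${rule.from} -> ${rule.to}`);
  // Append-only history; the prior record is not mutated.
  const entry: RestoreHistoryEntry = { from: restore.status, to: req.to, by: req.principal.userId, eSignatureId: req.eSignatureId ?? null, reason: req.reason ?? null };
  return { ...restore, status: req.to, history: [...restore.history, entry] };
}

// Constructed principals for worked example 4 (ids are placeholders).
const DBA: Principal = { userId: "dba-placeholder", kind: "human", authorities: ["infra_restore_authority"], qualifications: ["dba_backup_restore"] };
const QP: Principal = { userId: "qp-placeholder", kind: "human", authorities: ["infra_restore_release_to_service_authority"], qualifications: [] };

// Walks worked example 4 from request to release-to-service and returns the final record.
function runWorkedExample4(): RestoreExecution {
  let restore: RestoreExecution = { id: "RR-2026-08-20-001", status: "requested", history: [] };
  restore = transitionRestore(restore, { to: "approved", principal: DBA, eSignatureId: "esig-approve-placeholder" });
  restore = transitionRestore(restore, { to: "in_execution", principal: DBA, eSignatureId: "esig-execute-placeholder" });
  restore = transitionRestore(restore, { to: "executed", principal: DBA });
  restore = transitionRestore(restore, { to: "verified", principal: DBA, eSignatureId: "esig-verify-placeholder" });
  restore = transitionRestore(restore, { to: "released_to_service", principal: QP, eSignatureId: "esig-qp-release-placeholder" });
  return restore;
}
```

Keeping the rules in one table makes the SoD property visible at a glance: the DBA's `infra_restore_authority` is sufficient for every step up to `verified` and for rejection, but can never reach `released_to_service`, which belongs to the QP authority alone.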

**Worked example 5 — DR test with RTO/RPO verification.**
Quarterly DR test scheduled. DR Coordinator (URS-28 qualified per `dr_coordinator` role per DEC-35-19) executes DR test per DEC-35-08 with HITL + bound e-signature; documented RTO target = 4 hours; RPO target = 15 minutes. Actual RTO achieved = 3.5 hours (within target); actual RPO achieved = 8 minutes (within target). DR test verified with bound e-signature; report persisted in URS-12. If RTO/RPO targets had been missed, URS-21 finding + URS-18 CAPA would have emitted per DEC-35-17 / DEC-35-18.

**Worked example 6 — Rollback execution with authority + e-sign.**
Deployment `v2.5.0` causes critical regression. DevOps SRE on-call (URS-28 qualified per `devops_sre_oncall` per DEC-35-19) initiates rollback to `v2.4.5`. Per DEC-35-04 / DEC-35-11, rollback execution requires `infra_rollback_authority` + URS-28 + HITL + bound e-signature. Rollback executed; URS-30 notification dispatched + URS-21 finding emitted (rollback indicates prior deployment quality failure).

**Worked example 7 — Secret rotation.**
On scheduled 90-day cycle, `JWT_SECRET` rotation due. Information Security Authority (URS-28 qualified per `secret_rotation` role per DEC-35-19) executes rotation per DEC-35-14 with HITL + bound e-signature. New secret stored in secret store (DEC-35-13); affected modules (URS-01 authentication) refreshed via event bus. URS-30 notification dispatched per DEC-35-20.

**Worked example 8 — Offline queue DLQ stale → URS-21 finding.**
Over 30 days, 47 events accumulate in offline queue DLQ without disposition. Per DEC-35-09 stale-DLQ detector, `infra_finding_created` emitted to URS-21 with severity major. URS-21 standalone finding created; URS-18 CAPA opens if pattern persists per DEC-35-18.

**Worked example 9 — Secret store consumed by URS-32 MIRA.**
URS-32 MIRA AI Gateway invokes LLM provider; needs API credentials. Per URS-32 DEC-32-04 + DEC-35-13 secret store substrate, AI Gateway resolves credentials via secret-store reference `aws-secrets-manager:tenant-x/anthropic-api-key`; credentials never persisted in plain text in MIRA configuration. Same pattern for URS-29 IMAP, URS-30 Slack/Teams/Webhook, URS-31 ingest channels.
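
Illustration added to this URS (not `secret-store-resolver.ts`): a TypeScript parser for the DEC-35-13 reference pattern, tenant-scoped resolution against an in-memory stand-in store, and the DEC-35-14 90-day time-based trigger. Only `aws-secrets-manager` appears in this URS; the other provider identifiers, the segment character rules and all stored values are assumptions or placeholders.

```typescript
// Added example, not Verixa project code. Parses and validates the DEC-35-13
// reference pattern <provider>:<tenant-id>/<secret-path>, scopes resolution
// to the requesting tenant, and evaluates the DEC-35-14 time-based rotation
// trigger. Only aws-secrets-manager appears in the URS; the other provider
// identifiers, the character rules and the in-memory store are assumptions.

type SecretProvider = "aws-secrets-manager" | "hashicorp-vault" | "azure-key-vault" | "gcp-secret-manager";

const SECRET_PROVIDERS: ReadonlySet<string> = new Set<string>([
  "aws-secrets-manager", "hashicorp-vault", "azure-key-vault", "gcp-secret-manager",
]);

interface SecretReference { provider: SecretProvider; tenantId: string; secretPath: string; }

// One path segment: starts alphanumeric, then alphanumerics, dot, underscore, dash. Rejects "", "." and "..".
const SAFE_SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;

function parseSecretReference(ref: string): SecretReference {
  const colon = ref.indexOf(":");
  if (colon <= 0) throw new Error(`secret reference "${ref}" lacks a provider prefix`);
  const provider = ref.slice(0, colon);
  if (!SECRET_PROVIDERS.has(provider)) throw new Error(`unsupported secret-store provider "${provider}"`);
  const rest = ref.slice(colon + 1);
  const slash = rest.indexOf("/");
  if (slash <= 0 || slash === rest.length - 1) throw new Error(`secret reference "${ref}" must be <provider>:<tenant-id>/<secret-path>`);
  const tenantId = rest.slice(0, slash);
  const secretPath = rest.slice(slash + 1);
  if (!SAFE_SEGMENT.test(tenantId)) throw new Error(`tenant id "${tenantId}" contains unsafe characters`);
  if (secretPath.split("/").some(segment => !SAFE_SEGMENT.test(segment))) {
    throw new Error(`secret path "${secretPath}" contains an empty or unsafe segment`);
  }
  return { provider: provider as SecretProvider, tenantId, secretPath };
}

function formatSecretReference(ref: SecretReference): string {
  return `${ref.provider}:${ref.tenantId}/${ref.secretPath}`;
}

// Minimal stand-in for a provider client: maps canonical reference strings to values.
type SecretStore = ReadonlyMap<string, string>;

// Resolve at runtime for the requesting tenant only; configuration holds the reference, never the value.
// Error messages carry the reference (safe to log), never the resolved value.
function resolveSecret(store: SecretStore, requestingTenantId: string, rawRef: string): string {
  const ref = parseSecretReference(rawRef);
  if (ref.tenantId !== requestingTenantId) {
    throw new Error(`tenant ${requestingTenantId} may not resolve a secret scoped to tenant ${ref.tenantId}`);
  }
  const value = store.get(formatSecretReference(ref));
  if (value === undefined) throw new Error(`secret ${rawRef} not found in ${ref.provider}`);
  return value;
}

// DEC-35-14 time-based trigger (default 90 days).
function rotationDue(lastRotatedAt: Date, now: Date, intervalDays = 90): boolean {
  const intervalMs = intervalDays * 24 * 60 * 60 * 1000;
  return now.getTime() - lastRotatedAt.getTime() >= intervalMs;
}

// Constructed store contents; the values are placeholders, not credentials.
const SAMPLE_STORE: SecretStore = new Map<string, string>([
  ["aws-secrets-manager:tenant-x/anthropic-api-key", "placeholder-api-key-value"],
  ["aws-secrets-manager:tenant-x/lab-results-imap", "placeholder-imap-password"],
]);
```

The tenant check sits in the resolver rather than in each consuming module, so a mis-typed or copied reference in one tenant's URS-29, URS-30 or URS-32 configuration cannot reach another tenant's credential even if the provider would have served it; the segment rule is what keeps a reference from being rewritten into a different path with `..`.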

**Worked example 10 — India data residency.**
Tenant operating in India per DPDP Act 2023 requires data residency in India per DEC-35-23. Storage provider configured for India region (e.g., AWS ap-south-1); backup storage location India region; restore location India region. Periodic compliance verification.

**Worked example 11 — Governed reopen of locked infrastructure program.**
On `2027-04-15` an inspection finding (URS-22) reveals a previously locked infrastructure program may have under-recorded one DR test. DevOps Lead initiates reopen; per DEC-35-22 + SoD-35-06, both `executive_authority` co-sign AND `qualified_person_authority` co-sign + reason are required. On both co-signs the program transitions `locked → in_progress` and a new program iteration is appended; the prior locked evidence is NOT mutated.

---

## 4. End-to-End User Journeys (28 launch journeys)

| # | Journey | Actor | Pre-condition | Path | Post-condition |
|---|---|---|---|---|---|
| 1 | Production startup with env validation | DevOps Engineer | Production deployment | Per DEC-35-02 — env Zod validation + secret check + COOKIE_SECURE check | Startup succeeds OR blocks with explicit error |
| 2 | Liveness check | System (load balancer) | Continuous | GET `/health/live` per DEC-35-03 | Returns 200 if process alive |
| 3 | Readiness check (extended) | System (orchestrator) | Continuous | GET `/health/ready` checks DB + scheduler + storage + secret-store + queue + AI health + disk + capacity per DEC-35-03 | Returns 200 with `healthy` / `degraded` / `unavailable` per dependency |
| 4 | Degraded dependency notification | System (per DEC-35-03) | Dependency degraded | Emit URS-30 notification per DEC-35-20 | Notification dispatched |
| 5 | Record deployment | DevOps SRE | Deployment completed | Per DEC-35-04 — record in `deployments` table with environment / version / git_commit_sha / deployment_evidence | Deployment recorded |
| 6 | Execute rollback | DevOps SRE on-call (URS-28 qualified per DEC-35-19) | Critical regression detected | `infra_rollback_authority` + URS-28 + HITL + bound e-sign per DEC-35-11; URS-30 notification + URS-21 finding | Rollback executed |
| 7 | Create backup schedule | Information Security / DBA | New backup schedule needed | Per DEC-35-05 — create with URS-13 CR linkage on effective release | Schedule created; effective release with bound e-sign |
| 8 | Execute scheduled backup | System (scheduled) | Backup schedule effective | Per DEC-35-05 — backup execution; persist in `backup_logs` | Backup executed |
| 9 | Backup failure notification | System | Backup failed | Emit URS-30 notification + URS-21 finding per DEC-35-17 / DEC-35-20 | Notification dispatched |
| 10 | Backup verification (immutable evidence) | DBA (URS-28 qualified) | Backup `executed` | Per DEC-35-06 — record verification with checksum + manifest + restore-test + bound e-sign + `infra_backup_verification_authority` | Verification recorded immutably; backup status `verified` |
| 11 | Restore request | DBA | Data corruption / loss event | Per DEC-35-07 — create restore request | Restore `requested` |
| 12 | Restore approval | `infra_restore_authority` (URS-28 qualified) | Restore `requested` | HITL + bound e-sign per DEC-35-07 / DEC-35-11 | Restore `approved` |
| 13 | Restore execution | DBA | Restore `approved` | Execute restore; transition `approved → in_execution → executed` | Restore `executed` |
| 14 | Restore verification | `infra_restore_authority` | Restore `executed` | HITL + bound e-sign + scientific assessment per DEC-35-07 | Restore `verified` |
| 15 | Restore release-to-service (QP co-sign) | `infra_restore_release_to_service_authority` (Qualified Person per DEC-35-07) + URS-28 | Restore `verified` | HITL + bound e-sign per DEC-35-07 / DEC-35-11 | Restore `released_to_service`; URS-30 notification |
| 16 | Restore rejection post-verification | `infra_restore_authority` | Restore `verified` but data integrity unacceptable | HITL + bound e-sign + reason per DEC-35-07 | Restore `rejected_post_verification` |
| 17 | Plan DR test | DR Coordinator (URS-28 qualified per DEC-35-19) | Quarterly schedule | Per DEC-35-08 — plan with documented RTO / RPO targets | DR test `planned` |
| 18 | Execute DR test | DR Coordinator | DR test `planned` | HITL + bound e-sign per DEC-35-08 / DEC-35-11 | DR test `executed` |
| 19 | Verify DR test (RTO/RPO comparison) | DR Coordinator | DR test `executed` | Compare actual RTO/RPO vs targets per DEC-35-08 | DR test `verified` |
| 20 | DR test failure → URS-21 + URS-18 | System | RTO or RPO target missed | Emit URS-21 finding + URS-18 CAPA per DEC-35-17 / DEC-35-18 | Finding + CAPA created |
| 21 | Rotate secret | Information Security Authority (URS-28 qualified per DEC-35-19) | Rotation due (90 days OR incident OR manual) | `infra_secret_rotation_authority` + HITL + bound e-sign per DEC-35-14 | Secret rotated; affected modules notified via event bus; URS-30 notification |
| 22 | Process offline queue | System (continuous) | Queue items pending | Per DEC-35-09 — process and emit events to consumers | Queue processed |
| 23 | DLQ disposition | Authorized user | DLQ items pending review | Disposition: `replayed` \| `abandoned` per DEC-35-09 | Disposition recorded |
| 24 | Stale DLQ → URS-21 finding | System (scheduled) | DLQ items > 30 days unprocessed | Emit `infra_finding_created` per DEC-35-17 | URS-21 finding created |
| 25 | Secret store consumer integration (URS-32 MIRA AI) | URS-32 MIRA service | AI invocation | Resolve credentials via secret-store reference per DEC-35-13 | Credentials resolved; never persisted in plain text |
| 26 | Reject AI-only authoritative infrastructure action | System (per DEC-35-16) | AI service as acting principal | Reject with `INFRA_AI_AS_AUTHORITATIVE_PROHIBITED` | Operation rejected |
| 27 | India data residency configuration | Tenant Admin + Information Security | India operations | Configure data storage location India region per DEC-35-23 | India residency enforced |
| 28 | Reopen locked infrastructure program (governed transition) | DevOps Lead + Executive Authority + Qualified Person | Program `locked` | Executive co-sign AND QP co-sign + reason; transition `locked → in_progress`; append new iteration per DEC-35-22 | Program `in_progress`; new iteration appended; prior locked evidence NOT mutated |

---

## 5. Front-end Requirements

### 5.1 Infrastructure Admin Dashboard

The dashboard (URS-35-FE-001) renders summary cards (system status, uptime, version, memory, health response-time chart, deployments table, backup schedules table, offline queue badges, recent backup verifications, recent restores, recent DR tests) per + per DEC-35-10.

### 5.2 Backup Management Console

Renders backup schedule lifecycle + create / update with URS-13 CR linkage per DEC-35-05.

### 5.3 Backup Verification Console

Renders backup verification ceremony with checksum + manifest + restore-test evidence per DEC-35-06.

### 5.4 Restore Console

Renders restore lifecycle with approval + execution + verification + release-to-service ceremonies (QP co-sign on release-to-service) per DEC-35-07.

### 5.5 DR Test Console

Renders DR test plan + execution + verification with RTO/RPO comparison per DEC-35-08.

### 5.6 Deployment Console

Renders deployment + rollback ceremonies with bound e-sign per DEC-35-04 / DEC-35-11 (+ for rollback action).

### 5.7 Offline Queue + DLQ Console

Renders offline queue + DLQ with disposition controls per DEC-35-09.

### 5.8 Secret Store Console

Renders secret rotation ceremonies per DEC-35-13 / DEC-35-14.

### 5.9 Health Status Console

Renders detailed health/readiness with dependency classification per DEC-35-03 (for extended readiness display).

### 5.10 Infrastructure Metrics Dashboard

Renders periodic infrastructure metrics consumed by URS-26 APQR per DEC-35-21.

### 5.11 MIRA Copilot Integration

Read-only context per DEC-35-16; `mira_outcome_label` per URS-32 DEC-32-23.

### 5.12 Accessibility

WCAG 2.1 AA accessible.

---

## 6. Back-end Requirements

### 6.1 Module structure

`packages/backend/src/modules/infrastructure/` with `plugin.ts`, `routes.ts` (typed schemas; routes per §6.3), `service.ts` (attributable audit per DEC-35-15; URS-28 qualification consumer per DEC-35-19; restore/DR/secret-rotation services), `schemas.ts`, `events.ts`, `secret-store-resolver.ts` (per DEC-35-13), `restore-orchestrator.ts` (per DEC-35-07), `dr-test-engine.ts` (per DEC-35-08).

### 6.2 Data model

#### 6.2.1 `system_health_checks` (retained)

`id`, `tenant_id` (nullable for platform-wide checks), `check_at`, `dependency_classifications_json` (JSONB per DEC-35-03 — extended readiness), `overall_status`, audit columns. RLS enabled.

#### 6.2.2 `deployments` (retained)

`id`, `environment` (ENUM `dev` / `staging` / `production`), `version`, `git_commit_sha`, `deployed_at`, `deployed_by` (FK NOT NULL per DEC-35-15), `deployment_evidence_document_id` (FK to URS-12 nullable), `is_rollback` (BOOLEAN), `rollback_target_version` (TEXT nullable), `rollback_e_signature_id` (FK nullable per DEC-35-11), `mira_outcome_label`, audit columns.

#### 6.2.3 `backup_schedules` 

`id`, `tenant_id`, `schedule_code`, `frequency_cron`, `backup_type` (ENUM `full` / `incremental` / `differential`), `release_change_request_id` (FK to URS-13 per DEC-35-05), `effective_from`, `effective_to`, `released_by`, `released_at`, `release_e_signature_id`, `status` (ENUM `draft` / `effective` / `suspended` / `archived`), `mira_outcome_label`, audit columns.

#### 6.2.4 `backup_logs` (retained)

`id`, `tenant_id`, `backup_schedule_id` (FK), `started_at`, `completed_at`, `backup_size_bytes` (BIGINT), `backup_storage_location` (TEXT), `status` (ENUM `in_execution` / `executed` / `failed` / `verified` per DEC-35-06), `failure_reason` (TEXT nullable), `mira_outcome_label`, audit columns.

#### 6.2.5 `infra_backup_verifications` (per DEC-35-06)

`id`, `tenant_id`, `backup_log_id` (FK NOT NULL), `verification_type` (ENUM `checksum_only` / `manifest_review` / `restore_test`), `checksum_algorithm` (TEXT — e.g., `SHA-256`), `checksum_value` (TEXT NOT NULL for checksum verification), `manifest_document_id` (FK to URS-12 NOT NULL for manifest_review or restore_test), `restore_test_evidence_document_id` (FK to URS-12 NOT NULL for restore_test), `verified_by` (FK NOT NULL per DEC-35-15), `verified_at` (TIMESTAMPTZ NOT NULL), `verification_e_signature_id` (FK NOT NULL per DEC-35-11), `mira_outcome_label`, audit columns. **Immutable post-write per DEC-35-06**.

#### 6.2.6 `infra_restore_executions` (per DEC-35-07)

`id`, `tenant_id`, `requested_by` (FK), `requested_at`, `request_reason`, `source_backup_log_id` (FK to `backup_logs`), `target_environment`, `approved_by` (FK nullable) / `approved_at` / `approval_e_signature_id` per DEC-35-07, `executed_by` (FK nullable) / `executed_at`, `verified_by` (FK nullable) / `verified_at` / `verification_e_signature_id`, `released_to_service_by` (FK nullable — Qualified Person per DEC-35-07) / `released_to_service_at` / `release_e_signature_id`, `rejected_post_verification_by` (FK nullable) / `rejection_reason`, `restore_evidence_document_id` (FK to URS-12), `status` (ENUM `requested` / `approved` / `in_execution` / `executed` / `verified` / `released_to_service` / `rejected_post_verification`), `mira_outcome_label`, audit columns.

#### 6.2.7 `infra_dr_plans` (per DEC-35-08)

`id`, `tenant_id`, `plan_code`, `service_class` (e.g., `regulated_critical` / `regulated_advisory` / `non_regulated`), `rto_target_minutes` (INTEGER NOT NULL), `rpo_target_minutes` (INTEGER NOT NULL), `release_change_request_id` (FK to URS-13), `effective_from`, `effective_to`, `released_by` / `released_at` / `release_e_signature_id`, `status` (ENUM `draft` / `effective` / `superseded` / `archived`), audit columns.

#### 6.2.8 `infra_dr_tests` (per DEC-35-08)

`id`, `tenant_id`, `dr_plan_id` (FK), `planned_at`, `executed_by` (FK) / `executed_at` / `execution_e_signature_id`, `actual_rto_minutes` (INTEGER), `actual_rpo_minutes` (INTEGER), `rto_within_target` (BOOLEAN GENERATED), `rpo_within_target` (BOOLEAN GENERATED), `verified_by` (FK) / `verified_at` / `verification_e_signature_id`, `dr_test_report_document_id` (FK to URS-12), `linked_finding_id` (FK to URS-21 nullable), `linked_capa_id` (FK to URS-18 nullable), `status` (ENUM `planned` / `in_execution` / `executed` / `verified` / `reported`), `mira_outcome_label`, audit columns.

#### 6.2.9 `offline_event_queue` (retained)

`id`, `tenant_id`, `event_payload_json` (JSONB), `target_consumer`, `created_at`, `processed_at`, `status` (ENUM `pending` / `processed` / `failed`), audit columns.

#### 6.2.10 `infra_event_dlq` (per DEC-35-09)

`id`, `tenant_id`, `original_event_payload` (JSONB), `error_class`, `retry_count`, `last_error_at`, `disposition` (ENUM `pending_review` / `replayed` / `abandoned`), `dispositioned_by`, `dispositioned_at`, audit columns.

#### 6.2.11 `infra_secret_rotations` (per DEC-35-14)

`id`, `tenant_id`, `secret_path`, `secret_type`, `rotation_trigger` (ENUM `time_based` / `incident_driven` / `manual`), `rotated_by` (FK NOT NULL per DEC-35-15), `rotated_at`, `rotation_e_signature_id` (FK NOT NULL per DEC-35-11 / DEC-35-14), `affected_modules` (TEXT[]), audit columns.

#### 6.2.12 `infra_program_locks` (per DEC-35-22)

`id`, `tenant_id`, `period_start`, `period_end`, `locked_by`, `locked_at`, `lock_e_signature_id`, `reopened_at`, `reopened_by`, `reopen_executive_co_signer`, `reopen_qp_co_signer`, `reopen_reason`, audit columns.

#### 6.2.13 RLS

All Module 35 tables have RLS enabled where tenant-scoped; platform-wide tables have explicit `FORCE ROW LEVEL SECURITY` with platform-admin policies.

### 6.3 API contract

| Route | Method | Permission | Status |
|---|---|---|---|
| `/api/v1/health/live` | GET | public per | |
| `/api/v1/health/ready` | GET | public per; extended dependencies per DEC-35-03 | |
| `/api/v1/health/startup` | GET | public per | |
| `/api/v1/health/metrics` | GET | platform-admin per | |
| `/api/v1/infrastructure/system-status` | GET | `infra:status:read` | |
| `/api/v1/infrastructure/health-checks` | GET / POST | `infra:health_check:read` / `infra:health_check:create` | |
| `/api/v1/infrastructure/deployments` | GET / POST | `infra:deployment:read` / `infra:deployment:create` | |
| `/api/v1/infrastructure/deployments/:id/rollback` | POST | `infra_rollback_authority` + URS-28 qualification per DEC-35-19 + HITL + bound e-sign per DEC-35-11 | |
| `/api/v1/infrastructure/backup-schedules` | GET / POST | `infra:backup_schedule:read` / `infra:backup_schedule:create` | |
| `/api/v1/infrastructure/backup-schedules/:id/release` | POST | `info_security_authority` + HITL + bound e-sign + URS-13 CR per DEC-35-05 | |
| `/api/v1/infrastructure/backup-logs` | GET / POST | `infra:backup_log:read` / `infra:backup_log:create` | |
| `/api/v1/infrastructure/backup-verifications` | POST | `infra_backup_verification_authority` + URS-28 + HITL + bound e-sign per DEC-35-06 / DEC-35-11 | |
| `/api/v1/infrastructure/restore-executions` | GET / POST | `infra:restore:read` / `infra:restore:create` per DEC-35-07 | |
| `/api/v1/infrastructure/restore-executions/:id/approve` | POST | `infra_restore_authority` + URS-28 + HITL + bound e-sign per DEC-35-07 / DEC-35-11 | |
| `/api/v1/infrastructure/restore-executions/:id/execute` | POST | `infra_restore_authority` + URS-28 + HITL + bound e-sign per DEC-35-07 | |
| `/api/v1/infrastructure/restore-executions/:id/verify` | POST | `infra_restore_authority` + URS-28 + HITL + bound e-sign per DEC-35-07 | |
| `/api/v1/infrastructure/restore-executions/:id/release-to-service` | POST | `infra_restore_release_to_service_authority` (Qualified Person per DEC-35-07) + URS-28 + HITL + bound e-sign | |
| `/api/v1/infrastructure/restore-executions/:id/reject-post-verification` | POST | `infra_restore_authority` + HITL + bound e-sign + reason | |
| `/api/v1/infrastructure/dr-plans` | GET / POST | `infra:dr_plan:read` / `infra:dr_plan:create` | |
| `/api/v1/infrastructure/dr-plans/:id/release` | POST | `infra_dr_coordinator_authority` + URS-28 + HITL + bound e-sign + URS-13 CR per DEC-35-08 | |
| `/api/v1/infrastructure/dr-tests` | GET / POST | `infra:dr_test:read` / `infra:dr_test:create` | |
| `/api/v1/infrastructure/dr-tests/:id/execute` | POST | `infra_dr_coordinator_authority` + URS-28 + HITL + bound e-sign per DEC-35-08 / DEC-35-11 | |
| `/api/v1/infrastructure/dr-tests/:id/verify` | POST | `infra_dr_coordinator_authority` + URS-28 + HITL + bound e-sign + RTO/RPO comparison per DEC-35-08 | |
| `/api/v1/infrastructure/offline-queue` | GET | `infra:offline_queue:read` | |
| `/api/v1/infrastructure/offline-queue/process` | POST | `infra:offline_queue:process` | |
| `/api/v1/infrastructure/dlq` | GET | `infra:dlq:read` per DEC-35-09 | |
| `/api/v1/infrastructure/dlq/:id/replay` | POST | `infra:dlq:replay` per DEC-35-09 | |
| `/api/v1/infrastructure/dlq/:id/abandon` | POST | `infra:dlq:abandon` + reason per DEC-35-09 | |
| `/api/v1/infrastructure/secret-store/rotate` | POST | `infra_secret_rotation_authority` + URS-28 + HITL + bound e-sign per DEC-35-14 | |
| `/api/v1/infrastructure/program-locks` | POST | `final_quality_approver` + HITL + bound e-sign | |
| `/api/v1/infrastructure/program-locks/:id/reopen` | POST | `executive_authority` co-sign AND `qualified_person_authority` co-sign + HITL + reason per DEC-35-22 | |

### 6.4 Workflow

#### 6.4.1 Restore lifecycle

```mermaid
stateDiagram-v2
 [*] --> requested: create
 requested --> approved: infra_restore_authority + URS-28 + HITL + bound e-sign — DEC-35-07
 approved --> in_execution: execute
 in_execution --> executed: completion
 executed --> verified: infra_restore_authority + HITL + bound e-sign + scientific assessment — DEC-35-07
 verified --> released_to_service: infra_restore_release_to_service_authority (Qualified Person per DEC-35-07) + URS-28 + HITL + bound e-sign
 verified --> rejected_post_verification: HITL + bound e-sign + reason
 released_to_service --> [*]
 rejected_post_verification --> [*]
```

#### 6.4.2 DR test lifecycle

```mermaid
stateDiagram-v2
 [*] --> planned: create per DEC-35-08
 planned --> in_execution: execute (infra_dr_coordinator_authority + URS-28 + HITL + bound e-sign — DEC-35-11)
 in_execution --> executed: completion
 executed --> verified: verify (RTO/RPO comparison + bound e-sign — DEC-35-08)
 verified --> reported
 note right of verified: RTO/RPO miss → URS-21 finding + URS-18 CAPA per DEC-35-17/18
 reported --> [*]
```
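The verify step above compares actual RTO/RPO with the plan targets and escalates on a miss, but the diagram leaves the derivation implicit. The block below is an added example, not the project's `dr-test-engine.ts`: it derives `actual_rto_minutes` (outage declared to service restored) and `actual_rpo_minutes` (last good backup to outage declared) from a test timeline, produces the §6.2.8 generated flags, and on a miss returns the §6.7 codes together with the URS-21 / URS-18 emissions of BR-35-09. The timeline fields, the sample timestamps and the plan targets are assumptions constructed here; the sample targets reuse the NFR-35-09 limits (RPO 15 min, RTO 4 hours).

```typescript
// Added example, not the project's dr-test-engine. Verify step of §6.4.2 (DEC-35-08).
// The timeline fields and sample values are assumptions; codes, flags and event names
// come from §6.2.8, §6.7 and §20. Consumer-assigned ids (finding_id, capa_id) are omitted.

interface DrPlan {
  id: string;
  rto_target_minutes: number;
  rpo_target_minutes: number;
}

interface DrTestTimeline {
  outage_declared_at: string;    // simulated loss of service (assumed field)
  last_good_backup_at: string;   // most recent verified backup before the outage (assumed field)
  service_restored_at: string;   // service confirmed back (assumed field)
}

interface DrTestExecuted {
  id: string;
  dr_plan_id: string;
  status: "executed";
  timeline: DrTestTimeline;
}

interface DrTestVerified {
  id: string;
  dr_plan_id: string;
  status: "verified";
  actual_rto_minutes: number;
  actual_rpo_minutes: number;
  rto_within_target: boolean;    // GENERATED in §6.2.8; computed here for the caller
  rpo_within_target: boolean;
  verified_by: string;
  verification_e_signature_id: string;
}

interface EmittedEvent { name: string; payload: Record<string, unknown>; }

interface DrVerification { record: DrTestVerified; miss_codes: string[]; events: EmittedEvent[]; }

function minutesBetween(fromIso: string, toIso: string): number {
  const ms = new Date(toIso).getTime() - new Date(fromIso).getTime();
  if (Number.isNaN(ms) || ms < 0) throw new Error("INFRA_VALIDATION_FAILED: inconsistent timeline");
  return Math.ceil(ms / 60_000);  // partial minutes count against the target
}

function verifyDrTest(plan: DrPlan, test: DrTestExecuted, verifiedBy: string, eSignatureId: string): DrVerification {
  if (test.dr_plan_id !== plan.id) throw new Error("INFRA_VALIDATION_FAILED: test not linked to plan");
  if (!eSignatureId) throw new Error("INFRA_E_SIGNATURE_REQUIRED");

  const t = test.timeline;
  // RTO: how long service was down. RPO: how much committed data the restore point could not cover.
  const actual_rto_minutes = minutesBetween(t.outage_declared_at, t.service_restored_at);
  const actual_rpo_minutes = minutesBetween(t.last_good_backup_at, t.outage_declared_at);
  const rto_within_target = actual_rto_minutes <= plan.rto_target_minutes;
  const rpo_within_target = actual_rpo_minutes <= plan.rpo_target_minutes;

  const miss_codes: string[] = [];
  if (!rto_within_target) miss_codes.push("INFRA_DR_RTO_MISSED");
  if (!rpo_within_target) miss_codes.push("INFRA_DR_RPO_MISSED");

  const record: DrTestVerified = {
    id: test.id, dr_plan_id: test.dr_plan_id, status: "verified",
    actual_rto_minutes, actual_rpo_minutes, rto_within_target, rpo_within_target,
    verified_by: verifiedBy, verification_e_signature_id: eSignatureId,
  };
  const events: EmittedEvent[] = [{
    name: "infra_dr_test_verified",
    payload: { dr_test_id: record.id, rto_within_target, rpo_within_target,
               verified_by: verifiedBy, verification_e_signature_id: eSignatureId },
  }];
  if (miss_codes.length > 0) {
    // BR-35-09: a miss is a valid verification outcome that escalates; it does not abort the record
    events.push({ name: "infra_finding_created",
                  payload: { dr_test_id: record.id, finding_type: miss_codes.join(","), source_type: "infra_operational_resilience" } });
    events.push({ name: "infra_capa_linked",
                  payload: { dr_test_id: record.id, source_type: "infra_operational_resilience" } });
  }
  return { record, miss_codes, events };
}
```

The verified record is persisted whether or not the targets were met; a non-empty `miss_codes` is what the route layer maps onto the 422 responses listed in §6.7, and the two extra events are the outbound emissions that URS-21 and URS-18 must accept with `source_type = infra_operational_resilience`.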

### 6.5 Business rules

- BR-35-01: Production startup blocked if required secrets are missing or use known test defaults per DEC-35-02.
- BR-35-02: Health readiness extended to all dependencies per DEC-35-03.
- BR-35-03: Rollback execution requires `infra_rollback_authority` + URS-28 + HITL + bound e-sign per DEC-35-04 / DEC-35-11.
- BR-35-04: Backup schedule effective release requires `info_security_authority` + HITL + bound e-sign + URS-13 CR per DEC-35-05.
- BR-35-05: **Backup verification immutable + checksum + manifest + restore-test evidence + bound e-sign + `infra_backup_verification_authority`** per DEC-35-06 / DEC-35-11.
- BR-35-06: Restore lifecycle per DEC-35-07.
- BR-35-07: **Restore release-to-service requires Qualified Person co-sign** per DEC-35-07.
- BR-35-08: DR test lifecycle with RTO/RPO comparison per DEC-35-08.
- BR-35-09: DR test failure (RTO or RPO miss) emits URS-21 finding + URS-18 CAPA per DEC-35-17 / DEC-35-18.
- BR-35-10: Offline queue + DLQ per DEC-35-09; stale DLQ → URS-21 finding.
- BR-35-11: Authority/HITL/e-sign on all critical infrastructure actions per DEC-35-11.
- BR-35-12: **Secret store substrate platform-wide** per DEC-35-13; consumed by URS-29/-30/-31/-32/-33/-34.
- BR-35-13: Secret rotation requires `infra_secret_rotation_authority` + URS-28 + HITL + bound e-sign per DEC-35-14.
- BR-35-14: **Attributable infrastructure audit** per DEC-35-15; blank `userId` rejected.
- BR-35-15: AI/MIRA assistive-only per DEC-35-16; `mira_outcome_label` per URS-32 DEC-32-23.
- BR-35-16: **AI cannot detect / triage / recover / restore / verify / approve / close any infrastructure event** per ARCH-AI-001 / DEC-35-16.
- BR-35-17: Findings emission to URS-21 per DEC-35-17.
- BR-35-18: CAPA emission to URS-18 per DEC-35-18.
- BR-35-19: URS-28 qualification-gate inbound per DEC-35-19.
- BR-35-20: URS-30 Notifications outbound per DEC-35-20.
- BR-35-21: URS-26 APQR consumer per DEC-35-21.
- BR-35-22: Reopen requires executive AND QP co-sign per DEC-35-22.
- BR-35-23: `platform_admin` / `super_admin` are support / break-glass only per DEC-35-23.
- BR-35-24: India data residency per DPDP Act 2023 + IT Act 2000 per DEC-35-23.

### 6.6 Audit trail

Every Module 35 record mutation persists an audit-trail entry **with authenticated `userId` mandatory per DEC-35-15** (system-context permitted only for system-generated events with explicit `system_context`). Material updates persist `reason_for_change`. Regulated final actions persist a bound e-signature via the `electronic_signatures` substrate. Append-only.
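Two of the properties above are mechanically checkable: that no entry is written without an attributable `userId` (DEC-35-15), and that the log is append-only in the sense that any later UPDATE or DELETE is detectable (SEC-35-07 hash chain, TC-35-S-007). The block below is an added example, not the URS-06 substrate itself: a small append-only audit trail in which every entry is hashed over its own content plus the previous hash, with blank `userId` rejected using the §6.7 code unless an explicit `system_context` is supplied. The entry shape, the canonical serialization and the sample entries are assumptions.

```typescript
import { createHash } from "crypto";

// Added example, not the URS-06 substrate. Attributable, hash-chained audit trail per §6.6 /
// SEC-35-07 / DEC-35-15. Entry shape, canonical form and sample values are assumptions.

interface AuditEntry {
  seq: number;
  at: string;                     // ISO timestamp supplied by the writer
  tenant_id: string;
  record_type: string;
  record_id: string;
  action: string;
  userId: string;                 // authenticated user, or "system" only with system_context
  system_context?: string;        // e.g. the scheduler job that produced a system event
  reason_for_change?: string;     // required by §6.6 for material updates
  e_signature_id?: string;        // bound e-signature for regulated final actions
  prev_hash: string;
  hash: string;
}

type AuditInput = Omit<AuditEntry, "seq" | "prev_hash" | "hash" | "userId"> & { userId?: string };

const GENESIS_HASH = "0".repeat(64);

function sha256Hex(s: string): string {
  return createHash("sha256").update(s, "utf8").digest("hex");
}

// Sorted-key JSON so the hash does not depend on property insertion order.
function canonical(unsigned: Omit<AuditEntry, "hash">): string {
  return JSON.stringify(unsigned, Object.keys(unsigned).sort());
}

class AuditTrail {
  private readonly entries: AuditEntry[] = [];

  append(input: AuditInput): AuditEntry {
    let userId: string;
    if (input.system_context && input.system_context.trim() !== "") {
      userId = "system";                    // system-generated event with explicit context
    } else if (input.userId && input.userId.trim() !== "") {
      userId = input.userId;
    } else {
      throw new Error("INFRA_AUDIT_USER_ID_REQUIRED");   // §6.7, 422
    }
    const prev = this.entries[this.entries.length - 1];
    const unsigned: Omit<AuditEntry, "hash"> = {
      ...input, userId, seq: this.entries.length + 1, prev_hash: prev ? prev.hash : GENESIS_HASH,
    };
    const entry: AuditEntry = Object.freeze({ ...unsigned, hash: sha256Hex(canonical(unsigned)) });
    this.entries.push(entry);             // append only; frozen so in-process mutation also fails
    return entry;
  }

  snapshot(): AuditEntry[] {
    return this.entries.map(e => ({ ...e }));
  }
}

// Walks a persisted chain and returns the 1-based position of the first entry that does
// not verify (edited content, broken link, or a gap left by a deletion), or null if intact.
function firstBrokenLink(entries: readonly AuditEntry[]): number | null {
  let expectedPrev = GENESIS_HASH;
  for (let i = 0; i < entries.length; i++) {
    const { hash, ...unsigned } = entries[i];
    if (unsigned.seq !== i + 1 || unsigned.prev_hash !== expectedPrev || sha256Hex(canonical(unsigned)) !== hash) {
      return i + 1;
    }
    expectedPrev = hash;
  }
  return null;
}
```

Preventing UPDATE and DELETE is a database grant and trigger matter; the chain is the detective control that lets the periodic review (URS-35-VAL-010) prove that what is stored is what was written.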

### 6.7 Error handling

| Code | HTTP | Meaning |
|---|---|---|
| `INFRA_VALIDATION_FAILED` | 400 | Schema validation failure |
| `INFRA_UNAUTHORIZED` | 401 | Authentication required |
| `INFRA_FORBIDDEN` | 403 | RBAC denied |
| `INFRA_NOT_FOUND` | 404 | Resource not found |
| `INFRA_DUPLICATE_KEY` | 409 | Uniqueness violation |
| `INFRA_INVALID_TRANSITION` | 422 | Lifecycle transition not permitted |
| `INFRA_PRODUCTION_STARTUP_BLOCKED` | 503 | Startup blocked per DEC-35-02 (env validation failure) |
| `INFRA_BACKUP_VERIFICATION_EVIDENCE_REQUIRED` | 422 | Backup verification missing checksum / manifest / restore-test evidence per DEC-35-06 |
| `INFRA_BACKUP_VERIFICATION_IMMUTABLE` | 422 | Attempt to modify backup verification post-write per DEC-35-06 |
| `INFRA_RESTORE_RELEASE_QP_COSIGN_REQUIRED` | 422 | Restore release-to-service without QP co-sign per DEC-35-07 |
| `INFRA_DR_RTO_MISSED` | 422 | DR test actual RTO > target per DEC-35-08 (triggers URS-21/-18) |
| `INFRA_DR_RPO_MISSED` | 422 | DR test actual RPO > target per DEC-35-08 |
| `INFRA_AUTHORITY_REQUIRED` | 422 | Authority Profile missing |
| `INFRA_AUTHORITY_QUALIFICATION_GATE_FAILED` | 422 | URS-28 qualification gate failed per DEC-35-19 |
| `INFRA_HITL_DECISION_REQUIRED` | 422 | HITL decision capture missing |
| `INFRA_E_SIGNATURE_REQUIRED` | 422 | Bound e-signature persistence missing |
| `INFRA_AUDIT_USER_ID_REQUIRED` | 422 | Audit-trail write with blank `userId` per DEC-35-15 |
| `INFRA_AI_AS_AUTHORITATIVE_PROHIBITED` | 422 | AI service attempted regulated infrastructure action per ARCH-AI-001 / DEC-35-16 |
| `INFRA_REASON_FOR_CHANGE_REQUIRED` | 422 | Material update / terminal transition without reason-for-change |
| `INFRA_REOPEN_AUTHORITY_REQUIRED` | 422 | Reopen attempted without executive AND QP co-sign per DEC-35-22 |
| `INFRA_SECRET_ROTATION_AUTHORITY_REQUIRED` | 422 | Secret rotation without `infra_secret_rotation_authority` per DEC-35-14 |
| `INFRA_INTERNAL` | 500 | Sanitized server error |

### 6.8 Configuration rules

- Health readiness check timeout configurable per dependency per DEC-35-03.
- Backup schedule frequency configurable via cron per DEC-35-05.
- DR plan RTO/RPO targets configurable per service-class per DEC-35-08.
- Stale DLQ threshold (default 30 days) configurable per DEC-35-09.
- Secret rotation interval (default 90 days) configurable per secret type per DEC-35-14.

---

## 7. Non-functional Requirements

- NFR-35-01: List pagination (default 50, max 200).
- NFR-35-02: Health endpoints p95 < 100ms.
- NFR-35-03: Extended readiness check p95 < 500ms.
- NFR-35-04: Backup verification recording p95 < 2s.
- NFR-35-05: Restore approval ceremony p95 < 1.5s.
- NFR-35-06: Audit-trail append p99 < 200ms.
- NFR-35-07: Concurrent infrastructure admin users per tenant: 20.
- NFR-35-08: Storage scalability: 100M health-check records per tenant.
- NFR-35-09: Backup / restore RPO ≤ 15 min; RTO ≤ 4 hours per DR plan.
- NFR-35-10: Bound e-signature persistence transaction p95 < 1.5s.
- NFR-35-11: URS-28 qualification-gate consumption p95 < 200ms.
- NFR-35-12: Secret store resolution p95 < 200ms.

---

## 8. Localization

English (en-US, en-GB), Hindi (hi-IN), Marathi (mr-IN), Japanese (ja-JP) at launch. **India launch scope priority** per DEC-35-23.

---

## 9. Migration

### 9.1 Migration scope

Tables retained: `system_health_checks`, `deployments`, `backup_schedules`, `backup_logs`, `offline_event_queue` per migration `042_i18n_bulk_infra.sql`. New migrations required for: `infra_backup_verifications`, `infra_restore_executions`, `infra_dr_plans`, `infra_dr_tests`, `infra_event_dlq`, `infra_secret_rotations`, `infra_program_locks`.

### 9.2 Schema migration

Migration baseline per; target migrations add: `mira_outcome_label` ENUM column to existing tables per DEC-35-16 / URS-32 DEC-32-23; `userId` NOT NULL audit columns per DEC-35-15; `release_change_request_id` FK to URS-13 on `backup_schedules` per DEC-35-05; deployment evidence FK to URS-12 + rollback e-signature FK; migrations for §6.2.5–§6.2.12 tables.

### 9.3 Migration evidence gate (URS-35-VAL-008)

(a) all migrations applied; (b) RLS verified; (c) typed schema verified per DEC-35-15; (d) attributable audit verified per DEC-35-15 (blank `userId` rejected); (e) production startup gating verified per DEC-35-02 (test-default secret rejection); (f) extended readiness verified per DEC-35-03; (g) deployment + rollback authority verified per DEC-35-04 / DEC-35-11; (h) backup schedule effective release + URS-13 CR linkage verified per DEC-35-05; (i) **immutable backup verification verified per DEC-35-06** (checksum + manifest + restore-test evidence + post-write immutability); (j) **restore lifecycle verified per DEC-35-07** including QP co-sign on release-to-service; (k) **DR test execution + RTO/RPO comparison verified per DEC-35-08**; (l) offline queue + DLQ verified per DEC-35-09; (m) Authority/HITL/e-sign on critical actions verified per DEC-35-11; (n) **secret store substrate verified per DEC-35-13** (consumed by URS-29/-30/-31/-32 mocks); (o) secret rotation verified per DEC-35-14; (p) AI/MIRA assistive-only verified per DEC-35-16; (q) URS-28 qualification-gate consumption verified per DEC-35-19; (r) URS-30 notifications outbound verified per DEC-35-20; (s) URS-26 APQR consumer verified per DEC-35-21; (t) URS-32 MIRA outcome-label inbound verified; (u) cross-module event emission verified; (v) governed reopen verified per DEC-35-22; (w) §17 validation evidence pack signed.

---

## 10. Decommissioning

Module 35 records subject to platform record-retention policy. Deployment records / backup logs / verification records / restore records / DR test records retained per regulatory record-retention rules. On tenant decommissioning, records exported.

---

## 11. Decisions, Dependencies, Risks, and Error Handling

### 11.1 Closed decision posture

**No Module 35 internal decisions outstanding.** All decision items captured in locked decisions DEC-35-01..DEC-35-23. All launch-critical infrastructure, backup, restore, resilience, and recovery controls are locked in this URS.

### 11.2 External dependencies

- URS-12 Document Control must support backup manifests / restore verification reports / DR test reports / deployment evidence storage.
- URS-13 change-control register must support backup schedule + DR plan effective release linkage.
- URS-18 CAPA register must accept `infra_operational_resilience` source type per DEC-35-18.
- URS-21 findings register must accept `infra_operational_resilience` source type per DEC-35-17.
- URS-22 Inspection must support infrastructure back-room evidence retrieval.
- URS-26 APQR must consume periodic infrastructure summary per DEC-35-21.
- URS-27 Regulatory must accept any infrastructure-related regulatory submission (e.g., breach notifications per GDPR / DPDP Act).
- URS-28 training must expose qualification-gate API for DevOps/SRE / DBA / DR Coordinator / secret rotation authority per DEC-35-19.
- URS-29 / URS-30 / URS-31 / URS-32 / URS-33 / URS-34 must consume secret store substrate per DEC-35-13.
- URS-30 Notifications must consume infrastructure critical alerts per DEC-35-20.
- URS-32 MIRA AI must emit `outcome_label` per URS-32 DEC-32-23 inbound to infrastructure records.

### 11.3 Risks

- Risk-35-01: Cloud provider availability. Mitigation: multi-region resilience per DR plan; vendor abstraction layer.
- Risk-35-02: Secret store provider availability impacts URS-29/-30/-31/-32 consumers. Mitigation: NFR-35-12 latency budget; failover patterns.
- Risk-35-03: Backup storage cost scaling. Mitigation: tiered storage strategy; retention policy enforcement.
- Risk-35-04: India DPDP Act 2023 + IT Act 2000 enforcement evolution. Mitigation: jurisdiction-specific advisory layer; legal assessment deferred.
- Risk-35-05: Reopen workflow gravity may delay urgent investigations. Mitigation: documented reopen SLA.

### 11.4 Out-of-scope risks tracked elsewhere

- All other URS modules.

### 11.5 Risk owner

Module-35 risk register owned by DevOps / SRE / Platform Engineering with quarterly review by **Information Security Head + DevOps / SRE Lead (Co-Primary Owners)** + QA Head + Validation Head + Qualified Person Authority.

### 11.6 Decision discipline

No Module 35 internal decisions outstanding.

### 11.7 Error Handling and Negative Paths

This section defines the controlled error envelope, the enumerated machine-code catalogue, and the negative-path response contract required for this module. The error envelope is the standard platform envelope (human message, machine code in upper-snake-case, optional structured details, correlation identifier). Errors are returned with the appropriate HTTP status; the UI surfaces inline errors at the field of cause where applicable, otherwise a controlled error toast or modal. Every error path is logged to the URS-06 audit substrate when the originating action is regulated; errors that occur before authentication are logged without `userId`. Audit-trail write failure on a state-changing action MUST cause the originating action to NOT commit (atomic write per URS-04 BR-04-15). The enumerated machine codes for this module's negative paths are defined alongside the corresponding lifecycle gates, segregation-of-duties controls, and authority-resolution outcomes throughout §6 (Back-end Requirements) and §13 (Segregation of Duties); engineering MUST surface every enumerated machine code through the standard envelope and MUST NOT swallow errors silently. Cross-module error propagation follows the §20 Cross-Module Event Contract.

---

## 12. Security

- SEC-35-01: Tenant isolation enforced at RLS where tenant-scoped.
- SEC-35-02: RBAC enforced on every route via `requirePermission(.)` using dedicated `infra:*` permission set.
- SEC-35-03: Authority resolution enforced on regulated final actions before HITL + e-signature.
- SEC-35-04: HITL decision capture enforced before bound e-signature persistence.
- SEC-35-05: Bound e-signature persistence via `electronic_signatures` substrate.
- SEC-35-06: PII redaction in logs.
- SEC-35-07: Audit-trail integrity via URS-06 hash chain; **`userId` mandatory per DEC-35-15**.
- SEC-35-08: AI-request provenance via `ai_requests`; **AI cannot advance regulated infrastructure action** per ARCH-AI-001; AI may draft advisory only.
- SEC-35-09: `platform_admin` / `super_admin` break-glass actions logged per DEC-35-23.
- SEC-35-10: Production startup gating per DEC-35-02 (env Zod validation + secret check).
- SEC-35-11: **Secret store substrate platform-wide per DEC-35-13**; live credentials never persisted in plain text.
- SEC-35-12: Secret rotation governed per DEC-35-14.
- SEC-35-13: Backup verification immutable per DEC-35-06.
- SEC-35-14: Restore release-to-service requires QP co-sign per DEC-35-07.
- SEC-35-15: India data residency per DPDP Act 2023 + IT Act 2000 per DEC-35-23.
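SEC-35-10 (with BR-35-01 and TC-35-U-001 / TC-35-U-002) requires the process to refuse to start in production when a required secret is absent or still carries a known test default, or when `COOKIE_SECURE` is not enabled. The block below is an added example, not the project's `config/env.ts`, and deliberately uses no schema library so the gate itself is visible. `COOKIE_SECURE` and `NODE_ENV` are the page's own; the other variable names, the test-default list and the minimum length are assumptions constructed here. The gate reports variable names only, never values, so its output can be logged without leaking a secret (SEC-35-06).

```typescript
// Added example, not the project's config/env.ts. Production startup gate per DEC-35-02
// (BR-35-01 / SEC-35-10). REQUIRED_SECRETS other than COOKIE_SECURE, KNOWN_TEST_DEFAULTS
// and MIN_SECRET_LENGTH are assumptions constructed for this example.

type Env = Readonly<Record<string, string | undefined>>;

const REQUIRED_SECRETS = ["JWT_SECRET", "SESSION_SECRET", "ENCRYPTION_KEY"] as const;       // assumed names
const KNOWN_TEST_DEFAULTS = new Set(["changeme", "secret", "test-secret", "dev-secret", "password"]); // constructed
const MIN_SECRET_LENGTH = 32;                                                                // assumed policy

type ProblemKind = "missing" | "test_default" | "too_short" | "insecure_cookie_flag";

interface StartupProblem {
  variable: string;   // name only; the value is never copied into the report
  kind: ProblemKind;
}

interface StartupGate {
  ok: boolean;
  code?: "INFRA_PRODUCTION_STARTUP_BLOCKED";   // §6.7, HTTP 503
  problems: StartupProblem[];
}

function checkProductionEnv(env: Env): StartupGate {
  const problems: StartupProblem[] = [];
  if (env.NODE_ENV !== "production") return { ok: true, problems };   // the gate is production-only

  for (const name of REQUIRED_SECRETS) {
    const value = env[name];
    if (value === undefined || value.trim() === "") {
      problems.push({ variable: name, kind: "missing" });
      continue;
    }
    if (KNOWN_TEST_DEFAULTS.has(value.trim().toLowerCase())) {   // case-insensitive: "ChangeMe" is still a default
      problems.push({ variable: name, kind: "test_default" });
      continue;
    }
    if (value.length < MIN_SECRET_LENGTH) problems.push({ variable: name, kind: "too_short" });
  }
  if (env.COOKIE_SECURE !== "true") problems.push({ variable: "COOKIE_SECURE", kind: "insecure_cookie_flag" }); // TC-35-U-002

  return problems.length === 0
    ? { ok: true, problems }
    : { ok: false, code: "INFRA_PRODUCTION_STARTUP_BLOCKED", problems };
}

// Called once at bootstrap before the server listens; throwing makes the process exit non-zero.
function assertProductionStartup(env: Env): void {
  const gate = checkProductionEnv(env);
  if (!gate.ok) {
    const summary = gate.problems.map(p => `${p.variable}:${p.kind}`).join(", ");
    throw new Error(`INFRA_PRODUCTION_STARTUP_BLOCKED ${summary}`);
  }
}
```

The check runs before any route is mounted, so a misconfigured production instance never answers `/api/v1/health/ready`; the readiness endpoint therefore only ever reports on an instance that passed the gate.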

---

## 13. Segregation of Duties

| SoD ID | Constraint |
|---|---|
| SoD-35-01 | The Backup Verification authority MUST be SoD-distinct from the original Backup Executor. |
| SoD-35-02 | The Restore Approval authority MUST NOT be the Restore Execution operator (DB-level constraint where applicable). |
| SoD-35-03 | The Restore Verification authority MUST NOT be the Restore Execution operator. |
| SoD-35-04 | The Restore Release-to-Service authority (Qualified Person per DEC-35-07) MUST NOT be the Restore Verification authority. |
| SoD-35-05 | The DR Test Verification authority MUST NOT be the DR Test Execution operator. |
| SoD-35-06 | The reopen co-signers (executive AND Qualified Person per DEC-35-22) MUST NOT be the original lock signer. |
| SoD-35-07 | The `platform_admin` / `super_admin` support / break-glass action MUST NOT be a regulated production action; logged and reviewed per DEC-35-23. |

---

## 14. Regulatory Mapping

| Predicate rule | Section | Module 35 binding |
|---|---|---|
| **FDA 21 CFR Part 11** §11.10(a)/(d)/(e) | E-records | URS-35-VAL-008 + bound e-sign + audit-trail; **attributable per DEC-35-15** |
| **FDA 21 CFR Part 11 §11.30** | Open systems controls including encryption + digital signature + appropriate controls | Production startup gating + secret-store + bound e-sign per DEC-35-02 / DEC-35-13 / DEC-35-11 |
| **EU GMP Annex 11 §4** | Validation | URS-35-VAL-008 |
| **EU GMP Annex 11 §7** | Data Storage including backup/restore — primary EU predicate | Backup + restore lifecycle per DEC-35-05 / DEC-35-06 / DEC-35-07 |
| **EU GMP Annex 11 §9** | Audit Trails | Audit-trail substrate |
| **EU GMP Annex 11 §12** | Security including credential governance | Secret store substrate per DEC-35-13 |
| **EU GMP Annex 11 §14** | Electronic Records / Signatures | Bound e-signature on every regulated final action |
| **EU GMP Annex 11 §16** | Incident Management | URS-21 finding emission + URS-18 CAPA escalation |
| EU GMP Annex 22 Draft 2025 | §7 — HITL / GenAI prohibition | Internal forward-looking control |
| EU AI Act (Regulation 2024/1689) | Annex III + Articles 13/14 | Adopted as internal forward-looking AI governance |
| **MHRA Data Integrity Guidance** | ALCOA+ | Backup/restore essential for record retention |
| GAMP 5 Cat 5 | Custom-application validation lifecycle | URS-35 validation evidence pack |
| **PIC/S PI 041** | Data Integrity including backup/restore controls | Primary international harmonization |
| **WHO TRS** quality system expectations | Computerised system substrate | WHO scope |
| **ICH Q9 R1** | Quality Risk Management | Risk-precipitated infrastructure control |
| **ICH Q10** | Pharmaceutical Quality System | Quality system foundation |
| **FDA Computer Software Assurance (CSA) — September 2025** | Risk-based validation for infrastructure | URS-35 risk-based validation aligned with CSA |
| **ISO/IEC 27001** | Information security including backup/restore + secret management | Primary international standard |
| **ISO/IEC 27002** | Security controls | Information security controls |
| **ISO 22301** | Business continuity / DR | DR plan + DR test per DEC-35-08 |
| **NIST SP 800-34** | Contingency Planning | DR planning per DEC-35-08 |
| **HIPAA Security Rule §164.308(a)(7)** | Contingency Plan | DR + backup + restore per DEC-35-07 / DEC-35-08 |
| **GDPR Article 32** | Security of processing including backup | Backup + restore + secret store + breach notification per DEC-35-05 / DEC-35-13 |
| **India CDSCO Schedule M (Revised) §16** | Records and Reports — applicable to infrastructure record retention | India operations subject to a future jurisdiction-specific legal assessment |
| **India IT Act 2000** | Information Technology Act | India IT scope |
| **India DPDP Act 2023** | Digital Personal Data Protection Act | India data residency / backup per DEC-35-23 |

---

## 15. Code Modules

| Code module | Path | Status |
|---|---|---|
| `infrastructure` plugin | `packages/backend/src/modules/infrastructure/plugin.ts` | |
| `infrastructure` routes | `packages/backend/src/modules/infrastructure/routes.ts` | (routes added per §6.3) |
| `infrastructure` service | `packages/backend/src/modules/infrastructure/service.ts` | (attributable audit per DEC-35-15; URS-28 qualification consumer; restore/DR/secret-rotation services) |
| `infrastructure` schemas | `packages/backend/src/modules/infrastructure/schemas.ts` | |
| `infrastructure` events | `packages/backend/src/modules/infrastructure/events.ts` | target route |
| `infrastructure` secret-store-resolver | `packages/backend/src/modules/infrastructure/secret-store-resolver.ts` | per DEC-35-13 |
| `infrastructure` restore-orchestrator | `packages/backend/src/modules/infrastructure/restore-orchestrator.ts` | per DEC-35-07 |
| `infrastructure` dr-test-engine | `packages/backend/src/modules/infrastructure/dr-test-engine.ts` | per DEC-35-08 |
| `health` routes | `packages/backend/src/modules/health/health.routes.ts` | (extended readiness per DEC-35-03) |
| `config/env` | `packages/backend/src/config/env.ts` | retained per DEC-35-02 |
| Migration | `packages/backend/src/db/migrations/.` | (per §9.2) |
| Shared types | `packages/shared/src/types/infrastructure.ts` | |
| Shared schemas | `packages/shared/src/schemas/infrastructure.schema.ts` | |
| Frontend hooks | `packages/frontend/src/api/hooks/useInfrastructure.ts` | |
| Frontend dashboard | `packages/frontend/src/pages/admin/InfrastructureDashboard.tsx` | (UI for create-backup-schedule + rollback + restore + DR + DLQ per DEC-35-10) |
| Frontend backup management | `packages/frontend/src/pages/admin/BackupManagementConsole.tsx` | per DEC-35-05 / DEC-35-10 |
| Frontend backup verification | `packages/frontend/src/pages/admin/BackupVerificationConsole.tsx` | per DEC-35-06 |
| Frontend restore console | `packages/frontend/src/pages/admin/RestoreConsole.tsx` | per DEC-35-07 |
| Frontend DR test console | `packages/frontend/src/pages/admin/DRTestConsole.tsx` | per DEC-35-08 |
| Frontend deployment console | `packages/frontend/src/pages/admin/DeploymentConsole.tsx` | per DEC-35-04 / DEC-35-10 |
| Frontend offline queue + DLQ console | `packages/frontend/src/pages/admin/OfflineQueueDLQConsole.tsx` | per DEC-35-09 |
| Frontend secret store console | `packages/frontend/src/pages/admin/SecretStoreConsole.tsx` | per DEC-35-13 / DEC-35-14 |
| Frontend health status console | `packages/frontend/src/pages/admin/HealthStatusConsole.tsx` | per DEC-35-03 |
| Frontend infrastructure metrics dashboard | `packages/frontend/src/pages/admin/InfrastructureMetricsDashboard.tsx` | per DEC-35-21 |

---

## 16. Test Cases

### 16.1 Unit tests

- TC-35-U-001: Production startup blocked with test-default secret per DEC-35-02.
- TC-35-U-002: Production startup blocked with `COOKIE_SECURE = false` per DEC-35-02.
- TC-35-U-003: Extended readiness classifies dependencies as `healthy` / `degraded` / `unavailable` per DEC-35-03.
- TC-35-U-004: Rollback execution without `infra_rollback_authority` rejected per DEC-35-04 / DEC-35-11.
- TC-35-U-005: Rollback execution without URS-28 qualification rejected with `INFRA_AUTHORITY_QUALIFICATION_GATE_FAILED` per DEC-35-19.
- TC-35-U-006: Backup verification without checksum / manifest / restore-test evidence rejected with `INFRA_BACKUP_VERIFICATION_EVIDENCE_REQUIRED` per DEC-35-06.
- TC-35-U-007: Backup verification modification post-write rejected with `INFRA_BACKUP_VERIFICATION_IMMUTABLE` per DEC-35-06.
- TC-35-U-008: Restore release-to-service without QP co-sign rejected with `INFRA_RESTORE_RELEASE_QP_COSIGN_REQUIRED` per DEC-35-07.
- TC-35-U-009: DR test with actual RTO > target emits URS-21 finding + URS-18 CAPA per DEC-35-08 / DEC-35-17 / DEC-35-18.
- TC-35-U-010: DR test with actual RPO > target emits URS-21 + URS-18 per DEC-35-08.
- TC-35-U-011: Audit-trail write with blank `userId` rejected with `INFRA_AUDIT_USER_ID_REQUIRED` per DEC-35-15.
- TC-35-U-012: Secret rotation without `infra_secret_rotation_authority` rejected per DEC-35-14.
- TC-35-U-013: AI service attempting infrastructure action rejected with `INFRA_AI_AS_AUTHORITATIVE_PROHIBITED` per DEC-35-16.
- TC-35-U-014: Reopen without executive AND QP co-sign rejected per DEC-35-22.

### 16.2 Integration tests

- TC-35-I-001 through TC-35-I-011: Worked Examples 1–11 end-to-end.
- TC-35-I-012: Cross-module secret store consumption verified (URS-29 / URS-30 / URS-31 / URS-32 mocks).
- TC-35-I-013: Cross-module event emission verified (URS-12, URS-13, URS-18, URS-21, URS-22, URS-26, URS-28, URS-30, URS-32).

### 16.3 End-to-end tests

- TC-35-E-001 through TC-35-E-011: Worked Examples 1–11.
- TC-35-E-012: India data residency scenario per DEC-35-23.

### 16.4 Performance tests

- TC-35-P-001: Health endpoints p95 latency (NFR-35-02).
- TC-35-P-002: Extended readiness p95 latency (NFR-35-03).
- TC-35-P-003: Backup verification p95 latency (NFR-35-04).
- TC-35-P-004: Restore approval p95 latency (NFR-35-05).
- TC-35-P-005: Bound e-signature p95 latency (NFR-35-10).
- TC-35-P-006: Secret store resolution p95 latency (NFR-35-12).

### 16.5 Security tests

- TC-35-S-001: Cross-tenant access rejected by RLS.
- TC-35-S-002: Missing RBAC rejected.
- TC-35-S-003: Missing Authority Profile rejected.
- TC-35-S-004: Missing HITL rejected.
- TC-35-S-005: Missing bound e-signature rejected.
- TC-35-S-006: SQL injection rejected.
- TC-35-S-007: Audit-trail UPDATE / DELETE rejected.
- TC-35-S-008: AI service attempting authoritative infrastructure action rejected per DEC-35-16.
- TC-35-S-009: PII redaction in logs verified.
- TC-35-S-010: Blank `userId` in audit rejected per DEC-35-15.
- TC-35-S-011: Production startup with test-default secrets rejected per DEC-35-02.
- TC-35-S-012: Backup verification tampering rejected (immutable post-write).
- TC-35-S-013: India data residency enforcement.

---

## 17. Validation Evidence

### 17.1 URS-35-VAL-001: Requirements traceability matrix

Complete RTM mapping every URS-35 requirement (DEC-35-01..DEC-35-23, BR-35-01..BR-35-24, NFR-35-01..NFR-35-12, SoD-35-01..SoD-35-07, SEC-35-01..SEC-35-15) to test cases and code modules.

### 17.2 URS-35-VAL-002: Design qualification (DQ)

Architecture, data model, API contract, workflow, business rules, audit trail, security, integration; signed by Validation Head, QA Head, **Information Security Head (Co-Primary Owner)**, **DevOps / SRE Lead (Co-Primary Owner)**, RA Head, Manufacturing Head, Qualified Person Authority.

### 17.3 URS-35-VAL-003: Installation qualification (IQ)

Migration application + RLS verification + route mount verification + frontend hook resolution + secret store integration verification.

### 17.4 URS-35-VAL-004: Operational qualification (OQ)

Happy-path execution of every test case with evidence captures.

### 17.5 URS-35-VAL-005: Performance qualification (PQ)

NFR-35-01..NFR-35-12 verification.

### 17.6 URS-35-VAL-006: AI/ML governance evidence

Per ARCH-AI-001: (a) MIRA read-only context with `mira_outcome_label` per URS-32 DEC-32-23 inbound; (b) AI advisory drafting only; (c) **AI cannot detect / triage / recover / restore / verify / approve / close any infrastructure event** verification per DEC-35-16; (d) Annex 22 §7 + EU AI Act Annex III internal forward-looking control compliance evidence.

### 17.7 URS-35-VAL-007: Regulatory mapping evidence

FDA 21 CFR Part 11 §§11.10(a)/(d)/(e), 11.30; **EU GMP Annex 11 §§4, 7, 9, 12, 14, 16** primary EU predicate; Annex 22 Draft 2025 §7; EU AI Act Art. 13 / 14 / Annex III; MHRA Data Integrity (ALCOA+); GAMP 5 Cat 5; **PIC/S PI 041**; WHO TRS quality system; ICH Q9 R1, Q10; **FDA CSA September 2025**; **ISO/IEC 27001 + 27002**; **ISO 22301**; **NIST SP 800-34**; **HIPAA §164.308(a)(7)**; **GDPR Article 32**; **India CDSCO Schedule M (Revised) §16 + IT Act 2000 + DPDP Act 2023**.

### 17.8 URS-35-VAL-008: Migration evidence gate

Per §9.3.

### 17.9 URS-35-VAL-009: Signature manifest

QA Head, **Information Security Head (Co-Primary Owner)**, **DevOps / SRE Lead (Co-Primary Owner)**, Manufacturing Head, RA Head, Validation Head, Qualified Person Authority, Site Quality Lead, Founder / Chairman & MD per §19.

### 17.10 URS-35-VAL-010: Post-launch periodic-review pack

(a) Infrastructure metrics (uptime, backup success rate, restore success rate, DR test success rate, deployment frequency, rollback rate, secret rotation compliance); (b) attributable audit verification; (c) typed schema enforcement; (d) backup verification compliance; (e) restore release-to-service QP co-sign compliance; (f) DR RTO/RPO target compliance; (g) AI-assistance acceptance rate; (h) reopen-event audit; (i) cross-tenant break-glass audit; (j) cross-module event integrity (especially secret store consumption by URS-29/-30/-31/-32); periodic review at quarterly cadence by Information Security Head + DevOps/SRE Lead + QA Head + Validation Head + Qualified Person Authority.

---

## 18. Document Change History

| Version | Date | Author | Change Summary |
|---|---|---|---|
| 1.0 | 2026-05-07 | Founder Doctrine — Verixa URS Cell | First issued user requirements specification for Module 35. |

---

## 19. Document Approval

| Role | Name | Signature | Date |
|---|---|---|---|
| Founder / Chairman & MD | Vimal | __________ | __________ |
| QA Head | __________ | __________ | __________ |
| Information Security Head (Co-Primary Owner) | __________ | __________ | __________ |
| DevOps / SRE Lead (Co-Primary Owner) | __________ | __________ | __________ |
| Manufacturing Head | __________ | __________ | __________ |
| RA Head | __________ | __________ | __________ |
| Validation Head | __________ | __________ | __________ |
| Qualified Person Authority | __________ | __________ | __________ |
| Site Quality Lead | __________ | __________ | __________ |

---

## 20. Cross-Module Event Contract

| Event | Emitter | Consumer | Payload key fields |
|---|---|---|---|
| `infra_health_check_recorded` | Module 35 | URS-30 (per dependency degradation per DEC-35-20) | `health_check_id`, `dependency_classifications_json` |
| `infra_deployment_recorded` | Module 35 | URS-30 | `deployment_id`, `environment`, `version`, `deployed_by` |
| `infra_rollback_recorded` | Module 35 | URS-30, URS-21 (per DEC-35-04) | `rollback_id`, `rollback_target_version`, `rollback_e_signature_id` |
| `infra_backup_executed` | Module 35 | URS-30 | `backup_log_id`, `status` |
| `infra_backup_verified` | Module 35 | URS-30 | `backup_verification_id`, `verified_by`, `verification_e_signature_id` |
| `infra_backup_failed` | Module 35 | URS-30 (mandatory alert per DEC-35-20), URS-21 | `backup_log_id`, `failure_reason` |
| `infra_restore_requested` | Module 35 | URS-30 | `restore_id`, `requested_by` |
| `infra_restore_approved` | Module 35 | URS-30 | `restore_id`, `approved_by`, `approval_e_signature_id` |
| `infra_restore_executed` | Module 35 | URS-30 | `restore_id`, `executed_by` |
| `infra_restore_verified` | Module 35 | URS-30 | `restore_id`, `verified_by`, `verification_e_signature_id` |
| `infra_restore_released_to_service` | Module 35 | URS-30 (mandatory alert) | `restore_id`, `released_to_service_by` (QP per DEC-35-07), `release_e_signature_id` |
| `infra_dr_test_executed` | Module 35 | URS-30 | `dr_test_id`, `actual_rto_minutes`, `actual_rpo_minutes` |
| `infra_dr_test_verified` | Module 35 | URS-30, URS-21 (if RTO/RPO miss per DEC-35-08) | `dr_test_id`, `rto_within_target`, `rpo_within_target`, `verified_by`, `verification_e_signature_id` |
| `infra_offline_queue_processed` | Module 35 | URS-30 | `queue_item_id`, `target_consumer` |
| `infra_offline_queue_dlq` | Module 35 | URS-30, URS-21 (if stale per DEC-35-09) | `dlq_item_id`, `error_class` |
| `infra_secret_rotation_completed` | Module 35 | URS-30 (mandatory alert), URS-29 / URS-30 / URS-31 / URS-32 (consumers refresh credential cache per DEC-35-14) | `rotation_id`, `secret_path`, `rotated_by`, `rotation_e_signature_id`, `affected_modules` |
| `infra_finding_created` | Module 35 | **URS-21 (Findings — primary consumer)** | `finding_id` (URS-21), `severity`, `finding_type` |
| `infra_capa_linked` | Module 35 | **URS-18 (CAPA — primary consumer)** | `capa_id`, `linked_by`, `source_type = infra_operational_resilience` |
| `infra_program_locked` | Module 35 | URS-30 | `program_lock_id`, `locked_by`, `lock_e_signature_id` |
| `infra_program_reopened` | Module 35 | URS-30, URS-21 | `program_lock_id`, `reopened_by`, `executive_co_signer`, `qp_co_signer`, `reopen_reason` |
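The contract table above is what an emitter has to honour before a record reaches the event bus. As an added illustration (not Verixa project code), the following TypeScript models three rows of that table and refuses to dispatch an event whose key fields are absent; it assumes that the URS-29/-30/-31/-32 fan-out for `infra_secret_rotation_completed` is derived from the `affected_modules` field per DEC-35-14.

```typescript
// Added example, not Verixa project code: checks an outbound event against the
// section 20 contract before dispatch. Event names, key fields and consumers
// come from the table; the DEC-35-14 fan-out from affected_modules is assumed.
type InfraEvent =
  | 'infra_backup_failed'
  | 'infra_restore_released_to_service'
  | 'infra_secret_rotation_completed';

interface ContractRow {
  consumers: string[];
  requiredKeys: string[];
  mandatoryAlert: boolean; // rows marked "mandatory alert" for URS-30
}

// Three rows of the contract table; the remaining rows follow the same shape.
const CONTRACT: Record<InfraEvent, ContractRow> = {
  infra_backup_failed: {
    consumers: ['URS-30', 'URS-21'],
    requiredKeys: ['backup_log_id', 'failure_reason'],
    mandatoryAlert: true,
  },
  infra_restore_released_to_service: {
    consumers: ['URS-30'],
    requiredKeys: ['restore_id', 'released_to_service_by', 'release_e_signature_id'],
    mandatoryAlert: true,
  },
  infra_secret_rotation_completed: {
    consumers: ['URS-30'],
    requiredKeys: ['rotation_id', 'secret_path', 'rotated_by',
                   'rotation_e_signature_id', 'affected_modules'],
    mandatoryAlert: true,
  },
};

interface Dispatch { ok: boolean; missing: string[]; consumers: string[]; alert: boolean }

// An empty string or empty array counts as missing: an e-signature id of ''
// must not pass as "present".
function isPresent(v: unknown): boolean {
  return v !== undefined && v !== null && v !== '' && !(Array.isArray(v) && v.length === 0);
}

// Returns the fan-out plan, or ok=false with the missing key fields so the
// caller refuses to emit instead of putting a partial record on the bus.
function planDispatch(name: InfraEvent, payload: Record<string, unknown>): Dispatch {
  const row = CONTRACT[name];
  const missing = row.requiredKeys.filter(k => !isPresent(payload[k]));
  if (missing.length > 0) return { ok: false, missing, consumers: [], alert: false };
  const consumers = new Set<string>(row.consumers);
  if (name === 'infra_secret_rotation_completed') {
    for (const m of payload.affected_modules as string[]) consumers.add(m); // DEC-35-14
  }
  return { ok: true, missing: [], consumers: Array.from(consumers).sort(), alert: row.mandatoryAlert };
}
```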

---

## 21. References

- ARCH-AI-001 — AI Optionality and Manual Continuity (canonical binding architecture)
- VRX-SPEC-URS-035-Infrastructure-Backup-Restore-Operational-Resilience.md (Module specification)
- URS-01 to URS-34 (cross-module contracts — every regulated module depends on Module 35)
- **FDA 21 CFR Part 11** §§11.10(a)/(d)/(e), 11.30
- **EU GMP Annex 11** §§4, 7, 9, 12, 14, 16 — primary EU predicate
- EU GMP Annex 22 (Draft 2025) §7 — internal forward-looking control
- EU AI Act (Regulation 2024/1689) Annex III + Articles 13/14 — internal forward-looking control
- **MHRA Data Integrity Guidance (2018)** — ALCOA+
- GAMP 5 Cat 5
- **PIC/S PI 041** — Data Integrity including backup/restore
- **WHO TRS** quality system expectations
- **ICH Q9 R1** — Quality Risk Management
- **ICH Q10** — Pharmaceutical Quality System
- **FDA Computer Software Assurance (CSA) — September 2025 Final Guidance**
- **ISO/IEC 27001** — information security
- **ISO/IEC 27002** — security controls
- **ISO 22301** — business continuity / DR
- **NIST SP 800-34** — Contingency Planning
- **HIPAA Security Rule §164.308(a)(7)** — Contingency Plan
- **GDPR Article 32** — Security of processing including backup
- **India CDSCO Schedule M (Revised) §16**
- **India IT Act 2000**
- **India DPDP Act 2023** — Digital Personal Data Protection Act

---

**END OF VRX-URS-35 — INFRASTRUCTURE / BACKUP / RESTORE / OPERATIONAL RESILIENCE — VERSION 1.0**

**END OF 35-MODULE VERIXA TARGET-STATE URS PACK — Modules 1 through 35 complete.**
