# Verixa Demo Execution Test Pack — 6+1 Workflows

**Companion to:** `Verixa_Demo_Scenario_and_EndUser_AcceptanceCriteria_6plus1.md`
**Purpose:** the *how-to-run-and-test* pack so engineering/QA can execute, rehearse, and evidence the demo **without re-interpretation**.
**Audience:** Head of QA (acceptance), FE/BE engineering (setup), Founder (narration), CSV/Validation (evidence review).
**Branch:** `dev-vimal-deploy` · **SHA at authoring:** `cc6e6157` · **Date:** 2026-06-10
**Status:** **Draft / blockers open / not executed / not approved.** This is a *target* execution plan, not an executed test record. Nothing herein is "validated" or "passed" until QA executes it against a deployed build and dispositions the evidence.

---

## Revision Gate — close ALL before the pack is used for rehearsal

| Gate | Must be closed | State |
|---|---|---|
| Persona alignment | Scenario Part A and this pack use the **same** roles: **Ravi = QA Reporter; Meera = QA Investigator + RCA/CAPA/SOP author; Anand = QA Approver/closer/evidence/inspection (+ executive co-sign)** | **Closed in this revision** |
| Workflow order | Runbook order matches Part A story: **Deviation → RCA → CAPA → Document Control → AI Gov Evidence → Inspection Readiness → MIRA** | **Closed in this revision** |
| Authority map | Exact authority-profile names/IDs filled per persona (§2.1) | `«execution-captured»` — fill before run |
| Email domains | Real seeded logins are `@acme.com`/`@beta.com`; for external evidence packs, seed demo-safe `*.example.test` aliases (§2 note) | Decision required before evidence capture |
| Critical records | Closed deviation (DV-9), closed CAPA linked to critical deviation (DV-12), title-only SOP (DC-10), MBR negative (DC-9) confirmed/seeded (§3) | `[VERIFY]` — confirm in setup |
| Evidence basis | Direct repo paths to migrations/modules listed (Appendix A) | **Closed in this revision** (paths; URL prefix `«execution-captured»`) |
| Load-bearing pre-flight | DC-7, DC-10, DV-4a, DV-7, CA-7, CA-8, EV-1a, EV-4, IR-5 each **PASS or on the cut list** | Run at rehearsal (§10) |

---

## 0. Evidence-grounding & discipline note (read first)

This pack distinguishes three kinds of cell so no one mistakes a placeholder for a fact:

| Marker | Meaning |
|---|---|
| **plain value** | Grounded in repo evidence on `dev-vimal-deploy` (named seed migration / module / column). Cited. |
| `«execution-captured»` | A runtime fact that **must be filled by the person who deploys/runs the demo** (live URL, password, generated record ID, build timestamp, screenshot hash). Do **not** invent it. |
| `[VERIFY]` | Derivable but **not yet confirmed against code** in this pass — the tester confirms before relying on it (e.g., exact authority-profile name, exact route slug). |

**Authority model — important:** the end-user AC doc writes permissions as `documents:create`, `deviations:create`, etc. That notation is **illustrative**. On `dev-vimal-deploy` the control is **authority-profile based** (module `authority/`, profiles seeded by migrations 310/319/334/336/329/207/236), **not** `requirePermission('x:y')` literal strings (grep for that pattern returned none in these modules). The matrix therefore names the **seeded authority profile** and tags the exact label `[VERIFY]` where unconfirmed. Engineering must map persona → authority profile during setup (§2), not assume a string.

---

## 1. Environment baseline & build manifest

| Field | Value |
|---|---|
| Demo environment URL | `«execution-captured»` (record the exact deployed URL) |
| Branch | `dev-vimal-deploy` |
| Build / commit SHA deployed | `«execution-captured»` (authoring SHA was `cc6e6157`; capture the **deployed** SHA) |
| Build timestamp | `«execution-captured»` |
| Demo tenant | **Acme** — tenant UUID `f47ac10b-58cc-4372-a567-0e02b2c3d479` (per mig 072) |
| Seed set applied | see §3 (named migrations) — record **applied migration high-water mark** `«execution-captured»` |
| Browser / resolution for capture | `«execution-captured»` (fix one, e.g. Chrome 1920×1080, for consistent screenshots) |
| Reset method | see §8 |
| Region setting of demo tenant | **Unknown — evidence required.** `gxp_alignment`/region attribute is **not implemented** on branch (finding F1, SPEC_ONLY). For the demo the EU gate is **narrated only**; **no region toggle shall be exercised** unless implemented and verified. Do not state a concrete region value as if live. |

> Capture the deployed SHA and migration high-water mark **before** rehearsal. If they differ from the rehearsed build, re-run the go/no-go (§10).

---

## 2. Demo users & authority profiles (deterministic logins)

Roles below are **aligned to scenario Part A** (canonical). **Passwords are not in source and must be set/reset at deploy** — record them in a controlled location, never in this file.

> **Email-domain note:** the seeded logins are `@acme.com` / `@beta.com` (real seed values in `db/seeds/002_seed_test_data.ts` — used verbatim here so logins match). For any **external** evidence pack or screenshot leaving the building, prefer non-routable demo-safe aliases (`*.example.test`). That requires a **demo-safe alias seed** (a setup action), **not** an edit to this pack — do not rename a login here that doesn't exist in the seed.

### 2.0 Demo personas (appear in the client walkthrough)

| Persona (Part A) | Login (seeded) | Role | Does (per Part A) | Authority profile(s) to confirm | Password |
|---|---|---|---|---|---|
| **Ravi** — QA Reporter | `reviewer@acme.com` | `reviewer` | Raises the deviation; **selects classification + severity himself**. Triggers reporter≠investigator SoD. | deviation **create/report** profile (mig 310) `[VERIFY exact name]` | `«execution-captured»` |
| **Meera** — QA Investigator + RCA/CAPA/SOP **author** | `lead@acme.com` | `quality_lead` | Investigates; authors RCA (uses MIRA); authors CAPA + effectiveness criteria; uploads/edits revised SOP. **Blocked from approving/closing her own work.** | deviation investigator + RCA author + CAPA author + document author (mig 310/319/334) `[VERIFY]` | `«execution-captured»` |
| **Anand** — QA Approver / closer / evidence / inspection | `«execution-captured»` (confirm Acme account with **approver/closer + executive** authority — candidate `admin@acme.com`) `[VERIFY]` | `admin`/`executive` | Approves SOP/RCA/CAPA; closes deviation/CAPA; **executive co-sign** on critical close; generates evidence pack; assembles inspection readiness. | approver/closer + evidence-pack + inspection-readiness + executive co-sign (mig 329/274/207) `[VERIFY]` | `«execution-captured»` |

### 2.1 Pre-flight authority map (fill before run — execution-captured)

| Persona | Exact authority profile ID/name | Expected (positive) authorities | Must NOT hold (negative) |
|---|---|---|---|
| Ravi | `«fill»` | deviation create/report | RCA/CAPA approve; close; evidence-pack; executive |
| Meera | `«fill»` | investigate, RCA author, CAPA author, SOP author/upload | approve/close **own** record; executive co-sign |
| Anand | `«fill»` | approve, close, evidence-pack, inspection-readiness, executive co-sign | author/investigate the records he approves |
| Viewer | `«fill»` | read only | any create/approve/close/evidence |

### 2.2 QA-only negative-test users (NOT demo personas — never shown to the client)

| User | Login | Used only to prove |
|---|---|---|
| No-permission | `viewer@acme.com` (`viewer`) | disabled controls / no authority (DC-2, DV-2, RC-2, CA-2, EV-2, IR-2) |
| Cross-tenant | `admin@beta.com` (Beta admin) | Acme records unreachable (tenant isolation) |
| Auditor (optional) | `auditor@acme.com` | read/inspection path if a separate read role is needed |

**SoD setup rule (actor-vs-record, not account-capability):** **no actor may approve, review, close, or effectiveness-check a record they authored, created, investigated, or are otherwise conflicted on.** The SoD blocks (DC-7, DV-7, RC-6, CA-7, CA-8) fire only if the conflicted actor is the one attempting the second step — confirm **Ravi ≠ Meera ≠ Anand** on each record under test.

> **Critical-close note (DV-12):** critical closure requires an **executive co-sign by an authority distinct from the author/investigator (Meera).** If tenant SoD config also requires executive ≠ closer, seed a 4th executive account `«execution-captured»`; otherwise Anand provides the executive co-sign as approver-closer-executive. Decide and record before run.

---

## 3. Deterministic test data inventory (named, seeded)

All grounded in real demo-seed migrations on `dev-vimal-deploy`. Record actual generated IDs at run time where marked.

| Data | Seeded record(s) | Source migration | Run-time ID |
|---|---|---|---|
| Controlled documents | **SOP-001 Cold Storage Monitoring** (UUID `d0c00001-…-0001`), **WI-042 Batch Record Completion** (`…-0002`), **REG-005 FDA 21 CFR Part 211 Checklist** (`…-0003`), **POL-012 Deviation Management Policy** (`…-0004`) | `072_seed_test_documents.sql` | fixed UUIDs |
| Demo SOP for MIRA review | **[DEMO] SOP-MFG-047 Aseptic Fill Operation** | `323_seed_demo_rca_findings_inspection_documents.sql` | `«capture»` |
| MBR / batch record (negative for DC-9) | **WI-042 Batch Record Completion** (use as the "AI review not permitted for this type" target) `[VERIFY type=batch/MBR gate]` | `072` / `219_seed_mbr_ipc_parameters.sql` | `…-0002` |
| Deviations (ref `DEV-{yr}-DEMO-{n}`) | **(1) Aseptic Fill Line Temperature Excursion** (investigating, Manufacturing); **(2) LIMS Data Entry Error — Incorrect Batch Number** (Quality Control); **(3) SOP-MFG-047 Out-of-Date Revision Used** (**critical**, Document Control) | `263_seed_demo_deviations_and_capas.sql` | `«capture»` |
| CAPAs | **Corrective Action: Fill Line Temperature Control Improvement** (corrective); **Preventive Action: LIMS Batch Number Validation Rule** (preventive) | `263` | `«capture»` |
| RCAs (ref `RCA-{yr}-DEMO-{n}`) | **RCA: Aseptic Fill Line Temperature Excursion** (in_progress); **RCA: LIMS Batch Number Transposition** (approved) | `323` | `«capture»` |
| Findings | **Gowning logbook entries missing secondary verification**; **Calibration label past due on balance BAL-07** | `323` | `«capture»` |
| Inspection event (ref `INSP-{yr}-DEMO-{n}`) | Internal QA inspection, in_progress | `323` | `«capture»` |
| Demo e-signatures / HITL / escalation | signatures on demo deviation; HITL decisions; escalated decision | `272`, `266/267`, `271` | `«capture»` |
| Workflow templates | Phase-1 SOP+RCA templates; demo effective template; AI-gov evidence template | `306`, `264`, `303` | seeded |
| **Out-of-scope route (IR-5 negative)** | seeded **batch + OOS linked** records — the Phase-3 out-of-scope path that must be **unreachable** in the demo tenant | `378_seed_demo_batch_oos_linked.sql` | n/a — must be hidden |

### 3.1 Negative/edge records — explicit setup steps (load-bearing — do not leave vague)

| For AC | Record needed | Setup step | Confirm |
|---|---|---|---|
| DV-9 (post-closure immutability) | a **closed** deviation | Verify a closed-state demo deviation exists; if not, in setup take **deviation 2 (LIMS)** through to closed state and use it for DV-9 | `«capture closed-deviation ID»` |
| DV-12 (critical close needs linked closed CAPA) | **deviation 3 (critical, SOP-MFG-047)** + a **closed CAPA linked to it** | The two seeded CAPAs (mig 263) link to deviation 1 (fill-line) and deviation 2 (LIMS). In setup, **create/confirm a CAPA linked to deviation 3 and drive it to closed**, or re-link a seeded CAPA — DV-12 cannot pass without a closed linked CAPA | `«capture critical-dev ID + linked closed-CAPA ID»` |
| DC-10 (empty-text honesty) | a **title-only** document (no extractable body) | Seed/create a document with title+type only, no body text; run MIRA review against it | `«capture title-only doc ID»` |
| DC-9 (AI review refused on batch/MBR) | a **batch record / MBR** | Use **WI-042** *if* it is gated as batch/MBR `[VERIFY type-gate]`; if WI-042 is not gated, use a seeded **MBR from mig 219_seed_mbr_ipc_parameters.sql**; if neither is gated, **cut DC-9** | `«capture MBR record ID + gate result»` |
| DC-2/DV-2/RC-2/CA-2/EV-2/IR-2 (no authority) | no-permission user | `viewer@acme.com` (§2.2) | seeded |
| IR-5 (out-of-scope unreachable) | OOS/batch route | mig 378 records present **but hidden** | seeded; confirm hidden |
| Tenant isolation | cross-tenant | `admin@beta.com` (§2.2) | seeded |

---

## 4. Demo Execution Matrix

Columns: **AC** · **User** · **Authority needed** · **Preloaded record** · **Navigation** · **Action** · **Expected result** · **Evidence to capture** · **Owner** · **Status** · **Pass/Fail rule**.
Navigation slugs are `[VERIFY]` against the deployed route table. Evidence file convention in §5. Owner legend in §11.

### 4.1 Document Control

| AC | User | Authority needed | Preloaded record | Navigation | Action | Expected result | Evidence | Owner | Status | Pass/Fail |
|---|---|---|---|---|---|---|---|---|---|---|
| DC-1 | Meera | document author/create | — | Document Control | Click **New Document** | Form opens | `DC-1.png` | FE/QA | [BUILT] | **PASS** iff form renders; **FAIL** if button absent/errors |
| DC-2 | viewer@acme | none | — | Document Control | Observe **New Document** | Button **disabled/greyed** | `DC-2.png` | FE/QA | [BUILT] | PASS iff control non-clickable for viewer |
| DC-3 | Meera | author | new SOP file | Document Control → New | Upload SOP (type=SOP) | Stored as controlled **v1**; audit entry (who/when) | `DC-3.png` + audit `DC-3.json` | BE/QA | [BUILT] | PASS iff v1 created **and** audit row present |
| DC-4 | Meera | author | [DEMO] SOP-MFG-047 | Doc → open → **MIRA Review** | Run MIRA review | **Advisory** findings + confidence, labelled advisory; document unchanged | `DC-4.png` | QA | [BUILT] | PASS iff findings shown, labelled advisory, **doc body unchanged** |
| DC-5 | Meera | author | finding from DC-4 | Doc review panel | Accept / reject / modify a finding | Each decision **logged** (AI original + human decision) | `DC-5.json` | BE/QA | [BUILT] | PASS iff log shows original AI text + human action |
| DC-6 | Meera | author | SOP after review | Doc → Edit | Edit + save | **New version**; edit attributed to **human** | `DC-6.png` | QA | [BUILT] | PASS iff version increments and `updated_by`=Meera |
| DC-7 | Meera | (author) attempting approve | SOP authored by Meera | Doc → Approve | Meera approves own doc | **Blocked** (approver ≠ author) | `DC-7.png` | QA | **[VERIFY]** | PASS iff approve blocked for author; **load-bearing** |
| DC-8 | Anand | document approver e-sign (mig 334) | SOP authored by Meera | Doc → Approve → e-sign | Approve + e-sign | Approval w/ signer identity, meaning, timestamp, version link | `DC-8.png` + `DC-8.json` | QA/CSV | **[VERIFY]** | PASS iff e-sig record has all four fields |
| DC-9 | Meera | author | **WI-042 / MBR** (see §3.1) | Doc(MBR) → MIRA Review | Request MIRA review on batch/MBR | **Refused at gate** before any AI call | `DC-9.png` | QA | [BUILT] | PASS iff refusal precedes any AI request (check logs) — *internal test, not buyer walkthrough* |
| DC-10 | Meera | author | title-only document (see §3.1) | Doc → MIRA Review | Review a no-body document | Flags **weak input**, does not fake a review | `DC-10.png` | QA | **[VERIFY]** | PASS iff weak-input flag shown, no fabricated findings; **load-bearing** |

### 4.2 Deviation

| AC | User | Authority needed | Preloaded record | Navigation | Action | Expected result | Evidence | Owner | Status | Pass/Fail |
|---|---|---|---|---|---|---|---|---|---|---|
| DV-1 | Ravi | deviation create (mig 310) | — | Deviations | Click **New Deviation** | Form opens | `DV-1.png` | FE/QA | [BUILT] | PASS iff form renders |
| DV-2 | viewer@acme | none | — | Deviations | Observe **New Deviation** | **Disabled** | `DV-2.png` | FE/QA | [BUILT] | PASS iff non-clickable |
| DV-3 | Ravi | deviation create + classify | — | Deviations → New | Create; **human selects** classification + severity | Unique ID; saved; audit entry | `DV-3.png` + `DV-3.json` | QA | [BUILT] | PASS iff human-set severity persisted + audited |
| DV-4a | Ravi | — | demo deviation | Deviations → (severity assist) | Attempt generative classification when T2 off | **Blocked** — `deviation_classification` OFF by default | `DV-4a.png` + gate log | BE/QA | **[VERIFY]** | PASS iff generative path not invokable with toggle false; **load-bearing** |
| DV-4b | system | — | — | — | Generative AI attempts to autonomously set classification/severity/disposition/closure/signature | **Refused** by T3 hard block; audited | n/a (narrate) | — | **[TARGET]** | **Do not demo live** — narrate only |
| DV-5 | Ravi | — | demo deviation | Deviations → similar | Request "similar prior deviations" | **Rule-based** list, labelled "rule-based suggestion — requires human review", no LLM | `DV-5.png` | QA | **[VERIFY]** | PASS iff list labelled rule-based (not "AI"), no LLM call in logs |
| DV-6 | (none) | — | — | API/UI create | Unauthenticated create | **401**, no record | `DV-6.json` | BE/QA | [BUILT] | PASS iff 401 and no row created |
| DV-7 | Ravi=reporter | — | deviation reported by Ravi | Deviation → assign investigator | Assign Ravi as investigator | **Blocked** (investigator ≠ reporter) | `DV-7.png` | QA | **[VERIFY]** | PASS iff SoD block fires; **load-bearing** |
| DV-8 | Anand | classification/triage authority | demo deviation (Ravi-reported) | Deviation → triage | Confirm triage; assign **Meera** as investigator (≠reporter Ravi) | Recorded; enters investigation | `DV-8.png` | QA | [BUILT] | PASS iff state→investigating, investigator(Meera)≠reporter(Ravi) |
| DV-9 | Meera | — | **closed** deviation (see §3.1) | Deviation(closed) → edit | Edit a closed field | **Refused** (post-closure immutability) | `DV-9.png` | QA | **[VERIFY]** | PASS iff edit refused on closed record |
| DV-10 | Anand | closure + QA reviewer | minor deviation | Deviation → close | Close minor | Closure authority + QA reviewer e-sign | `DV-10.json` | QA/CSV | [BUILT] | PASS iff both signatures recorded |
| DV-11 | Anand (+ practice lead) | major closure | major deviation | Deviation → close | Close major | + practice-lead co-sign + **independent** QA reviewer (≠ investigator Meera) | `DV-11.json` | QA/CSV | [BUILT] | PASS iff reviewer≠investigator(Meera) enforced |
| DV-12 | Anand (closer) + executive co-signer | executive co-sign (§2.2 note) | **deviation 3 (critical)** + **linked closed CAPA** (see §3.1) | Deviation(critical) → close | Close critical | + **executive co-sign** by an authority ≠ author/investigator (Meera); requires linked closed CAPA | `DV-12.json` | QA/CSV/Founder | [BUILT] | PASS iff exec co-sign present (≠Meera) **and** closed-CAPA link required |
| DV-13 | — | — | — | — | AI advisory influences major/critical class under approved T2 | Independent QA review mandatory (reviewer≠classifier) | n/a (narrate) | — | **[TARGET]** | Do not demo live — narrate |

### 4.3 RCA

| AC | User | Authority needed | Preloaded record | Navigation | Action | Expected result | Evidence | Owner | Status | Pass/Fail |
|---|---|---|---|---|---|---|---|---|---|---|
| RC-1 | Meera | rca create (mig 319) | deviation 1 | Deviation → Start RCA | Start RCA | Enabled; RCA links to deviation | `RC-1.png` | FE/QA | [BUILT] | PASS iff RCA created + linked |
| RC-2 | viewer@acme | none | deviation 1 | Deviation → Start RCA | Observe | **Disabled** | `RC-2.png` | FE/QA | [BUILT] | PASS iff non-clickable |
| RC-3 | Meera | rca author | RCA: Aseptic Fill (in_progress) | RCA → MIRA assist | Request MIRA assist | Theme/next-why prompts, **advisory-labelled**; RCA unchanged until human acts | `RC-3.png` | QA | [BUILT] | PASS iff suggestions advisory + record unchanged |
| RC-4 | Meera | rca author | RCA in_progress | RCA → edit suggestion → save | Edit MIRA suggestion, save systemic cause | Stores **MIRA original + human final**, model/version, timestamp; attributed to human | `RC-4.json` | BE/QA | [BUILT] | PASS iff both AI-original and human-final stored |
| RC-5 | Meera | rca author | RCA in_progress | RCA → discard suggestion | Fully discard MIRA suggestion | MIRA original **retained**, marked rejected | `RC-5.json` | BE/QA | **[VERIFY]** | PASS iff rejected suggestion still persisted |
| RC-6 | Meera | (creator) approve | RCA created by Meera | RCA → approve | Approve own RCA | **Blocked** (approver ≠ creator) | `RC-6.png` | QA | [BUILT] | PASS iff SoD block fires |
| RC-7 | Anand | rca_lead approve | RCA by Meera | RCA → approve | Approve | Approval recorded | `RC-7.json` | QA/CSV | [BUILT] | PASS iff approval by approver(Anand)≠creator(Meera) |
| RC-8 | Meera | rca author | RCA in_progress | RCA (gateway down) | Author manually with AI gateway unavailable | Manual authoring proceeds | `RC-8.png` | BE/QA | **[VERIFY]** | PASS iff RCA can be saved with gateway down |

### 4.4 CAPA

| AC | User | Authority needed | Preloaded record | Navigation | Action | Expected result | Evidence | Owner | Status | Pass/Fail |
|---|---|---|---|---|---|---|---|---|---|---|
| CA-1 | Meera | capa create | approved RCA (LIMS) | RCA → Create CAPA | Create CAPA | Enabled; links to deviation+RCA | `CA-1.png` | FE/QA | [BUILT] | PASS iff CAPA linked to both |
| CA-2 | viewer@acme | none | approved RCA | RCA → Create CAPA | Observe | **Disabled** | `CA-2.png` | FE/QA | [BUILT] | PASS iff non-clickable |
| CA-3 | Meera | capa author | CAPA draft | CAPA → edit | Author action plan + effectiveness criteria | Saved under human authorship | `CA-3.png` | QA | [BUILT] | PASS iff `created_by`=Meera |
| CA-4 | Meera | — | CAPA draft | CAPA / MIRA | Ask MIRA to **draft CAPA action** | **Not available** (`draft_capa` removed) | `CA-4.png` | QA | [BUILT] | PASS iff no draft-CAPA action exists |
| CA-5 | Meera | — | CAPA draft | CAPA / MIRA | Ask MIRA to **set priority/SLA** | **Not available** (T2 OFF) | `CA-5.png` | QA | [BUILT] | PASS iff no priority-set action exists |
| CA-6 | system | — | CAPA tables | — | AI surface attempts to **write** CAPA tables | **No AI write path** (`capas`, `capa_action_items`, `capa_effectiveness_checks`, `capa_cascade_items`) | static-scan + `CA-6.json` | BE/CSV | **[VERIFY]** | PASS iff negative integration test + static scan find no AI write |
| CA-7 | Meera | (author) approve | CAPA by Meera | CAPA → approve | Approve own CAPA | **Blocked** (approver ≠ author) | `CA-7.png` | QA | [BUILT] | PASS iff SoD block; **load-bearing** |
| CA-8 | Meera | (author) eff-check | CAPA by Meera | CAPA → effectiveness | Do own effectiveness check | **Blocked** (reviewer ≠ author) | `CA-8.png` | QA | **[VERIFY]** | PASS iff SoD block; **load-bearing** |
| CA-9 | Anand | approver + reviewer | CAPA by Meera | CAPA → approve / eff-check | Approve (≠author); eff-check (≠author) | Recorded w/ evidence/date/actor | `CA-9.json` | QA/CSV | [BUILT] | PASS iff both done by non-author(≠Meera) |
| CA-10 | Anand | closer e-sign | CAPA verified | CAPA → close | Close w/ e-sig | Signer identity/meaning/timestamp/state link | `CA-10.json` | QA/CSV | [BUILT] | PASS iff e-sig complete |
| CA-11 | Meera | — | CAPA | CAPA / MIRA | Ask MIRA to close/disposition/mark-effective | **Not possible** | `CA-11.png` | QA | [BUILT] | PASS iff no such action |
| CA-12 | Anand | closer | CAPA w/o eff-check | CAPA → close | Close before effectiveness verified | **Blocked** (lifecycle gate) | `CA-12.png` | QA | **[VERIFY]** | PASS iff close blocked pre-effectiveness |

### 4.5 AI Governance Evidence (evidence pack)

| AC | User | Authority needed | Preloaded record | Navigation | Action | Expected result | Evidence | Owner | Status | Pass/Fail |
|---|---|---|---|---|---|---|---|---|---|---|
| EV-1a | Anand | evidence-pack authority | closed deviation+RCA+CAPA chain | AI Governance Evidence | Generate pack | Assembled **live** from records; **hash-sealed** | `EV-1a.pdf/.zip` + hash | QA/CSV | [BUILT] | PASS iff pack generated + hash present; **load-bearing** |
| EV-1b | Anand | evidence-pack authority | chain w/ AI suggestions | AI Gov Evidence | Inspect provenance completeness | Every AI suggestion w/ type, model ID/version, prompt/output hash, confidence, accept/edit/reject, reviewer, override reason, final-record link | `EV-1b.json` | CSV/BE | **[TARGET]** | Do not claim live — provenance completeness pending LLM-audit + model-id fixes |
| EV-2 | viewer@acme | none | — | AI Gov Evidence | Observe **Generate** | **Disabled** | `EV-2.png` | FE/QA | **[VERIFY]** | PASS iff non-clickable |
| EV-3 | Anand | audit view | full chain | Audit trail | Open audit trail | Actor, role, UTC, before/after, reason across chain | `EV-3.png` | QA/CSV | [BUILT] | PASS iff fields present incl. before/after |
| EV-4 | QA | — | generated pack | (tamper test) | Alter pack contents | Stored **hash no longer matches** | `EV-4.json` | BE/CSV | **[VERIFY]** | PASS iff tamper detected; **load-bearing** |
| EV-5 | Anand | evidence-pack | chain w/ a rejected AI suggestion | Pack contents | Inspect | Rejected suggestion shown (AI-proposed vs human-decided) | `EV-5.png` | QA/CSV | **[VERIFY]** | PASS iff rejected suggestion visible |
| EV-6 | Anand | evidence-pack | prior pack | AI Gov Evidence | Regenerate pack | New pack, new hash+timestamp; prior immutable | `EV-6.json` | BE/CSV | **[VERIFY]** | PASS iff prior pack unchanged + new hash |
| EV-7 | system | — | — | — | Generative call without LLM audit (regulated mode) | **Fails closed** (`LLM_AUDIT_REQUIRED`) | n/a (narrate) | — | **[TARGET]** | Do not demo live — narrate |

### 4.6 Inspection Readiness

| AC | User | Authority needed | Preloaded record | Navigation | Action | Expected result | Evidence | Owner | Status | Pass/Fail |
|---|---|---|---|---|---|---|---|---|---|---|
| IR-1 | Anand | inspection-readiness authority (mig 329) | closed chain | Inspection Readiness | Open module | **Generate readiness pack** enabled | `IR-1.png` | FE/QA | **[VERIFY]** | PASS iff enabled for authorized user |
| IR-2 | viewer@acme | none | — | Inspection Readiness | Observe | **Disabled** | `IR-2.png` | FE/QA | **[VERIFY]** | PASS iff non-clickable |
| IR-3 | Anand | inspection-readiness | closed deviation/CAPA | Inspection Readiness → generate | Generate inspection pack | Assembles deviation+RCA+CAPA+e-sigs+eff-check+audit+AI-advisory history | `IR-3.pdf` | QA/CSV | **[VERIFY]** | PASS iff all chain elements present |
| IR-4 | Anand | inspection-readiness | generated pack | Inspection Readiness → export | Export pack | Controlled export; metadata+signatures manifested; export audited | `IR-4.pdf` + `IR-4.json` | QA/CSV | **[VERIFY]** | PASS iff export audited + signatures manifested |
| IR-5 | Anand | — | **mig 378 OOS/batch** | (attempt to reach OOS/batch) | Request out-of-scope module | **Unreachable** (hidden / not-found) | `IR-5.png` | QA | **[VERIFY]** | PASS iff OOS/batch not reachable in demo tenant; **load-bearing** |

### 4.7 MIRA (the +1)

| AC | User | Authority needed | Preloaded record | Navigation | Action | Expected result | Evidence | Owner | Status | Pass/Fail |
|---|---|---|---|---|---|---|---|---|---|---|
| MI-1 | Meera | MIRA access | — | MIRA chat | Open chat, ask a question | Advisory copilot answers | `MI-1.png` | QA | [BUILT] | PASS iff responds as advisory |
| MI-2 | Meera | — | any domain record | MIRA chat | Ask MIRA to modify a record | **Cannot** — MIRA never writes a **domain/GxP record** | `MI-2.png` + `MI-2.json` | BE/QA | [BUILT] | PASS iff **no mutation to controlled domain tables** (deviations/rca/capas/documents…); MIRA conversation/query-log/audit logging may occur |
| MI-3 | Meera | — | — | MIRA chat | Ask MIRA to draft CAPA action / set severity / write disposition | **Blocked/routed** by sanitizer; no ungoverned record-ready text | n/a (narrate) | — | **[TARGET]** | **Do not demo live** unless sanitizer build confirmed — narrate |
| MI-4 | Meera | MIRA access | — | MIRA chat | Ask MIRA to **explain** an RCA concept | **Allowed** (educational/non-record) | `MI-4.png` | QA | [BUILT] | PASS iff explanation given, no controlled text |
| MI-5 | Meera | MIRA access | RCA / doc review | RCA/Doc → MIRA | MIRA provides themes / review findings | **Advisory, labelled**; human decides; logged | `MI-5.json` | QA | [BUILT] | PASS iff labelled advisory + decisions logged |
| MI-6 | Meera | — | tenant w/o exception | MIRA chat | Ask MIRA to draft controlled content | **Blocked** (T2 default-off) | n/a (narrate) | — | **[TARGET]** | Do not demo live — narrate |
| MI-7 | — | — | tenant w/ approved exception | editor | Chat-assisted drafting under exception | Draft appears **only** as provenance-logged tracked suggestion in editor | n/a (narrate) | — | **[TARGET]** | Do not demo live — narrate |
| MI-8 | — | — | EU-aligned tenant | admin | Enable MIRA critical drafting | **Hard-gated + blocked** (`T2_EU_GMP_BLOCKED`); audited | n/a (narrate) | — | **[TARGET]** | Do not demo live — narrate |

### 4.8 AI Critical-Use Exception — Admin flow (TARGET — narrate only)
AG-1…AG-8 are **all `[TARGET]`**. **None are demonstrated live.** They are narrated from the scenario doc §8 as the roadmap control for client-approved T2. If asked, show the *design* (exception = signed electronic record, not a toggle), not a running screen.

**Founder narration script (use verbatim if the topic comes up — do not improvise a live screen):**
> "By default, generative AI is **off** for every critical decision — severity, CAPA priority, disposition, closure. A customer can't just flip a toggle to turn that on. To use generative AI on a critical-adjacent path, they raise a **controlled exception** — a signed electronic record stating the region basis, the exact feature, the intended use, the scope, and an expiry. It's **e-signed by QA, Regulatory, and an Executive**, and it's audit-trailed. For EU-aligned tenants it's **hard-blocked** by default. Even with an approved exception, two things never move: AI still **never writes** the record, and **every** suggestion is provenance-logged. And fully autonomous AI on a critical decision is **non-relaxably prohibited** — there's no exception for that. This is target-state; I'm describing the control, not showing a live screen today."

---

## 5. Evidence capture & naming convention

- **Folder:** `VRX-DEMO_<deployedSHA>_<YYYYMMDD>/` (e.g. `VRX-DEMO_«sha»_20260626/`).
- **File:** `<AC-ID>.<ext>` — `.png` (screenshot), `.json` (audit/API/log export), `.pdf`/`.zip` (pack/export). Sub-sequence if multiple: `DC-3_a.png`, `DC-3_b.png`.
- **Each evidence file must show:** logged-in user, UTC timestamp visible, and (for audit/pack) the record reference.
- **Hash capture:** for EV-1a/EV-4/EV-6 record the **pack content hash** alongside the file (`EV-1a.hash`).
- **Do not** edit screenshots. If a value must be redacted (password), re-take with it not on screen.
- **Index:** maintain `evidence_index.csv` — this is the QA execution record. Template columns:

```
ac_id,workflow,demo_user,evidence_file,capturer,capture_utc,deployed_sha,result(PASS|FAIL|CUT),reset_method,note
DC-7,Document Control,Meera,DC-7.png,,,,,,
DV-12,Deviation,Anand,DV-12.json,,,,,,
EV-1a,AI Gov Evidence,Anand,EV-1a.zip,,,,,,
...one row per executed AC...
```

---

## 6. Demo runbook (how to run)

1. **Deploy** the build; record URL + SHA + migration high-water mark in §1.
2. **Apply seed set** (§3 migrations) into tenant Acme; confirm the demo deviations/RCAs/CAPAs/docs/inspection exist; confirm mig 378 OOS/batch present **but hidden**.
3. **Set passwords** for the §2 accounts; confirm persona→authority mapping (Ravi≠Meera≠Anand); confirm `viewer@acme.com` has none of the create/approve authorities.
4. **Pre-flight the load-bearing `[VERIFY]` items** (DC-7, DC-10, DV-4a, DV-7, CA-7, CA-8, EV-1a, EV-4, IR-5) — these decide the cut list (§9/§10).
5. **Login sequence (per Part A):** start as **Ravi (Reporter)** — raise the deviation, **select severity**; hand to **Meera (Investigator/RCA/CAPA/SOP author)** — RCA + MIRA, author CAPA, upload/edit SOP; hand to **Anand (Approver/closer)** — approve SOP/RCA/CAPA, close, executive co-sign critical, generate evidence pack, inspection readiness. **Never approve/close as the persona who authored or investigated.**
6. **Workflow order (narrative, per Part A story):** **Deviation → RCA → CAPA → Document Control → AI Governance Evidence → Inspection Readiness → MIRA.** Foreground a **"watch it refuse"** beat (DV-7 / CA-7 / DV-4a / DC-7) and a **live audit-trail** beat (EV-3) in each segment — refusals + audit trail are what convince Quality.
7. **What NOT to click:** the OOS/batch route (IR-5 must stay unreachable); any AG admin enable screen; any MIRA chat request to draft CAPA/severity/disposition (MI-3/6/7/8) — these are **narrate-only**.
8. **Target-state items to narrate, never mock:** DV-4b, DV-13, EV-1b, EV-7, MI-3, MI-6/7/8, AG-1…AG-8.
9. **Capture evidence** per §5 as you go (don't reconstruct afterward).
10. **Run the go/no-go (§10)** at end of rehearsal and again on the deployed demo build the morning of 26 June.

---

## 7. Segment timing & QA-convincing cues

| Segment | ~Time | The one beat that convinces Quality |
|---|---|---|
| Deviation (Ravi) | 6 min | DV-4a — severity AI **off**; DV-7 — reporter≠investigator SoD; DV-12 — critical close needs **executive co-sign + linked closed CAPA** |
| RCA (Meera) | 4 min | RC-4 — MIRA suggestion + human override **both** retained (provenance) |
| CAPA (Meera→Anand) | 5 min | CA-7/CA-8 — author **cannot** approve/eff-check own CAPA; CA-4/5/11 — MIRA **cannot** draft/prioritize/close |
| Document Control (Meera→Anand) | 4 min | DC-7 — author **cannot** approve own doc (SoD fires live) |
| AI Governance Evidence (Anand) | 5 min | EV-3 live audit trail (before/after) + EV-1a hash-sealed pack |
| Inspection Readiness (Anand) | 4 min | IR-3 one-click chain retrieval; IR-5 OOS/batch **unreachable** |
| MIRA (Meera) | 3 min | MI-2 — MIRA **never writes a domain record**; MI-4/5 advisory + labelled |

Narration spine: **"AI assists, humans decide, the system refuses what it must, and the record proves who."** Lead each segment with the refusal/audit beat, not the happy path.

---

## 8. Reset / seed / re-run procedure

- **Re-run safe — PRE-FLIGHT BLOCKER (not a note):** demo seeds (263/323/072/378…) are migration-based; before any multi-run rehearsal, **BE must confirm each demo seed is idempotent** (`IF NOT EXISTS` / dedupe on `%-DEMO-%` refs). If any demo seed is **not** idempotent, multi-run rehearsal is **blocked** until fixed or a snapshot-restore reset (below) is used instead. Record the confirmation in the go/no-go (§10).
- **Between rehearsals:** to reset mutated state (a deviation you closed, a CAPA you signed), either (a) restore the tenant from a **pre-demo snapshot** `«execution-captured snapshot/restore method»`, or (b) re-seed fresh demo refs (`DEV-{yr}-DEMO-n`, `RCA-{yr}-DEMO-n`, `INSP-{yr}-DEMO-n`) and use the new IDs. **Do not** hand-delete GxP records (immutability) — reset by snapshot/re-seed, not deletion.
- **Record** which reset method was used in `evidence_index.csv` so a re-run's evidence is traceable to a clean baseline.

---

## 9. Per-workflow fallback (if a `[VERIFY]` fails at pre-flight)

| Workflow | If this fails | Action |
|---|---|---|
| Document Control | DC-7 (own-approve block) or DC-10 (empty-text honesty) | **Cut** the failing beat; narrate as roadmap. Keep DC-1…DC-6 (BUILT). |
| Document Control | DC-9 (AI-review refused on MBR) — WI-042 not gated as batch/MBR | Use a seeded **MBR from mig 219**; if no document is gated as batch/MBR, **cut DC-9** (it's an internal control test, not a buyer beat). |
| Deviation | DV-4a (severity AI off) | **Cut**; narrate "generative classification is off by default." Do **not** force-show a block that isn't firing. Keep human-severity DV-3 + closure DV-10/11/12. |
| Deviation | DV-7 (SoD) | Cut the SoD beat; keep closure matrix. |
| RCA | RC-5 (rejected-suggestion retained) or RC-8 (gateway-down continuity) | Cut; keep RC-3/RC-4 advisory+provenance (BUILT). |
| CAPA | CA-6 (never-write), CA-7/CA-8 (SoD), CA-12 (lifecycle gate) | Cut the failing negative; **never** substitute a mock. CA-4/CA-5/CA-11 (not-available) are BUILT and safe. |
| Evidence | EV-1a (assemble+hash) | If pack won't assemble live, **do not** show a pre-made pack as if live — narrate as target. EV-1a is load-bearing; its failure is a go/no-go flag. |
| Evidence | EV-4 (tamper) / EV-5 / EV-6 | Cut the specific negative; keep EV-1a + EV-3 audit trail. |
| Inspection | IR-1…IR-4 | If the readiness module isn't live, narrate the *concept* using the closed chain + audit trail (EV-3); do not mock a pack. |
| Inspection | **IR-5 (OOS/batch unreachable)** | If OOS/batch is **reachable**, **stop** — that's a scope-leak; hide it before any client sees it. Hard blocker. |
| MIRA | MI-3/6/7/8 | Already narrate-only. Keep MI-1/2/4/5 (BUILT). Never ask chat for controlled drafting. |

**Rule:** a failed `[VERIFY]` is **cut and narrated as roadmap — never mocked.** QA owns the cut; Founder owns the date.

---

## 10. Go / No-Go checklist (run at rehearsal end + demo morning)

- [ ] Deployed URL + SHA + migration high-water mark recorded (§1).
- [ ] Acme tenant seeded; demo deviations/RCAs/CAPAs/docs/inspection present; **OOS/batch hidden** (IR-5).
- [ ] Passwords set; **Ravi ≠ Meera ≠ Anand**; `viewer@acme.com` has no create/approve authority.
- [ ] Load-bearing `[VERIFY]` pre-flighted: DC-7, DC-10, DV-4a, DV-7, CA-7, CA-8, EV-1a, EV-4, IR-5 — each **PASS or on the cut list**.
- [ ] Evidence folder + `evidence_index.csv` created; capture convention agreed.
- [ ] Cut list finalized (any failed `[VERIFY]`); narration script updated to match.
- [ ] Target-state items confirmed **narrate-only**: DV-4b, DV-13, EV-1b, EV-7, MI-3/6/7/8, AG-1…AG-8.
- [ ] Audit-trail beat (EV-3) confirmed working — the QA-convincing moment.
- [ ] **Revision Gate (top of pack) all closed** — persona alignment, order, authority map filled, email-domain decision, critical records confirmed.
- [ ] **Authority map (§2.1) filled** with exact profile IDs; Ravi/Meera/Anand positive+negative authorities confirmed.
- [ ] **Seed idempotency confirmed** by BE (§8) — or snapshot-restore reset adopted for re-runs.
- [ ] No `console.log`/error banners — checked **per screen group** (Deviation, RCA, CAPA, Document Control, Evidence, Inspection, MIRA); one screenshot per group.
- [ ] **Go/No-Go signed:** QA (execution), Founder (date). No-Go if IR-5 leaks, EV-1a can't assemble live, or the Revision Gate is open.

---

## 11. Owner legend

| Owner | Responsibility |
|---|---|
| **FE** | UI control state (enabled/disabled), navigation, render correctness |
| **BE** | gates, SoD enforcement, never-write proof, audit-trail writes, hash/seal, API behavior |
| **QA** | execute the matrix, capture evidence, own the cut list + go/no-go execution |
| **Founder-demo** | narration, critical-closure persona (Anand), owns the date |
| **CSV-review** | verify evidence sufficiency (e-sig fields, audit before/after, provenance, hash) — **does not** declare "validated"; confirms evidence quality |

---

## Appendix A — Evidence basis (repo paths on `dev-vimal-deploy` @ `cc6e6157`)

Repo-relative paths verified in this pass. Prepend your repo host prefix to linkify (`«execution-captured repo URL»/blob/dev-vimal-deploy/<path>`).

**Demo data seeds**
- `packages/backend/src/db/migrations/263_seed_demo_deviations_and_capas.sql` — 3 deviations + 2 CAPAs (incl. critical "SOP-MFG-047 Out-of-Date Revision Used")
- `packages/backend/src/db/migrations/323_seed_demo_rca_findings_inspection_documents.sql` — 2 RCAs, 2 findings, inspection events, `[DEMO] SOP-MFG-047`
- `packages/backend/src/db/migrations/072_seed_test_documents.sql` — SOP-001/WI-042/REG-005/POL-012 (fixed UUIDs); tenant `f47ac10b-…`
- `packages/backend/src/db/migrations/378_seed_demo_batch_oos_linked.sql` — OOS/batch out-of-scope route (IR-5 negative)
- `packages/backend/src/db/migrations/219_seed_mbr_ipc_parameters.sql` — MBR (DC-9 fallback)
- `packages/backend/src/db/migrations/264_seed_demo_effective_workflow_template.sql`, `306_seed_phase1_sop_rca_workflow_templates.sql`, `303_seed_ai_governance_evidence_workflow_template.sql` — workflow templates
- `packages/backend/src/db/migrations/266_…/267_…seed_demo_hitl_decisions*.sql`, `271_seed_demo_escalated_decision.sql`, `272_seed_demo_signatures_on_demo_deviation.sql` — HITL/e-sig demo
- `packages/backend/src/db/seeds/002_seed_test_data.ts` — tenant users (`@acme.com`, `@beta.com`)

**Authority seeds (the permission model)**
- `310_seed_urs16_deviation_authority_profiles.sql` · `319_seed_urs17_rca_authority_profiles.sql` · `334_seed_document_reviewer_authority.sql` · `336_seed_document_control_permission.sql` · `329_seed_ie_closure_authority.sql` · `274_seed_hitl_final_reviewer_authority_for_test_users.sql` · `207_seed_mbr_approval_authority.sql` · `236_seed_missing_authority_profiles.sql` (all under `packages/backend/src/db/migrations/`)

**Modules referenced**
- `packages/backend/src/modules/{documents,deviations,rca,capas,ai-evidence,inspection-readiness,ai,scoring-ai,authority,hitl}/`

**Findings referenced** (from the verified §A drift table, Engineering Build Instruction v3)
- F1 `gxp_alignment`/region absent (mig 227 toggles only) → §1 region cell · F5/F6 HITL-skip + optional `llmAudit` → EV-1b/EV-7 · F7 evidence-pack `model_name`/`model_id` mapping → EV-1b · MIRA "never modifies domain entities" (`modules/ai`/MIRA service) → MI-2.

> Authority-profile **exact names/IDs** are seeded by the migrations above but were not enumerated in this pass — fill §2.1 from the seed files (`[VERIFY]`).

---

## Final status

**Draft / blockers open / not executed / not approved.**
This pack tells the team **how** to run, set up, test, evidence, reset, and gate the 6+1 demo. It is grounded in `dev-vimal-deploy` seeds (cited) with runtime facts left as `«execution-captured»` and unconfirmed labels as `[VERIFY]` — by design, so no placeholder is mistaken for a validated fact. Verixa verifies under its SDLC; the customer validates intended use. No "validated/compliant" claim is made or implied.
