# Verixa — Demo-Flow Gap Tickets (code → URS)

**Basis:** two independent code+URS reviews of `Verixa_Demo_User_Journey.html` against `dev-vimal-deploy` @ `cc6e6157` and Target-State URS Modules 1-41.
**Purpose:** the build items that would make the demo's regulated-control claims *true*. Until closed, the corrected walkthrough (`_v2`) demos them as `[TARGET]`/narrate, not live.
**Status:** Draft / not executed / not approved.

> Inspection note: for an FDA/QA-facing demo, **overclaiming a control is worse than labelling it target-state.** Each ticket below is a place where the URS wants a control the code hasn't built — close the code to the URS, don't soften the URS to the code.

---

## P0 — URS non-conformance (fix regardless of demo)

### GAP-1 · Inspection scorecard: UI breakdown does not reconcile to the score
- **URS:** DEC-22-09 / INS-DR-009 require the readiness scorecard to be explainable **with frontend contract alignment** to the formula (`formula_version`, `component_inputs`, component scores). *(URS-22)*
- **Code reality:** engine computes `overall_score` from **8** v1.2 components (`scorecard-formula.ts:7-16`, weights documentation .15 / deviation .12 / capa .12 / findings_residual .10 / rca .08 / training .15 / self_inspection .13 / mock_drill .15). The **UI renders only 5 legacy components at old weights 25/20/25/15/15** (`InspectionCalendarDetail.tsx:397-417`, from `mig 242`). The rendered breakdown cannot sum to the headline number.
- **Fix:** render the 8 v1.2 components + weights from the persisted `v12_components`/`component_inputs` (not the 5 legacy columns). Remove/retire the `mig 242` 5-column display contract.
- **Closes demo claim:** "if an auditor asks why it says 0.88, we can answer to the decimal."

---

## P1 — Code behind URS (the demo's multi-user separations the system doesn't yet enforce)

### GAP-2 · CAPA action items: reviewer-signed completion (item-level SoD)
- **URS:** URS-18 §1 — action-item lifecycle with **"reviewer-signed completion"**; status set `open/in_progress/completed/cancelled`.
- **Code reality:** `capa_action_items` has only `owner_id` — **no reviewer field, no item-level SoD, no item e-sig**; `updateActionItem` (`service.ts:1495`) lets any permitted user flip an item to `completed`. Status enum is `pending/in_progress/completed/cancelled` (URS says `open`, code says `pending`).
- **Fix:** add `reviewed_by` / `reviewed_at` / item e-sig; enforce reviewer ≠ `owner_id`; align status `pending`→`open` (or update URS). 
- **Closes demo claim:** the "Rohan reviews/closes each item" 5th-user beat.

### GAP-3 · Deviation major-closure practice-lead co-sign route
- **URS:** URS-16 §0.6 — "major: + practice_lead_* co-sign at closure."
- **Code reality:** `majorCoSign()` service method exists (`service.ts:1911`) but is **not wired to any HTTP route** (only `/:id/close/critical-cosign` is routed).
- **Fix:** expose `POST /:id/close/major-cosign` with `deviation_major_practice_lead_authority` + e-sig + SoD, mirroring the critical route.
- **Closes demo claim:** "major close adds practice-lead co-sign."

### GAP-4 · RCA third-role SoD (approver ≠ closer)
- **URS:** URS-17 §0.4 — only **SoD-17-01: creator ≠ approver** is mandated. *(URS does not require a third distinct closer — so the "3 distinct users" beat is a product decision, not a current URS requirement.)*
- **Code reality:** drafter ≠ approver (`service.ts:853`) and drafter ≠ closer (`:1258`) enforced; **approver ≠ closer is not enforced anywhere** → a 2-user flow passes all checks. RCA `close` has **no authority check and no e-signature** (route comment: "administrative cleanup", `routes.ts:488`).
- **Decision needed:** either (a) accept 2-user RCA as the supported flow (update the demo), or (b) if a 3-person RCA is desired, add approver ≠ closer enforcement **and** an authority/e-sig gate on close, **and** raise it in the URS.
- **Closes demo claim:** "three distinct users, none carried it end to end" + "RCA close is a controlled signed disposition."

### GAP-5 · Document effectivity: publisher ≠ approver SoD + a `document_controller` authority
- **URS:** URS-12 §0.4-0.5 — `approved → effective` is **date-driven**; DOC-009 mandates initiator ≠ approver, but URS does **not** require a controller distinct from the approver.
- **Code reality:** separate `makeEffective` step under `document_publisher` authority + own e-sig exists (`service.ts:3933`), but **publisher ≠ approver is not enforced**, and there is **no `document_controller` authority** (the demo's "controller" maps to `document_publisher`).
- **Decision needed:** if a 4th distinct effectivity person is wanted, add publisher ≠ approver enforcement (and raise in URS). Otherwise demo only "a separate, e-signed make-effective step exists."
- **Closes demo claim:** "a document controller, not the approver, sets the effective date."

---

## P2 — Drift / hygiene

### GAP-6 · RCA authority-key drift
- **Code reality:** approve checks the literal string `'rca_lead'` (`service.ts:896`); reject checks `'final_quality_approver'`; the seeded keys `rca_approval_authority` / `rca_close_authority` (`mig 319`) are **never referenced** → dead authority profiles.
- **URS:** URS-17 §0.3 names `investigation_lead_authority`, `final_quality_approver`, `executive_authority`.
- **Fix:** reconcile code authority keys to the seeded/URS keys; remove dead seeds; update the demo AuthorityMap so QA isn't misled.

### GAP-7 · LLM-audit completeness + evidence-pack model mapping (carried from AI-gov review)
- **Code reality:** `AiGatewayService` accepts **optional** `llmAudit?` (writes only `if (this.llmAudit)`); evidence pack reads `meta.model_name` only, missing `model_id` fallback (`evidence-pack.service.ts:450`).
- **Fix:** make `llmAudit` **mandatory** in regulated mode (fail-closed `LLM_AUDIT_REQUIRED`); add the `model_id` fallback. *(Already in the AI-Governance Engineering Build Instruction, items 7/10.)*
- **Closes demo claim:** "full per-suggestion AI provenance is live" (keep `[TARGET]` until closed).

### GAP-8 · Negative / OQ test coverage for "no AI write" + SoD
- **Code reality:** static scan finds **no AI write path** to core regulated registers (deviations/rca/capa/documents/findings/e-sigs/scorecards) — AI writes only `ai_*`/`mira_*`/prediction/draft tables. But only 3 relevant `.test.ts` files exist; there is **no comprehensive negative suite** asserting this per register, nor SoD-violation negative tests across deviation/RCA/CAPA.
- **Fix:** add negative integration tests: (a) each AI route cannot mutate each controlled table; (b) each SoD block (investigator≠reporter, approver≠author, effectiveness≠owner, closer≠author) returns 403. This converts "scan-evidenced" → "OQ-locked."

---

## Demo disposition (until tickets close)
- **Demo live (verified):** human severity; generative-classification-off; investigator ≠ reporter; critical exec co-sign; CAPA effectiveness ≠ owner; CAPA close e-sig + gating; doc author ≠ approver + approval e-sig; separate make-effective e-sig; evidence-pack hash + audited export; deviation→RCA→CAPA signed evidence chain; MIRA suggestion-only (no AI write path — scan-evidenced).
- **`[TARGET]` / narrate:** GAP-1…GAP-5 (scorecard UI reconciliation, CAPA item-level reviewer, major co-sign route, 3-person RCA, doc publisher≠approver), plus full AI provenance / fail-closed LLM audit / MIRA sanitizer.
