# Verixa — Demo Gap Tickets: Code Audit (current HEAD)

**Audited:** 2026-06-13 · **Repo:** `Verixa` (verixa.ai product repo) · **HEAD:** `6dfca132` · **Branch:** `dev-vimal-deploy`
**Baseline being re-checked:** the Demo-Flow Gap Tickets were written against `dev-vimal-deploy @ cc6e6157`. Code has advanced since; this audit records present state with `file:line` evidence.
**Discipline:** verdicts are evidence-bound. "Addressed" = direct code evidence found; "Open" = absence confirmed by reading the function; "Partial" = mechanism present but the specific hard-requirement not fully enforced. Built ≠ validated — these are code-presence findings, not executed-test results.

---

| Gap | Pri | Baseline claim (cc6e6157) | Audit verdict @ 6dfca132 | Evidence (file:line) |
|---|---|---|---|---|
| GAP-1 | P0 | Scorecard UI rendered 5 legacy components; engine used 8 v1.2 — couldn't reconcile | **Addressed — verify UI sum** | Engine: `inspection-readiness/scorecard-formula.ts` `READINESS_FORMULA_V12`, `V12_WEIGHTS`, `component_labels` (8 components). FE: `frontend/.../InspectionCalendarDetail.tsx:401-412` renders `component_inputs`/`mock_drill_component_inputs` (v1.2), not the mig-242 5-column display. Confirm the rendered breakdown visually sums to the headline. |
| GAP-2 | P1 | CAPA action items: owner-only, any permitted user can flip to completed; no item-level reviewer/SoD | **OPEN (confirmed)** | `capas/service.ts:1495 updateActionItem` — sets `status='completed'` with `owner_id` only; no `reviewed_by`/`reviewer≠owner` check. Closed-CAPA immutability exists (`DEC-18-15`) but item-level reviewer-signed completion is still absent. |
| GAP-3 | P1 | Deviation major-closure practice-lead co-sign route missing | **Addressed** | `deviations/service.ts:934` closeDeviation accepts `coSignEsigId/Hash`; URS-16 step 42 persists `practice_lead_gmp` co-sign via `critical_cosign_*` columns (`:1181-1187`). |
| GAP-4 | P1 | RCA third-role SoD (approver ≠ closer) | **Largely addressed** | `rca/service.ts`: creator≠approver (`:852-857`), creator≠rejecter (`:1062`), creator≠closer (`closeRCA :1255-1264`), all 21 CFR 11.10(d), + mandatory e-sig + linked-CAPA gate. Note: both approver and closer are enforced ≠creator; an explicit approver≠closer leg is not separately coded — confirm whether that distinct check is required. |
| GAP-5 | P1 | Document effectivity: publisher ≠ approver SoD + a controller authority | **Addressed** | `documents/routes.ts` make-effective/retire gated by `requiredAuthorityKey:'document_publisher'` + e-signature (DOC-004, `:1765, :1899, :2019`); comments separate the publisher role from the approver. The gap's "document_controller" is realized as the `document_publisher` authority. |
| GAP-6 | P2 | RCA authority-key drift | **Appears resolved** | `rca/service.ts` uses clean, intentional authority keys: `rca_lead` (`:896`) and `final_quality_approver` (`:1099`). No drift observed. |
| GAP-7 | P2 | LLM-audit completeness + evidence-pack model mapping; fail-open if `llmAudit` absent | **Partial** | `ai/ai-gateway.service.ts`: logs to `llm_audit_log` when configured (`:244-249, :445-446`), budget/rate "fail-closed" (`:470`). BUT `llmAudit` is still optional (`:116 llmAudit?`, `:244 if(this.llmAudit)`) — the hard-require-in-regulated-mode (Phase-2 WP-2.2) is not fully enforced. Keep `[TARGET]` on "full AI provenance live" until required. |
| GAP-8 | P2 | Negative/OQ test coverage for "no AI write" + SoD | **Partial** | Substantial SoD negative suites exist: `hitl/__tests__/esig-sod-check.{test,configurable,phase0,phase7}.ts`, `config/__tests__/workflow-engine-binding.test.ts`, plus `hitl/__tests__/esig-validate-for-record.test.ts` (Issue #100). Confirm a dedicated `DEVIATION_GENAI_PROHIBITED` negative test exists for the no-AI-write claim. |
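
For GAP-2, one shape the missing item-level control could take, as an added example (not Verixa code): completion becomes a two-step transition in which the owner submits and a different user signs. The statuses, type names and function names are hypothetical, and case-insensitive user IDs are an assumption; only `owner_id`, `reviewed_by` and `status='completed'` come from the audit row.

```typescript
// Added illustration. Types, statuses and function names are hypothetical; only
// `owner_id`, `reviewed_by` and `status='completed'` come from the audit row.
type ItemStatus = "open" | "pending_review" | "completed";
interface ActionItem {
  id: string;
  owner_id: string;
  status: ItemStatus;
  reviewed_by: string | null;
}
type StepResult = { ok: true; item: ActionItem } | { ok: false; reason: string };

// IDs are compared after trimming and lower-casing so that "U-7" and "u-7 "
// cannot pass as two different people (assumes case-insensitive user IDs).
const sameActor = (a: string, b: string): boolean =>
  a.trim().toLowerCase() === b.trim().toLowerCase();

// Step 1: the owner declares the work done. This never sets 'completed'.
function submitForReview(item: ActionItem, actorId: string): StepResult {
  if (item.status !== "open") return { ok: false, reason: "not_open" };
  if (!sameActor(actorId, item.owner_id)) return { ok: false, reason: "not_owner" };
  return { ok: true, item: { ...item, status: "pending_review" } };
}

// Step 2: a different user signs the completion. The reviewer != owner leg is
// the check the audit reports as absent from updateActionItem.
function reviewAndComplete(item: ActionItem, reviewerId: string): StepResult {
  if (item.status !== "pending_review") return { ok: false, reason: "not_pending_review" };
  if (reviewerId.trim() === "") return { ok: false, reason: "reviewer_required" };
  if (sameActor(reviewerId, item.owner_id)) return { ok: false, reason: "sod_reviewer_is_owner" };
  return { ok: true, item: { ...item, status: "completed", reviewed_by: reviewerId.trim() } };
}
```

A negative test for this control should assert both rejections: the owner reviewing their own item, and any attempt to reach `completed` without passing through the review step.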

## Phase-2 critical path — also advanced
- **2.1 / WP-4 (e-sig substrate on terminal decisions):** `validateEsignatureForRecord` (`hitl/esig.service.ts:691`) is now **called** from `capas/service.ts` (CAPA closure `:1065, :1777`) and `rca/service.ts` (RCA approve/reject/close), with dedicated unit tests (`esig-validate-for-record.test.ts`, Issue #100). Baseline said only `oos-oot` called it — materially advanced. Confirm `findings` and `change-control` terminal decisions are also wired.
- **1.3 / 2.11 (AI handover write-hole):** `handover-bridge/handover-bridge.service.ts` runs `checkHitlRequired` (`:252`) before `createDomainRecord` (`:405` → `createDeviationRecord :435` / `createCapaRecord :469`). HITL gate is present on the handover path. Confirm the demo `environment_class` block + MIRA write-back disable for the demo tenant.

## Net read for the 26 June gate
Of the 8 gap tickets, **GAP-2 is the only one confirmed still open** (CAPA item-level reviewer SoD). GAP-1/3/5 are addressed; GAP-4/6 largely addressed/resolved; GAP-7/8 partial (AI-audit hard-require + one AI-write negative test). The Phase-2 e-sig critical path (2.1) is substantially implemented. This is a **materially stronger** position than the cc6e6157 gap tickets implied — the demo's control claims are closer to "true in code" than the original tickets stated. Each "Addressed" verdict still needs an executed test (verification) before any "validated" claim.
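
For the GAP-7 residual, the difference between an optional audit sink and a hard requirement, as an added example (not Verixa code): the first class reproduces the optional-`llmAudit` pattern the audit describes, the second refuses to construct or to call the model in regulated mode without a successful audit write. Class names, the `GatewayMode` values and the record fields are hypothetical.

```typescript
// Added illustration. Class and type names are hypothetical; only the optional
// `llmAudit` dependency mirrors what the audit cites at ai-gateway.service.ts:116/:244.
interface AuditRecord { actor: string; model: string; promptChars: number }
interface LlmAuditSink { write(rec: AuditRecord): void }
type GatewayMode = "regulated" | "sandbox";
type ModelFn = (prompt: string) => string;

// Fail-open shape: with no sink configured the call proceeds unrecorded.
class OptionalAuditGateway {
  private model: ModelFn;
  private llmAudit: LlmAuditSink | undefined;
  constructor(model: ModelFn, llmAudit?: LlmAuditSink) {
    this.model = model;
    this.llmAudit = llmAudit;
  }
  complete(actor: string, prompt: string): string {
    if (this.llmAudit) {
      this.llmAudit.write({ actor, model: "demo-model", promptChars: prompt.length });
    }
    return this.model(prompt);
  }
}

// Hard-require shape: regulated mode refuses to start without a sink and
// refuses the call if the audit write fails, so no completion lacks a record.
class RequiredAuditGateway {
  private model: ModelFn;
  private mode: GatewayMode;
  private llmAudit: LlmAuditSink | undefined;
  constructor(model: ModelFn, mode: GatewayMode, llmAudit?: LlmAuditSink) {
    if (mode === "regulated" && !llmAudit) {
      throw new Error("llmAudit sink is required in regulated mode");
    }
    this.model = model;
    this.mode = mode;
    this.llmAudit = llmAudit;
  }
  complete(actor: string, prompt: string): string {
    try {
      this.llmAudit?.write({ actor, model: "demo-model", promptChars: prompt.length });
    } catch {
      if (this.mode === "regulated") throw new Error("audit write failed; call refused");
    }
    return this.model(prompt);
  }
}
```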

*Code-presence audit only. Verixa verifies under its SDLC; the customer validates intended use. No "validated / Part 11-compliant" claim is made here. Re-confirm at the exact build used for the 26 June demo.*
