> ## Documentation Index > Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt > Use this file to discover all available pages before exploring further. # GR — Governance & Compliance Integration Contracts > Status: ✅ Active (GR-01–GR-08, GR-10, GR-11 implemented; GR-09 pending; GR-12 specified) Last Updated: 2026-03-06 Constitution Reference: §1 Architecture & Mod… **Status:** ✅ Active (GR-01–GR-08, GR-10, GR-11 implemented; GR-09 pending; GR-12 specified)\ **Last Updated:** 2026-03-06\ **Constitution Reference:** §1 Architecture & Module Boundaries — no direct core-to-core imports; all cross-core via Platform Integration Layer, events, or API contracts. *** ## Overview The GR (Governance & Compliance) module manages policies, compliance tracking, audits, risk, quality improvement, accreditation, incident reporting, contracts, and procedures. This document is the canonical anchor for all GR integration contracts, cross-core event publisher/consumer mappings, API contracts, and platform layer usage. **Related documents:** * [CROSS\_CORE\_INTEGRATIONS.md](./CROSS_CORE_INTEGRATIONS.md) — integration matrix rows for GR * [EVENT\_CONTRACTS.md](./EVENT_CONTRACTS.md) — detailed GR event payload schemas * [CL-GR-CLINICAL-INCIDENT-INTEGRATION.md](./CL-GR-CLINICAL-INCIDENT-INTEGRATION.md) — bi-directional CL↔GR incident bridge * [IT\_INTEGRATION\_CONTRACTS.md](./IT_INTEGRATION_CONTRACTS.md) — IT security incident events consumed by GR * [FM\_INTEGRATION\_CONTRACTS.md](./FM_INTEGRATION_CONTRACTS.md) — FM vendor certification events consumed by GR *** ## Events Published by GR | Event | Channel | Publisher Spec | Subscribers | Status | | ------------------------------- | ----------- | -------------- | ------------------------------------------------------- | ---------- | | `policy_created` | `gr_events` | GR-01 | GR-02, GR-03 | 📝 Planned | | `policy_acknowledged` | `gr_events` | GR-01 | GR-02, GR-03 | 📝 Planned | | `training_completed` | `gr_events` | GR-02 | GR-03, HR-02 | 📝 Planned | | `requirement_created` | `gr_events` | GR-03 | GR-04, GR-06 | 📝 Planned | | `compliance_status_changed` | `gr_events` | GR-03 | GR-04, GR-05, GR-06 | 📝 Planned | | `audit_created` | `gr_events` | GR-04 | GR-06 | 📝 Planned | | `audit_finding_created` | `gr_events` | GR-04 | GR-05, GR-06 | 📝 Planned | | `risk_created` | `gr_events` | GR-05 | GR-06 | 📝 Planned | | `risk_assessed` | `gr_events` | GR-05 | GR-06 | 📝 Planned | | `qi_project_created` | `gr_events` | GR-07 | GR-03, GR-04 | 📝 Planned | | `accreditation_created` | `gr_events` | GR-08 | GR-03, GR-04 | 📝 Planned | | `incident_created` | `gr_events` | GR-09 | GR-05, GR-06, CL (chart flag via `gr_incident_created`) | 📝 Planned | | `incident_resolved` | `gr_events` | GR-09 | GR-05, GR-06 | 📝 Planned | | `gr_incident_created` | `gr_events` | GR-09 | CL — chart flag | 📝 Planned | | `procedure_approved` | `gr_events` | GR-11 | GR-02, GR-03, PF-10 | ✅ Complete | | `procedure_execution_completed` | `gr_events` | GR-11 | GR-03, PF-10 | ✅ Complete | | `gr_template_instantiated` | `gr_events` | GR-12 | GR-03, PF-10 | 📝 Planned | | `gr_template_contributed` | `gr_events` | GR-12 | GR-03 | 📝 Planned | | `procedure_gap_identified` | `gr_events` | GR-13 | GR-07 (QI project candidate) | 📝 Planned | **Notes:** * All GR trigger functions that publish to `gr_events` MUST use `SECURITY DEFINER`. * `gr_incident_created` is also documented in [CL-GR-CLINICAL-INCIDENT-INTEGRATION.md](./CL-GR-CLINICAL-INCIDENT-INTEGRATION.md); follow PHI payload restrictions there. *** ## Events Consumed by GR | Event | Publisher | GR Consumer Spec | GR Action | Status | | ------------------------------------ | ---------- | ------------------- | ------------------------------------------------------------- | ------------- | | `employee_created` | HR | GR-01, GR-02 | Assign onboarding policies and training | 📝 Planned | | `incident_reported` | HR-14 | GR-03, GR-04 | Create compliance check; initiate audit workflow | ✅ Implemented | | `grievance_filed` | HR-14 | GR-03 | Create compliance check record | ✅ Implemented | | `vendor_certification_expiring` | FM | GR-03 | Create compliance check for expiring vendor cert | ✅ Implemented | | `pm_overdue` | FM | GR-03 | Flag preventive maintenance compliance gap | 📝 Planned | | `inspection_due` | FM | GR-03 | Create upcoming compliance check | 📝 Planned | | `inspection_failed` | FM | GR-03, GR-05 | Create compliance finding; link to risk | 📝 Planned | | `inspection_compliant` | FM | GR-03 | Update compliance check to compliant | 📝 Planned | | `it_security_incident_created` | IT | GR-09 | Create or link GR incident report | 📝 Planned | | `it_critical_vulnerability_detected` | IT | GR-09 | Create GR risk and potential incident | 📝 Planned | | `it_asset_disposed` | IT | GR-03 | Update compliance tracking for asset disposal | 📝 Planned | | `cl_safety_plan_activated` | CL (CL-07) | GR-09 | Create draft incident report (type: safety\_plan\_activation) | 📝 Planned | | `cl_restraint_event_documented` | CL (CL-13) | GR-09 | Create draft incident report (type: restraint\_seclusion) | 📝 Planned | | `cl_incident_reported` | CL (CL-15) | GR-03, GR-04, GR-08 | Compliance check; audit log; accreditation evidence | ✅ Implemented | | `goal_completed` | LO | GR | Cross-core governance linkage | 📝 Planned | **Security requirements for all GR consumers:** * Server-side tenant isolation: validate `organization_id` against JWT claims before writing. * Use `SECURITY DEFINER` stored procedures for event-triggered writes. * Log all event consumptions to `pf_audit_logs` with `user_id`, `organization_id`, `timestamp`, `correlation_id`. * Implement exponential backoff retries; dead-letter queue for max-retry failures. *** ## API Contracts No GR-owned API contracts are currently defined. The following are candidates for future specification: | Proposed API | Type | Consumer | Priority | | ---------------------------------------------------------------- | ---- | ----------------------------- | --------------------------------------- | | `GET /gr/incidents/{id}` (or incident lookup via platform layer) | REST | CL, IT, HR | High (needed for chart flag navigation) | | `GET /gr/compliance-status?org=&site=` | REST | CL, PM, HR | Medium | | `GET /gr/accreditation-readiness?org=` | REST | GR-06 AI, executive dashboard | Medium | *** ## Platform Layer Usage | Layer | PF Spec | GR Usage | Status | | ---------------------------- | ------- | ------------------------------------------------------------------------ | --------- | | Forms (PF-08) | PF-08 | Policy acknowledgment forms, audit checklists, compliance surveys | ✅ Used | | Notifications (PF-10) | PF-10 | Policy review reminders, compliance due dates, audit finding alerts | ✅ Used | | Documents (PF-11) | PF-11 | Policy documents, audit evidence, compliance certificates, contract docs | ✅ Used | | Reports (PF-12) | PF-12 | Compliance reports, audit reports, accreditation reports | ✅ Used | | AI (PF-27) | PF-27 | GR-06 AI Compliance Advisor; GR-10 contract analysis (Phase 2, planned) | Partial | | Permissions (PF-30) | PF-30 | Granular permission system for all GR entities | ✅ Used | | Workflow / Swim Lane (PF-73) | PF-73 | Diagram generation from GR-01 policies and GR-11 procedures | ✅ Used | | Picklists (PF-15) | PF-15 | Policy categories, compliance status, audit types | ❌ Pending | | Custom Fields (PF-16) | PF-16 | `gr_policies` custom\_fields | ❌ Pending | | Configurable Forms (PF-17) | PF-17 | Policy acknowledgment form, audit checklist form | ❌ Pending | **PF-15/16/17 adoption is tracked in [PF\_ADOPTION\_STATUS.md](../../../docs/development/PF_ADOPTION_STATUS.md).** *** ## Cross-Core Data References GR does not hold foreign keys to other cores (per constitution §1 / ADR-002 restrictions). Cross-core linkage is by UUID reference columns: | GR Entity | References | Method | | --------------------------- | ---------------------------- | ------------------------------------------------------------------ | | `gr_compliance_checks` | HR employees, FM vendors | UUID column (`entity_id`, `entity_type`) — no FK | | `gr_incidents` (GR-09) | CL `chart_id` | UUID column — no FK; link surfaced via `gr_incident_created` event | | `gr_contracts` | FM vendors, HR employees, FA | UUID columns (`counterparty_id`) — no FK | | `gr_accreditation_evidence` | Any document | Via PF-11 document UUIDs — no direct FK | *** ## Implementation Notes for GR-09 (Pending) The GR-09 Incident Reporting implementation must: 1. Create `gr_incidents` table with RLS, org isolation, and full audit trail. 2. Subscribe to `cl_safety_plan_activated` and `cl_restraint_event_documented` to auto-create draft incidents. 3. Publish `gr_incident_created` and `incident_created` on incident creation. 4. Subscribe to `it_security_incident_created` and `it_critical_vulnerability_detected` for IT-originated incidents. 5. Implement statutory deadline tracking for ARS 46-454, ARS 13-3620, AHCCCS AMPM 1620-O. 6. Create `gr_incident_regulatory_reports` sub-table for state/AHCCCS report tracking. 7. Add RLS tests for all new tables in `tests/rls/`. 8. Add E2E tests in `tests/e2e/gr-incident-workflow.test.ts`. See [GR-09-incident-reporting.md](../../../specs/gr/specs/GR-09-incident-reporting.md) for full spec.\ See [CL-GR-CLINICAL-INCIDENT-INTEGRATION.md](./CL-GR-CLINICAL-INCIDENT-INTEGRATION.md) for bridge implementation requirements. *** ## Testing Requirements | Test Type | File | Coverage | | --------------------------------- | ------------------------------------------------------------ | ----------------------------------------- | | RLS — policies | `tests/rls/gr-policies.rls.test.ts` | ✅ | | RLS — procedures | `tests/rls/gr-procedures.rls.test.ts` | ✅ | | RLS — audits | `tests/rls/gr-audits.rls.test.ts` | ✅ | | RLS — compliance | `tests/rls/gr-compliance*.rls.test.ts` | ✅ | | RLS — accreditation | `tests/rls/gr-accreditation*.rls.test.ts` | ✅ | | RLS — contracts | `tests/rls/gr-contracts.test.ts` | ✅ | | RLS — risks | `tests/rls/gr-risks.rls.test.ts` | ✅ | | RLS — incidents | `tests/rls/gr-incidents.rls.test.ts` | ❌ Missing — create when GR-09 implemented | | RLS — procedure templates | `tests/rls/gr-procedure-templates.rls.test.ts` | ❌ Missing — create when GR-12 implemented | | E2E — AI compliance advisor | `tests/e2e/gr-ai-compliance-advisor.test.ts` | ⚠️ Uses `test.fixme` — needs enabling | | E2E — incident workflow | `tests/e2e/gr-incident-workflow.test.ts` | ❌ Missing — create when GR-09 implemented | | Integration — procedure workflows | `src/cores/gr/tests/integration/procedure-workflows.test.ts` | ✅ | | Integration — contracts | `tests/integration/gr-contracts*.ts` | ✅ |