Developer-ready checklist for Module 11: Document Center / File Library, following the same engineering-compliance template as prior modules. It’s built for direct dev, QA, and audit use during implementation and hand-off.
11. Document Center / File Library — Developer Checklist
(OSHA §1910.1200 (e)(1)(iii) record availability & retention compliance)
0) Foundations (blockers if incomplete)
- Feature flags: docs.enabled, docs.versioning, docs.review_workflow, docs.ai_search, docs.integrations.
- DB schema: documents, document_versions, document_tags, document_reviews, document_access_logs, document_embeddings.
- Storage backends: DigitalOcean Spaces (default) + Google Drive / S3 (Pro).
- Indexing services: pgvector / Pinecone (Pro) for semantic search.
- Scheduler: daily expiry check → Sentinel (#9) alerts + monthly digest generator.
- UI shell: drag-and-drop uploader, breadcrumb nav, preview pane, version timeline.
11.1 Purpose / Audit Hooks
- Emit events: doc.uploaded, doc.versioned, doc.approved, doc.expired, doc.review_due, doc.accessed.
- Integrate with Insights (#8) for doc counts & review rates.
- Feed expiry alerts into Sentinel (#9).
- Acceptance: Metrics and alerts reflect library state across modules.
11.2 Structure & Organization
- Folder tree: Company → Site → Location → Module.
- Custom folders per org; rename/drag enabled.
- Breadcrumbs + upload to current path.
- Metadata fields: name, type, site, uploader, owner, version, tags, expiry, review interval.
- Acceptance: Folder permissions inherit from Site/Company roles; metadata visible in grid and detail view.
11.3 Uploading & Version Control
11.3.1 Upload Methods
- Manual upload (PDF/DOCX/PPTX/XLSX/Images).
- Bulk ZIP / CSV mapping.
- Drive / SharePoint / S3 connectors (Pro).
- Acceptance: Upload < 5 s per file; duplicates handled via version merge prompt.
11.3.2 Versioning
- Auto increment (V1→V2).
- “Mark as Superseded” flag.
- Compare versions (diff); Pro adds AI summary diff.
- Acceptance: History timeline accurate; download restores correct version.
11.3.3 Integrity & Retention
- SHA-256 hash stored for each file.
- Default retention 5 yrs (configurable).
- Auto-archive expired → read-only state.
11.4 Search & Retrieval
11.4.1 Standard Search
- Title/tag/type/site/uploader filters.
- “Expiring Soon” flag.
11.4.2 AI Search (Pro)
- Full-text embeddings for SDS, Plans, Training docs.
- Natural-language query → top-k docs + summary snippets.
11.4.3 Linked Access
- Deep links from HazCom Plans, Training, Incidents, Audits.
- Acceptance: Search latency < 1 s; AI results relevant (precision > 0.8).
11.5 Approvals & Review Workflow
- Workflow: Upload → Reviewer → Approve/Reject → Publish.
- Role mapping per category (Plan, Training, Permit).
- Reminders X days before expiry; AI triggers on related changes (e.g., new SDS).
- Audit trail of uploader, reviewer, decision + timestamps.
- Acceptance: Approvals recorded; rejected files return to Draft; exports show sign-off log.
11.6 Notifications & Alerts
Acceptance: Alerts per tier; no spam duplicates; Sentinel logs delivery.
11.7 Analytics & Insights
- KPIs: total docs, review rate, expiration rate, overdue count.
- Charts: category pie, expiry trend line.
- AI (Pro): missing mandatory docs, stale files, monthly “Document Health Digest”.
- Acceptance: Digest PDF emailed monthly to Coordinator; metrics update nightly.
11.8 Permissions & Security
- Role matrix: Admin (all), Manager (site), Employee (read SDS/Training), Contractor (temp read).
- Field-level encryption (Pro) for medical docs.
- 2-factor approval for critical uploads (optional).
- Access logs with user/IP/timestamp/device.
- Acceptance: RLS enforced; access logs visible in AdminHQ (#14).
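The access-log fields above, written as the append-only hash chain that the Security Checklist asks for. This is an added example, not code from the module; the entry layout, the all-zero genesis value, the function names and the sample rows are assumptions made for illustration.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed prev_hash value for the first entry

def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON form of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

def append(log: list, record: dict) -> dict:
    """Append a record, linking it to the hash of the entry before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev_hash": prev_hash,
             "hash": entry_hash(prev_hash, record)}
    log.append(entry)
    return entry

def verify(log: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first broken entry, or None if the chain is intact."""
    # expected_head is the last hash as recorded outside the log (for example in
    # an export); without it, removing entries from the tail goes unnoticed.
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if (entry["prev_hash"] != prev_hash
                or entry["hash"] != entry_hash(prev_hash, entry["record"])):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return None

def demo() -> dict:
    """Build a constructed three-row log, then edit a row and truncate the tail."""
    log = []
    for user, ip, ts in [("u-17", "203.0.113.5", "2025-01-06T09:00:00Z"),
                         ("u-22", "203.0.113.9", "2025-01-06T09:05:00Z"),
                         ("u-17", "203.0.113.5", "2025-01-06T09:07:00Z")]:
        append(log, {"event": "doc.accessed", "user": user, "ip": ip,
                     "timestamp": ts, "device": "web"})
    head = log[-1]["hash"]
    intact = verify(log, head)
    log[1]["record"]["user"] = "u-99"   # in-place edit of a stored row
    edited = verify(log, head)
    log[1]["record"]["user"] = "u-22"   # undo the edit
    del log[-1]                         # drop the newest entry
    truncated = verify(log, head)
    return {"intact": intact, "edited": edited, "truncated": truncated}
```

Storing the head hash somewhere the log writer cannot rewrite (an export, a separate table) is what lets `verify` catch truncation as well as edits.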
11.9 Tier Validation
Acceptance: Feature availability matches license flags and UI/API restrictions.
Security Checklist (must-pass)
- Tenant RLS on documents and versions.
- Checksum verification on upload/download.
- Signed URLs with 1-h TTL; revocable.
- Virus/MIME scan before persist.
- Audit log append-only with hash chain.
- PII redaction in AI indexer.
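One way to meet the signed-URL item (1-h TTL, revocable), as an added example rather than the module's own code. The HMAC-SHA256 scheme, the query parameter names, the in-memory revocation set, the demo key and the sample path are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-demo-key"  # assumption: real key comes from a secret store
TTL_SECONDS = 3600                # the checklist's 1-h TTL
REVOKED = set()                   # assumption: a DB table in a real deployment

def _sig(path: str, exp: int, link_id: str) -> str:
    """HMAC over path, expiry and link id, so none can be changed independently."""
    msg = f"{path}\n{exp}\n{link_id}".encode("utf-8")
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def sign_url(path: str, link_id: str, now: float) -> str:
    """Issue a link to `path` that stops working TTL_SECONDS after `now`."""
    exp = int(now) + TTL_SECONDS
    query = urlencode({"exp": exp, "id": link_id, "sig": _sig(path, exp, link_id)})
    return f"{path}?{query}"

def revoke(link_id: str) -> None:
    """Invalidate an issued link before its TTL runs out."""
    REVOKED.add(link_id)

def check_url(url: str, now: float) -> str:
    """Return 'ok' or the reason the link is refused."""
    parts = urlparse(url)
    q = parse_qs(parts.query)
    try:
        exp, link_id, sig = int(q["exp"][0]), q["id"][0], q["sig"][0]
    except (KeyError, ValueError):
        return "malformed"
    # Check the signature first: exp and id are untrusted until it matches.
    expected = _sig(parts.path, exp, link_id)
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        return "bad_signature"
    if now >= exp:
        return "expired"
    if link_id in REVOKED:
        return "revoked"
    return "ok"
```

Because the path is part of the signed message, a link issued for one document version cannot be reused for another.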
QA Test Matrix
Happy Paths
- Upload SDS → auto tag → version V1 created.
- Upload revised SDS → V2 auto-incremented → V1 archived.
- Reviewer approves Plan PDF → Sentinel logs event.
- AI search “flammable PPE policy” returns correct doc snippet.
Edge Cases
- Duplicate filename → merge prompt.
- Drive integration failure → fallback manual upload.
- Expired doc → auto-archive; restore works.
- Reviewer rejects doc → status back to Draft.
- Pro AI diff disabled → manual compare still works.
Performance
- Search query p95 < 700 ms.
- Upload throughput ≥ 25 MB / s.
- Digest job completes < 3 min (10k docs).
Observability / Alerts
- Metrics: uploads/day, storage used, expired count, AI index latency.
- System alerts: upload failures, virus detections, indexer timeouts.
- Weekly health email to Ops & Coordinator.
Deliverables (Definition of Done)
Figma/UI: Library browser, upload modal, version timeline, AI search results, review workflow, analytics page.
OpenAPI: /documents, /documents/{id}/versions, /documents/search, /documents/reviews, /documents/exports.
Localization: EN/ES UI and email templates.
E2E tests: upload/version/approve/search/export flows.
Admin tools: bulk expire, force reindex, purge old versions, access log export.
Rollback plan: disable docs.ai_search → fallback to keyword search; core uploads unaffected.
Notification channels by plan (11.6):

| Plan | Channels | Focus |
|---|---|---|
| Starter | Email only | Upload & expiry reminders |
| Standard | Email + In-app | Pending review & expiring docs |
| Pro | Email + In-app + Slack/Webhook (+SMS opt) | AI prioritized high-risk alerts |

Feature availability by tier (11.9):

| Feature | Starter | Standard | Pro |
|---|---|---|---|
| Manual Upload | ✅ | ✅ | ✅ |
| Bulk Upload | — | ✅ | ✅ |
| Drive/S3 Integration | — | — | ✅ |
| Versioning | Basic | Full | Full + AI Diff |
| Review Workflow | Manual | Approvals + Reminders | + AI Suggestions |
| Search | Keyword | Keyword + Filters | AI Semantic |
| Alerts | Email + In-app | All + Webhook | |
| Analytics | Counts | Dashboard | AI Digest |
| Exports | PDF + CSV | PDF + CSV + XLSX + API | |
| Security | Role Read Only | Role + Approvals | Encryption + Logs |

✅ Compliance Alignment

| Regulation | Feature | Purpose |
|---|---|---|
| §1910.1200 (e)(1)(iii) | Central library | Employees can access written plan/SDS |
| Record Retention | Versioning + retention | Maintain 5-year records |
| Contractor access | Temporary read roles | Share information securely |
| Periodic review | Reminders + AI triggers | Ensure SDS/plans current |
| Audit evidence | Access logs + exports | Prove traceability to inspectors |