Skip to main content
Version: 1.0.0
Last Updated: 2026-03-20
Spec: HR-02 Credentialing & Compliance
Constitution Reference: Section 1.2 (Core Independence), Section 1.3 (Integration Patterns)

Overview

HR-02 manages employee credentials, certifications, and compliance tracking. It publishes events for credential expiration and verification, and integrates with PF-10 (Notifications), PF-11 (Document Management), and FW (Forms & Workflow) for renewal workflows.

Integration Points

Platform Foundation (PF) Dependencies

Required PF Features:
  • PF-10 (Notifications): Send expiration alerts (90/60/30/14/7 days), verification status notifications
  • PF-11 (Document Management): Store credential PDFs, manage versions, secure access
  • PF-04 (Audit Logging): Log credential uploads, verifications, expirations for compliance
  • FW (Forms & Workflow): Credential renewal workflows (Enhancement 1)
Integration Type: Direct dependency (PF features are complete), Platform Integration Layer for FW

Consumer Core Dependencies (Downstream)

Internal HR Features:
  • HR-01 (Employee Directory): Links credentials to employees, displays compliance status on profile
  • HR-03 (Onboarding): New hire checklist includes credential uploads
  • HR-04 (Scheduling): Blocks scheduling for employees with expired credentials (via event subscription)
  • HR-05 (Time Tracking): Blocks clock-in for employees with expired credentials (via event subscription)
  • HR-07 (Payroll): Compliance report for payroll eligibility
External Cores:
  • RH (Recovery Housing): Clinical staff credential verification for resident care (future)
  • GR (Governance): Training completion tracking (future)

Event Contracts

Event: hr_credential_expired (canonical)

Publisher: HR (HR-02)
Subscribers: HR-04 (Scheduling), HR-05 (Time Tracking)
Status: 📝 Planned (Q2 2026)
Purpose: Block scheduling and time tracking for employees with expired credentials Payload Schema:
Note: Event name follows canonical {core}_{entity}_{action} format. Legacy alias credential_expired may be deprecated in favor of hr_credential_expired.

Event: hr_credential_verified

Publisher: HR (HR-02)
Subscribers: HR-04 (Scheduling)
Status: 📝 Planned (Q2 2026)
Purpose: Enable scheduling once credentials are verified Payload Schema:

Event: hr_credential_renewal_workflow_started (Enhancement 1)

Publisher: HR (HR-02)
Subscribers: FW (Forms & Workflow)
Status: 📝 Planned (Enhancement 1)
Purpose: Trigger renewal workflow 60 days before credential expiration Payload Schema:

Event: hr_credential_renewed (Enhancement 1)

Publisher: FW (Forms & Workflow)
Subscribers: HR-02
Status: 📝 Planned (Enhancement 1)
Purpose: Update credential expiration date after renewal workflow completes Payload Schema:

Platform Integration Layer Usage

Consumes:
  • PF-10 (Notifications):
    • Expiration alerts via send_notification() function
    • Notification types: credential_expiring, credential_expired, credential_verified
    • Channels: in_app, email (future)
  • PF-11 (Document Management):
    • Credential PDFs stored in pf_documents bucket
    • Category: credential
    • Access controlled via document permissions
  • PF-12 (Reports):
    • Compliance reports (expiration forecasts, audit reports)
    • Pre-built templates for credential compliance
  • FW (Forms & Workflow):
    • Credential renewal workflows via @/platform/forms
    • Renewal form templates and approval gates
    • Workflow triggers based on credential expiration dates

Integration Examples

Example 1: Send Expiration Alert via PF-10

Example 2: Store Credential Document via PF-11


Security Considerations

Multi-Tenancy

  • RLS Enforcement: All hr_credentials tables filtered by organization_id via RLS policies
  • Document Access: Credential PDFs access-controlled via PF-11 document permissions

Role-Based Access Control

  • HR Admin: Full access to all credentials (CRUD)
  • Manager: View credentials for direct reports
  • Staff: View own credentials only

Data Protection

  • PII Handling: Credential documents may contain PII; stored securely in PF-11
  • Audit Trail: All credential uploads, verifications, expirations logged via PF-04

Testing Requirements

  • Event payload structure validation
  • Event fires on trigger condition (credential expiration, verification)
  • Correct organization_id included in all events
  • Subscribers handle events correctly (HR-04, HR-05, FW)
  • PF-10 notifications sent at correct expiration thresholds
  • PF-11 document upload and access control works correctly
  • RLS policies enforce org isolation on credential queries

References