Last Updated: 2026-06-11
Spec: PF-101 Google Workspace Integration
Status: In Progress (38/44 tasks; schema baselined, edge functions + settings UI shipped; Drive/Chat/consumer cutover pending)
Constitution Reference: Section 1.3 (Integration Patterns), Section 4.2 (PHI/PII Handling), Section 5.7 (RLS)
Overview
PF-101 defines the tenant-level Google Workspace connector for Admin SDK Directory, Gmail, Calendar/Meet, Drive, Chat, License Manager, and Reports APIs. It consolidates the existing Gmail and Calendar paths into a governed PF integration layer, while HR, CE, PF-10, PF-11, and PF-86 remain consumers.Integration Points
Platform Layer Contract
Planned package:src/platform/integrations/google-workspace/
Event Contracts
HR-01 publisher status (confirmed 2026-04-28):hr_employee_created,hr_employee_assigned_to_site, andhr_employee_terminatedare documented as published by HR-01 inHR-01-employee-directory-INTEGRATION.md§Events. The canonical-name registry rows forhr_employee_createdandhr_employee_assigned_to_siteare added toEVENT_CONTRACTS.md§HR Core Events alongside the existinghr_employee_terminatedrow. PF-76 disambiguation: “PF-76” in this document = PF-76 Credential Vault (specs/pf/specs/PF-76-credential-vault.md), not PF-76 React 19 Migration. Cross-core column comment: Migrations creatingpf_google_workspace_user_links.employee_idMUST addCOMMENT ON COLUMN ... IS 'Cross-core reference to hr_employees.id (HR core); no FK; validated at application layer.'perdatabase-patterns.
Consumed: hr_employee_created
Publisher: HR-01Subscriber: PF-101
Purpose: Provision or link a Google Workspace user when tenant policy enables account provisioning. Minimum payload:
Consumed: hr_employee_assigned_to_site
Publisher: HR-01Subscriber: PF-101
Purpose: Reconcile site-based group, org unit, Drive, Calendar resource, or Chat mappings when a tenant explicitly enables site mapping sync. Minimum payload:
Consumed: hr_employee_terminated
Publisher: HR-01Subscriber: PF-101
Purpose: Suspend/offboard linked Workspace user, revoke licenses, remove groups, and queue Drive transfer review. Minimum payload:
Published: pf_google_workspace_user_provisioned
Publisher: PF-101
Subscribers: PF-10, HR status consumers
Purpose: Signal successful Workspace user provisioning without exposing secrets or PHI.
Note: Subscribers requiring the email address must perform scoped lookups using google_user_id or profile_id.
Published: pf_google_workspace_connector_degraded
Publisher: PF-101Subscribers: PF-10, PF-36
Purpose: Alert admins when credential, scope, quota, BAA gate, or sync health degrades.
Edge Function Contracts
All functions must use PF-76 credential retrieval, PF-42 rate limiting where applicable, sanitized errors, and correlation IDs.
Tenant-scoping contract: Service-role edge functions (
google-workspace-directory-sync, google-workspace-provision-user, google-workspace-offboard-user, google-workspace-calendar-sync, google-workspace-drive-sync, google-workspace-reports-ingest, google-workspace-chat-notify) MUST include explicit tenant-scoping filters on all queries against multi-tenant tables:
.eq('organization_id', organizationId)— REQUIRED on all multi-tenant table queries.eq('connection_id', connectionId)— REQUIRED where applicable (connection-scoped resources)
Security and Compliance
- No PHI-capable Gmail, Calendar, Drive, Chat, or Meet operation may run unless
pf_google_workspace_connections.baa_attested_atis set and tenant policy enables the capability. - Raw Google credentials, service account keys, OAuth client secrets, refresh tokens, and Pub/Sub webhook secrets remain in PF-76 only.
- Domain-wide delegation scopes are versioned, reviewed, and tested per capability.
- Restricted Google OAuth scopes require verification/security-assessment status tracking before production use.
- Chat messages, calendar titles, logs, cache keys, and telemetry must not contain PHI/PII.
Testing
- Contract tests for each edge function with mocked Google API 200/401/403/429/5xx responses.
- RLS tests for all PF-101 tables.
- Integration tests for HR event consumption, Gmail send, Calendar free/busy/event, group sync preview, and Reports ingestion.
- Manual setup wizard tests using non-PHI tenant data before production enablement.