Feature ID: PF-48
Status: ✅ Complete
Spec: PF-48-security-event-monitoring.md
Last Updated: 2026-02-12

Overview

PF-48 integrates with PF-04 (Audit Logging), PF-10 (Notifications), and PF-36 (System Health Dashboard) via event-based and platform patterns. Security events are emitted from the database (trigger → pg_notify / Database Webhook) and consumed by an Edge Function that delivers alerts and feeds dashboards.

Integration Points (from Spec)

| Dependency | Pattern | Purpose |
| --- | --- | --- |
| PF-04 (Audit Logging) | Event / Audit | All security events are audited |
| PF-10 (Notifications) | Event / Platform | Security alerts sent via notification system (email, in-app; SMS when supported) |
| PF-36 (System Health Dashboard) | Event / Data | Security events displayed on health dashboard |

Event Contract

Event name: security_event_detected (logical). Table: pf_security_events. Channel/payload: security_event pg_notify or Database Webhook payload.
  • Publisher: PF-48 (security event monitoring; INSERT on pf_security_events)
  • Subscribers: PF-04 (Audit), PF-10 (Notifications), PF-36 (Health Dashboard)
  • Payload (notification payload shape):
    • event_id: uuid
    • organization_id: uuid (nullable for pre-auth/system events)
    • event_type: text
    • severity: text
  • Handler requirements: To prevent TOCTOU and ensure authorization checks, handlers MUST:
    • (1) refetch the full row from pf_security_events by event_id before any sensitive processing;
    • (2) verify fetched_row.organization_id matches notification.organization_id and enforce org-level authorization;
    • (3) validate payload keys (event_id, organization_id, event_type, severity) before processing;
    • (4) implement resilient delivery (retries with backoff, DLQ for permanent failures).
    See spec Downstream Service Contract.
  • Documentation: EVENT_CONTRACTS.md — add PF-48 entry when implemented.

Implementation Notes

  • Downstream handler: Supabase Database Webhook on pf_security_events INSERT invokes an Edge Function. The function refetches the event row from pf_security_events, enforces org-level authorization, then calls PF-10 for delivery and may log to PF-04 / feed PF-36.
  • Dead-letter: On permanent delivery failure, the handler MUST write a row to pf_security_alert_delivery_failures (see spec Data Model). No PHI in payload_reference.
  • IP blocking: Enforced at edge/API layer (document exact point in implementation plan).
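
The handler requirements in the Event Contract and the downstream handler and dead-letter notes above, as an added TypeScript example (not code from the PF-48 spec or the project). The `Deps` interface, the outcome strings and the retry policy are assumptions; database access, PF-10 delivery and the dead-letter write are injected so the control flow runs offline.

```typescript
// Added example: Deps, the outcome strings and the retry policy (3 attempts,
// doubling backoff from 500 ms) are assumptions; field names come from the contract.
type Notification = { event_id: string; organization_id: string | null; event_type: string; severity: string };
type Row = Notification; // stored row in pf_security_events; other columns omitted
type Deps = {
  fetchRow: (eventId: string) => Promise<Row | null>; // read pf_security_events by event_id
  isAuthorized: (orgId: string | null) => boolean; // org-level authorization decision
  deliver: (row: Row) => Promise<void>; // PF-10 delivery, throws on failure
  deadLetter: (eventId: string, reason: string) => Promise<void>; // pf_security_alert_delivery_failures
  sleep: (ms: number) => Promise<void>;
};
const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Requirement (3): all four contract keys present with the expected types.
function validatePayload(p: unknown): Notification | null {
  if (typeof p !== "object" || p === null) return null;
  const { event_id, organization_id, event_type, severity } = p as Record<string, unknown>;
  if (typeof event_id !== "string" || !UUID.test(event_id)) return null;
  const orgOk = organization_id === null ||
    (typeof organization_id === "string" && UUID.test(organization_id));
  if (!orgOk || typeof event_type !== "string" || typeof severity !== "string") return null;
  return { event_id, organization_id: organization_id as string | null, event_type, severity };
}

async function handleSecurityEvent(payload: unknown, deps: Deps): Promise<string> {
  const n = validatePayload(payload);
  if (!n) return "rejected:invalid_payload";
  // Requirement (1): the payload is only a pointer; act on the stored row.
  const row = await deps.fetchRow(n.event_id);
  if (!row) return "rejected:not_found";
  // Requirement (2): stored org must equal the notified org, then authorize it.
  if (row.organization_id !== n.organization_id) return "rejected:org_mismatch";
  if (!deps.isAuthorized(row.organization_id)) return "rejected:unauthorized";
  // Requirement (4): bounded retries with backoff, then dead-letter.
  for (let attempt = 0; attempt < 3; attempt++) {
    try {
      await deps.deliver(row);
      return "delivered";
    } catch {
      if (attempt < 2) await deps.sleep(500 * 2 ** attempt);
    }
  }
  await deps.deadLetter(row.event_id, "delivery_failed"); // reason only, no payload data
  return "dead_lettered";
}
```

A payload whose organization_id differs from the stored row is rejected before any delivery attempt, which is the case the refetch-and-compare requirement exists for.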