Skip to main content
Version: 1.0.0
Created: 2026-01-24
Status: ✅ Implemented
Spec Reference: specs/ce/specs/CE-08-sms-messaging-integration.md

Overview

This document defines the integration contracts for CE-08 (SMS/Text Messaging Integration). CE-08 integrates with multiple internal modules (CE-01, CE-03, CE-04, PF-10) and an external service (RingCentral SMS API).

Integration Patterns

Pattern Summary


Internal Integrations

CE-01: Contacts Integration

Pattern: Direct Reference (Foreign Key)
Direction: CE-08 → CE-01
Integration Points:
  • SMS matched to contact by phone number (E.164 format)
  • Contact detail includes SMS conversation tab
  • Consent status displayed on contact
  • SMS compose from contact detail page
API Contract:

CE-03: Platform Telephony Integration

Pattern: Platform Integration Layer
Direction: CE-08 → CE-03
Usage: Extend Platform Telephony Layer to include SMS alongside calls Import:
Integration Points:
  • Unified communication history (calls + SMS)
  • Shared phone number formatting utilities
  • RingCentral SMS API (if using RingCentral for telephony)

CE-04: Activities Integration

Pattern: Database Trigger (Event-Based)
Direction: CE-08 → CE-04
Trigger Contract:
Activity Created:

PF-10: Notifications Integration

Pattern: Platform Integration Layer
Direction: CE-08 → PF-10
Usage: In-app notifications for inbound SMS Import:
Notification Types: Notification Payload:

External Integrations

RingCentral SMS API Integration

Pattern: External API
Direction: Bi-directional
API Configuration:
API Endpoints Used: Edge Functions:
  • sms-send/index.ts - Send SMS via RingCentral
  • sms-webhook/index.ts - Receive inbound SMS and status updates
Request/Response Schemas: Send SMS Request:
Webhook Payload (Inbound / Status):

Event Contracts

SMS Sent Event

Event Name: ce.sms.sent
Publisher: CE-08
Subscribers: CE-04 (Activity creation)
Payload Schema:

SMS Received Event

Event Name: ce.sms.received
Publisher: CE-08 (webhook Edge Function)
Subscribers: PF-10 (Notifications), CE-04 (Activity creation)
Payload Schema:
Event Name: ce.sms.consent_changed
Publisher: CE-08
Subscribers: Audit logging
Payload Schema:

TCPA Compliance Contract

Express Written Consent (Marketing):
  • Required before sending marketing messages
  • Must capture: timestamp, method, source
  • Must be stored in ce_sms_consent table
Prior Express Consent (Informational):
  • Required for informational messages
  • Can be implied from business relationship
  • Document consent source

Opt-Out Contract

Keywords Recognized:
  • STOP, UNSUBSCRIBE, CANCEL, END, QUIT (case-insensitive)
Processing Requirements:
  1. Detect keyword in inbound message
  2. Update ce_sms_consent.consent_status to opted_out
  3. Record opted_out_at timestamp and opted_out_keyword
  4. Send confirmation: “You have been unsubscribed. Reply START to resubscribe.”
  5. Log activity for compliance audit
  6. Notify assigned users
Enforcement:
  • Hard block on sending to opted-out numbers
  • Check performed in sms-send Edge Function before API call
  • RLS does NOT prevent viewing opted-out contacts (for compliance review)

Security Considerations

Phone Number Privacy

  • Phone numbers stored in E.164 format
  • Display masked in UI (show last 4 digits only)
  • No phone numbers in application logs
  • Encrypted in transit (TLS 1.2+)

RingCentral Credential Security

  • Credentials stored in Supabase Secrets
  • Never exposed in client-side code
  • Webhook signature validation required

PHI Detection

  • Message content scanned for PHI patterns
  • Warning shown to user before send (not hard block)
  • Patterns: SSN, DOB formats, medical terms
  • Configurable via sms_phi_detection_mode setting

Module Settings

Settings stored in ce_module_settings:

Implementation Status


Security & Compliance Controls

CE-08 implements comprehensive security and compliance controls for SMS messaging:

PHI Detection

Implementation: supabase/functions/sms-send/index.ts
  • PHI detection runs before message send (when phiDetectionEnabled is true in provider config)
  • Detected PHI patterns are logged to ce_sms_messages.phi_detected and phi_detection_result fields
  • Detection uses pattern matching from _shared/phi-detection.ts utility
  • PHI detection results are included in audit logs for compliance review

TCPA Opt-Out Handling

Implementation: supabase/functions/sms-webhook/index.ts
  • Opt-out keywords detected: STOP, UNSUBSCRIBE, CANCEL, END, QUIT, STOPALL, UNSUBSCRIBEALL
  • Automatic consent revocation when opt-out keywords are received
  • Confirmation message sent: “You have been unsubscribed and will no longer receive SMS messages from us.”
  • Consent status updated in ce_sms_consent table with consent_status = 'revoked' and revoked_at timestamp
  • Future sends blocked via checkSmsConsent() validation in sms-send function

Webhook Signature Validation

Implementation: supabase/functions/sms-webhook/index.ts
  • RingCentral webhooks validated via the Validation-Token header during subscription validation
  • Inbound/status notifications are parsed from the RingCentral JSON envelope
  • Signature/token validation ensures webhook authenticity and prevents spoofing
  • Invalid signatures result in 403 Forbidden responses

Provider Abstraction & Configuration

Implementation: supabase/functions/_shared/sms-provider.ts, supabase/functions/_shared/ringcentral-client.ts
  • Provider abstraction routes all SMS through RingCentral
  • Provider configuration loaded from ce_module_settings with fallback to environment variables
  • Business hours enforcement via isWithinBusinessHours() utility
  • Phone number normalization to E.164 format via normalizeToE164()
  • Segment calculation for multi-part messages via calculateSmsSegments()
Implementation: supabase/functions/_shared/sms-provider.ts
  • checkSmsConsent() validates consent status before sending
  • Consent checked per contact phone number in ce_sms_consent table
  • Required consent status: 'granted' with valid granted_at timestamp
  • Revoked consent blocks all future sends until new consent is granted

References


Last Updated: 2026-01-24