Created: 2026-01-24
Status: ✅ Implemented
Spec Reference:
specs/ce/specs/CE-08-sms-messaging-integration.md
Overview
This document defines the integration contracts for CE-08 (SMS/Text Messaging Integration). CE-08 integrates with multiple internal modules (CE-01, CE-03, CE-04, PF-10) and an external service (RingCentral SMS API).Integration Patterns
Pattern Summary
Internal Integrations
CE-01: Contacts Integration
Pattern: Direct Reference (Foreign Key)Direction: CE-08 → CE-01
- SMS matched to contact by phone number (E.164 format)
- Contact detail includes SMS conversation tab
- Consent status displayed on contact
- SMS compose from contact detail page
CE-03: Platform Telephony Integration
Pattern: Platform Integration LayerDirection: CE-08 → CE-03 Usage: Extend Platform Telephony Layer to include SMS alongside calls Import:
- Unified communication history (calls + SMS)
- Shared phone number formatting utilities
- RingCentral SMS API (if using RingCentral for telephony)
CE-04: Activities Integration
Pattern: Database Trigger (Event-Based)Direction: CE-08 → CE-04 Trigger Contract:
PF-10: Notifications Integration
Pattern: Platform Integration LayerDirection: CE-08 → PF-10 Usage: In-app notifications for inbound SMS Import:
Notification Payload:
External Integrations
RingCentral SMS API Integration
Pattern: External APIDirection: Bi-directional API Configuration:
Edge Functions:
sms-send/index.ts- Send SMS via RingCentralsms-webhook/index.ts- Receive inbound SMS and status updates
Event Contracts
SMS Sent Event
Event Name:ce.sms.sentPublisher: CE-08
Subscribers: CE-04 (Activity creation) Payload Schema:
SMS Received Event
Event Name:ce.sms.receivedPublisher: CE-08 (webhook Edge Function)
Subscribers: PF-10 (Notifications), CE-04 (Activity creation) Payload Schema:
Consent Changed Event
Event Name:ce.sms.consent_changedPublisher: CE-08
Subscribers: Audit logging Payload Schema:
TCPA Compliance Contract
Consent Requirements
Express Written Consent (Marketing):- Required before sending marketing messages
- Must capture: timestamp, method, source
- Must be stored in
ce_sms_consenttable
- Required for informational messages
- Can be implied from business relationship
- Document consent source
Opt-Out Contract
Keywords Recognized:- STOP, UNSUBSCRIBE, CANCEL, END, QUIT (case-insensitive)
- Detect keyword in inbound message
- Update
ce_sms_consent.consent_statustoopted_out - Record
opted_out_attimestamp andopted_out_keyword - Send confirmation: “You have been unsubscribed. Reply START to resubscribe.”
- Log activity for compliance audit
- Notify assigned users
- Hard block on sending to opted-out numbers
- Check performed in
sms-sendEdge Function before API call - RLS does NOT prevent viewing opted-out contacts (for compliance review)
Security Considerations
Phone Number Privacy
- Phone numbers stored in E.164 format
- Display masked in UI (show last 4 digits only)
- No phone numbers in application logs
- Encrypted in transit (TLS 1.2+)
RingCentral Credential Security
- Credentials stored in Supabase Secrets
- Never exposed in client-side code
- Webhook signature validation required
PHI Detection
- Message content scanned for PHI patterns
- Warning shown to user before send (not hard block)
- Patterns: SSN, DOB formats, medical terms
- Configurable via
sms_phi_detection_modesetting
Module Settings
Settings stored ince_module_settings:
Implementation Status
Security & Compliance Controls
CE-08 implements comprehensive security and compliance controls for SMS messaging:PHI Detection
Implementation:supabase/functions/sms-send/index.ts
- PHI detection runs before message send (when
phiDetectionEnabledis true in provider config) - Detected PHI patterns are logged to
ce_sms_messages.phi_detectedandphi_detection_resultfields - Detection uses pattern matching from
_shared/phi-detection.tsutility - PHI detection results are included in audit logs for compliance review
TCPA Opt-Out Handling
Implementation:supabase/functions/sms-webhook/index.ts
- Opt-out keywords detected:
STOP,UNSUBSCRIBE,CANCEL,END,QUIT,STOPALL,UNSUBSCRIBEALL - Automatic consent revocation when opt-out keywords are received
- Confirmation message sent: “You have been unsubscribed and will no longer receive SMS messages from us.”
- Consent status updated in
ce_sms_consenttable withconsent_status = 'revoked'andrevoked_attimestamp - Future sends blocked via
checkSmsConsent()validation insms-sendfunction
Webhook Signature Validation
Implementation:supabase/functions/sms-webhook/index.ts
- RingCentral webhooks validated via the
Validation-Tokenheader during subscription validation - Inbound/status notifications are parsed from the RingCentral JSON envelope
- Signature/token validation ensures webhook authenticity and prevents spoofing
- Invalid signatures result in 403 Forbidden responses
Provider Abstraction & Configuration
Implementation:supabase/functions/_shared/sms-provider.ts, supabase/functions/_shared/ringcentral-client.ts
- Provider abstraction routes all SMS through RingCentral
- Provider configuration loaded from
ce_module_settingswith fallback to environment variables - Business hours enforcement via
isWithinBusinessHours()utility - Phone number normalization to E.164 format via
normalizeToE164() - Segment calculation for multi-part messages via
calculateSmsSegments()
Consent Verification
Implementation:supabase/functions/_shared/sms-provider.ts
checkSmsConsent()validates consent status before sending- Consent checked per contact phone number in
ce_sms_consenttable - Required consent status:
'granted'with validgranted_attimestamp - Revoked consent blocks all future sends until new consent is granted
References
- Spec:
specs/ce/specs/CE-08-sms-messaging-integration.md - Plan:
specs/ce/plans/CE-08-sms-messaging-PLAN.md - Tasks:
specs/ce/tasks/CE-08-sms-messaging-TASKS.md - RingCentral SMS API: https://developers.ringcentral.com/api-reference/SMS
- TCPA Guidelines: https://www.fcc.gov/consumers/guides/stop-unwanted-robocalls-and-texts
- Integration Patterns:
docs/architecture/integrations/index.md
Last Updated: 2026-01-24