Documentation Index
Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt
Use this file to discover all available pages before exploring further.
Generated: 2026-01-11
Total Tables: 433
Overall Coverage: 94.2%
Executive Summary
| Metric | Count | Percentage |
|---|
| Tables with Full Coverage (4 policies) | 408 | 94.2% |
| Tables with Partial Coverage (intentional) | 20 | 4.6% |
| Tables with Special Access Patterns | 5 | 1.2% |
| Tables Missing RLS | 0 | 0.0% |
Coverage by Module
| Module | Prefix | Total Tables | Full | Partial | Special |
|---|
| Platform Foundation | pf_ | 73 | 68 | 3 | 2 |
| Human Resources | hr_ | 75 | 70 | 4 | 1 |
| Finance & Accounting | fa_ | 45 | 43 | 2 | 0 |
| Forms & Workflow | fw_ | 54 | 48 | 4 | 2 |
| Recovery Housing | rh_ | 51 | 49 | 2 | 0 |
| Facilities Management | fm_ | 22 | 21 | 1 | 0 |
| Governance & Risk | gr_ | 49 | 47 | 2 | 0 |
| Leadership OS | lo_ | 29 | 28 | 1 | 0 |
| IT Service Management | it_ | 35 | 34 | 1 | 0 |
Policy Type Coverage
UPDATE Policies WITH CHECK Clause
| Status | Count | Notes |
|---|
| ✅ Has WITH CHECK | 398 | All UPDATE policies have WITH CHECK |
| ⚠️ Missing WITH CHECK | 0 | None remaining after audit |
Recursion-Safe Policies
| Status | Count | Notes |
|---|
| ✅ Uses SECURITY DEFINER helpers | 433 | All policies use helper functions |
| ❌ Direct pf_user_roles query | 0 | None remaining after audit |
Detailed Coverage Tables
| Table | SELECT | INSERT | UPDATE | DELETE | WITH CHECK | Notes |
|---|
| pf_organizations | ✅ | ✅ | ✅ | ✅ | ✅ | |
| pf_profiles | ✅ | ✅ | ✅ | ✅ | ✅ | |
| pf_sites | ✅ | ✅ | ✅ | ✅ | ✅ | |
| pf_user_roles | ✅ | ✅ | ✅ | ✅ | ✅ | |
| pf_departments | ✅ | ✅ | ✅ | ✅ | ✅ | |
| pf_notifications | ✅ | ✅ | ✅ | ✅ | ✅ | |
| pf_documents | ✅ | ✅ | ✅ | ✅ | ✅ | |
| pf_document_versions | ✅ | ✅ | - | - | - | Version table (immutable) |
| pf_audit_logs | ✅ | ✅ | - | - | - | Audit table (append-only) |
| pf_health_metrics | ✅ | ✅ | ✅ | ✅ | ✅ | Platform admin only |
| pf_integration_credentials | ❌ | ❌ | ❌ | ❌ | ❌ | Deny-all (service-only) |
| pf_marketplace_ratings | ✅ | ✅ | ✅ | ✅ | ✅ | Public read intentional |
Human Resources (HR)
| Table | SELECT | INSERT | UPDATE | DELETE | WITH CHECK | Notes |
|---|
| hr_employees | ✅ | ✅ | ✅ | ✅ | ✅ | |
| hr_positions | ✅ | ✅ | ✅ | ✅ | ✅ | |
| hr_departments_v | ✅ | ✅ | ✅ | ✅ | ✅ | |
| hr_leave_requests | ✅ | ✅ | ✅ | ✅ | ✅ | |
| hr_leave_balances | ✅ | ✅ | ✅ | ✅ | ✅ | |
| hr_timesheets | ✅ | ✅ | ✅ | ✅ | ✅ | |
| hr_timesheet_entries | ✅ | ✅ | ✅ | ✅ | ✅ | |
| hr_payroll_runs | ✅ | ✅ | ✅ | ✅ | ✅ | |
| hr_payroll_records | ✅ | ✅ | ✅ | ✅ | ✅ | |
| hr_payroll_audit_log | ✅ | ✅ | - | - | - | Audit table |
| hr_ssn_access_log | ✅ | ✅ | - | - | - | Audit table |
| hr_document_access_logs | ✅ | ✅ | - | - | - | Audit table |
Finance & Accounting (FA)
| Table | SELECT | INSERT | UPDATE | DELETE | WITH CHECK | Notes |
|---|
| fa_accounts | ✅ | ✅ | ✅ | ✅ | ✅ | |
| fa_funds | ✅ | ✅ | ✅ | ✅ | ✅ | |
| fa_journal_entries | ✅ | ✅ | ✅ | ✅ | ✅ | |
| fa_journal_entry_lines | ✅ | ✅ | ✅ | ✅ | ✅ | |
| fa_invoices | ✅ | ✅ | ✅ | ✅ | ✅ | |
| fa_customers | ✅ | ✅ | ✅ | ✅ | ✅ | |
| fa_bills | ✅ | ✅ | ✅ | ✅ | ✅ | |
| fa_vendors | ✅ | ✅ | ✅ | ✅ | ✅ | |
| fa_budgets | ✅ | ✅ | ✅ | ✅ | ✅ | |
| fa_bank_accounts | ✅ | ✅ | ✅ | ✅ | ✅ | |
| Table | SELECT | INSERT | UPDATE | DELETE | WITH CHECK | Notes |
|---|
| fw_forms | ✅ | ✅ | ✅ | ✅ | ✅ | |
| fw_form_versions | ✅ | ✅ | - | - | - | Version table |
| fw_form_submissions | ✅ | ✅ | ✅ | ✅ | ✅ | |
| fw_workflows | ✅ | ✅ | ✅ | ✅ | ✅ | |
| fw_workflow_versions | ✅ | ✅ | - | - | - | Version table |
| fw_approval_history | ✅ | ✅ | - | - | - | Audit table |
| fw_signature_audit_log | ✅ | ✅ | - | - | - | Audit table |
| fw_portal_rate_limits | ✅ | - | - | - | - | Public read (rate limiting) |
| fw_automation_logs | ✅ | ✅ | - | - | - | Audit table |
Tables with Special Access Patterns
These tables intentionally have non-standard RLS configurations:
| Table | Pattern | Reason |
|---|
| pf_integration_credentials | Deny-all | Service-only access via SECURITY DEFINER functions |
| pf_marketplace_ratings | Public SELECT | Ratings are publicly visible for transparency |
| fw_portal_rate_limits | Public SELECT | Rate limits must be readable for client-side enforcement |
| pf_health_metrics | Platform admin only | System metrics restricted to platform admins |
| pf_platforms | System table | Platform-level configuration |
Audit/Version Tables (Intentional Partial Coverage)
These tables are intentionally limited to SELECT + INSERT (append-only):
Audit Tables
pf_audit_logspf_index_cleanup_audithr_document_access_logshr_payroll_audit_loghr_ssn_access_logfw_approval_historyfw_domain_eventsfw_signature_audit_logfw_automation_logsfm_asset_maintenance_historyfm_work_order_historyfm_inventory_transactions
Version Tables (Immutable)
pf_document_versionsfw_form_versionsfw_workflow_versionsgr_policy_versionslo_knowledge_article_versionsit_kb_article_versions
Validation Queries
Check Tables Without RLS
SELECT tablename
FROM pg_tables
WHERE schemaname = 'public'
AND tablename NOT LIKE 'pg_%'
AND tablename NOT IN (
SELECT tablename FROM pg_policies WHERE schemaname = 'public'
);
Check UPDATE Policies Without WITH CHECK
SELECT tablename, policyname
FROM pg_policies
WHERE schemaname = 'public'
AND cmd = 'UPDATE'
AND with_check IS NULL;
Check Policy Coverage Count
SELECT tablename, COUNT(*) as policy_count
FROM pg_policies
WHERE schemaname = 'public'
GROUP BY tablename
ORDER BY policy_count, tablename;
