How sender resolution works during migration
The email adapter (supabase/functions/_shared/email-provider.ts) resolves Gmail
credentials PF-101 first, legacy second:
- If the tenant has an active
pf_google_workspace_connectionsrow with thegmailcapability enabled, the adapter uses the PF-76 vault credential referenced by that connection (credential_vault_ref) and enforces the PF-101 gates — sender-domain allowlist (connectionprimary_domain) and the fail-closed BAA gate for PHI-capable sends (baa_attested_at IS NOT NULL). - Otherwise it falls back to the platform-wide
GMAIL_SERVICE_ACCOUNT_JSONedge-function secret (legacy path, shared across all tenants).
Per-tenant migration steps
- Connect the tenant. Follow Admin Setup
§1–2: service account with DWD, scopes authorized in the tenant’s Admin
Console, JSON key stored via the PF-76 vault (
pf_store_credential) from Settings → Integrations → Google Workspace. - Enable the
gmailcapability on the connection. If the tenant sends PHI-capable mail, record the BAA attestation first — the gate is fail-closed and unattested PHI sends are rejected with a policy error. - Verify sender identity. The configured sender must match the
connection’s
primary_domain(sender allowlist). Update the org’sgmail_sender_emailsetting if it still points at the shared legacy sender. - Run the connection test (Settings → Integrations → Google Workspace →
Test connection). The
gmailcapability must report healthy; apf_google_workspace_sync_runsrow records the result. - Smoke test (gating). Send a non-PHI test message through the platform
(e.g. a password-reset or test notification to an operator mailbox) and
confirm:
- the message arrives from the tenant’s domain sender;
- a
pf_google_workspace_sync_runsrow with capabilitygmailand a redactedcorrelation_idwas written; - edge-function logs show no
Gmail service account not configuredor scope errors (supabase functions logs email-send).
- Record completion. Note the tenant + date in the cutover tracker before moving to the next tenant.
Legacy secret retirement
Only after all tenants have an active PF-101 Gmail connection and a passed smoke test:- Confirm no fallback hits remain: search edge logs for the legacy-path warning over a full business cycle (7 days minimum).
- Remove the platform secret:
supabase secrets unset GMAIL_SERVICE_ACCOUNT_JSON. - Revoke the legacy shared service account’s DWD grant in the Google Admin Console and delete its key.
- Update EMAIL_SMS_SETUP and
EDGE_FUNCTIONS to drop the
GMAIL_SERVICE_ACCOUNT_JSONinstructions (they document the legacy path while it remains supported).
Rollback
A tenant can be rolled back instantly by disabling thegmail capability on
its connection — the adapter falls back to the legacy secret (while it still
exists). Do not retire the legacy secret until the rollback window has closed
for every tenant.
Current status
- Adapter precedence, BAA gate, and sender allowlist are implemented and contract-tested (WS4 T4.1–T4.4).
- Live per-tenant smoke tests are pending the BAA staging tenant
(tracked in
GOOGLE_WORKSPACE_SECURITY_REVIEW.md§8); no tenant has been migrated yet, and the legacy secret remains active.