
Cross-Cutting Concerns

This directory contains system-wide documentation that spans multiple features.

Security & Compliance

rbac-permissions.md

Role-Based Access Control - Permission matrix, role definitions, enforcement strategy

  • Who can access what
  • Role hierarchy (superadmin → admin → specialist → customer_support → patient)
  • Field-level filtering rules
  • API endpoint permissions
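As an added illustration of the two RBAC ideas above (not code from rbac-permissions.md): a rank-based "at least this role" check over the hierarchy the page lists, and a default-deny field-level filter. The patientFieldReaders rule table is a constructed, hypothetical example; the real matrix is the one in rbac-permissions.md. Which rows a role may see at all is left to RLS, not to this filter.

```go
package main

import (
	"errors"
	"fmt"
)

// Role hierarchy from rbac-permissions.md, most to least privileged.
// The rank is only used for "at least this role" checks; field visibility
// below is an explicit allow-list, not derived from rank.
var roleRank = map[string]int{
	"superadmin":       5,
	"admin":            4,
	"specialist":       3,
	"customer_support": 2,
	"patient":          1,
}

var ErrUnknownRole = errors.New("rbac: unknown role")

// AtLeast reports whether role sits at or above required in the hierarchy.
// An unknown role on either side is an error, so a typo fails closed.
func AtLeast(role, required string) (bool, error) {
	have, ok1 := roleRank[role]
	want, ok2 := roleRank[required]
	if !ok1 || !ok2 {
		return false, fmt.Errorf("%w: %q vs %q", ErrUnknownRole, role, required)
	}
	return have >= want, nil
}

// patientFieldReaders is a constructed, hypothetical field-level rule set for
// a patient record: which roles may read each column. The real matrix lives in
// rbac-permissions.md. Row visibility is RLS's job, not this table's.
var patientFieldReaders = map[string][]string{
	"uid":            {"superadmin", "admin", "specialist", "customer_support", "patient"},
	"first_name":     {"superadmin", "admin", "specialist", "customer_support", "patient"},
	"phone":          {"superadmin", "admin", "specialist", "patient"},
	"diagnosis":      {"superadmin", "admin", "specialist", "patient"},
	"internal_notes": {"superadmin", "admin", "specialist"},
}

// FilterPatient returns the subset of record that role may read. Columns with
// no rule are dropped: a newly added column never leaks until someone lists it.
func FilterPatient(role string, record map[string]any) map[string]any {
	out := make(map[string]any, len(record))
	for col, val := range record {
		for _, r := range patientFieldReaders[col] {
			if r == role {
				out[col] = val
				break
			}
		}
	}
	return out
}

func main() {
	// Constructed sample row; "ssn" has no rule and must never be returned.
	row := map[string]any{
		"uid": "p1", "first_name": "Ana", "phone": "+40700000000",
		"diagnosis": "d", "internal_notes": "n", "ssn": "s",
	}
	fmt.Println(FilterPatient("customer_support", row))
}
```

The important property is the default: a column missing from the rule table is dropped, so forgetting to classify a new column is a missing feature, not a leak.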

gdpr-compliance.md

GDPR Compliance - Data protection, privacy, user rights

  • Consent model (consents ledger — see P17, Foundation 1B.9)
  • Right to access (export endpoint)
  • Right to erasure (anonymization + deletion)
  • Breach notification (72-hour procedure)
  • Data retention policies

encryption.md

Data Encryption - Infrastructure and application-level encryption

  • Infrastructure: AWS RDS encryption, S3 encryption, TLS
  • Application-level: AES-256-GCM for PHI fields (phone, API keys)
  • Encryption key management
  • What's encrypted vs plaintext (and why)

../architecture/data-classification.md

Column-Level Data Classification (P39) - Registry of every column's class + allowed egress targets

  • Source-of-truth markdown registry; CI rejects PRs that add unclassified columns
  • Runtime helper at internal/shared/classification/ that egress paths consult before sending data outside the tenant
  • Default is block: missing entry or no matching target = no egress
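Added example of the default-block registry check, written for this index and not taken from internal/shared/classification/: it parses a small constructed markdown registry (the three-column layout is assumed; the real file format is defined in data-classification.md), answers the runtime "may this column go to this target" question, filters a row before egress, and performs the CI-side check for unclassified columns.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Entry is one registry row: the column's class and the egress targets it may
// be sent to. An empty target set means the column never leaves the tenant.
type Entry struct {
	Class   string
	Targets map[string]bool
}

// Registry maps "table.column" to its entry.
type Registry map[string]Entry

// ParseRegistry reads a markdown table with columns: column | class | egress.
// Hypothetical layout for this example; the real format is in data-classification.md.
func ParseRegistry(md string) (Registry, error) {
	reg := Registry{}
	sc := bufio.NewScanner(strings.NewReader(md))
	sawHeader := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, "|") {
			continue // prose around the table
		}
		cells := strings.Split(strings.Trim(line, "|"), "|")
		if len(cells) != 3 {
			return nil, fmt.Errorf("classification: bad row %q", line)
		}
		for i := range cells {
			cells[i] = strings.TrimSpace(cells[i])
		}
		if !sawHeader {
			sawHeader = true
			continue
		}
		if strings.Trim(cells[0], "-:") == "" {
			continue // markdown separator row
		}
		col := cells[0]
		if _, dup := reg[col]; dup {
			return nil, fmt.Errorf("classification: duplicate entry for %s", col)
		}
		e := Entry{Class: cells[1], Targets: map[string]bool{}}
		for _, t := range strings.Split(cells[2], ",") {
			if t = strings.TrimSpace(t); t != "" {
				e.Targets[t] = true
			}
		}
		reg[col] = e
	}
	return reg, sc.Err()
}

// Allow is the runtime check an egress path consults. Default is block:
// an unknown column, or a target not listed for it, returns false.
func (r Registry) Allow(column, target string) bool {
	e, ok := r[column]
	return ok && e.Targets[target]
}

// FilterForEgress keeps only the columns allowed to reach target and reports
// what was dropped so the caller can log it.
func (r Registry) FilterForEgress(target string, row map[string]any) (map[string]any, []string) {
	kept := map[string]any{}
	var blocked []string
	for col, v := range row {
		if r.Allow(col, target) {
			kept[col] = v
		} else {
			blocked = append(blocked, col)
		}
	}
	sort.Strings(blocked)
	return kept, blocked
}

// Unclassified is the CI-side check: every column the schema declares must
// have a registry row, otherwise the PR is rejected.
func (r Registry) Unclassified(schemaColumns []string) []string {
	var missing []string
	for _, c := range schemaColumns {
		if _, ok := r[c]; !ok {
			missing = append(missing, c)
		}
	}
	return missing
}

// sampleRegistry is a constructed excerpt, not the project's real registry.
const sampleRegistry = `
| column                 | class    | egress                     |
|------------------------|----------|----------------------------|
| patients.first_name    | pii      | daily_co, email            |
| patients.phone         | phi      | daily_co                   |
| appointments.starts_at | internal | daily_co, email, analytics |
| patients.diagnosis     | phi      |                            |
`

func main() {
	reg, err := ParseRegistry(sampleRegistry)
	if err != nil {
		panic(err)
	}
	_, blocked := reg.FilterForEgress("email", map[string]any{"patients.phone": "+40", "patients.ssn": "x"})
	fmt.Println("blocked for email:", blocked)
}
```

Note that patients.diagnosis has a registry row but an empty egress list, and patients.ssn has no row at all; both end up blocked, which is exactly the "missing entry or no matching target = no egress" rule.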

file-storage.md

File Storage (S3) - Single-bucket object storage with org-scoped keys (P27)

  • Single bucket, org-prefixed keys; cross-tenant isolation via app-level guard + bucket policy
  • Surface registry: signatures, documents, forms-upload, logos, appointment-files, exercise-assets
  • MIME allow-list with magic-byte sniffing; SSE-AES256 on every PutObject
  • Signed URLs: 15-min read, 5-min write
  • BYO bucket as future opt-in; staging bucket provisioning deferred to 1E.3
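Added example (not the project's own code) of the two checks the file-storage bullets describe: the MIME allow-list with magic-byte sniffing, and the org-prefixed key with its app-level ownership guard. The per-surface MIME lists are constructed for the example; the surface names are the ones the page lists. Sniffing uses Go's standard http.DetectContentType, which implements the WHATWG sniffing rules. The bucket policy, the second isolation layer, is not shown.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Surfaces from file-storage.md, each with a constructed MIME allow-list
// (hypothetical; the real lists are defined in that document).
var surfaceMIME = map[string]map[string]bool{
	"signatures":        {"image/png": true},
	"documents":         {"application/pdf": true},
	"forms-upload":      {"application/pdf": true, "image/png": true, "image/jpeg": true},
	"logos":             {"image/png": true, "image/jpeg": true},
	"appointment-files": {"application/pdf": true, "image/png": true, "image/jpeg": true},
	"exercise-assets":   {"image/png": true, "image/jpeg": true, "video/mp4": true},
}

// Canonical lowercase UUID only, so a key segment can never contain "/" or "..".
var uidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

// ValidateUpload accepts an upload only if the declared Content-Type is on the
// surface's allow-list AND the first bytes of the body sniff as that same type.
// head should be the first 512 bytes of the body; DetectContentType reads no more.
func ValidateUpload(surface, declared string, head []byte) (string, error) {
	allowed, ok := surfaceMIME[surface]
	if !ok {
		return "", fmt.Errorf("storage: unknown surface %q", surface)
	}
	declared = strings.ToLower(strings.TrimSpace(strings.SplitN(declared, ";", 2)[0]))
	if !allowed[declared] {
		return "", fmt.Errorf("storage: %q not allowed on surface %q", declared, surface)
	}
	sniffed := strings.SplitN(http.DetectContentType(head), ";", 2)[0]
	if sniffed != declared {
		return "", fmt.Errorf("storage: declared %q but body sniffs as %q", declared, sniffed)
	}
	return declared, nil
}

// ObjectKey builds the org-prefixed key for the single bucket.
func ObjectKey(orgUID, surface, objectUID string) (string, error) {
	if _, ok := surfaceMIME[surface]; !ok {
		return "", fmt.Errorf("storage: unknown surface %q", surface)
	}
	if !uidRe.MatchString(orgUID) || !uidRe.MatchString(objectUID) {
		return "", errors.New("storage: org and object ids must be canonical UUIDs")
	}
	return "orgs/" + orgUID + "/" + surface + "/" + objectUID, nil
}

// KeyBelongsTo is the app-level guard run before any signed URL is minted:
// the key must live under the caller's own org prefix.
func KeyBelongsTo(orgUID, key string) bool {
	return uidRe.MatchString(orgUID) && strings.HasPrefix(key, "orgs/"+orgUID+"/")
}

func main() {
	png := []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR") // constructed PNG header
	fmt.Println(ValidateUpload("signatures", "image/png", png))
	fmt.Println(ValidateUpload("signatures", "image/png", []byte("<!DOCTYPE html><script>alert(1)</script>")))
}
```

The second call in main is the case the sniffing exists for: a browser-served HTML file uploaded under a declared image/png type is rejected because its bytes sniff as text/html, so it can never be handed back from a signed URL as something a browser would render.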

i18n.md

UI Internationalization - next-intl wired into all three Next.js apps (P21)

  • Org-driven, cookie-resolved locale (no URL prefix); proxy.ts → language cookie → i18n/request.ts
  • Per-app messages/{locale}.json; supported locales en, ro
  • Convention: every new user-facing string goes through useTranslations / getTranslations
  • Romanian translation conventions enforced via translate-ro skill

activity-tracking.md

Activity Timestamps - Best-effort "last seen" for humans, memberships, and patient sessions (P35)

  • humans.last_activity, organization_memberships.last_used_at, and patients.last_used_at bumped by middleware (~once per minute per key, in-process throttle)
  • organizations.last_activity_at derived from MAX(...) aggregation, not stored
  • Best-effort: NEVER use as a substitute for the audit log

telemetry.md

Platform Telemetry - How telemetry flows through the system

  • What gets tracked (audit, security, privacy, video, analytics, pose, errors, API metrics)
  • How features integrate with the telemetry layer
  • Consent model and data flow
  • Feature integration checklist

Database & API

rls-policies.md

Row-Level Security - Consolidated RLS reference across all tables

  • RLS strategy: organization_id = current_app_org_id()
  • Session variable setup (app.current_user_id, app.current_org_id, app.current_role)
  • Policy patterns by role
  • Performance considerations
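Added example of the session-variable setup step, written for this page rather than taken from the project: a request-scoped helper that sets app.current_user_id, app.current_org_id and app.current_role with set_config(..., true), which is transaction-local, so the values cannot outlive the request on a pooled connection. The RequestContext struct, the SetSessionVars name and the recorder stand-in are hypothetical; the helper assumes the ids are the internal integer ids (the page's bigserial), so adjust the validation if the session carries the external uid instead.

```go
package main

import (
	"context"
	"database/sql"
	"fmt"
	"regexp"
)

// Execer is the slice of *sql.Tx this helper needs; a recorder satisfies it
// below so the example runs without a database.
type Execer interface {
	ExecContext(ctx context.Context, query string, args ...any) (sql.Result, error)
}

// RequestContext is what the auth layer resolved for this request (hypothetical).
type RequestContext struct {
	UserID string
	OrgID  string
	Role   string
}

var (
	// Positive decimal integer: assumed to match the bigserial ids the session carries.
	intIDRe    = regexp.MustCompile(`^[1-9][0-9]*$`)
	knownRoles = map[string]bool{"superadmin": true, "admin": true, "specialist": true, "customer_support": true, "patient": true}
)

// SetSessionVars installs the variables the RLS policies read through
// current_app_org_id() and friends. Call it inside the request's transaction:
// set_config(name, value, true) is transaction-local, so the values die at
// COMMIT/ROLLBACK and never leak to the next request that borrows the same
// pooled connection. It validates first and issues no SQL on bad input.
func SetSessionVars(ctx context.Context, tx Execer, rc RequestContext) error {
	if !intIDRe.MatchString(rc.UserID) || !intIDRe.MatchString(rc.OrgID) {
		return fmt.Errorf("rls: refusing to set context with malformed ids")
	}
	if !knownRoles[rc.Role] {
		return fmt.Errorf("rls: unknown role %q", rc.Role)
	}
	vars := [][2]string{
		{"app.current_user_id", rc.UserID},
		{"app.current_org_id", rc.OrgID},
		{"app.current_role", rc.Role},
	}
	for _, v := range vars {
		// Bound parameters: the values are data and are never spliced into SQL text.
		if _, err := tx.ExecContext(ctx, "SELECT set_config($1, $2, true)", v[0], v[1]); err != nil {
			return fmt.Errorf("rls: set %s: %w", v[0], err)
		}
	}
	return nil
}

// recorder is a stand-in transaction that records what would have been executed.
type recorder struct{ calls []string }

func (r *recorder) ExecContext(_ context.Context, q string, args ...any) (sql.Result, error) {
	r.calls = append(r.calls, fmt.Sprintf("%s %v", q, args))
	return nil, nil
}

func main() {
	rec := &recorder{}
	err := SetSessionVars(context.Background(), rec, RequestContext{UserID: "42", OrgID: "7", Role: "specialist"})
	fmt.Println(err, rec.calls)
}
```

Two points worth checking in any real implementation of this step: that the third argument to set_config is true (the session-scoped form survives the transaction and, behind a pooler, the request), and that the org id can only come from the authenticated membership lookup, never from a request parameter.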

database-overview.md

Database Schema Overview - Index of all tables with links to feature docs

  • All tables alphabetically
  • Foreign key relationships
  • Link to feature-specific schema docs
  • ER diagram (future)

api-overview.md

API Endpoint Overview - Index of all endpoints with links to feature docs

  • All endpoints alphabetically
  • Grouped by resource
  • Link to feature-specific API docs
  • Authentication requirements

Infrastructure & Operations

Scaling Strategy

Scaling Strategy - Infrastructure evolution within the SMB-clinic scope

  • Phase 1: Single instance (1-10 orgs, ECS Fargate + RDS Multi-AZ)
  • Phase 2: Read replicas (10-50 orgs, scaled-out Fargate fleet)
  • Cost projections, timeline, migration triggers

monitoring.md

Observability & Monitoring - Metrics, dashboards, alerts

  • Critical metrics (connection pool, query latency, error rates)
  • Datadog/CloudWatch dashboards
  • Alert thresholds
  • SLOs by feature

immediate-actions.md

Production Readiness - Pre-launch checklist, critical configurations

  • Connection pool monitoring (CRITICAL)
  • Query timeout middleware (CRITICAL)
  • Health checks with pool metrics
  • Security hardening
  • BAA signing (Clerk, Daily.co, AWS)

key-rotation.md

Encryption Key Rotation - Quarterly key rotation procedure

  • Rotation procedure (manual + automation)
  • Backup and rollback
  • Testing and validation
  • Incident response

backup-disaster-recovery.md

Backup & Disaster Recovery - Multi-layer backup strategy for state-funded insurance compliance

  • 3-2-1-1 backup architecture (RDS + S3 + cross-region + offline)
  • 7-year retention for audit compliance
  • Fraud prevention evidence requirements
  • Disaster recovery scenarios and runbooks
  • Monthly restore testing procedures
  • State audit preparation

external-providers.md

External Service Providers - Complete inventory of all third-party services

  • 13 active services (auth, video, storage, databases, geo, monitoring)
  • 3 planned services (payment, email, SMS)
  • Criticality levels and failure impact analysis
  • BAA/compliance requirements per provider
  • Complete environment variable reference

System Patterns

Common Patterns Across Features

Multi-tenancy:

  • Every table has organization_id (except platform-level tables: principals, humans, patient_profiles, patient_caregivers, platform_memberships, plan/feature catalog)
  • RLS enforces tenant isolation
  • No sub-query RLS (except humans via organization_memberships, and patient-facing tables via current_human_patient_profile_ids())
  • Organization context set per request

Timestamps:

  • created_at and updated_at on every table
  • Auto-update trigger: trigger_set_updated_at()

Foreign Keys:

  • All relationships have explicit FK constraints
  • ON DELETE behavior defined (CASCADE, SET NULL, RESTRICT)

Encryption:

  • Infrastructure: Everything (AWS RDS encryption)
  • Application-level: Targeted PHI fields only (phone, API keys → BYTEA)
  • Form values: Plaintext JSONB (queryable for segments)
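Added example covering both the encryption.md summary above (AES-256-GCM for PHI fields stored as BYTEA) and the key-rotation.md entry: an illustration written for this page, not the project's own code. Each stored value is keyID || nonce || ciphertext || tag, so a newer key can be made current while older rows remain readable until they are re-encrypted, and the GCM additional data binds the ciphertext to its row and column so a value copied between rows fails to decrypt. Keyring, SealField, OpenField and NewTestKeyring are hypothetical names; real keys come from the key-management setup, not from rand in code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Keyring holds the current key plus any retired keys still needed to read
// rows not yet re-encrypted after a rotation (key-rotation.md). Keys are 32
// bytes for AES-256; in production they come from the KMS-backed key store.
type Keyring struct {
	Current byte
	Keys    map[byte][]byte
}

func (k *Keyring) gcm(id byte) (cipher.AEAD, error) {
	key, ok := k.Keys[id]
	if !ok {
		return nil, fmt.Errorf("crypto: no key with id %d", id)
	}
	if len(key) != 32 {
		return nil, errors.New("crypto: AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to the row and column it was written for, so a PHI
// value copied into another row's BYTEA column fails authentication.
func aad(rowUID, column string) []byte {
	return []byte(rowUID + "\x00" + column)
}

// SealField produces keyID || 12-byte random nonce || ciphertext || 16-byte tag.
func (k *Keyring) SealField(rowUID, column string, plaintext []byte) ([]byte, error) {
	g, err := k.gcm(k.Current)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 1+g.NonceSize(), 1+g.NonceSize()+len(plaintext)+g.Overhead())
	out[0] = k.Current
	if _, err := io.ReadFull(rand.Reader, out[1:]); err != nil {
		return nil, err
	}
	return g.Seal(out, out[1:], plaintext, aad(rowUID, column)), nil
}

// OpenField reverses SealField, selecting the key by the leading id byte.
func (k *Keyring) OpenField(rowUID, column string, blob []byte) ([]byte, error) {
	if len(blob) < 1 {
		return nil, errors.New("crypto: empty ciphertext")
	}
	g, err := k.gcm(blob[0])
	if err != nil {
		return nil, err
	}
	if len(blob) < 1+g.NonceSize()+g.Overhead() {
		return nil, errors.New("crypto: ciphertext too short")
	}
	nonce, ct := blob[1:1+g.NonceSize()], blob[1+g.NonceSize():]
	return g.Open(nil, nonce, ct, aad(rowUID, column))
}

// NewTestKeyring builds a keyring with random keys, constructed for the
// example only; the last id becomes the current key.
func NewTestKeyring(ids ...byte) (*Keyring, error) {
	k := &Keyring{Keys: map[byte][]byte{}}
	for _, id := range ids {
		key := make([]byte, 32)
		if _, err := io.ReadFull(rand.Reader, key); err != nil {
			return nil, err
		}
		k.Keys[id] = key
		k.Current = id
	}
	return k, nil
}

func main() {
	k, _ := NewTestKeyring(1)
	blob, _ := k.SealField("row-1", "phone", []byte("+40700000000"))
	_, err := k.OpenField("row-2", "phone", blob) // wrong row: authentication fails
	fmt.Println(len(blob), err)
}
```

Why the AAD matters here: without it, an attacker with write access to the table but not the key could move an encrypted phone number or API key from one row to another and have the application decrypt it in the wrong context. Why the key id matters: quarterly rotation only works if rows sealed under the previous key can still be opened during the re-encryption window, and retiring the old key from the ring is what finally makes those rows unreadable.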

Audit:

  • Every mutation logged to audit_log (local, synchronous)
  • Forwarded to Telemetry service (async) for enrichment

UUIDs:

  • Internal IDs: bigserial (fast, indexed)
  • External-facing IDs: uid (UUID) for security

I need to...

Feature-specific docs: