SECURITY
Row-Level Security, audit integrity, digital signatures, geofence enforcement — a zero-trust architecture where the database is the last line of defense.
The RLS Fortress (Jour 02)
168 Row-Level Security policies are embedded directly in the SQL engine. This is not application-layer security — it is database-engine security. Even if a malicious actor obtains a valid API token, they cannot access data outside their RLS-permitted scope.
Every query — SELECT, INSERT, UPDATE, DELETE — is evaluated against the authenticated user's digital fingerprint before any data is returned or modified. The fingerprint includes: user ID, organization ID, role claim, assignment context, and a millisecond-precision timestamp. If any element fails validation, the query returns zero rows and logs the attempt.
How RLS Works in Practice
Each RLS policy is a predicate attached to a table and operation. For example:
This predicate runs inside the database engine for every query. There is no way to bypass it from the application layer. A technician querying all work orders will only ever see their own — even if they construct the query manually.
Immutable Audit Trail
Every data modification in OPS Companion generates an immutable audit record. Audit records cannot be updated or deleted — not even by the Administrator. They are sealed with:
- ▸User identity (ID, role, organization)
- ▸Precise timestamp (millisecond resolution)
- ▸Action type (CREATE, UPDATE, DELETE, VIEW_SENSITIVE)
- ▸Before and after state (JSON diff)
- ▸Device telemetry (IP address, user agent, GPS if available)
- ▸Cryptographic seal linking to the previous audit record (chain integrity)
Digital Signatures
Three operational events require digital signatures, each sealed cryptographically:
Client signs via secure link — signature sealed with PKCS#7, timestamp locked, linked to the quote record permanently
Technician signs completed inspection — signature includes GPS coordinates and device timestamp, immutable once submitted
Recipient signature on delivery — photo evidence + signature sealed together in the secure document vault
Geofence Enforcement (Jour 10)
Geofence zone compliance is enforced at the SQL engine level — not the application layer. The geospatial collision calculation runs inside the database, comparing incoming GPS coordinates against restricted zone polygons on every GPS update event.
When a breach is detected, the SQL engine immediately:
- ▸Locks the machine's operational status (cannot accept new work orders)
- ▸Revokes active task authorizations for the device
- ▸Triggers a real-time WebSocket alert to the Dispatcher
- ▸Creates an immutable breach record in the audit trail
- ▸Notifies the Administrator via push notification
Encryption & Data Protection
AES-256TLS 1.3bcrypt (cost factor 12)JWT (RS256)PKCS#7Column-level AES-256 for PIIMulti-Tenant Isolation
Every table that contains organization-scoped data includes an organization_id column, and every RLS policy enforces organization_id = auth.org(). It is structurally impossible for one organization's data to be visible to another, even in the event of an application-layer bug.