From 5c61249cbdd1de5eaa6b1414f11a064b133721c0 Mon Sep 17 00:00:00 2001
From: Faxbot Agent <bot@faxbot.local>
Date: Fri, 26 Sep 2025 01:29:10 -0600
Subject: [PATCH 1/7] PR13: add hierarchical config models + Alembic migration
 (global/tenant/department/group/user + audit)

---
 .../versions/0002_hierarchical_config.py      | 131 ++++++++++++++++++
 api/app/models/config.py                      |  94 +++++++++++++
 2 files changed, 225 insertions(+)
 create mode 100644 api/alembic/versions/0002_hierarchical_config.py
 create mode 100644 api/app/models/config.py

diff --git a/api/alembic/versions/0002_hierarchical_config.py b/api/alembic/versions/0002_hierarchical_config.py
new file mode 100644
index 00000000..2a38d2b5
--- /dev/null
+++ b/api/alembic/versions/0002_hierarchical_config.py
@@ -0,0 +1,131 @@
+"""Hierarchical configuration tables
+
+Revision ID: 0002_hierarchical_config
+Revises: 0001_initial
+Create Date: 2025-09-26
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '0002_hierarchical_config'
+down_revision = '0001_initial'
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    # Global configuration
+    op.create_table(
+        'config_global',
+        sa.Column('key', sa.String(200), primary_key=True, nullable=False),
+        sa.Column('value_encrypted', sa.Text(), nullable=False),
+        sa.Column('value_type', sa.String(20), nullable=False, server_default='string'),
+        sa.Column('encrypted', sa.Boolean(), nullable=False, server_default=sa.true()),
+        sa.Column('description', sa.Text(), nullable=True),
+        sa.Column('category', sa.String(50), nullable=True),
+        sa.Column('created_at', sa.DateTime(), nullable=False, server_default=sa.func.now()),
+        sa.Column('updated_at', sa.DateTime(), nullable=False, server_default=sa.func.now()),
+    )
+
+    # Tenant-level configuration
+    op.create_table(
+        'config_tenant',
+        sa.Column('tenant_id', sa.String(100), nullable=False),
+        sa.Column('key', sa.String(200), nullable=False),
+        sa.Column('value_encrypted', sa.Text(), nullable=False),
+        sa.Column('value_type', sa.String(20), nullable=False, server_default='string'),
+        sa.Column('encrypted', sa.Boolean(), nullable=False, server_default=sa.true()),
+        sa.Column('created_at', sa.DateTime(), nullable=False, server_default=sa.func.now()),
+        sa.Column('updated_at', sa.DateTime(), nullable=False, server_default=sa.func.now()),
+        sa.PrimaryKeyConstraint('tenant_id', 'key'),
+    )
+    op.create_index('idx_tenant_key', 'config_tenant', ['tenant_id', 'key'])
+
+    # Department-level configuration
+    op.create_table(
+        'config_department',
+        sa.Column('tenant_id', sa.String(100), nullable=False),
+        sa.Column('department', sa.String(100), nullable=False),
+        sa.Column('key', sa.String(200), nullable=False),
+        sa.Column('value_encrypted', sa.Text(), nullable=False),
+        sa.Column('value_type', sa.String(20), nullable=False, server_default='string'),
+        sa.Column('encrypted', sa.Boolean(), nullable=False, server_default=sa.true()),
+        sa.Column('created_at', sa.DateTime(), nullable=False, server_default=sa.func.now()),
+        sa.Column('updated_at', sa.DateTime(), nullable=False, server_default=sa.func.now()),
+        sa.PrimaryKeyConstraint('tenant_id', 'department', 'key'),
+    )
+    op.create_index('idx_dept_key', 'config_department', ['tenant_id', 'department', 'key'])
+
+    # Group-level configuration
+    op.create_table(
+        'config_group',
+        sa.Column('group_id', sa.String(100), nullable=False),
+        sa.Column('key', sa.String(200), nullable=False),
+        sa.Column('value_encrypted', sa.Text(), nullable=False),
+        sa.Column('value_type', sa.String(20), nullable=False, server_default='string'),
+        sa.Column('encrypted', sa.Boolean(), nullable=False, server_default=sa.true()),
+        sa.Column('priority', sa.Integer(), nullable=False, server_default='0'),
+        sa.Column('created_at', sa.DateTime(), nullable=False, server_default=sa.func.now()),
+        sa.Column('updated_at', sa.DateTime(), nullable=False, server_default=sa.func.now()),
+        sa.PrimaryKeyConstraint('group_id', 'key'),
+    )
+    op.create_index('idx_group_key', 'config_group', ['group_id', 'key'])
+    op.create_index('idx_group_priority', 'config_group', ['group_id', 'priority'])
+
+    # User-level configuration
+    op.create_table(
+        'config_user',
+        sa.Column('user_id', sa.String(100), nullable=False),
+        sa.Column('key', sa.String(200), nullable=False),
+        sa.Column('value_encrypted', sa.Text(), nullable=False),
+        sa.Column('value_type', sa.String(20), nullable=False, server_default='string'),
+        sa.Column('encrypted', sa.Boolean(), nullable=False, server_default=sa.true()),
+        sa.Column('created_at', sa.DateTime(), nullable=False, server_default=sa.func.now()),
+        sa.Column('updated_at', sa.DateTime(), nullable=False, server_default=sa.func.now()),
+        sa.PrimaryKeyConstraint('user_id', 'key'),
+    )
+    op.create_index('idx_user_key', 'config_user', ['user_id', 'key'])
+
+    # Configuration audit trail (masked only; integrity fingerprint)
+    op.create_table(
+        'config_audit',
+        sa.Column('id', sa.String(40), primary_key=True, nullable=False),
+        sa.Column('level', sa.String(20), nullable=False),
+        sa.Column('level_id', sa.String(200), nullable=True),
+        sa.Column('key', sa.String(200), nullable=False),
+        sa.Column('old_value_masked', sa.Text(), nullable=True),
+        sa.Column('new_value_masked', sa.Text(), nullable=False),
+        sa.Column('value_hmac', sa.String(64), nullable=False),  # hex sha256
+        sa.Column('value_type', sa.String(20), nullable=False),
+        sa.Column('changed_by', sa.String(100), nullable=False),
+        sa.Column('changed_at', sa.DateTime(), nullable=False, server_default=sa.func.now()),
+        sa.Column('reason', sa.Text(), nullable=True),
+        sa.Column('ip_address', sa.String(45), nullable=True),
+        sa.Column('user_agent', sa.Text(), nullable=True),
+    )
+    op.create_index('idx_audit_level', 'config_audit', ['level', 'level_id'])
+    op.create_index('idx_audit_key', 'config_audit', ['key'])
+    op.create_index('idx_audit_time', 'config_audit', ['changed_at'])
+    op.create_index('idx_audit_user', 'config_audit', ['changed_by'])
+
+
+def downgrade() -> None:
+    op.drop_index('idx_audit_user', table_name='config_audit')
+    op.drop_index('idx_audit_time', table_name='config_audit')
+    op.drop_index('idx_audit_key', table_name='config_audit')
+    op.drop_index('idx_audit_level', table_name='config_audit')
+    op.drop_table('config_audit')
+    op.drop_index('idx_user_key', table_name='config_user')
+    op.drop_table('config_user')
+    op.drop_index('idx_group_priority', table_name='config_group')
+    op.drop_index('idx_group_key', table_name='config_group')
+    op.drop_table('config_group')
+    op.drop_index('idx_dept_key', table_name='config_department')
+    op.drop_table('config_department')
+    op.drop_index('idx_tenant_key', table_name='config_tenant')
+    op.drop_table('config_tenant')
+    op.drop_table('config_global')
+
diff --git a/api/app/models/config.py b/api/app/models/config.py
new file mode 100644
index 00000000..16f4ba36
--- /dev/null
+++ b/api/app/models/config.py
@@ -0,0 +1,94 @@
+from datetime import datetime
+from sqlalchemy import Column, String, Text, Boolean, DateTime, Integer
+from sqlalchemy.sql import func
+
+# Use the existing Base from the sync DB module so Alembic can import models
+from api.app.db import Base  # type: ignore
+
+
+class ConfigGlobal(Base):  # type: ignore
+    """Global configuration table (system-wide defaults)."""
+    __tablename__ = "config_global"
+
+    key = Column(String(200), primary_key=True, nullable=False)
+    value_encrypted = Column(Text(), nullable=False)
+    value_type = Column(String(20), nullable=False, default="string")
+    encrypted = Column(Boolean(), nullable=False, default=True)
+    description = Column(Text(), nullable=True)
+    category = Column(String(50), nullable=True)
+    created_at = Column(DateTime(), nullable=False, server_default=func.now())
+    updated_at = Column(DateTime(), nullable=False, server_default=func.now())
+
+
+class ConfigTenant(Base):  # type: ignore
+    """Tenant-level configuration."""
+    __tablename__ = "config_tenant"
+
+    tenant_id = Column(String(100), primary_key=True, nullable=False)
+    key = Column(String(200), primary_key=True, nullable=False)
+    value_encrypted = Column(Text(), nullable=False)
+    value_type = Column(String(20), nullable=False, default="string")
+    encrypted = Column(Boolean(), nullable=False, default=True)
+    created_at = Column(DateTime(), nullable=False, server_default=func.now())
+    updated_at = Column(DateTime(), nullable=False, server_default=func.now())
+
+
+class ConfigDepartment(Base):  # type: ignore
+    """Department-level configuration."""
+    __tablename__ = "config_department"
+
+    tenant_id = Column(String(100), primary_key=True, nullable=False)
+    department = Column(String(100), primary_key=True, nullable=False)
+    key = Column(String(200), primary_key=True, nullable=False)
+    value_encrypted = Column(Text(), nullable=False)
+    value_type = Column(String(20), nullable=False, default="string")
+    encrypted = Column(Boolean(), nullable=False, default=True)
+    created_at = Column(DateTime(), nullable=False, server_default=func.now())
+    updated_at = Column(DateTime(), nullable=False, server_default=func.now())
+
+
+class ConfigGroup(Base):  # type: ignore
+    """Group-level configuration with priority to decide first-match order."""
+    __tablename__ = "config_group"
+
+    group_id = Column(String(100), primary_key=True, nullable=False)
+    key = Column(String(200), primary_key=True, nullable=False)
+    value_encrypted = Column(Text(), nullable=False)
+    value_type = Column(String(20), nullable=False, default="string")
+    encrypted = Column(Boolean(), nullable=False, default=True)
+    priority = Column(Integer(), nullable=False, default=0)
+    created_at = Column(DateTime(), nullable=False, server_default=func.now())
+    updated_at = Column(DateTime(), nullable=False, server_default=func.now())
+
+
+class ConfigUser(Base):  # type: ignore
+    """User-level configuration."""
+    __tablename__ = "config_user"
+
+    user_id = Column(String(100), primary_key=True, nullable=False)
+    key = Column(String(200), primary_key=True, nullable=False)
+    value_encrypted = Column(Text(), nullable=False)
+    value_type = Column(String(20), nullable=False, default="string")
+    encrypted = Column(Boolean(), nullable=False, default=True)
+    created_at = Column(DateTime(), nullable=False, server_default=func.now())
+    updated_at = Column(DateTime(), nullable=False, server_default=func.now())
+
+
+class ConfigAudit(Base):  # type: ignore
+    """Configuration audit trail (masked values; integrity fingerprint only)."""
+    __tablename__ = "config_audit"
+
+    id = Column(String(40), primary_key=True, nullable=False)
+    level = Column(String(20), nullable=False)  # global|tenant|department|group|user
+    level_id = Column(String(200), nullable=True)
+    key = Column(String(200), nullable=False)
+    old_value_masked = Column(Text(), nullable=True)
+    new_value_masked = Column(Text(), nullable=False)
+    value_hmac = Column(String(64), nullable=False)
+    value_type = Column(String(20), nullable=False)
+    changed_by = Column(String(100), nullable=False)
+    changed_at = Column(DateTime(), nullable=False, server_default=func.now())
+    reason = Column(Text(), nullable=True)
+    ip_address = Column(String(45), nullable=True)
+    user_agent = Column(Text(), nullable=True)
+

From fac97ac7fd61a26649ec500644a267c294a95661 Mon Sep 17 00:00:00 2001
From: Faxbot Agent <bot@faxbot.local>
Date: Fri, 26 Sep 2025 01:32:38 -0600
Subject: [PATCH 2/7] PR14: add CacheManager + HierarchicalConfigProvider and
 wire optional bootstrap (no UI/API yet); add deps (cryptography, redis,
 sse-starlette)

---
 api/app/config/hierarchical_provider.py | 224 ++++++++++++++++++++++++
 api/app/main.py                         |  23 ++-
 api/app/services/cache_manager.py       | 118 +++++++++++++
 api/requirements.txt                    |   3 +
 4 files changed, 365 insertions(+), 3 deletions(-)
 create mode 100644 api/app/config/hierarchical_provider.py
 create mode 100644 api/app/services/cache_manager.py

diff --git a/api/app/config/hierarchical_provider.py b/api/app/config/hierarchical_provider.py
new file mode 100644
index 00000000..8520c0b5
--- /dev/null
+++ b/api/app/config/hierarchical_provider.py
@@ -0,0 +1,224 @@
+import json
+import uuid
+from dataclasses import dataclass
+from datetime import datetime
+from typing import Any, Dict, List, Literal, Optional
+
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from api.app.db.async_db import AsyncSessionLocal  # type: ignore
+from api.app.models.config import (
+    ConfigGlobal,
+    ConfigTenant,
+    ConfigDepartment,
+    ConfigGroup,
+    ConfigUser,
+    ConfigAudit,
+)
+
+from cryptography.fernet import Fernet  # type: ignore
+
+
+ConfigLevel = Literal["global", "tenant", "department", "group", "user"]
+ConfigSource = Literal["db", "env", "default", "cache"]
+
+
+@dataclass
+class UserContext:
+    user_id: Optional[str]
+    tenant_id: Optional[str] = None
+    department: Optional[str] = None
+    groups: List[str] = None  # type: ignore
+
+    def __post_init__(self) -> None:
+        if self.groups is None:
+            self.groups = []
+
+
+@dataclass
+class ConfigValue:
+    value: Any
+    source: ConfigSource
+    level: Optional[ConfigLevel] = None
+    level_id: Optional[str] = None
+    encrypted: bool = False
+    updated_at: Optional[datetime] = None
+
+
+class ConfigEncryption:
+    def __init__(self, master_key: str):
+        if not master_key or len(master_key) != 44:
+            raise ValueError("CONFIG_MASTER_KEY must be a 44-char base64 Fernet key")
+        self.fernet = Fernet(master_key.encode())
+
+    def encrypt(self, value: Any, encrypt_flag: bool) -> str:
+        as_json = json.dumps(value)
+        return (
+            self.fernet.encrypt(as_json.encode()).decode() if encrypt_flag else as_json
+        )
+
+    def decrypt(self, stored: str, is_encrypted: bool) -> Any:
+        try:
+            if is_encrypted:
+                dec = self.fernet.decrypt(stored.encode()).decode()
+                return json.loads(dec)
+            return json.loads(stored)
+        except Exception:
+            return stored
+
+
+class HierarchicalConfigProvider:
+    BUILT_IN_DEFAULTS: Dict[str, Any] = {
+        "fax.timeout_seconds": 30,
+        "fax.max_pages": 100,
+        "fax.retry_attempts": 3,
+        "api.rate_limit_rpm": 60,
+        "notifications.enable_sse": True,
+    }
+
+    ALWAYS_ENCRYPT_KEYS = {
+        "fax.provider.api_key",
+        "fax.provider.secret",
+        "oauth.client_secret",
+    }
+
+    def __init__(self, encryption_key: str, cache_manager=None):
+        self.enc = ConfigEncryption(encryption_key)
+        self.cache = cache_manager
+
+    async def get_effective(
+        self, key: str, user_ctx: UserContext, default: Any = None
+    ) -> ConfigValue:
+        # Cache first
+        if self.cache:
+            ckey = self._cache_key("eff", user_ctx, key)
+            cached = await self.cache.get(ckey)
+            if cached:
+                return ConfigValue(**cached, source="cache")
+
+        val = await self._resolve(key, user_ctx, default)
+
+        if self.cache and val.source == "db":
+            ckey = self._cache_key("eff", user_ctx, key)
+            await self.cache.set(
+                ckey,
+                {
+                    "value": val.value,
+                    "source": "db",
+                    "level": val.level,
+                    "level_id": val.level_id,
+                    "encrypted": val.encrypted,
+                    "updated_at": val.updated_at.isoformat() if val.updated_at else None,
+                },
+                ttl=300,
+            )
+
+        return val
+
+    async def _resolve(
+        self, key: str, user_ctx: UserContext, default: Any = None
+    ) -> ConfigValue:
+        async with AsyncSessionLocal() as db:  # type: ignore
+            # 1. User
+            if user_ctx.user_id:
+                q = await db.execute(
+                    select(ConfigUser).where(
+                        ConfigUser.user_id == user_ctx.user_id,
+                        ConfigUser.key == key,
+                    )
+                )
+                row = q.scalar_one_or_none()
+                if row:
+                    return ConfigValue(
+                        value=self.enc.decrypt(row.value_encrypted, row.encrypted),
+                        source="db",
+                        level="user",
+                        level_id=user_ctx.user_id,
+                        encrypted=row.encrypted,
+                        updated_at=row.updated_at,
+                    )
+
+            # 2. Group (first by priority desc)
+            if user_ctx.groups:
+                q = await db.execute(
+                    select(ConfigGroup)
+                    .where(ConfigGroup.group_id.in_(user_ctx.groups), ConfigGroup.key == key)
+                    .order_by(ConfigGroup.priority.desc())
+                )
+                grp = q.first()
+                if grp:
+                    grp = grp[0]
+                    return ConfigValue(
+                        value=self.enc.decrypt(grp.value_encrypted, grp.encrypted),
+                        source="db",
+                        level="group",
+                        level_id=grp.group_id,
+                        encrypted=grp.encrypted,
+                        updated_at=grp.updated_at,
+                    )
+
+            # 3. Department
+            if user_ctx.tenant_id and user_ctx.department:
+                q = await db.execute(
+                    select(ConfigDepartment).where(
+                        ConfigDepartment.tenant_id == user_ctx.tenant_id,
+                        ConfigDepartment.department == user_ctx.department,
+                        ConfigDepartment.key == key,
+                    )
+                )
+                dep = q.scalar_one_or_none()
+                if dep:
+                    return ConfigValue(
+                        value=self.enc.decrypt(dep.value_encrypted, dep.encrypted),
+                        source="db",
+                        level="department",
+                        level_id=f"{user_ctx.tenant_id}:{user_ctx.department}",
+                        encrypted=dep.encrypted,
+                        updated_at=dep.updated_at,
+                    )
+
+            # 4. Tenant
+            if user_ctx.tenant_id:
+                q = await db.execute(
+                    select(ConfigTenant).where(
+                        ConfigTenant.tenant_id == user_ctx.tenant_id,
+                        ConfigTenant.key == key,
+                    )
+                )
+                ten = q.scalar_one_or_none()
+                if ten:
+                    return ConfigValue(
+                        value=self.enc.decrypt(ten.value_encrypted, ten.encrypted),
+                        source="db",
+                        level="tenant",
+                        level_id=user_ctx.tenant_id,
+                        encrypted=ten.encrypted,
+                        updated_at=ten.updated_at,
+                    )
+
+            # 5. Global
+            q = await db.execute(select(ConfigGlobal).where(ConfigGlobal.key == key))
+            glob = q.scalar_one_or_none()
+            if glob:
+                return ConfigValue(
+                    value=self.enc.decrypt(glob.value_encrypted, glob.encrypted),
+                    source="db",
+                    level="global",
+                    encrypted=glob.encrypted,
+                    updated_at=glob.updated_at,
+                )
+
+        # 6. Built-in defaults
+        if key in self.BUILT_IN_DEFAULTS:
+            return ConfigValue(value=self.BUILT_IN_DEFAULTS[key], source="default")
+
+        # 7. fallback (unset)
+        if default is not None:
+            return ConfigValue(value=default, source="default")
+        raise KeyError(key)
+
+    def _cache_key(self, prefix: str, u: UserContext, key: str) -> str:
+        parts = [u.tenant_id or "null", u.department or "null", u.user_id or "null", ",".join(sorted(u.groups)) or "null"]
+        return f"cfg:{prefix}:{':'.join(parts)}:{key}"
+
diff --git a/api/app/main.py b/api/app/main.py
index bbc00db7..0c44c356 100644
--- a/api/app/main.py
+++ b/api/app/main.py
@@ -116,10 +116,27 @@ def _inbound_dedupe(provider_id: str, external_id: str, window_sec: int = 600) -
             _inbound_seen.pop(k, None)
         key = f"{provider_id}:{external_id}"
         ts = _inbound_seen.get(key)
-        if ts and ts >= cutoff:
-            return True
+    if ts and ts >= cutoff:
+        return True
         _inbound_seen[key] = now
-        return False
+    return False
+
+# ===== Phase 3: optional hierarchical config bootstrap (lazy) =====
+try:
+    from .services.cache_manager import CacheManager  # type: ignore
+    from .config.hierarchical_provider import HierarchicalConfigProvider  # type: ignore
+
+    _REDIS_URL = os.getenv("REDIS_URL")
+    _cmk = os.getenv("CONFIG_MASTER_KEY", "")
+    _cache = CacheManager(_REDIS_URL) if _REDIS_URL else None
+    if _cmk and len(_cmk) == 44:
+        app.state.hierarchical_config = HierarchicalConfigProvider(_cmk, cache_manager=_cache)  # type: ignore[attr-defined]
+    else:
+        # Expose None if not configured; Admin endpoints will be added in Phase 3 PRs
+        app.state.hierarchical_config = None  # type: ignore[attr-defined]
+except Exception:
+    # Do not block startup; Phase 3 endpoints will check availability
+    app.state.hierarchical_config = None  # type: ignore[attr-defined]
     except Exception:
         return False
 
diff --git a/api/app/services/cache_manager.py b/api/app/services/cache_manager.py
new file mode 100644
index 00000000..67a91a2d
--- /dev/null
+++ b/api/app/services/cache_manager.py
@@ -0,0 +1,118 @@
+import json
+from datetime import datetime, timedelta
+from typing import Any, Optional, Dict
+
+try:
+    import redis.asyncio as redis  # type: ignore
+except Exception:  # pragma: no cover - optional runtime dep
+    redis = None  # type: ignore
+
+
+class CacheManager:
+    """Redis-backed cache with a simple local fallback.
+
+    - If REDIS_URL is provided and redis library is available, uses Redis for get/set.
+    - Always mirrors values into a local in-process cache with a short TTL so we
+      remain resilient if Redis blips.
+    """
+
+    def __init__(self, redis_url: Optional[str] = None):
+        self.redis_available = False
+        self.redis_client = None
+        self.local_cache: Dict[str, Any] = {}
+        self.local_expiry: Dict[str, datetime] = {}
+
+        if redis_url and redis is not None:
+            try:
+                self.redis_client = redis.from_url(redis_url)
+                self.redis_available = True
+            except Exception:
+                # Degrade gracefully; local cache only
+                self.redis_available = False
+
+    async def get(self, key: str) -> Optional[Any]:
+        # Try Redis first
+        if self.redis_available and self.redis_client:
+            try:
+                raw = await self.redis_client.get(key)
+                if raw:
+                    return json.loads(raw)
+            except Exception:
+                pass
+
+        # Fallback to local
+        exp = self.local_expiry.get(key)
+        if exp and exp > datetime.utcnow():
+            return self.local_cache.get(key)
+        # Expired
+        self.local_cache.pop(key, None)
+        self.local_expiry.pop(key, None)
+        return None
+
+    async def set(self, key: str, value: Any, ttl: int = 300) -> bool:
+        # Redis
+        if self.redis_available and self.redis_client:
+            try:
+                await self.redis_client.setex(key, ttl, json.dumps(value, default=str))
+            except Exception:
+                pass
+        # Local mirror with capped TTL (≤ 60s)
+        self.local_cache[key] = value
+        self.local_expiry[key] = datetime.utcnow() + timedelta(seconds=min(ttl, 60))
+        return True
+
+    async def delete(self, key: str) -> bool:
+        if self.redis_available and self.redis_client:
+            try:
+                await self.redis_client.delete(key)
+            except Exception:
+                pass
+        self.local_cache.pop(key, None)
+        self.local_expiry.pop(key, None)
+        return True
+
+    async def delete_pattern(self, pattern: str) -> int:
+        deleted = 0
+        # Redis pattern delete (SCAN based)
+        if self.redis_available and self.redis_client:
+            try:
+                async for key in self.redis_client.scan_iter(match=pattern):
+                    await self.redis_client.delete(key)
+                    deleted += 1
+            except Exception:
+                pass
+        # Local pattern delete
+        for key in list(self.local_cache.keys()):
+            if _pattern_match(key, pattern):
+                self.local_cache.pop(key, None)
+                self.local_expiry.pop(key, None)
+                deleted += 1
+        return deleted
+
+    async def flush_all(self) -> None:
+        # Clear local
+        self.local_cache.clear()
+        self.local_expiry.clear()
+        # Best-effort Redis flush for this DB only
+        if self.redis_available and self.redis_client:
+            try:
+                await self.redis_client.flushdb()
+            except Exception:
+                pass
+
+    async def get_stats(self) -> Dict[str, Any]:
+        return {
+            "redis_available": bool(self.redis_available),
+            "local_size": len(self.local_cache),
+        }
+
+
+def _pattern_match(key: str, pattern: str) -> bool:
+    # Very small helper; Redis pattern only used with '*' wildcards in our usage
+    if pattern == key:
+        return True
+    if "*" not in pattern:
+        return False
+    prefix = pattern.split("*")[0]
+    return key.startswith(prefix)
+
diff --git a/api/requirements.txt b/api/requirements.txt
index e35cfcbe..5b4e5453 100644
--- a/api/requirements.txt
+++ b/api/requirements.txt
@@ -19,3 +19,6 @@ pexpect==4.9.0
 segno==1.6.1
 qrcode==7.4.2
 Pillow==10.4.0
+cryptography==43.0.1
+redis==5.0.8
+sse-starlette==3.0.2

From 647d4bf8a5e1bbd89b2ee3d16bb837d196003aff Mon Sep 17 00:00:00 2001
From: Faxbot Agent <bot@faxbot.local>
Date: Fri, 26 Sep 2025 01:34:32 -0600
Subject: [PATCH 3/7] PR15: add v4 admin config endpoints (read-only) under
 /admin/config/v4; effective, hierarchy, safe-keys, flush-cache

---
 api/app/config/hierarchical_provider.py | 108 ++++++++++++++++++++++++
 api/app/main.py                         |  93 +++++++++++++++++++-
 2 files changed, 200 insertions(+), 1 deletion(-)

diff --git a/api/app/config/hierarchical_provider.py b/api/app/config/hierarchical_provider.py
index 8520c0b5..a9a075b4 100644
--- a/api/app/config/hierarchical_provider.py
+++ b/api/app/config/hierarchical_provider.py
@@ -83,6 +83,13 @@ class HierarchicalConfigProvider:
         "oauth.client_secret",
     }
 
+    SAFE_EDIT_KEYS: Dict[str, Dict[str, Any]] = {
+        "fax.timeout_seconds": {"type": "integer", "min": 5, "max": 300},
+        "fax.retry_attempts": {"type": "integer", "min": 0, "max": 10},
+        "api.rate_limit_rpm": {"type": "integer", "min": 1, "max": 10000},
+        "notifications.enable_sse": {"type": "boolean"},
+    }
+
     def __init__(self, encryption_key: str, cache_manager=None):
         self.enc = ConfigEncryption(encryption_key)
         self.cache = cache_manager
@@ -222,3 +229,104 @@ def _cache_key(self, prefix: str, u: UserContext, key: str) -> str:
         parts = [u.tenant_id or "null", u.department or "null", u.user_id or "null", ",".join(sorted(u.groups)) or "null"]
         return f"cfg:{prefix}:{':'.join(parts)}:{key}"
 
+    async def get_hierarchy(self, key: str, user_ctx: UserContext) -> List[ConfigValue]:
+        """Return layered values from highest to lowest priority present + default."""
+        layers: List[ConfigValue] = []
+        try:
+            # user
+            if user_ctx.user_id:
+                async with AsyncSessionLocal() as db:  # type: ignore
+                    q = await db.execute(select(ConfigUser).where(ConfigUser.user_id == user_ctx.user_id, ConfigUser.key == key))
+                    row = q.scalar_one_or_none()
+                    if row:
+                        layers.append(
+                            ConfigValue(
+                                value=self.enc.decrypt(row.value_encrypted, row.encrypted),
+                                source="db",
+                                level="user",
+                                level_id=user_ctx.user_id,
+                                encrypted=row.encrypted,
+                                updated_at=row.updated_at,
+                            )
+                        )
+            # group (first only reported)
+            if user_ctx.groups:
+                async with AsyncSessionLocal() as db:  # type: ignore
+                    q = await db.execute(
+                        select(ConfigGroup)
+                        .where(ConfigGroup.group_id.in_(user_ctx.groups), ConfigGroup.key == key)
+                        .order_by(ConfigGroup.priority.desc())
+                    )
+                    grp = q.first()
+                    if grp:
+                        grp = grp[0]
+                        layers.append(
+                            ConfigValue(
+                                value=self.enc.decrypt(grp.value_encrypted, grp.encrypted),
+                                source="db",
+                                level="group",
+                                level_id=grp.group_id,
+                                encrypted=grp.encrypted,
+                                updated_at=grp.updated_at,
+                            )
+                        )
+            # department
+            if user_ctx.tenant_id and user_ctx.department:
+                async with AsyncSessionLocal() as db:  # type: ignore
+                    q = await db.execute(
+                        select(ConfigDepartment).where(
+                            ConfigDepartment.tenant_id == user_ctx.tenant_id,
+                            ConfigDepartment.department == user_ctx.department,
+                            ConfigDepartment.key == key,
+                        )
+                    )
+                    dep = q.scalar_one_or_none()
+                    if dep:
+                        layers.append(
+                            ConfigValue(
+                                value=self.enc.decrypt(dep.value_encrypted, dep.encrypted),
+                                source="db",
+                                level="department",
+                                level_id=f"{user_ctx.tenant_id}:{user_ctx.department}",
+                                encrypted=dep.encrypted,
+                                updated_at=dep.updated_at,
+                            )
+                        )
+            # tenant
+            if user_ctx.tenant_id:
+                async with AsyncSessionLocal() as db:  # type: ignore
+                    q = await db.execute(select(ConfigTenant).where(ConfigTenant.tenant_id == user_ctx.tenant_id, ConfigTenant.key == key))
+                    ten = q.scalar_one_or_none()
+                    if ten:
+                        layers.append(
+                            ConfigValue(
+                                value=self.enc.decrypt(ten.value_encrypted, ten.encrypted),
+                                source="db",
+                                level="tenant",
+                                level_id=user_ctx.tenant_id,
+                                encrypted=ten.encrypted,
+                                updated_at=ten.updated_at,
+                            )
+                        )
+            # global
+            async with AsyncSessionLocal() as db:  # type: ignore
+                q = await db.execute(select(ConfigGlobal).where(ConfigGlobal.key == key))
+                glob = q.scalar_one_or_none()
+                if glob:
+                    layers.append(
+                        ConfigValue(
+                            value=self.enc.decrypt(glob.value_encrypted, glob.encrypted),
+                            source="db",
+                            level="global",
+                            encrypted=glob.encrypted,
+                            updated_at=glob.updated_at,
+                        )
+                    )
+        except Exception:
+            pass
+        if key in self.BUILT_IN_DEFAULTS:
+            layers.append(ConfigValue(value=self.BUILT_IN_DEFAULTS[key], source="default"))
+        return layers
+
+    async def get_safe_edit_keys(self) -> Dict[str, Dict[str, Any]]:
+        return dict(self.SAFE_EDIT_KEYS)
diff --git a/api/app/main.py b/api/app/main.py
index 0c44c356..ed3112b3 100644
--- a/api/app/main.py
+++ b/api/app/main.py
@@ -56,6 +56,7 @@
 from .middleware.traits import requires_traits
 from .security.permissions import require_permissions
 from .security.user_traits import pack_user_traits
+from fastapi import APIRouter
 
 
 app = FastAPI(
@@ -133,10 +134,100 @@ def _inbound_dedupe(provider_id: str, external_id: str, window_sec: int = 600) -
         app.state.hierarchical_config = HierarchicalConfigProvider(_cmk, cache_manager=_cache)  # type: ignore[attr-defined]
     else:
         # Expose None if not configured; Admin endpoints will be added in Phase 3 PRs
-        app.state.hierarchical_config = None  # type: ignore[attr-defined]
+    app.state.hierarchical_config = None  # type: ignore[attr-defined]
 except Exception:
     # Do not block startup; Phase 3 endpoints will check availability
     app.state.hierarchical_config = None  # type: ignore[attr-defined]
+
+# ===== Phase 3: Admin Config (v4) endpoints (read-only for now) =====
+router_cfg_v4 = APIRouter(prefix="/admin/config/v4", tags=["ConfigurationV4"], dependencies=[Depends(require_admin)])
+
+
+@router_cfg_v4.get("/effective")
+async def v4_config_effective(request: Request):
+    hc = getattr(app.state, "hierarchical_config", None)
+    if not hc:
+        raise HTTPException(503, "Hierarchical configuration not initialized")
+
+    # Use a minimal system context for now; later we can derive from auth
+    from .config import settings as _s
+    user_ctx = {
+        "user_id": "admin",
+        "tenant_id": None,
+        "department": None,
+        "groups": [],
+    }
+    # Common keys for initial surface
+    keys = [
+        "fax.timeout_seconds",
+        "fax.retry_attempts",
+        "api.rate_limit_rpm",
+        "notifications.enable_sse",
+    ]
+    out: dict[str, dict[str, Any]] = {}
+    # Resolve values
+    from .config.hierarchical_provider import UserContext  # type: ignore
+    for k in keys:
+        try:
+            cv = await hc.get_effective(k, UserContext(**user_ctx))
+            out[k] = {
+                "value": cv.value,
+                "source": cv.source,
+                "level": cv.level,
+                "level_id": cv.level_id,
+                "encrypted": cv.encrypted,
+                "updated_at": (cv.updated_at.isoformat() if cv.updated_at else None),
+            }
+        except Exception:
+            pass
+    # Cache stats if present
+    cache_stats = {}
+    if getattr(hc, "cache", None):
+        cache_stats = await hc.cache.get_stats()
+    return {"values": out, "cache_stats": cache_stats}
+
+
+@router_cfg_v4.get("/hierarchy")
+async def v4_config_hierarchy(key: str):
+    hc = getattr(app.state, "hierarchical_config", None)
+    if not hc:
+        raise HTTPException(503, "Hierarchical configuration not initialized")
+    from .config.hierarchical_provider import UserContext  # type: ignore
+    layers = await hc.get_hierarchy(key, UserContext(user_id="admin", tenant_id=None, department=None, groups=[]))
+    return {
+        "key": key,
+        "layers": [
+            {
+                "level": v.level,
+                "level_id": v.level_id,
+                "value": v.value,
+                "encrypted": v.encrypted,
+                "updated_at": (v.updated_at.isoformat() if v.updated_at else None),
+            }
+            for v in layers
+        ],
+    }
+
+
+@router_cfg_v4.get("/safe-keys")
+async def v4_config_safe_keys():
+    hc = getattr(app.state, "hierarchical_config", None)
+    if not hc:
+        raise HTTPException(503, "Hierarchical configuration not initialized")
+    return await hc.get_safe_edit_keys()
+
+
+@router_cfg_v4.post("/flush-cache")
+async def v4_config_flush_cache(scope: Optional[str] = None):
+    hc = getattr(app.state, "hierarchical_config", None)
+    if not hc or not getattr(hc, "cache", None):
+        raise HTTPException(503, "Cache manager not available")
+    # Basic flush-all for now; scope handling in later PRs
+    await hc.cache.flush_all()
+    return {"success": True, "scope": scope or "all"}
+
+
+app.include_router(router_cfg_v4)
     except Exception:
         return False
 

From 79fc275c0b23b03b95adcb71ff67637d22452c26 Mon Sep 17 00:00:00 2001
From: Faxbot Agent <bot@faxbot.local>
Date: Fri, 26 Sep 2025 01:35:45 -0600
Subject: [PATCH 4/7] PR18: canonical events emitter + admin diagnostics
 SSE/recent and main wiring

---
 api/app/main.py                      | 12 ++++
 api/app/routers/admin_diagnostics.py | 51 ++++++++++++++++
 api/app/services/events.py           | 88 ++++++++++++++++++++++++++++
 3 files changed, 151 insertions(+)
 create mode 100644 api/app/routers/admin_diagnostics.py
 create mode 100644 api/app/services/events.py

diff --git a/api/app/main.py b/api/app/main.py
index ed3112b3..5802e262 100644
--- a/api/app/main.py
+++ b/api/app/main.py
@@ -228,6 +228,18 @@ async def v4_config_flush_cache(scope: Optional[str] = None):
 
 
 app.include_router(router_cfg_v4)
+
+# Diagnostics router (SSE/recent events)
+try:
+    from .routers import admin_diagnostics as _diag
+    from .services.events import EventEmitter
+    # Attach emitter if not present
+    if not hasattr(app.state, "event_emitter") or app.state.event_emitter is None:  # type: ignore[attr-defined]
+        app.state.event_emitter = EventEmitter()  # type: ignore[attr-defined]
+    app.include_router(_diag.router)
+except Exception:
+    # Non-fatal if SSE deps missing
+    pass
     except Exception:
         return False
 
diff --git a/api/app/routers/admin_diagnostics.py b/api/app/routers/admin_diagnostics.py
new file mode 100644
index 00000000..0c76931d
--- /dev/null
+++ b/api/app/routers/admin_diagnostics.py
@@ -0,0 +1,51 @@
+from typing import Optional
+
+from fastapi import APIRouter, Depends, HTTPException
+from fastapi import Request
+from sse_starlette.sse import EventSourceResponse  # type: ignore
+
+from api.app.main import require_admin  # reuse admin dependency
+from api.app.services.events import EventEmitter
+
+
+router = APIRouter(prefix="/admin/diagnostics", tags=["Diagnostics"], dependencies=[Depends(require_admin)])
+
+
+@router.get("/events/recent")
+async def recent_events(request: Request, limit: int = 50, provider_id: Optional[str] = None):
+    emitter: EventEmitter = request.app.state.event_emitter  # type: ignore
+    events = await emitter.get_recent_events(limit=limit, provider_id=provider_id)
+    return {
+        "events": [
+            {
+                "id": e.id,
+                "type": e.type.value,
+                "occurred_at": e.occurred_at.isoformat(),
+                "provider_id": e.provider_id,
+                "external_id": e.external_id,
+                "job_id": e.job_id,
+                "payload_meta": e.payload_meta,
+            }
+            for e in events
+        ],
+        "total": len(events),
+    }
+
+
+@router.get("/events/sse")
+async def events_sse(request: Request):
+    emitter: EventEmitter = request.app.state.event_emitter  # type: ignore
+    queue = await emitter.add_subscriber()
+
+    async def event_stream():
+        try:
+            while True:
+                msg = await queue.get()
+                yield {"event": "event", "data": msg}
+        except Exception:
+            pass
+        finally:
+            await emitter.remove_subscriber(queue)
+
+    return EventSourceResponse(event_stream())
+
diff --git a/api/app/services/events.py b/api/app/services/events.py
new file mode 100644
index 00000000..cb3b7af3
--- /dev/null
+++ b/api/app/services/events.py
@@ -0,0 +1,88 @@
+import asyncio
+from dataclasses import dataclass, field
+from datetime import datetime
+from enum import Enum
+from typing import Any, Dict, List, Optional
+
+
+class EventType(str, Enum):
+    PROVIDER_HEALTH_CHANGED = "provider.health.changed"
+    WEBHOOK_RECEIVED = "webhook.received"
+    JOB_STATUS_CHANGED = "job.status.changed"
+
+
+@dataclass
+class CanonicalEvent:
+    id: str
+    type: EventType
+    occurred_at: datetime
+    job_id: Optional[str] = None
+    provider_id: Optional[str] = None
+    external_id: Optional[str] = None
+    user_id: Optional[str] = None
+    payload_meta: Dict[str, Any] = field(default_factory=dict)
+    correlation_id: Optional[str] = None
+
+
+class EventEmitter:
+    def __init__(self) -> None:
+        self._events: List[CanonicalEvent] = []
+        self._max_events = 200
+        self._subscribers: List[asyncio.Queue[str]] = []
+        self._lock = asyncio.Lock()
+
+    async def emit_event(self, etype: EventType, **kwargs: Any) -> None:
+        ev = CanonicalEvent(
+            id=str(kwargs.get("id") or datetime.utcnow().timestamp()),
+            type=etype,
+            occurred_at=datetime.utcnow(),
+            job_id=kwargs.get("job_id"),
+            provider_id=kwargs.get("provider_id"),
+            external_id=kwargs.get("external_id"),
+            user_id=kwargs.get("user_id"),
+            payload_meta=kwargs.get("payload_meta") or {},
+            correlation_id=kwargs.get("correlation_id"),
+        )
+        self._events.append(ev)
+        if len(self._events) > self._max_events:
+            self._events = self._events[-self._max_events :]
+        # SSE broadcast (sanitized json)
+        msg = {
+            "id": ev.id,
+            "type": ev.type.value,
+            "occurred_at": ev.occurred_at.isoformat(),
+            "provider_id": ev.provider_id,
+            "external_id": ev.external_id,
+            "job_id": ev.job_id,
+            "payload_meta": ev.payload_meta,
+        }
+        async with self._lock:
+            for q in list(self._subscribers):
+                try:
+                    q.put_nowait(json_dumps(msg))
+                except Exception:
+                    pass
+
+    async def get_recent_events(self, limit: int = 50, provider_id: Optional[str] = None) -> List[CanonicalEvent]:
+        items = list(self._events)
+        if provider_id:
+            items = [e for e in items if e.provider_id == provider_id]
+        return items[-limit:]
+
+    async def add_subscriber(self) -> asyncio.Queue[str]:
+        q: asyncio.Queue[str] = asyncio.Queue(maxsize=100)
+        async with self._lock:
+            self._subscribers.append(q)
+        return q
+
+    async def remove_subscriber(self, q: asyncio.Queue[str]) -> None:
+        async with self._lock:
+            if q in self._subscribers:
+                self._subscribers.remove(q)
+
+
+def json_dumps(obj: Any) -> str:
+    import json
+
+    return json.dumps(obj, separators=(",", ":"))
+

From 904c319b33c73084aa44c85787b086059bfa8a95 Mon Sep 17 00:00:00 2001
From: Faxbot Agent <bot@faxbot.local>
Date: Fri, 26 Sep 2025 01:51:20 -0600
Subject: [PATCH 5/7] fix(admin-ui): repair TS errors in
 Diagnostics/Inbound/ScriptsTests/SetupWizard (missing useTraits destructures,
 remove unused, recompute auth flags)

---
 api/admin_ui/src/components/Diagnostics.tsx  |  2 +-
 api/admin_ui/src/components/Inbound.tsx      | 11 +++--------
 api/admin_ui/src/components/ScriptsTests.tsx |  2 +-
 api/admin_ui/src/components/SetupWizard.tsx  |  4 ++++
 4 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/api/admin_ui/src/components/Diagnostics.tsx b/api/admin_ui/src/components/Diagnostics.tsx
index b835d4e6..6b8e9790 100644
--- a/api/admin_ui/src/components/Diagnostics.tsx
+++ b/api/admin_ui/src/components/Diagnostics.tsx
@@ -171,7 +171,7 @@ function Diagnostics({ client, onNavigate, docsBase }: DiagnosticsProps) {
   const theme = useTheme();
   const isMobile = useMediaQuery(theme.breakpoints.down('md'));
   const isSmallMobile = useMediaQuery(theme.breakpoints.down('sm'));
-  const { outboundTraits, inboundTraits } = useTraits();
+  const { active, registry, outboundTraits, inboundTraits } = useTraits();
 
   // const hrefFor = (topic: string): string | undefined => (anchors[topic] || thirdParty[topic]);
 
diff --git a/api/admin_ui/src/components/Inbound.tsx b/api/admin_ui/src/components/Inbound.tsx
index 9d5a839a..230d5d9d 100644
--- a/api/admin_ui/src/components/Inbound.tsx
+++ b/api/admin_ui/src/components/Inbound.tsx
@@ -49,7 +49,8 @@ interface InboundProps {
 }
 
 function Inbound({ client, docsBase }: InboundProps) {
-  const { active } = useTraits();
+  // Traits not currently used here; avoid TS unused binding error
+  useTraits();
   const [faxes, setFaxes] = useState<InboundFax[]>([]);
   const [loading, setLoading] = useState(true);
   const [error, setError] = useState<string | null>(null);
@@ -68,13 +69,7 @@ function Inbound({ client, docsBase }: InboundProps) {
     'sip-ami-setup': `${base}/backends/sipsetup.html#sip-ami-setup`,
     'sip-ami-security': `${base}/backends/sipsetup.html#sip-ami-security`,
   };
-  const thirdParty: Record<string,string> = {
-    'phaxio-webhook-hmac': 'https://www.phaxio.com/docs/security/callbacks',
-    'sinch-inbound-webhook': 'https://developers.sinch.com/docs/fax/api-reference/fax/tag/Notifications/#incoming-fax-event-webhook',
-    'sinch-inbound-basic-auth': 'https://developers.sinch.com/docs/voice/api-reference/voice/tag/Webhooks/#authentication',
-    'sip-ami-setup': 'https://medium.com/@lohaniprashant/asterisk-manager-interface-ami-setup-and-configuration-9b4f8d5bf9f9',
-    'sip-ami-security': 'https://medium.com/@lohaniprashant/asterisk-manager-interface-ami-setup-and-configuration-9b4f8d5bf9f9',
-  };
+  // third-party links unused here; keep anchors to our docs only
   
   const theme = useTheme();
   const isMobile = useMediaQuery(theme.breakpoints.down('md'));
diff --git a/api/admin_ui/src/components/ScriptsTests.tsx b/api/admin_ui/src/components/ScriptsTests.tsx
index 55acbcfa..947301c1 100644
--- a/api/admin_ui/src/components/ScriptsTests.tsx
+++ b/api/admin_ui/src/components/ScriptsTests.tsx
@@ -144,7 +144,7 @@ const ConsoleBox: React.FC<{ lines: string[]; loading?: boolean; title?: string
 };
 
 const ScriptsTests: React.FC<Props> = ({ client, docsBase, readOnly = false, canSend = false }) => {
-  const { outboundTraits } = useTraits();
+  const { outboundTraits, hasTrait } = useTraits();
   const [error, setError] = useState<string>('');
   const [busyAuth, setBusyAuth] = useState<boolean>(false);
   const [busyInbound, setBusyInbound] = useState<boolean>(false);
diff --git a/api/admin_ui/src/components/SetupWizard.tsx b/api/admin_ui/src/components/SetupWizard.tsx
index da0e75e0..db409827 100644
--- a/api/admin_ui/src/components/SetupWizard.tsx
+++ b/api/admin_ui/src/components/SetupWizard.tsx
@@ -246,6 +246,10 @@ function SetupWizard({ client, onDone, docsBase }: SetupWizardProps) {
     setEnvContent('');
     setValidationResults(null);
     try {
+      // Derive auth method hints for payload branching
+      const m = (traitValue('outbound','auth.methods') || []) as string[];
+      const basicOnly = Array.isArray(m) && m.includes('basic') && !m.includes('oauth2');
+      const hasOAuth = Array.isArray(m) && m.includes('oauth2');
       const effectiveBackend = (config.outbound_backend || config.backend);
       const payload: any = {
         backend: effectiveBackend,

From b3bdfb14a4612bbb1ff61c6a5a32f37783420015 Mon Sep 17 00:00:00 2001
From: Faxbot Agent <bot@faxbot.local>
Date: Fri, 26 Sep 2025 01:52:35 -0600
Subject: [PATCH 6/7] fix: admin UI build (add missing traits vars, remove
 unused, recompute flags); bump anyio to satisfy sse-starlette

---
 api/admin_ui/src/components/Inbound.tsx  | 3 +--
 api/admin_ui/src/components/Settings.tsx | 3 +--
 api/requirements.txt                     | 2 +-
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/api/admin_ui/src/components/Inbound.tsx b/api/admin_ui/src/components/Inbound.tsx
index 230d5d9d..bd5822a9 100644
--- a/api/admin_ui/src/components/Inbound.tsx
+++ b/api/admin_ui/src/components/Inbound.tsx
@@ -49,8 +49,7 @@ interface InboundProps {
 }
 
 function Inbound({ client, docsBase }: InboundProps) {
-  // Traits not currently used here; avoid TS unused binding error
-  useTraits();
+  const { hasTrait } = useTraits();
   const [faxes, setFaxes] = useState<InboundFax[]>([]);
   const [loading, setLoading] = useState(true);
   const [error, setError] = useState<string | null>(null);
diff --git a/api/admin_ui/src/components/Settings.tsx b/api/admin_ui/src/components/Settings.tsx
index 5d2f33e4..fbd1299b 100644
--- a/api/admin_ui/src/components/Settings.tsx
+++ b/api/admin_ui/src/components/Settings.tsx
@@ -57,7 +57,7 @@ function Settings({ client, readOnly = false }: SettingsProps) {
   const [importingEnv, setImportingEnv] = useState<boolean>(false);
   const [importResult, setImportResult] = useState<{discovered:number; prefixes:string[]} | null>(null);
   const [lastGeneratedSecret, setLastGeneratedSecret] = useState<string>('');
-  const { hasTrait, active, traitValue, registry } = useTraits();
+  const { hasTrait, active, traitValue } = useTraits();
   const handleForm = (field: string, value: any) => setForm((prev: any) => ({ ...prev, [field]: value }));
   const isSmall = useMediaQuery('(max-width:900px)');
   const ctlStyle: React.CSSProperties = { background: 'transparent', color: 'inherit', borderColor: '#444', padding: '6px', borderRadius: 6, width: isSmall ? '100%' : 'auto', maxWidth: isSmall ? '100%' : undefined };
@@ -179,7 +179,6 @@ function Settings({ client, readOnly = false }: SettingsProps) {
       if (form.feature_plugin_install !== undefined) p.feature_plugin_install = !!form.feature_plugin_install;
 
       // Provider-specific settings (traits-aware)
-      const activeOutbound = active?.outbound;
       const methods = (traitValue('outbound', 'auth.methods') || []) as string[];
       // Providers with basic-only auth (e.g., Phaxio-like)
       if (Array.isArray(methods) && methods.includes('basic') && !methods.includes('oauth2')) {
diff --git a/api/requirements.txt b/api/requirements.txt
index 5b4e5453..bf9f806e 100644
--- a/api/requirements.txt
+++ b/api/requirements.txt
@@ -9,7 +9,7 @@ httpx==0.27.2
 tenacity==8.5.0
 pytest==8.3.2
 pytest-asyncio==0.23.8
-anyio==4.4.0
+anyio==4.11.0
 reportlab==4.2.2
 aiohttp==3.9.1
 boto3==1.34.162

From d99fc16647772ccbb5138e2bb143501d70293622 Mon Sep 17 00:00:00 2001
From: Faxbot Agent <bot@faxbot.local>
Date: Fri, 26 Sep 2025 05:02:20 -0600
Subject: [PATCH 7/7] feat: enhance admin diagnostics with real-time event
 streaming and provider health management; add recent events endpoint with
 filtering options and database persistence for events

---
 api/admin_ui/package-lock.json                |  11 +
 api/admin_ui/package.json                     |  25 +-
 api/admin_ui/src/api/client.ts                |  78 ++++
 api/admin_ui/src/components/Diagnostics.tsx   |  18 +
 api/admin_ui/src/components/EventStream.tsx   | 403 ++++++++++++++++++
 .../src/components/ProviderHealthStatus.tsx   | 322 ++++++++++++++
 api/alembic/versions/0003_webhook_dlq.py      |  47 ++
 api/app/db.py                                 |  67 +++
 api/app/main.py                               | 121 +++++-
 api/app/models/events.py                      |  45 ++
 api/app/models/webhook_dlq.py                 |  90 ++++
 api/app/monitoring/health.py                  | 379 +++++++++++++++-
 .../plugins/transport/shims/test/plugin.py    |  19 +
 api/app/plugins/transport/test/manifest.json  |  15 +
 api/app/routers/admin_diagnostics.py          |  52 ++-
 api/app/routers/admin_providers.py            | 153 +++++++
 api/app/routers/webhooks_v2.py                | 219 ++++++++++
 api/app/services/events.py                    | 134 +++++-
 api/app/services/webhook_processor.py         | 294 +++++++++++++
 v4_plans/implement/phase_3_runbook.md         | 389 +++++++++++++++++
 v4_plans/implement/phase_4_implement_plan.md  | 248 +----------
 v4_plans/implement/phase_5_implement_plan.md  |   2 +-
 v4_plans/implement/pr-gate.sh                 |  29 ++
 23 files changed, 2879 insertions(+), 281 deletions(-)
 create mode 100644 api/admin_ui/src/components/EventStream.tsx
 create mode 100644 api/admin_ui/src/components/ProviderHealthStatus.tsx
 create mode 100644 api/alembic/versions/0003_webhook_dlq.py
 create mode 100644 api/app/models/events.py
 create mode 100644 api/app/models/webhook_dlq.py
 create mode 100644 api/app/plugins/transport/shims/test/plugin.py
 create mode 100644 api/app/plugins/transport/test/manifest.json
 create mode 100644 api/app/routers/admin_providers.py
 create mode 100644 api/app/routers/webhooks_v2.py
 create mode 100644 api/app/services/webhook_processor.py
 create mode 100644 v4_plans/implement/phase_3_runbook.md
 create mode 100644 v4_plans/implement/pr-gate.sh

diff --git a/api/admin_ui/package-lock.json b/api/admin_ui/package-lock.json
index c1004845..7ab2e2cd 100644
--- a/api/admin_ui/package-lock.json
+++ b/api/admin_ui/package-lock.json
@@ -16,6 +16,7 @@
         "@xterm/addon-fit": "^0.10.0",
         "@xterm/addon-web-links": "^0.11.0",
         "@xterm/xterm": "^5.5.0",
+        "date-fns": "^4.1.0",
         "react": "^18.2.0",
         "react-dom": "^18.2.0",
         "react-hook-form": "^7.48.2",
@@ -2413,6 +2414,16 @@
       "integrity": "sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw==",
       "license": "MIT"
     },
+    "node_modules/date-fns": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-4.1.0.tgz",
+      "integrity": "sha512-Ukq0owbQXxa/U3EGtsdVBkR1w7KOQ5gIBqdH2hkvknzZPYvBxb/aa6E8L7tmjFtkwZBu3UXBbjIgPo/Ez4xaNg==",
+      "license": "MIT",
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/kossnocorp"
+      }
+    },
     "node_modules/debug": {
       "version": "4.4.1",
       "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.1.tgz",
diff --git a/api/admin_ui/package.json b/api/admin_ui/package.json
index 6d7d9909..f8684e28 100644
--- a/api/admin_ui/package.json
+++ b/api/admin_ui/package.json
@@ -9,32 +9,33 @@
     "test": "vitest"
   },
   "dependencies": {
-    "react": "^18.2.0",
-    "react-dom": "^18.2.0",
-    "@mui/material": "^5.14.20",
-    "@mui/icons-material": "^5.14.19",
     "@emotion/react": "^11.11.1",
     "@emotion/styled": "^11.11.0",
-    "react-router-dom": "^6.20.1",
-    "react-hook-form": "^7.48.2",
-    "@xterm/xterm": "^5.5.0",
+    "@mui/icons-material": "^5.14.19",
+    "@mui/material": "^5.14.20",
+    "@xterm/addon-attach": "^0.11.0",
     "@xterm/addon-fit": "^0.10.0",
     "@xterm/addon-web-links": "^0.11.0",
-    "@xterm/addon-attach": "^0.11.0"
+    "@xterm/xterm": "^5.5.0",
+    "date-fns": "^4.1.0",
+    "react": "^18.2.0",
+    "react-dom": "^18.2.0",
+    "react-hook-form": "^7.48.2",
+    "react-router-dom": "^6.20.1"
   },
   "devDependencies": {
+    "@testing-library/react": "^14.1.2",
     "@types/react": "^18.2.43",
     "@types/react-dom": "^18.2.17",
     "@vitejs/plugin-react": "^4.2.0",
+    "msw": "^2.3.1",
     "typescript": "^5.3.3",
     "vite": "^5.0.8",
-    "vitest": "^1.0.4",
-    "@testing-library/react": "^14.1.2",
-    "msw": "^2.3.1"
+    "vitest": "^1.0.4"
   },
   "msw": {
     "workerDirectory": [
       "public"
     ]
   }
-}
\ No newline at end of file
+}
diff --git a/api/admin_ui/src/api/client.ts b/api/admin_ui/src/api/client.ts
index 68dbe44f..0ec97e91 100644
--- a/api/admin_ui/src/api/client.ts
+++ b/api/admin_ui/src/api/client.ts
@@ -157,6 +157,84 @@ export class AdminAPIClient {
     return res.json();
   }
 
+  // Events & Diagnostics
+  async getRecentEvents(params: {
+    limit?: number;
+    provider_id?: string;
+    event_type?: string;
+    from_db?: boolean
+  } = {}): Promise<{ events: any[]; total: number; source: string }> {
+    const search = new URLSearchParams();
+    Object.entries(params).forEach(([key, value]) => {
+      if (value !== undefined && value !== null) {
+        search.append(key, String(value));
+      }
+    });
+    const res = await this.fetch(`/admin/diagnostics/events/recent?${search}`);
+    return res.json();
+  }
+
+  async getEventTypes(): Promise<{ event_types: Array<{ value: string; label: string }> }> {
+    const res = await this.fetch('/admin/diagnostics/events/types');
+    return res.json();
+  }
+
+  createEventSSE(): EventSource {
+    // Note: EventSource doesn't support custom headers directly
+    // Pass API key as query parameter for authentication
+    const params = new URLSearchParams();
+    params.append('X-API-Key', this.apiKey);
+    return new EventSource(`${this.baseURL}/admin/diagnostics/events/sse?${params.toString()}`);
+  }
+
+  // Provider Health Management
+  async getProviderHealthStatus(): Promise<{
+    provider_statuses: Record<string, any>;
+    total_providers: number;
+    healthy_count: number;
+    degraded_count: number;
+    circuit_open_count: number;
+    disabled_count: number;
+  }> {
+    const res = await this.fetch('/admin/providers/health');
+    return res.json();
+  }
+
+  async enableProvider(providerId: string): Promise<{
+    success: boolean;
+    provider_id: string;
+    new_status: string;
+    message?: string;
+  }> {
+    const res = await this.fetch('/admin/providers/enable', {
+      method: 'POST',
+      body: JSON.stringify({ provider_id: providerId }),
+    });
+    return res.json();
+  }
+
+  async disableProvider(providerId: string): Promise<{
+    success: boolean;
+    provider_id: string;
+    new_status: string;
+    message?: string;
+  }> {
+    const res = await this.fetch('/admin/providers/disable', {
+      method: 'POST',
+      body: JSON.stringify({ provider_id: providerId }),
+    });
+    return res.json();
+  }
+
+  async shouldAllowRequests(providerId: string): Promise<{
+    provider_id: string;
+    allowed: boolean;
+    reason: string;
+  }> {
+    const res = await this.fetch(`/admin/providers/circuit-breaker/${encodeURIComponent(providerId)}/should-allow`);
+    return res.json();
+  }
+
   // Jobs
   async listJobs(params: { 
     status?: string; 
diff --git a/api/admin_ui/src/components/Diagnostics.tsx b/api/admin_ui/src/components/Diagnostics.tsx
index 6b8e9790..21cbfe0d 100644
--- a/api/admin_ui/src/components/Diagnostics.tsx
+++ b/api/admin_ui/src/components/Diagnostics.tsx
@@ -46,6 +46,8 @@ import AdminAPIClient from '../api/client';
 import type { DiagnosticsResult } from '../api/types';
 import { useTraits } from '../hooks/useTraits';
 import { ResponsiveFormSection } from './common/ResponsiveFormFields';
+import EventStream from './EventStream';
+import ProviderHealthStatus from './ProviderHealthStatus';
 
 interface DiagnosticsProps {
   client: AdminAPIClient;
@@ -1031,6 +1033,22 @@ function Diagnostics({ client, onNavigate, docsBase }: DiagnosticsProps) {
                   renderCheckSection(title.charAt(0).toUpperCase() + title.slice(1), checks as Record<string, any>)
                 ))}
               </Box>
+
+              {/* Event Stream */}
+              <Box sx={{ mt: 4 }}>
+                <Typography variant="h6" fontWeight={600} sx={{ mb: 2 }}>
+                  Real-time Event Stream
+                </Typography>
+                <EventStream client={client} />
+              </Box>
+
+              {/* Provider Health Status */}
+              <Box sx={{ mt: 4 }}>
+                <Typography variant="h6" fontWeight={600} sx={{ mb: 2 }}>
+                  Provider Health Status
+                </Typography>
+                <ProviderHealthStatus client={client} />
+              </Box>
             </Box>
           </Fade>
         )}
diff --git a/api/admin_ui/src/components/EventStream.tsx b/api/admin_ui/src/components/EventStream.tsx
new file mode 100644
index 00000000..e82905c5
--- /dev/null
+++ b/api/admin_ui/src/components/EventStream.tsx
@@ -0,0 +1,403 @@
+import React, { useState, useEffect, useRef } from 'react';
+import {
+  Box,
+  Typography,
+  Paper,
+  Chip,
+  List,
+  ListItem,
+  ListItemText,
+  ListItemIcon,
+  Divider,
+  TextField,
+  MenuItem,
+  Stack,
+  IconButton,
+  Tooltip,
+  Alert,
+  Badge,
+  FormControlLabel,
+  Switch,
+  useTheme,
+  useMediaQuery,
+} from '@mui/material';
+import {
+  Circle as CircleIcon,
+  Pause as PauseIcon,
+  PlayArrow as PlayIcon,
+  Clear as ClearIcon,
+  Refresh as RefreshIcon,
+  FilterList as FilterIcon,
+  Timeline as TimelineIcon,
+  Event as EventIcon,
+  Storage as StorageIcon,
+  Memory as MemoryIcon,
+} from '@mui/icons-material';
+import AdminAPIClient from '../api/client';
+import { format } from 'date-fns';
+
+interface Event {
+  id: string;
+  type: string;
+  occurred_at: string;
+  provider_id?: string;
+  external_id?: string;
+  job_id?: string;
+  user_id?: string;
+  payload_meta?: Record<string, any>;
+  correlation_id?: string;
+}
+
+interface EventStreamProps {
+  client: AdminAPIClient;
+}
+
+const EventStream: React.FC<EventStreamProps> = ({ client }) => {
+  const theme = useTheme();
+  const isMobile = useMediaQuery(theme.breakpoints.down('md'));
+
+  // State
+  const [events, setEvents] = useState<Event[]>([]);
+  const [eventTypes, setEventTypes] = useState<Array<{ value: string; label: string }>>([]);
+  const [isConnected, setIsConnected] = useState(false);
+  const [isPaused, setIsPaused] = useState(false);
+  const [loading, setLoading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+
+  // Filters
+  const [selectedEventType, setSelectedEventType] = useState<string>('');
+  const [selectedProvider, setSelectedProvider] = useState<string>('');
+  const [fromDatabase, setFromDatabase] = useState(false);
+  const [limit, setLimit] = useState(50);
+
+  // Refs
+  const eventSourceRef = useRef<EventSource | null>(null);
+  const eventsRef = useRef<HTMLDivElement>(null);
+
+  // Load initial data
+  useEffect(() => {
+    loadEventTypes();
+    loadRecentEvents();
+  }, [selectedEventType, selectedProvider, fromDatabase, limit]);
+
+  // SSE connection management
+  useEffect(() => {
+    if (!isPaused) {
+      connectSSE();
+    } else {
+      disconnectSSE();
+    }
+
+    return () => {
+      disconnectSSE();
+    };
+  }, [isPaused]);
+
+  const loadEventTypes = async () => {
+    try {
+      const response = await client.getEventTypes();
+      setEventTypes(response.event_types);
+    } catch (err) {
+      console.error('Failed to load event types:', err);
+    }
+  };
+
+  const loadRecentEvents = async () => {
+    setLoading(true);
+    setError(null);
+
+    try {
+      const response = await client.getRecentEvents({
+        limit,
+        provider_id: selectedProvider || undefined,
+        event_type: selectedEventType || undefined,
+        from_db: fromDatabase,
+      });
+
+      setEvents(response.events);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to load events');
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  const connectSSE = () => {
+    if (eventSourceRef.current) return;
+
+    try {
+      const eventSource = client.createEventSSE();
+      eventSourceRef.current = eventSource;
+
+      eventSource.onopen = () => {
+        setIsConnected(true);
+        setError(null);
+      };
+
+      eventSource.addEventListener('connected', () => {
+        setIsConnected(true);
+      });
+
+      eventSource.addEventListener('event', (e) => {
+        try {
+          const eventData = JSON.parse(e.data) as Event;
+
+          // Apply filters
+          if (selectedEventType && eventData.type !== selectedEventType) return;
+          if (selectedProvider && eventData.provider_id !== selectedProvider) return;
+
+          setEvents(prev => [eventData, ...prev.slice(0, limit - 1)]);
+        } catch (err) {
+          console.error('Failed to parse event:', err);
+        }
+      });
+
+      eventSource.addEventListener('keepalive', () => {
+        // Keepalive received
+      });
+
+      eventSource.onerror = () => {
+        setIsConnected(false);
+        setError('Connection lost to event stream');
+        eventSourceRef.current = null;
+      };
+    } catch (err) {
+      setError('Failed to connect to event stream');
+    }
+  };
+
+  const disconnectSSE = () => {
+    if (eventSourceRef.current) {
+      eventSourceRef.current.close();
+      eventSourceRef.current = null;
+      setIsConnected(false);
+    }
+  };
+
+  const clearEvents = () => {
+    setEvents([]);
+  };
+
+  const getEventIcon = (eventType: string) => {
+    if (eventType.includes('fax')) return <EventIcon color="primary" />;
+    if (eventType.includes('provider') || eventType.includes('health')) return <TimelineIcon color="secondary" />;
+    if (eventType.includes('webhook')) return <CircleIcon color="success" />;
+    if (eventType.includes('config')) return <FilterIcon color="info" />;
+    return <CircleIcon />;
+  };
+
+  const getEventColor = (eventType: string): "default" | "primary" | "secondary" | "error" | "info" | "success" | "warning" => {
+    if (eventType.includes('failed') || eventType.includes('error')) return 'error';
+    if (eventType.includes('delivered') || eventType.includes('sent')) return 'success';
+    if (eventType.includes('queued') || eventType.includes('retrying')) return 'warning';
+    if (eventType.includes('health')) return 'info';
+    return 'default';
+  };
+
+  const formatPayloadMeta = (meta?: Record<string, any>) => {
+    if (!meta || Object.keys(meta).length === 0) return null;
+
+    return Object.entries(meta).map(([key, value]) => (
+      <Chip
+        key={key}
+        label={`${key}: ${String(value)}`}
+        size="small"
+        variant="outlined"
+        sx={{ mr: 0.5, mb: 0.5 }}
+      />
+    ));
+  };
+
+  const uniqueProviders = Array.from(new Set(events.map(e => e.provider_id).filter(Boolean)));
+
+  return (
+    <Paper sx={{ p: 2, height: isMobile ? 'auto' : '600px', display: 'flex', flexDirection: 'column' }}>
+      {/* Header */}
+      <Box sx={{ mb: 2, display: 'flex', alignItems: 'center', gap: 1, flexWrap: 'wrap' }}>
+        <Typography variant="h6" sx={{ display: 'flex', alignItems: 'center', gap: 1 }}>
+          <EventIcon />
+          Event Stream
+          <Badge color={isConnected ? 'success' : 'error'} variant="dot">
+            <Chip
+              size="small"
+              label={isConnected ? 'Live' : 'Disconnected'}
+              color={isConnected ? 'success' : 'error'}
+            />
+          </Badge>
+        </Typography>
+
+        <Box sx={{ flexGrow: 1 }} />
+
+        {/* Controls */}
+        <Stack direction="row" spacing={1} alignItems="center">
+          <Tooltip title={isPaused ? 'Resume stream' : 'Pause stream'}>
+            <IconButton onClick={() => setIsPaused(!isPaused)} color={isPaused ? 'primary' : 'default'}>
+              {isPaused ? <PlayIcon /> : <PauseIcon />}
+            </IconButton>
+          </Tooltip>
+
+          <Tooltip title="Refresh events">
+            <IconButton onClick={loadRecentEvents} disabled={loading}>
+              <RefreshIcon />
+            </IconButton>
+          </Tooltip>
+
+          <Tooltip title="Clear events">
+            <IconButton onClick={clearEvents}>
+              <ClearIcon />
+            </IconButton>
+          </Tooltip>
+        </Stack>
+      </Box>
+
+      {/* Filters */}
+      <Stack direction={isMobile ? 'column' : 'row'} spacing={2} sx={{ mb: 2 }}>
+        <TextField
+          select
+          size="small"
+          label="Event Type"
+          value={selectedEventType}
+          onChange={(e) => setSelectedEventType(e.target.value)}
+          sx={{ minWidth: 150 }}
+        >
+          <MenuItem value="">All Types</MenuItem>
+          {eventTypes.map((type) => (
+            <MenuItem key={type.value} value={type.value}>
+              {type.label}
+            </MenuItem>
+          ))}
+        </TextField>
+
+        <TextField
+          select
+          size="small"
+          label="Provider"
+          value={selectedProvider}
+          onChange={(e) => setSelectedProvider(e.target.value)}
+          sx={{ minWidth: 120 }}
+        >
+          <MenuItem value="">All Providers</MenuItem>
+          {uniqueProviders.map((provider) => (
+            <MenuItem key={provider} value={provider}>
+              {provider}
+            </MenuItem>
+          ))}
+        </TextField>
+
+        <TextField
+          type="number"
+          size="small"
+          label="Limit"
+          value={limit}
+          onChange={(e) => setLimit(parseInt(e.target.value) || 50)}
+          InputProps={{ inputProps: { min: 1, max: 200 } }}
+          sx={{ width: 80 }}
+        />
+
+        <FormControlLabel
+          control={
+            <Switch
+              checked={fromDatabase}
+              onChange={(e) => setFromDatabase(e.target.checked)}
+              size="small"
+            />
+          }
+          label={
+            <Box sx={{ display: 'flex', alignItems: 'center', gap: 0.5 }}>
+              {fromDatabase ? <StorageIcon fontSize="small" /> : <MemoryIcon fontSize="small" />}
+              {fromDatabase ? 'Database' : 'Memory'}
+            </Box>
+          }
+        />
+      </Stack>
+
+      {/* Error Alert */}
+      {error && (
+        <Alert severity="error" sx={{ mb: 2 }} onClose={() => setError(null)}>
+          {error}
+        </Alert>
+      )}
+
+      {/* Events List */}
+      <Box
+        ref={eventsRef}
+        sx={{
+          flexGrow: 1,
+          overflow: 'auto',
+          border: 1,
+          borderColor: 'divider',
+          borderRadius: 1,
+        }}
+      >
+        {events.length === 0 ? (
+          <Box sx={{ p: 4, textAlign: 'center', color: 'text.secondary' }}>
+            <EventIcon sx={{ fontSize: 48, mb: 1, opacity: 0.5 }} />
+            <Typography variant="body1">
+              {loading ? 'Loading events...' : 'No events to display'}
+            </Typography>
+            <Typography variant="body2">
+              {isPaused ? 'Stream is paused' : 'Events will appear here in real-time'}
+            </Typography>
+          </Box>
+        ) : (
+          <List dense>
+            {events.map((event, index) => (
+              <React.Fragment key={event.id}>
+                <ListItem alignItems="flex-start">
+                  <ListItemIcon sx={{ minWidth: 40 }}>
+                    {getEventIcon(event.type)}
+                  </ListItemIcon>
+                  <ListItemText
+                    primary={
+                      <Box sx={{ display: 'flex', alignItems: 'center', gap: 1, mb: 0.5 }}>
+                        <Chip
+                          label={event.type}
+                          size="small"
+                          color={getEventColor(event.type)}
+                          variant="outlined"
+                        />
+                        {event.provider_id && (
+                          <Chip
+                            label={event.provider_id}
+                            size="small"
+                            variant="outlined"
+                          />
+                        )}
+                      </Box>
+                    }
+                    secondary={
+                      <Box>
+                        <Typography variant="caption" color="text.secondary" display="block">
+                          {format(new Date(event.occurred_at), 'MMM dd, HH:mm:ss.SSS')}
+                          {event.job_id && ` • Job: ${event.job_id}`}
+                          {event.external_id && ` • Ext: ${event.external_id}`}
+                          {event.correlation_id && ` • Correlation: ${event.correlation_id}`}
+                        </Typography>
+                        {event.payload_meta && (
+                          <Box sx={{ mt: 0.5 }}>
+                            {formatPayloadMeta(event.payload_meta)}
+                          </Box>
+                        )}
+                      </Box>
+                    }
+                  />
+                </ListItem>
+                {index < events.length - 1 && <Divider component="li" />}
+              </React.Fragment>
+            ))}
+          </List>
+        )}
+      </Box>
+
+      {/* Footer */}
+      <Box sx={{ mt: 1, pt: 1, borderTop: 1, borderColor: 'divider' }}>
+        <Typography variant="caption" color="text.secondary">
+          Showing {events.length} events • Source: {fromDatabase ? 'Database' : 'Memory'} •
+          Stream: {isConnected ? 'Connected' : 'Disconnected'}
+        </Typography>
+      </Box>
+    </Paper>
+  );
+};
+
+export default EventStream;
\ No newline at end of file
diff --git a/api/admin_ui/src/components/ProviderHealthStatus.tsx b/api/admin_ui/src/components/ProviderHealthStatus.tsx
new file mode 100644
index 00000000..38c0502d
--- /dev/null
+++ b/api/admin_ui/src/components/ProviderHealthStatus.tsx
@@ -0,0 +1,322 @@
+import React, { useState, useEffect } from 'react';
+import {
+  Box,
+  Card,
+  CardContent,
+  Typography,
+  Chip,
+  Button,
+  IconButton,
+  Grid,
+  Alert,
+  CircularProgress,
+  Tooltip,
+  Stack,
+} from '@mui/material';
+import {
+  Refresh as RefreshIcon,
+  CheckCircle as HealthyIcon,
+  Warning as DegradedIcon,
+  Error as ErrorIcon,
+  Block as DisabledIcon,
+  PlayArrow as EnableIcon,
+  Pause as DisableIcon,
+  Timeline as ChartIcon,
+} from '@mui/icons-material';
+import { format } from 'date-fns';
+import AdminAPIClient from '../api/client';
+
+interface ProviderStatus {
+  provider_id: string;
+  provider_type: string;
+  status: 'healthy' | 'degraded' | 'circuit_open' | 'disabled';
+  failure_count: number;
+  last_success: string | null;
+  last_failure: string | null;
+  next_retry_at?: string;
+}
+
+interface HealthStatusData {
+  provider_statuses: Record<string, ProviderStatus>;
+  total_providers: number;
+  healthy_count: number;
+  degraded_count: number;
+  circuit_open_count: number;
+  disabled_count: number;
+}
+
+interface ProviderHealthStatusProps {
+  client: AdminAPIClient;
+}
+
+const ProviderHealthStatus: React.FC<ProviderHealthStatusProps> = ({ client }) => {
+
+  const [healthData, setHealthData] = useState<HealthStatusData | null>(null);
+  const [loading, setLoading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const [actionLoading, setActionLoading] = useState<string | null>(null);
+
+  const loadHealthStatus = async () => {
+    setLoading(true);
+    setError(null);
+
+    try {
+      const data = await client.getProviderHealthStatus();
+      setHealthData(data);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to load provider health status');
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  const handleProviderAction = async (providerId: string, action: 'enable' | 'disable') => {
+    setActionLoading(providerId);
+
+    try {
+      if (action === 'enable') {
+        await client.enableProvider(providerId);
+      } else {
+        await client.disableProvider(providerId);
+      }
+
+      // Refresh health status
+      await loadHealthStatus();
+    } catch (err) {
+      setError(err instanceof Error ? err.message : `Failed to ${action} provider`);
+    } finally {
+      setActionLoading(null);
+    }
+  };
+
+  useEffect(() => {
+    loadHealthStatus();
+
+    // Auto-refresh every 30 seconds
+    const interval = setInterval(loadHealthStatus, 30000);
+    return () => clearInterval(interval);
+  }, []);
+
+  const getStatusIcon = (status: ProviderStatus['status']) => {
+    switch (status) {
+      case 'healthy':
+        return <HealthyIcon color="success" />;
+      case 'degraded':
+        return <DegradedIcon color="warning" />;
+      case 'circuit_open':
+        return <ErrorIcon color="error" />;
+      case 'disabled':
+        return <DisabledIcon color="disabled" />;
+      default:
+        return <HealthyIcon />;
+    }
+  };
+
+  const getStatusColor = (status: ProviderStatus['status']): "default" | "primary" | "secondary" | "error" | "info" | "success" | "warning" => {
+    switch (status) {
+      case 'healthy':
+        return 'success';
+      case 'degraded':
+        return 'warning';
+      case 'circuit_open':
+        return 'error';
+      case 'disabled':
+        return 'default';
+      default:
+        return 'default';
+    }
+  };
+
+  const getStatusText = (status: ProviderStatus['status']) => {
+    switch (status) {
+      case 'healthy':
+        return 'Healthy';
+      case 'degraded':
+        return 'Degraded';
+      case 'circuit_open':
+        return 'Circuit Open';
+      case 'disabled':
+        return 'Disabled';
+      default:
+        return 'Unknown';
+    }
+  };
+
+  const formatTimestamp = (timestamp: string | null) => {
+    if (!timestamp) return 'Never';
+    try {
+      return format(new Date(timestamp), 'MMM dd, HH:mm:ss');
+    } catch {
+      return 'Invalid date';
+    }
+  };
+
+  if (loading && !healthData) {
+    return (
+      <Card>
+        <CardContent sx={{ display: 'flex', justifyContent: 'center', py: 4 }}>
+          <CircularProgress />
+        </CardContent>
+      </Card>
+    );
+  }
+
+  return (
+    <Box>
+      {/* Summary Cards */}
+      {healthData && (
+        <Grid container spacing={2} sx={{ mb: 3 }}>
+          <Grid item xs={6} sm={3}>
+            <Card>
+              <CardContent sx={{ textAlign: 'center', py: 2 }}>
+                <Typography variant="h4" color="text.secondary">
+                  {healthData.total_providers}
+                </Typography>
+                <Typography variant="body2" color="text.secondary">
+                  Total Providers
+                </Typography>
+              </CardContent>
+            </Card>
+          </Grid>
+          <Grid item xs={6} sm={3}>
+            <Card>
+              <CardContent sx={{ textAlign: 'center', py: 2 }}>
+                <Typography variant="h4" color="success.main">
+                  {healthData.healthy_count}
+                </Typography>
+                <Typography variant="body2" color="text.secondary">
+                  Healthy
+                </Typography>
+              </CardContent>
+            </Card>
+          </Grid>
+          <Grid item xs={6} sm={3}>
+            <Card>
+              <CardContent sx={{ textAlign: 'center', py: 2 }}>
+                <Typography variant="h4" color="warning.main">
+                  {healthData.degraded_count}
+                </Typography>
+                <Typography variant="body2" color="text.secondary">
+                  Degraded
+                </Typography>
+              </CardContent>
+            </Card>
+          </Grid>
+          <Grid item xs={6} sm={3}>
+            <Card>
+              <CardContent sx={{ textAlign: 'center', py: 2 }}>
+                <Typography variant="h4" color="error.main">
+                  {healthData.circuit_open_count + healthData.disabled_count}
+                </Typography>
+                <Typography variant="body2" color="text.secondary">
+                  Unavailable
+                </Typography>
+              </CardContent>
+            </Card>
+          </Grid>
+        </Grid>
+      )}
+
+      {/* Controls */}
+      <Box sx={{ display: 'flex', justifyContent: 'space-between', alignItems: 'center', mb: 2 }}>
+        <Typography variant="subtitle1" fontWeight={600}>
+          Provider Details
+        </Typography>
+        <Tooltip title="Refresh health status">
+          <IconButton onClick={loadHealthStatus} disabled={loading}>
+            <RefreshIcon />
+          </IconButton>
+        </Tooltip>
+      </Box>
+
+      {/* Error Alert */}
+      {error && (
+        <Alert severity="error" sx={{ mb: 2 }} onClose={() => setError(null)}>
+          {error}
+        </Alert>
+      )}
+
+      {/* Provider Details */}
+      {healthData && Object.keys(healthData.provider_statuses).length === 0 ? (
+        <Card>
+          <CardContent sx={{ textAlign: 'center', py: 4, color: 'text.secondary' }}>
+            <ChartIcon sx={{ fontSize: 48, mb: 1, opacity: 0.5 }} />
+            <Typography variant="h6">No Providers Found</Typography>
+            <Typography variant="body2">
+              Health monitoring will start when providers are available
+            </Typography>
+          </CardContent>
+        </Card>
+      ) : (
+        <Grid container spacing={2}>
+          {healthData && Object.entries(healthData.provider_statuses).map(([providerId, status]) => (
+            <Grid item xs={12} md={6} lg={4} key={providerId}>
+              <Card>
+                <CardContent>
+                  <Box sx={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', mb: 2 }}>
+                    <Box sx={{ display: 'flex', alignItems: 'center', gap: 1 }}>
+                      {getStatusIcon(status.status)}
+                      <Typography variant="h6" noWrap>
+                        {providerId}
+                      </Typography>
+                    </Box>
+                    <Chip
+                      label={getStatusText(status.status)}
+                      color={getStatusColor(status.status)}
+                      size="small"
+                    />
+                  </Box>
+
+                  <Stack spacing={1} sx={{ mb: 2 }}>
+                    <Typography variant="body2" color="text.secondary">
+                      <strong>Type:</strong> {status.provider_type}
+                    </Typography>
+                    <Typography variant="body2" color="text.secondary">
+                      <strong>Failures:</strong> {status.failure_count}
+                    </Typography>
+                    <Typography variant="body2" color="text.secondary">
+                      <strong>Last Success:</strong> {formatTimestamp(status.last_success)}
+                    </Typography>
+                    <Typography variant="body2" color="text.secondary">
+                      <strong>Last Failure:</strong> {formatTimestamp(status.last_failure)}
+                    </Typography>
+                    {status.next_retry_at && (
+                      <Typography variant="body2" color="warning.main">
+                        <strong>Next Retry:</strong> {formatTimestamp(status.next_retry_at)}
+                      </Typography>
+                    )}
+                  </Stack>
+
+                  <Stack direction="row" spacing={1}>
+                    <Button
+                      size="small"
+                      variant="outlined"
+                      color="success"
+                      disabled={status.status === 'healthy' || actionLoading === providerId}
+                      startIcon={actionLoading === providerId ? <CircularProgress size={16} /> : <EnableIcon />}
+                      onClick={() => handleProviderAction(providerId, 'enable')}
+                    >
+                      Enable
+                    </Button>
+                    <Button
+                      size="small"
+                      variant="outlined"
+                      color="error"
+                      disabled={status.status === 'disabled' || actionLoading === providerId}
+                      startIcon={<DisableIcon />}
+                      onClick={() => handleProviderAction(providerId, 'disable')}
+                    >
+                      Disable
+                    </Button>
+                  </Stack>
+                </CardContent>
+              </Card>
+            </Grid>
+          ))}
+        </Grid>
+      )}
+    </Box>
+  );
+};
+
+export default ProviderHealthStatus;
\ No newline at end of file
diff --git a/api/alembic/versions/0003_webhook_dlq.py b/api/alembic/versions/0003_webhook_dlq.py
new file mode 100644
index 00000000..d705de83
--- /dev/null
+++ b/api/alembic/versions/0003_webhook_dlq.py
@@ -0,0 +1,47 @@
+"""webhook DLQ table
+
+Revision ID: 0003
+Revises: 0002
+Create Date: 2025-09-26 10:45:00.000000
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '0003'
+down_revision = '0002'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    """Create webhook_dlq table for dead letter queue."""
+    op.create_table('webhook_dlq',
+        sa.Column('id', sa.String(40), nullable=False, primary_key=True),
+        sa.Column('provider_id', sa.String(40), nullable=False),
+        sa.Column('external_id', sa.String(100), nullable=True),
+        sa.Column('received_at', sa.DateTime(), nullable=False, server_default=sa.func.now()),
+        sa.Column('status', sa.String(20), nullable=False, server_default='queued'),
+        sa.Column('error', sa.Text(), nullable=True),
+        sa.Column('headers_meta', sa.Text(), nullable=True),
+        sa.Column('retry_count', sa.String(10), nullable=False, server_default='0'),
+        sa.Column('last_retry_at', sa.DateTime(), nullable=True),
+        sa.Column('next_retry_at', sa.DateTime(), nullable=True),
+    )
+
+    # Create indexes for efficient queries
+    op.create_index('ix_webhook_dlq_provider_id', 'webhook_dlq', ['provider_id'])
+    op.create_index('ix_webhook_dlq_status', 'webhook_dlq', ['status'])
+    op.create_index('ix_webhook_dlq_external_id', 'webhook_dlq', ['external_id'])
+    op.create_index('ix_webhook_dlq_next_retry_at', 'webhook_dlq', ['next_retry_at'])
+
+
+def downgrade():
+    """Drop webhook_dlq table."""
+    op.drop_index('ix_webhook_dlq_next_retry_at', table_name='webhook_dlq')
+    op.drop_index('ix_webhook_dlq_external_id', table_name='webhook_dlq')
+    op.drop_index('ix_webhook_dlq_status', table_name='webhook_dlq')
+    op.drop_index('ix_webhook_dlq_provider_id', table_name='webhook_dlq')
+    op.drop_table('webhook_dlq')
\ No newline at end of file
diff --git a/api/app/db.py b/api/app/db.py
index bf5089f1..9d39c21a 100644
--- a/api/app/db.py
+++ b/api/app/db.py
@@ -113,6 +113,7 @@ def init_db():
     _rebind_engine_if_needed()
     Base.metadata.create_all(engine)
     _ensure_optional_columns()
+    _ensure_dlq_table()
 
 
 def _ensure_optional_columns() -> None:
@@ -171,3 +172,69 @@ def _ensure_optional_columns() -> None:
     except Exception:
         # Do not block startup on migration best-effort failures
         pass
+
+
+def _ensure_dlq_table() -> None:
+    """Ensure webhook_dlq table exists (Phase 3 PR20)."""
+    try:
+        with engine.begin() as conn:
+            dialect = engine.dialect.name
+            if dialect == 'sqlite':
+                # Check if table exists
+                result = conn.exec_driver_sql("SELECT name FROM sqlite_master WHERE type='table' AND name='webhook_dlq'")
+                if not result.fetchone():
+                    # Create table
+                    conn.exec_driver_sql("""
+                        CREATE TABLE webhook_dlq (
+                            id VARCHAR(40) NOT NULL PRIMARY KEY,
+                            provider_id VARCHAR(40) NOT NULL,
+                            external_id VARCHAR(100),
+                            received_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+                            status VARCHAR(20) NOT NULL DEFAULT 'queued',
+                            error TEXT,
+                            headers_meta TEXT,
+                            retry_count VARCHAR(10) NOT NULL DEFAULT '0',
+                            last_retry_at DATETIME,
+                            next_retry_at DATETIME
+                        )
+                    """)
+                    # Create indexes
+                    conn.exec_driver_sql("CREATE INDEX ix_webhook_dlq_provider_id ON webhook_dlq (provider_id)")
+                    conn.exec_driver_sql("CREATE INDEX ix_webhook_dlq_status ON webhook_dlq (status)")
+                    conn.exec_driver_sql("CREATE INDEX ix_webhook_dlq_external_id ON webhook_dlq (external_id)")
+                    conn.exec_driver_sql("CREATE INDEX ix_webhook_dlq_next_retry_at ON webhook_dlq (next_retry_at)")
+            else:
+                # PostgreSQL - best effort
+                try:
+                    conn.exec_driver_sql("""
+                        CREATE TABLE IF NOT EXISTS webhook_dlq (
+                            id VARCHAR(40) NOT NULL PRIMARY KEY,
+                            provider_id VARCHAR(40) NOT NULL,
+                            external_id VARCHAR(100),
+                            received_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+                            status VARCHAR(20) NOT NULL DEFAULT 'queued',
+                            error TEXT,
+                            headers_meta TEXT,
+                            retry_count VARCHAR(10) NOT NULL DEFAULT '0',
+                            last_retry_at TIMESTAMP,
+                            next_retry_at TIMESTAMP
+                        )
+                    """)
+                    # Create indexes if not exists
+                    conn.exec_driver_sql("CREATE INDEX IF NOT EXISTS ix_webhook_dlq_provider_id ON webhook_dlq (provider_id)")
+                    conn.exec_driver_sql("CREATE INDEX IF NOT EXISTS ix_webhook_dlq_status ON webhook_dlq (status)")
+                    conn.exec_driver_sql("CREATE INDEX IF NOT EXISTS ix_webhook_dlq_external_id ON webhook_dlq (external_id)")
+                    conn.exec_driver_sql("CREATE INDEX IF NOT EXISTS ix_webhook_dlq_next_retry_at ON webhook_dlq (next_retry_at)")
+                except Exception:
+                    pass
+    except Exception:
+        # Don't fail startup if DLQ table creation fails
+        pass
+
+
+# Import models for alembic auto-detection
+try:
+    from .models.webhook_dlq import WebhookDLQ  # noqa: F401
+except ImportError:
+    # Model not available in all environments
+    pass
diff --git a/api/app/main.py b/api/app/main.py
index 5802e262..b5353c23 100644
--- a/api/app/main.py
+++ b/api/app/main.py
@@ -24,6 +24,9 @@
 from .db import init_db, SessionLocal, FaxJob
 from .db import InboundEvent  # for idempotency (provider_sid + event_type)
 from .models import FaxJobOut
+from .models.events import CanonicalEventDB  # Import to register with metadata
+from .models.config import ConfigGlobal, ConfigTenant, ConfigDepartment, ConfigGroup, ConfigUser, ConfigAudit  # Import to register with metadata
+from .monitoring.health import ProviderHealthMonitor
 from .conversion import ensure_dir, txt_to_pdf, pdf_to_tiff
 from .ami import ami_client
 from .phaxio_service import get_phaxio_service
@@ -117,10 +120,12 @@ def _inbound_dedupe(provider_id: str, external_id: str, window_sec: int = 600) -
             _inbound_seen.pop(k, None)
         key = f"{provider_id}:{external_id}"
         ts = _inbound_seen.get(key)
-    if ts and ts >= cutoff:
-        return True
+        if ts and ts >= cutoff:
+            return True
         _inbound_seen[key] = now
-    return False
+        return False
+    except Exception:
+        return False
 
 # ===== Phase 3: optional hierarchical config bootstrap (lazy) =====
 try:
@@ -134,7 +139,7 @@ def _inbound_dedupe(provider_id: str, external_id: str, window_sec: int = 600) -
         app.state.hierarchical_config = HierarchicalConfigProvider(_cmk, cache_manager=_cache)  # type: ignore[attr-defined]
     else:
         # Expose None if not configured; Admin endpoints will be added in Phase 3 PRs
-    app.state.hierarchical_config = None  # type: ignore[attr-defined]
+        app.state.hierarchical_config = None  # type: ignore[attr-defined]
 except Exception:
     # Do not block startup; Phase 3 endpoints will check availability
     app.state.hierarchical_config = None  # type: ignore[attr-defined]
@@ -240,8 +245,22 @@ async def v4_config_flush_cache(scope: Optional[str] = None):
 except Exception:
     # Non-fatal if SSE deps missing
     pass
-    except Exception:
-        return False
+
+# Provider health management router
+try:
+    from .routers import admin_providers as _providers
+    app.include_router(_providers.router)
+except Exception:
+    # Non-fatal if health monitoring deps missing
+    pass
+
+# Webhook hardening router (DLQ + idempotency)
+try:
+    from .routers import webhooks_v2 as _webhooks_v2
+    app.include_router(_webhooks_v2.router)
+except Exception:
+    # Non-fatal if webhook processor deps missing
+    pass
 
 # Send-side idempotency (Idempotency-Key header) — 10 minute window
 _send_idempotency: dict[str, tuple[str, int]] = {}
@@ -564,6 +583,77 @@ async def on_startup():
     except Exception:
         pass
 
+    # Initialize and start provider health monitoring (Phase 3)
+    try:
+        from .config.hierarchical_provider import get_hierarchical_config_provider
+
+        # Get or create event emitter
+        event_emitter = getattr(app.state, "event_emitter", None)
+
+        # Get hierarchical config provider if available
+        config_provider = None
+        try:
+            config_provider = get_hierarchical_config_provider()
+        except Exception:
+            pass
+
+        # Initialize health monitor
+        health_monitor = ProviderHealthMonitor(
+            plugin_manager=None,  # Plugin manager integration will come in later phases
+            event_emitter=event_emitter,
+            config_provider=config_provider
+        )
+
+        # Store in app state for access by other components
+        app.state.health_monitor = health_monitor
+
+        # Start monitoring
+        asyncio.create_task(health_monitor.start_monitoring())
+
+    except Exception as e:
+        # Don't fail startup if health monitoring can't be initialized
+        print(f"[warn] Provider health monitoring initialization failed: {e}")
+        pass
+
+    # Initialize DLQ processor for webhook retries
+    try:
+        from .services.webhook_processor import WebhookProcessor
+        webhook_processor = WebhookProcessor(
+            plugin_manager=plugin_manager,
+            event_emitter=get_event_emitter(),
+            config_provider=get_config_provider()
+        )
+        app.state.webhook_processor = webhook_processor
+
+        # Start DLQ retry processing (runs every 5 minutes)
+        async def dlq_retry_loop():
+            import asyncio
+            while True:
+                try:
+                    await webhook_processor.retry_dlq_entries(max_retries=3)
+                    webhook_processor.clear_idempotency_cache(older_than_minutes=60)
+                except Exception as e:
+                    print(f"[warn] DLQ retry processing error: {e}")
+                await asyncio.sleep(300)  # 5 minutes
+
+        asyncio.create_task(dlq_retry_loop())
+    except Exception as e:
+        # Don't fail startup if DLQ processing can't be initialized
+        print(f"[warn] Webhook DLQ processor initialization failed: {e}")
+        pass
+
+
+@app.on_event("shutdown")
+async def on_shutdown():
+    """Clean shutdown of background services."""
+    # Stop health monitoring
+    try:
+        health_monitor = getattr(app.state, "health_monitor", None)
+        if health_monitor:
+            await health_monitor.stop_monitoring()
+    except Exception as e:
+        print(f"[warn] Error stopping health monitor: {e}")
+
 
 def _handle_fax_result(event):
     job_id = event.get("JobID") or event.get("jobid")
@@ -922,6 +1012,25 @@ async def admin_import_env(request: Request):
     return {"ok": True, "discovered": count, "prefixes": prefixes}
 
 
+# Dependency functions for webhook processor
+def get_plugin_manager():
+    """Get the plugin manager instance."""
+    return plugin_manager
+
+def get_event_emitter():
+    """Get the event emitter instance."""
+    if not hasattr(app.state, "event_emitter") or app.state.event_emitter is None:
+        from .services.events import EventEmitter
+        app.state.event_emitter = EventEmitter()
+    return app.state.event_emitter
+
+def get_config_provider():
+    """Get the hierarchical config provider instance."""
+    if hasattr(app.state, "hierarchical_config") and app.state.hierarchical_config:
+        return app.state.hierarchical_config
+    # Fallback to basic HybridConfigProvider
+    return settings
+
 # Provider traits and active backends — lightweight helper for clients
 @app.get("/admin/providers", dependencies=[Depends(require_admin)])
 def get_admin_providers():
diff --git a/api/app/models/events.py b/api/app/models/events.py
new file mode 100644
index 00000000..08adac9d
--- /dev/null
+++ b/api/app/models/events.py
@@ -0,0 +1,45 @@
+"""
+Database models for canonical events with PHI-safe audit trail.
+
+Events capture system state changes without sensitive data,
+enabling diagnostics and monitoring while maintaining HIPAA compliance.
+"""
+
+from datetime import datetime
+from sqlalchemy import Column, String, Text, DateTime, JSON, Index
+from sqlalchemy.sql import func
+
+# Import Base from the same module that other models use
+from ..db import Base
+
+
+class CanonicalEventDB(Base):  # type: ignore
+    """Persistent storage for canonical events (PHI-free)."""
+    __tablename__ = "canonical_events"
+
+    # Event identification
+    id = Column(String(40), primary_key=True, nullable=False)
+    type = Column(String(50), nullable=False)
+    occurred_at = Column(DateTime(), nullable=False, server_default=func.now())
+
+    # Event context (no PHI)
+    job_id = Column(String(40), nullable=True)
+    provider_id = Column(String(50), nullable=True)
+    external_id = Column(String(100), nullable=True)
+    user_id = Column(String(100), nullable=True)
+
+    # Correlation and metadata (PHI-free JSON)
+    correlation_id = Column(String(40), nullable=True)
+    payload_meta = Column(JSON, nullable=True)
+
+    # Audit tracking
+    created_at = Column(DateTime(), nullable=False, server_default=func.now())
+
+    __table_args__ = (
+        Index('idx_events_type', 'type'),
+        Index('idx_events_provider', 'provider_id'),
+        Index('idx_events_job', 'job_id'),
+        Index('idx_events_occurred', 'occurred_at'),
+        Index('idx_events_correlation', 'correlation_id'),
+        Index('idx_events_user', 'user_id'),
+    )
\ No newline at end of file
diff --git a/api/app/models/webhook_dlq.py b/api/app/models/webhook_dlq.py
new file mode 100644
index 00000000..4663f648
--- /dev/null
+++ b/api/app/models/webhook_dlq.py
@@ -0,0 +1,90 @@
+"""
+Webhook Dead Letter Queue (DLQ) model for failed webhook processing.
+
+The DLQ captures webhook callbacks that fail to process after retry attempts,
+storing essential metadata for debugging and reprocessing.
+"""
+
+from sqlalchemy import Column, String, Text, DateTime, func
+import uuid
+from datetime import datetime
+from typing import Dict, Any, Optional
+import json
+
+from api.app.db import Base
+
+
+class WebhookDLQ(Base):
+    """
+    Dead Letter Queue entry for failed webhook processing.
+
+    This table stores webhook callbacks that could not be processed
+    successfully after exhausting retry attempts. Only safe header
+    metadata is persisted - no Authorization headers or sensitive data.
+    """
+    __tablename__ = "webhook_dlq"
+
+    id = Column(String(40), primary_key=True, nullable=False)
+    provider_id = Column(String(40), nullable=False)
+    external_id = Column(String(100), nullable=True)
+    received_at = Column(DateTime(), nullable=False, server_default=func.now())
+    status = Column(String(20), nullable=False, default='queued')  # queued|retrying|failed
+    error = Column(Text(), nullable=True)
+    headers_meta = Column(Text(), nullable=True)  # JSON; ALLOWLIST ONLY
+
+    # Retry tracking
+    retry_count = Column(String(10), nullable=False, default='0')
+    last_retry_at = Column(DateTime(), nullable=True)
+    next_retry_at = Column(DateTime(), nullable=True)
+
+    def __init__(self, provider_id: str, external_id: Optional[str] = None,
+                 error: Optional[str] = None, headers_meta: Optional[Dict[str, Any]] = None,
+                 **kwargs):
+        self.id = kwargs.get('id', f'dlq_{uuid.uuid4().hex}')
+        self.provider_id = provider_id
+        self.external_id = external_id
+        self.error = error
+        self.headers_meta = json.dumps(headers_meta) if headers_meta else None
+        self.status = kwargs.get('status', 'queued')
+        self.retry_count = str(kwargs.get('retry_count', 0))
+
+    @classmethod
+    def create_safe_headers_meta(cls, headers: Dict[str, str]) -> Dict[str, str]:
+        """
+        Create safe headers metadata by allowlisting only non-sensitive headers.
+
+        Security: Never persist Authorization, secrets, or other sensitive headers.
+        """
+        ALLOWED_HEADERS = {
+            "user-agent", "content-type", "content-length",
+            "x-request-id", "x-signature", "x-timestamp",
+            "x-phaxio-signature", "x-sinch-signature"
+        }
+
+        return {
+            k: v for k, v in headers.items()
+            if k.lower() in ALLOWED_HEADERS
+        }
+
+    def get_headers_meta(self) -> Dict[str, Any]:
+        """Get parsed headers metadata."""
+        if not self.headers_meta:
+            return {}
+        try:
+            return json.loads(self.headers_meta)
+        except (json.JSONDecodeError, TypeError):
+            return {}
+
+    def increment_retry(self, next_retry_at: Optional[datetime] = None):
+        """Increment retry count and update retry timestamps."""
+        self.retry_count = str(int(self.retry_count) + 1)
+        self.last_retry_at = datetime.utcnow()
+        if next_retry_at:
+            self.next_retry_at = next_retry_at
+            self.status = 'retrying'
+
+    def mark_failed(self, error: str):
+        """Mark the DLQ entry as permanently failed."""
+        self.status = 'failed'
+        self.error = error
+        self.next_retry_at = None
\ No newline at end of file
diff --git a/api/app/monitoring/health.py b/api/app/monitoring/health.py
index dbfe0af1..38be7033 100644
--- a/api/app/monitoring/health.py
+++ b/api/app/monitoring/health.py
@@ -1,9 +1,378 @@
+import asyncio
+import logging
+from datetime import datetime, timedelta
+from typing import Dict, List, Optional, Literal, Any
+from dataclasses import dataclass, field
+from enum import Enum
+
+from api.app.services.events import EventEmitter, EventType
+from api.app.config.hierarchical_provider import HierarchicalConfigProvider
+
+logger = logging.getLogger(__name__)
+
+ProviderStatus = Literal['healthy', 'degraded', 'circuit_open', 'disabled']
+
+
+@dataclass
+class HealthCheck:
+    """Provider health check result."""
+    provider_id: str
+    provider_type: str
+    success: bool
+    response_time_ms: float
+    details: Dict[str, Any] = field(default_factory=dict)
+    error: Optional[str] = None
+    checked_at: datetime = field(default_factory=datetime.utcnow)
+
+
+@dataclass
+class CircuitBreakerState:
+    """Circuit breaker state for a provider."""
+    provider_id: str
+    status: ProviderStatus = 'healthy'
+    failure_count: int = 0
+    last_failure_time: Optional[datetime] = None
+    last_success_time: Optional[datetime] = None
+    circuit_opened_at: Optional[datetime] = None
+    next_retry_at: Optional[datetime] = None
+    failure_threshold: int = 5
+    recovery_timeout_seconds: int = 60
+    health_check_interval_seconds: int = 300
+
+    def should_allow_request(self) -> bool:
+        """Check if requests should be allowed through circuit breaker."""
+        now = datetime.utcnow()
+
+        if self.status == 'healthy':
+            return True
+        elif self.status == 'degraded':
+            return True  # Allow with warnings
+        elif self.status == 'circuit_open':
+            # Check if we should try to recover
+            if self.next_retry_at and now >= self.next_retry_at:
+                return True  # Try one request
+            return False
+        elif self.status == 'disabled':
+            return False
+
+        return False
+
+    def record_success(self):
+        """Record successful request."""
+        self.last_success_time = datetime.utcnow()
+        if self.status == 'circuit_open':
+            # Circuit breaker recovery
+            self.status = 'healthy'
+            self.failure_count = 0
+            self.circuit_opened_at = None
+            self.next_retry_at = None
+        elif self.status == 'degraded' and self.failure_count > 0:
+            self.failure_count = max(0, self.failure_count - 1)
+            if self.failure_count == 0:
+                self.status = 'healthy'
+
+    def record_failure(self, error: str):
+        """Record failed request."""
+        now = datetime.utcnow()
+        self.last_failure_time = now
+        self.failure_count += 1
+
+        if self.failure_count >= self.failure_threshold:
+            if self.status != 'circuit_open':
+                self.status = 'circuit_open'
+                self.circuit_opened_at = now
+                self.next_retry_at = now + timedelta(seconds=self.recovery_timeout_seconds)
+        elif self.failure_count >= self.failure_threshold // 2:
+            if self.status == 'healthy':
+                self.status = 'degraded'
+
+
 class ProviderHealthMonitor:
-    """Minimal health monitor stub for CI guardrail checks.
+    """Monitor provider health with circuit breaker functionality."""
+
+    def __init__(
+        self,
+        plugin_manager=None,
+        event_emitter: Optional[EventEmitter] = None,
+        config_provider: Optional[HierarchicalConfigProvider] = None
+    ):
+        self.plugin_manager = plugin_manager
+        self.event_emitter = event_emitter
+        self.config_provider = config_provider
+        self.circuit_states: Dict[str, CircuitBreakerState] = {}
+        self.health_check_task: Optional[asyncio.Task] = None
+        self.running = False
+
+    async def start_monitoring(self):
+        """Start background health monitoring."""
+        if self.running:
+            return
+
+        self.running = True
+        self.health_check_task = asyncio.create_task(self._health_check_loop())
+        logger.info("Provider health monitoring started")
+
+    async def stop_monitoring(self):
+        """Stop background health monitoring."""
+        self.running = False
+        if self.health_check_task:
+            self.health_check_task.cancel()
+            try:
+                await self.health_check_task
+            except asyncio.CancelledError:
+                pass
+        logger.info("Provider health monitoring stopped")
+
+    async def _health_check_loop(self):
+        """Background loop for health checks."""
+        while self.running:
+            try:
+                await self._perform_health_checks()
+
+                # Get check interval from config
+                interval = await self._get_health_check_interval()
+                await asyncio.sleep(interval)
+
+            except asyncio.CancelledError:
+                break
+            except Exception as e:
+                logger.error(f"Health check loop error: {e}")
+                await asyncio.sleep(60)  # Back off on error
+
+    async def _perform_health_checks(self):
+        """Perform health checks on all providers."""
+        if not self.plugin_manager:
+            return
+
+        try:
+            # Get transport plugins from plugin manager
+            transport_plugins = getattr(self.plugin_manager, 'get_plugins_by_type', lambda x: {})('transport')
+
+            if not transport_plugins:
+                # Fallback: simulate providers for testing
+                transport_plugins = {
+                    'test': type('TestPlugin', (), {
+                        'plugin_type': 'transport',
+                        'check_health': lambda: {'ok': True, 'details': {'method': 'test'}}
+                    })()
+                }
+
+            for provider_id, plugin in transport_plugins.items():
+                try:
+                    health_check = await self._check_provider_health(provider_id, plugin)
+                    await self._update_circuit_breaker(health_check)
+
+                except Exception as e:
+                    logger.error(f"Provider health check error for {provider_id}: {e}")
+        except Exception as e:
+            logger.error(f"Failed to get transport plugins: {e}")
+
+    async def _check_provider_health(self, provider_id: str, plugin) -> HealthCheck:
+        """Check health of a specific provider."""
+        start_time = datetime.utcnow()
+
+        try:
+            # Check if provider has health check method
+            if hasattr(plugin, 'check_health'):
+                if asyncio.iscoroutinefunction(plugin.check_health):
+                    result = await plugin.check_health()
+                else:
+                    result = plugin.check_health()
+                response_time = (datetime.utcnow() - start_time).total_seconds() * 1000
+
+                return HealthCheck(
+                    provider_id=provider_id,
+                    provider_type=getattr(plugin, 'plugin_type', 'transport'),
+                    success=result.get('ok', False),
+                    response_time_ms=response_time,
+                    details=result.get('details', {}),
+                    error=result.get('error')
+                )
+            else:
+                # No health check method - assume healthy if plugin loaded
+                return HealthCheck(
+                    provider_id=provider_id,
+                    provider_type=getattr(plugin, 'plugin_type', 'transport'),
+                    success=True,
+                    response_time_ms=0,
+                    details={'method': 'plugin_loaded_check'}
+                )
+
+        except Exception as e:
+            response_time = (datetime.utcnow() - start_time).total_seconds() * 1000
+            return HealthCheck(
+                provider_id=provider_id,
+                provider_type=getattr(plugin, 'plugin_type', 'transport'),
+                success=False,
+                response_time_ms=response_time,
+                error=str(e)
+            )
+
+    async def _update_circuit_breaker(self, health_check: HealthCheck):
+        """Update circuit breaker state based on health check."""
+        provider_id = health_check.provider_id
+
+        # Get or create circuit breaker state
+        if provider_id not in self.circuit_states:
+            self.circuit_states[provider_id] = CircuitBreakerState(
+                provider_id=provider_id,
+                failure_threshold=await self._get_circuit_breaker_threshold(provider_id),
+                recovery_timeout_seconds=await self._get_circuit_breaker_timeout(provider_id)
+            )
+
+        circuit_state = self.circuit_states[provider_id]
+        old_status = circuit_state.status
+
+        if health_check.success:
+            circuit_state.record_success()
+        else:
+            circuit_state.record_failure(health_check.error or 'Health check failed')
+
+        # Emit event if status changed
+        if circuit_state.status != old_status and self.event_emitter:
+            await self.event_emitter.emit_event(
+                EventType.PROVIDER_HEALTH_CHANGED,
+                provider_id=provider_id,
+                payload_meta={
+                    'old_status': old_status,
+                    'new_status': circuit_state.status,
+                    'failure_count': circuit_state.failure_count,
+                    'response_time_ms': health_check.response_time_ms
+                }
+            )
+
+            logger.info(f"Provider {provider_id} status changed: {old_status} -> {circuit_state.status}")
+
+    async def _get_health_check_interval(self) -> int:
+        """Get health check interval from configuration."""
+        try:
+            if self.config_provider:
+                system_ctx = {'user_id': 'system', 'groups': [], 'department': None, 'tenant_id': None}
+                result = await self.config_provider.get_effective('provider.health_check_interval', system_ctx)
+                return int(result.value) if result else 300
+        except Exception:
+            pass
+        return 300  # 5 minutes default
+
+    async def _get_circuit_breaker_threshold(self, provider_id: str) -> int:
+        """Get circuit breaker threshold for provider."""
+        try:
+            if self.config_provider:
+                system_ctx = {'user_id': 'system', 'groups': [], 'department': None, 'tenant_id': None}
+                key = f'provider.{provider_id}.circuit_breaker_threshold'
+                result = await self.config_provider.get_effective(key, system_ctx)
+                return int(result.value) if result else 5
+        except Exception:
+            pass
+        return 5  # Default threshold
+
+    async def _get_circuit_breaker_timeout(self, provider_id: str) -> int:
+        """Get circuit breaker recovery timeout for provider."""
+        try:
+            if self.config_provider:
+                system_ctx = {'user_id': 'system', 'groups': [], 'department': None, 'tenant_id': None}
+                key = f'provider.{provider_id}.circuit_breaker_timeout'
+                result = await self.config_provider.get_effective(key, system_ctx)
+                return int(result.value) if result else 60
+        except Exception:
+            pass
+        return 60  # Default 1 minute
+
+    def should_allow_request(self, provider_id: str) -> bool:
+        """Check if provider should receive requests."""
+        if provider_id not in self.circuit_states:
+            return True  # No circuit breaker info, allow by default
+
+        return self.circuit_states[provider_id].should_allow_request()
+
+    def record_request_result(self, provider_id: str, success: bool, error: str = None):
+        """Record result of provider request (for circuit breaker)."""
+        if provider_id not in self.circuit_states:
+            self.circuit_states[provider_id] = CircuitBreakerState(provider_id=provider_id)
+
+        circuit_state = self.circuit_states[provider_id]
+        old_status = circuit_state.status
+
+        if success:
+            circuit_state.record_success()
+        else:
+            circuit_state.record_failure(error or 'Request failed')
+
+        # Emit event if status changed (async fire-and-forget)
+        if circuit_state.status != old_status and self.event_emitter:
+            asyncio.create_task(self.event_emitter.emit_event(
+                EventType.PROVIDER_HEALTH_CHANGED,
+                provider_id=provider_id,
+                payload_meta={
+                    'old_status': old_status,
+                    'new_status': circuit_state.status,
+                    'trigger': 'request_result'
+                }
+            ))
+
+    async def get_provider_statuses(self) -> Dict[str, Dict]:
+        """Get current status of all providers."""
+        statuses = {}
+
+        # Include all known providers from circuit states
+        for provider_id, circuit_state in self.circuit_states.items():
+            status_info = {
+                'provider_id': provider_id,
+                'provider_type': 'transport',
+                'status': circuit_state.status,
+                'failure_count': circuit_state.failure_count,
+                'last_success': circuit_state.last_success_time.isoformat() if circuit_state.last_success_time else None,
+                'last_failure': circuit_state.last_failure_time.isoformat() if circuit_state.last_failure_time else None,
+            }
+
+            if circuit_state.status == 'circuit_open':
+                status_info['next_retry_at'] = circuit_state.next_retry_at.isoformat() if circuit_state.next_retry_at else None
+
+            statuses[provider_id] = status_info
+
+        return statuses
+
+    async def manual_enable_provider(self, provider_id: str):
+        """Manually enable a provider (admin action)."""
+        if provider_id in self.circuit_states:
+            old_status = self.circuit_states[provider_id].status
+            self.circuit_states[provider_id].status = 'healthy'
+            self.circuit_states[provider_id].failure_count = 0
+            self.circuit_states[provider_id].circuit_opened_at = None
+            self.circuit_states[provider_id].next_retry_at = None
+
+            if self.event_emitter:
+                await self.event_emitter.emit_event(
+                    EventType.PROVIDER_ENABLED,
+                    provider_id=provider_id,
+                    payload_meta={
+                        'old_status': old_status,
+                        'new_status': 'healthy',
+                        'trigger': 'manual_enable'
+                    }
+                )
+
+            logger.info(f"Provider {provider_id} manually enabled")
+
+    async def manual_disable_provider(self, provider_id: str):
+        """Manually disable a provider (admin action)."""
+        if provider_id not in self.circuit_states:
+            self.circuit_states[provider_id] = CircuitBreakerState(provider_id=provider_id)
+
+        old_status = self.circuit_states[provider_id].status
+        self.circuit_states[provider_id].status = 'disabled'
+
+        if self.event_emitter:
+            await self.event_emitter.emit_event(
+                EventType.PROVIDER_DISABLED,
+                provider_id=provider_id,
+                payload_meta={
+                    'old_status': old_status,
+                    'new_status': 'disabled',
+                    'trigger': 'manual_disable'
+                }
+            )
 
-    In Phase-3 this will be replaced by the real monitor/circuit breaker.
-    """
+        logger.info(f"Provider {provider_id} manually disabled")
 
-    def __init__(self) -> None:
-        pass
 
diff --git a/api/app/plugins/transport/shims/test/plugin.py b/api/app/plugins/transport/shims/test/plugin.py
new file mode 100644
index 00000000..d73a6546
--- /dev/null
+++ b/api/app/plugins/transport/shims/test/plugin.py
@@ -0,0 +1,19 @@
+from typing import Dict, Any
+from datetime import datetime
+
+class Plugin:
+    plugin_type = "transport"
+    plugin_id = "test"
+
+    async def initialize(self, config: Dict[str, Any]) -> None:
+        return
+
+    async def send_fax(self, to_number: str, file_path: str, **kwargs) -> Dict[str, Any]:
+        return {
+            "job_id": f"test-{int(datetime.utcnow().timestamp())}",
+            "provider_sid": "test-sid",
+            "status": "queued",
+            "to_number": to_number,
+            "provider": "test",
+            "metadata": {"note": "dummy-transport"}
+        }
diff --git a/api/app/plugins/transport/test/manifest.json b/api/app/plugins/transport/test/manifest.json
new file mode 100644
index 00000000..40eae0a4
--- /dev/null
+++ b/api/app/plugins/transport/test/manifest.json
@@ -0,0 +1,15 @@
+{
+    "id": "test",
+    "name": "Test Transport",
+    "version": "1.0.0",
+    "type": "transport",
+    "traits": {
+      "send_fax": true,
+      "status_callback": false,
+      "inbound_supported": false,
+      "webhook": { "path": "/callbacks/test", "verification": "none" },
+      "auth": { "methods": [] }
+    },
+    "config_schema": { "type": "object", "properties": {} }
+  }
+  
\ No newline at end of file
diff --git a/api/app/routers/admin_diagnostics.py b/api/app/routers/admin_diagnostics.py
index 0c76931d..9558c120 100644
--- a/api/app/routers/admin_diagnostics.py
+++ b/api/app/routers/admin_diagnostics.py
@@ -1,6 +1,7 @@
+import asyncio
 from typing import Optional
 
-from fastapi import APIRouter, Depends, HTTPException
+from fastapi import APIRouter, Depends, HTTPException, Query
 from fastapi import Request
 from sse_starlette.sse import EventSourceResponse  # type: ignore
 
@@ -12,9 +13,21 @@
 
 
 @router.get("/events/recent")
-async def recent_events(request: Request, limit: int = 50, provider_id: Optional[str] = None):
+async def recent_events(
+    request: Request,
+    limit: int = 50,
+    provider_id: Optional[str] = None,
+    event_type: Optional[str] = None,
+    from_db: bool = False
+):
+    """Get recent events with filtering options."""
     emitter: EventEmitter = request.app.state.event_emitter  # type: ignore
-    events = await emitter.get_recent_events(limit=limit, provider_id=provider_id)
+    events = await emitter.get_recent_events(
+        limit=limit,
+        provider_id=provider_id,
+        event_type=event_type,
+        from_db=from_db
+    )
     return {
         "events": [
             {
@@ -24,24 +37,38 @@ async def recent_events(request: Request, limit: int = 50, provider_id: Optional
                 "provider_id": e.provider_id,
                 "external_id": e.external_id,
                 "job_id": e.job_id,
+                "user_id": e.user_id,
                 "payload_meta": e.payload_meta,
+                "correlation_id": e.correlation_id,
             }
             for e in events
         ],
         "total": len(events),
+        "source": "database" if from_db else "memory",
     }
 
 
 @router.get("/events/sse")
-async def events_sse(request: Request):
+async def events_sse(
+    request: Request,
+    admin_auth = Depends(require_admin)
+):
+    """Server-Sent Events stream for real-time event monitoring."""
     emitter: EventEmitter = request.app.state.event_emitter  # type: ignore
     queue = await emitter.add_subscriber()
 
     async def event_stream():
         try:
+            # Send initial keepalive
+            yield {"event": "connected", "data": '{"status": "connected"}'}
+
             while True:
-                msg = await queue.get()
-                yield {"event": "event", "data": msg}
+                try:
+                    msg = await asyncio.wait_for(queue.get(), timeout=30.0)
+                    yield {"event": "event", "data": msg}
+                except asyncio.TimeoutError:
+                    # Send keepalive every 30 seconds
+                    yield {"event": "keepalive", "data": '{"ping": true}'}
         except Exception:
             pass
         finally:
@@ -49,3 +76,16 @@ async def event_stream():
 
     return EventSourceResponse(event_stream())
 
+
+@router.get("/events/types")
+async def get_event_types():
+    """Get available event types for filtering."""
+    from api.app.services.events import EventType
+
+    return {
+        "event_types": [
+            {"value": event_type.value, "label": event_type.value.replace(".", " ").title()}
+            for event_type in EventType
+        ]
+    }
+
diff --git a/api/app/routers/admin_providers.py b/api/app/routers/admin_providers.py
new file mode 100644
index 00000000..562e7d0c
--- /dev/null
+++ b/api/app/routers/admin_providers.py
@@ -0,0 +1,153 @@
+"""
+Admin endpoints for provider health monitoring and circuit breaker management.
+
+Provides APIs for:
+- Getting provider health status
+- Manual enable/disable controls
+- Circuit breaker configuration
+"""
+
+from typing import Optional, Dict, Any
+from fastapi import APIRouter, Depends, HTTPException, Request
+from pydantic import BaseModel
+
+from api.app.main import require_admin
+from api.app.monitoring.health import ProviderHealthMonitor
+
+
+router = APIRouter(prefix="/admin/providers", tags=["Provider Health"], dependencies=[Depends(require_admin)])
+
+
+class ProviderStatusResponse(BaseModel):
+    provider_statuses: Dict[str, Dict[str, Any]]
+    total_providers: int
+    healthy_count: int
+    degraded_count: int
+    circuit_open_count: int
+    disabled_count: int
+
+
+class ProviderActionRequest(BaseModel):
+    provider_id: str
+
+
+class ProviderActionResponse(BaseModel):
+    success: bool
+    provider_id: str
+    new_status: str
+    message: Optional[str] = None
+
+
+@router.get("/health", response_model=ProviderStatusResponse)
+async def get_provider_health_status(request: Request):
+    """Get health status of all providers."""
+    health_monitor: ProviderHealthMonitor = getattr(request.app.state, "health_monitor", None)
+
+    if not health_monitor:
+        raise HTTPException(status_code=503, detail="Health monitor not available")
+
+    provider_statuses = await health_monitor.get_provider_statuses()
+
+    # Calculate summary stats
+    status_counts = {
+        'healthy': 0,
+        'degraded': 0,
+        'circuit_open': 0,
+        'disabled': 0
+    }
+
+    for status_info in provider_statuses.values():
+        status = status_info.get('status', 'healthy')
+        if status in status_counts:
+            status_counts[status] += 1
+
+    return ProviderStatusResponse(
+        provider_statuses=provider_statuses,
+        total_providers=len(provider_statuses),
+        healthy_count=status_counts['healthy'],
+        degraded_count=status_counts['degraded'],
+        circuit_open_count=status_counts['circuit_open'],
+        disabled_count=status_counts['disabled']
+    )
+
+
+@router.post("/enable", response_model=ProviderActionResponse)
+async def enable_provider(request: Request, action_request: ProviderActionRequest):
+    """Manually enable a provider (reset circuit breaker)."""
+    health_monitor: ProviderHealthMonitor = getattr(request.app.state, "health_monitor", None)
+
+    if not health_monitor:
+        raise HTTPException(status_code=503, detail="Health monitor not available")
+
+    try:
+        await health_monitor.manual_enable_provider(action_request.provider_id)
+
+        return ProviderActionResponse(
+            success=True,
+            provider_id=action_request.provider_id,
+            new_status="healthy",
+            message=f"Provider {action_request.provider_id} has been enabled and circuit breaker reset"
+        )
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"Failed to enable provider: {str(e)}")
+
+
+@router.post("/disable", response_model=ProviderActionResponse)
+async def disable_provider(request: Request, action_request: ProviderActionRequest):
+    """Manually disable a provider."""
+    health_monitor: ProviderHealthMonitor = getattr(request.app.state, "health_monitor", None)
+
+    if not health_monitor:
+        raise HTTPException(status_code=503, detail="Health monitor not available")
+
+    try:
+        await health_monitor.manual_disable_provider(action_request.provider_id)
+
+        return ProviderActionResponse(
+            success=True,
+            provider_id=action_request.provider_id,
+            new_status="disabled",
+            message=f"Provider {action_request.provider_id} has been manually disabled"
+        )
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"Failed to disable provider: {str(e)}")
+
+
+@router.get("/circuit-breaker/{provider_id}/should-allow")
+async def should_allow_requests(request: Request, provider_id: str):
+    """Check if circuit breaker allows requests for a provider."""
+    health_monitor: ProviderHealthMonitor = getattr(request.app.state, "health_monitor", None)
+
+    if not health_monitor:
+        return {"allowed": True, "reason": "Health monitor not available"}
+
+    allowed = health_monitor.should_allow_request(provider_id)
+
+    return {
+        "provider_id": provider_id,
+        "allowed": allowed,
+        "reason": "Circuit breaker state" if not allowed else "Provider healthy"
+    }
+
+
+@router.post("/circuit-breaker/{provider_id}/record-result")
+async def record_request_result(
+    request: Request,
+    provider_id: str,
+    success: bool,
+    error: Optional[str] = None
+):
+    """Record the result of a provider request for circuit breaker tracking."""
+    health_monitor: ProviderHealthMonitor = getattr(request.app.state, "health_monitor", None)
+
+    if not health_monitor:
+        return {"recorded": False, "reason": "Health monitor not available"}
+
+    health_monitor.record_request_result(provider_id, success, error)
+
+    return {
+        "provider_id": provider_id,
+        "recorded": True,
+        "success": success,
+        "error": error
+    }
\ No newline at end of file
diff --git a/api/app/routers/webhooks_v2.py b/api/app/routers/webhooks_v2.py
new file mode 100644
index 00000000..02097691
--- /dev/null
+++ b/api/app/routers/webhooks_v2.py
@@ -0,0 +1,219 @@
+"""
+Enhanced webhook router with verification, DLQ, and idempotency support.
+
+This router provides enterprise-grade webhook handling:
+- Signature verification for all providers
+- Dead Letter Queue for failed processing
+- Idempotency key support
+- Structured audit logging
+"""
+
+import logging
+from typing import Dict, Any, Optional
+from fastapi import APIRouter, Request, HTTPException, Depends, Header
+from fastapi.responses import JSONResponse
+from pydantic import BaseModel
+
+from api.app.services.webhook_processor import WebhookProcessor
+from api.app.plugins.manager import PluginManager
+from api.app.services.events import EventEmitter
+from api.app.config.provider import HybridConfigProvider
+from api.app.main import get_plugin_manager, get_event_emitter, get_config_provider
+
+
+logger = logging.getLogger(__name__)
+
+router = APIRouter(prefix="/webhooks/v2", tags=["Webhooks V2"])
+
+
+class WebhookResponse(BaseModel):
+    success: bool
+    message: str
+    job_id: Optional[str] = None
+    status: str
+
+
+def get_webhook_processor(
+    plugin_manager: PluginManager = Depends(get_plugin_manager),
+    event_emitter: EventEmitter = Depends(get_event_emitter),
+    config_provider: HybridConfigProvider = Depends(get_config_provider)
+) -> WebhookProcessor:
+    """Dependency to get webhook processor."""
+    return WebhookProcessor(plugin_manager, event_emitter, config_provider)
+
+
+async def extract_headers(request: Request) -> Dict[str, str]:
+    """Extract headers from request for webhook processing."""
+    return {k.lower(): v for k, v in request.headers.items()}
+
+
+@router.post("/{provider_id}", response_model=WebhookResponse)
+async def process_provider_webhook(
+    provider_id: str,
+    request: Request,
+    processor: WebhookProcessor = Depends(get_webhook_processor),
+    idempotency_key: Optional[str] = Header(None, alias="Idempotency-Key")
+):
+    """
+    Process webhook from any provider with unified handling.
+
+    This endpoint provides enterprise-grade webhook processing:
+    - Signature verification using provider-specific methods
+    - Job lookup by (provider_id, external_id)
+    - Dead Letter Queue for failed processing
+    - Idempotency key support for duplicate prevention
+    """
+    try:
+        # Extract request data
+        headers = await extract_headers(request)
+        body = await request.body()
+
+        logger.info(f"Processing webhook from {provider_id}, size: {len(body)} bytes")
+
+        # Process webhook
+        result = await processor.process_webhook(
+            provider_id=provider_id,
+            headers=headers,
+            body=body,
+            idempotency_key=idempotency_key
+        )
+
+        # Return appropriate response
+        status_code = result.get("status", 500)
+        if not result.get("success", False):
+            logger.warning(f"Webhook processing failed for {provider_id}: {result.get('error')}")
+            raise HTTPException(status_code=status_code, detail=result.get("error", "Unknown error"))
+
+        return WebhookResponse(
+            success=True,
+            message=f"Webhook processed successfully for {provider_id}",
+            job_id=result.get("job_id"),
+            status=result.get("new_status", "processed")
+        )
+
+    except HTTPException:
+        raise
+    except Exception as e:
+        logger.exception(f"Unexpected error processing webhook from {provider_id}")
+        raise HTTPException(status_code=500, detail=f"Internal server error: {str(e)}")
+
+
+@router.post("/phaxio", response_model=WebhookResponse)
+async def phaxio_webhook(
+    request: Request,
+    processor: WebhookProcessor = Depends(get_webhook_processor),
+    idempotency_key: Optional[str] = Header(None, alias="Idempotency-Key")
+):
+    """Legacy Phaxio webhook endpoint - redirects to unified handler."""
+    return await process_provider_webhook("phaxio", request, processor, idempotency_key)
+
+
+@router.post("/sinch", response_model=WebhookResponse)
+async def sinch_webhook(
+    request: Request,
+    processor: WebhookProcessor = Depends(get_webhook_processor),
+    idempotency_key: Optional[str] = Header(None, alias="Idempotency-Key")
+):
+    """Legacy Sinch webhook endpoint - redirects to unified handler."""
+    return await process_provider_webhook("sinch", request, processor, idempotency_key)
+
+
+@router.post("/signalwire", response_model=WebhookResponse)
+async def signalwire_webhook(
+    request: Request,
+    processor: WebhookProcessor = Depends(get_webhook_processor),
+    idempotency_key: Optional[str] = Header(None, alias="Idempotency-Key")
+):
+    """Legacy SignalWire webhook endpoint - redirects to unified handler."""
+    return await process_provider_webhook("signalwire", request, processor, idempotency_key)
+
+
+# Health check endpoint
+@router.get("/health")
+async def webhook_health():
+    """Health check for webhook service."""
+    return {"status": "healthy", "service": "webhooks_v2"}
+
+
+# DLQ management endpoints (admin only)
+from api.app.main import require_admin
+
+@router.get("/admin/dlq", dependencies=[Depends(require_admin)])
+async def get_dlq_entries(
+    limit: int = 50,
+    provider_id: Optional[str] = None,
+    status: Optional[str] = None
+):
+    """Get DLQ entries for admin review."""
+    from sqlalchemy import select
+    from api.app.database import AsyncSessionLocal
+    from api.app.models.webhook_dlq import WebhookDLQ
+
+    try:
+        async with AsyncSessionLocal() as session:
+            stmt = select(WebhookDLQ).order_by(WebhookDLQ.received_at.desc()).limit(limit)
+
+            if provider_id:
+                stmt = stmt.where(WebhookDLQ.provider_id == provider_id)
+            if status:
+                stmt = stmt.where(WebhookDLQ.status == status)
+
+            result = await session.execute(stmt)
+            entries = result.scalars().all()
+
+            return {
+                "entries": [
+                    {
+                        "id": entry.id,
+                        "provider_id": entry.provider_id,
+                        "external_id": entry.external_id,
+                        "received_at": entry.received_at.isoformat(),
+                        "status": entry.status,
+                        "error": entry.error,
+                        "retry_count": entry.retry_count,
+                        "headers_meta": entry.get_headers_meta()
+                    }
+                    for entry in entries
+                ],
+                "total": len(entries)
+            }
+
+    except Exception as e:
+        logger.exception("Error retrieving DLQ entries")
+        raise HTTPException(status_code=500, detail=str(e))
+
+
+@router.post("/admin/dlq/{dlq_id}/retry", dependencies=[Depends(require_admin)])
+async def retry_dlq_entry(dlq_id: str):
+    """Manually retry a specific DLQ entry."""
+    from sqlalchemy import select
+    from api.app.database import AsyncSessionLocal
+    from api.app.models.webhook_dlq import WebhookDLQ
+    from datetime import datetime
+
+    try:
+        async with AsyncSessionLocal() as session:
+            stmt = select(WebhookDLQ).where(WebhookDLQ.id == dlq_id)
+            result = await session.execute(stmt)
+            entry = result.scalar_one_or_none()
+
+            if not entry:
+                raise HTTPException(status_code=404, detail="DLQ entry not found")
+
+            # Reset for immediate retry
+            entry.status = 'retrying'
+            entry.next_retry_at = datetime.utcnow()
+
+            await session.commit()
+
+            return {
+                "success": True,
+                "message": f"DLQ entry {dlq_id} scheduled for retry",
+                "entry_id": dlq_id
+            }
+
+    except HTTPException:
+        raise
+    except Exception as e:
+        logger.exception(f"Error retrying DLQ entry {dlq_id}")
+        raise HTTPException(status_code=500, detail=str(e))
\ No newline at end of file
diff --git a/api/app/services/events.py b/api/app/services/events.py
index cb3b7af3..ce98c9e1 100644
--- a/api/app/services/events.py
+++ b/api/app/services/events.py
@@ -1,13 +1,36 @@
 import asyncio
+import uuid
 from dataclasses import dataclass, field
 from datetime import datetime
 from enum import Enum
 from typing import Any, Dict, List, Optional
 
+from api.app.db.async_db import AsyncSessionLocal
+from api.app.models.events import CanonicalEventDB
+
 
 class EventType(str, Enum):
+    # Provider health events
     PROVIDER_HEALTH_CHANGED = "provider.health.changed"
+    PROVIDER_ENABLED = "provider.enabled"
+    PROVIDER_DISABLED = "provider.disabled"
+
+    # Fax lifecycle events
+    FAX_QUEUED = "fax.queued"
+    FAX_SENT = "fax.sent"
+    FAX_DELIVERED = "fax.delivered"
+    FAX_FAILED = "fax.failed"
+    FAX_RETRYING = "fax.retrying"
+
+    # Webhook events
     WEBHOOK_RECEIVED = "webhook.received"
+    WEBHOOK_VERIFIED = "webhook.verified"
+    WEBHOOK_FAILED = "webhook.failed"
+
+    # Configuration events
+    CONFIG_CHANGED = "config.changed"
+
+    # System events
     JOB_STATUS_CHANGED = "job.status.changed"
 
 
@@ -25,17 +48,24 @@ class CanonicalEvent:
 
 
 class EventEmitter:
+    """Enhanced event emitter with database persistence and SSE streaming."""
+
     def __init__(self) -> None:
         self._events: List[CanonicalEvent] = []
         self._max_events = 200
         self._subscribers: List[asyncio.Queue[str]] = []
         self._lock = asyncio.Lock()
+        self._db_enabled = True
 
     async def emit_event(self, etype: EventType, **kwargs: Any) -> None:
+        """Emit event with database persistence and SSE broadcasting."""
+        event_id = kwargs.get("id") or str(uuid.uuid4())
+        occurred_at = datetime.utcnow()
+
         ev = CanonicalEvent(
-            id=str(kwargs.get("id") or datetime.utcnow().timestamp()),
+            id=event_id,
             type=etype,
-            occurred_at=datetime.utcnow(),
+            occurred_at=occurred_at,
             job_id=kwargs.get("job_id"),
             provider_id=kwargs.get("provider_id"),
             external_id=kwargs.get("external_id"),
@@ -43,9 +73,16 @@ async def emit_event(self, etype: EventType, **kwargs: Any) -> None:
             payload_meta=kwargs.get("payload_meta") or {},
             correlation_id=kwargs.get("correlation_id"),
         )
+
+        # Store in memory for SSE
         self._events.append(ev)
         if len(self._events) > self._max_events:
             self._events = self._events[-self._max_events :]
+
+        # Persist to database (fire-and-forget)
+        if self._db_enabled:
+            asyncio.create_task(self._persist_event(ev))
+
         # SSE broadcast (sanitized json)
         msg = {
             "id": ev.id,
@@ -55,31 +92,120 @@ async def emit_event(self, etype: EventType, **kwargs: Any) -> None:
             "external_id": ev.external_id,
             "job_id": ev.job_id,
             "payload_meta": ev.payload_meta,
+            "correlation_id": ev.correlation_id,
         }
+
         async with self._lock:
             for q in list(self._subscribers):
                 try:
                     q.put_nowait(json_dumps(msg))
                 except Exception:
-                    pass
+                    # Remove failed subscribers
+                    try:
+                        self._subscribers.remove(q)
+                    except ValueError:
+                        pass
+
+    async def _persist_event(self, event: CanonicalEvent) -> None:
+        """Persist event to database (non-blocking)."""
+        try:
+            async with AsyncSessionLocal() as session:
+                db_event = CanonicalEventDB(
+                    id=event.id,
+                    type=event.type.value,
+                    occurred_at=event.occurred_at,
+                    job_id=event.job_id,
+                    provider_id=event.provider_id,
+                    external_id=event.external_id,
+                    user_id=event.user_id,
+                    correlation_id=event.correlation_id,
+                    payload_meta=event.payload_meta,
+                )
+                session.add(db_event)
+                await session.commit()
+        except Exception:
+            # Silently fail to avoid disrupting main flow
+            # In production, this should be logged
+            pass
+
+    async def get_recent_events(
+        self,
+        limit: int = 50,
+        provider_id: Optional[str] = None,
+        event_type: Optional[str] = None,
+        from_db: bool = False
+    ) -> List[CanonicalEvent]:
+        """Get recent events from memory or database."""
+        if from_db and self._db_enabled:
+            return await self._get_events_from_db(limit, provider_id, event_type)
 
-    async def get_recent_events(self, limit: int = 50, provider_id: Optional[str] = None) -> List[CanonicalEvent]:
+        # Get from memory
         items = list(self._events)
         if provider_id:
             items = [e for e in items if e.provider_id == provider_id]
+        if event_type:
+            items = [e for e in items if e.type.value == event_type]
         return items[-limit:]
 
+    async def _get_events_from_db(
+        self,
+        limit: int,
+        provider_id: Optional[str] = None,
+        event_type: Optional[str] = None
+    ) -> List[CanonicalEvent]:
+        """Get events from database with filters."""
+        try:
+            async with AsyncSessionLocal() as session:
+                from sqlalchemy import select, desc
+
+                query = select(CanonicalEventDB).order_by(desc(CanonicalEventDB.occurred_at))
+
+                if provider_id:
+                    query = query.where(CanonicalEventDB.provider_id == provider_id)
+                if event_type:
+                    query = query.where(CanonicalEventDB.type == event_type)
+
+                query = query.limit(limit)
+
+                result = await session.execute(query)
+                db_events = result.scalars().all()
+
+                # Convert to CanonicalEvent objects
+                return [
+                    CanonicalEvent(
+                        id=db_event.id,
+                        type=EventType(db_event.type),
+                        occurred_at=db_event.occurred_at,
+                        job_id=db_event.job_id,
+                        provider_id=db_event.provider_id,
+                        external_id=db_event.external_id,
+                        user_id=db_event.user_id,
+                        payload_meta=db_event.payload_meta or {},
+                        correlation_id=db_event.correlation_id,
+                    )
+                    for db_event in reversed(db_events)
+                ]
+        except Exception:
+            # Fall back to memory events
+            return await self.get_recent_events(limit, provider_id, event_type, from_db=False)
+
     async def add_subscriber(self) -> asyncio.Queue[str]:
+        """Add SSE subscriber queue."""
         q: asyncio.Queue[str] = asyncio.Queue(maxsize=100)
         async with self._lock:
             self._subscribers.append(q)
         return q
 
     async def remove_subscriber(self, q: asyncio.Queue[str]) -> None:
+        """Remove SSE subscriber queue."""
         async with self._lock:
             if q in self._subscribers:
                 self._subscribers.remove(q)
 
+    def disable_db_persistence(self) -> None:
+        """Disable database persistence (testing/fallback)."""
+        self._db_enabled = False
+
 
 def json_dumps(obj: Any) -> str:
     import json
diff --git a/api/app/services/webhook_processor.py b/api/app/services/webhook_processor.py
new file mode 100644
index 00000000..3cbd4ccd
--- /dev/null
+++ b/api/app/services/webhook_processor.py
@@ -0,0 +1,294 @@
+"""
+Webhook processing service with verification, routing, and DLQ support.
+
+This service provides enterprise-grade webhook handling:
+- Signature verification using plugin-specific methods
+- Job lookup by (provider_id, external_id)
+- Retry logic with exponential backoff
+- Dead Letter Queue for failed processing
+- Idempotency key support
+"""
+
+import asyncio
+import json
+import logging
+from datetime import datetime, timedelta
+from typing import Dict, Any, Optional, Tuple
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import select
+from sqlalchemy.orm import selectinload
+
+from api.app.database import AsyncSessionLocal
+from api.app.models.webhook_dlq import WebhookDLQ
+from api.app.models.jobs import Job
+from api.app.plugins.manager import PluginManager
+from api.app.services.events import EventEmitter, EventType
+from api.app.config.provider import HybridConfigProvider
+
+
+logger = logging.getLogger(__name__)
+
+
+class WebhookProcessor:
+    """
+    Processes incoming webhooks with verification, routing, and DLQ support.
+    """
+
+    def __init__(self, plugin_manager: PluginManager, event_emitter: EventEmitter,
+                 config_provider: HybridConfigProvider):
+        self.plugin_manager = plugin_manager
+        self.event_emitter = event_emitter
+        self.config_provider = config_provider
+        self._idempotency_cache: Dict[str, Any] = {}
+
+    async def process_webhook(self, provider_id: str, headers: Dict[str, str],
+                            body: bytes, idempotency_key: Optional[str] = None) -> Dict[str, Any]:
+        """
+        Process an incoming webhook with full verification and error handling.
+
+        Args:
+            provider_id: Provider that sent the webhook
+            headers: HTTP headers from webhook request
+            body: Raw webhook body
+            idempotency_key: Optional idempotency key for duplicate prevention
+
+        Returns:
+            Dict with processing result and status
+        """
+        try:
+            # Check idempotency
+            if idempotency_key and idempotency_key in self._idempotency_cache:
+                return self._idempotency_cache[idempotency_key]
+
+            # Get provider plugin
+            plugin = self.plugin_manager.get_provider_plugin(provider_id)
+            if not plugin:
+                error = f"No plugin found for provider: {provider_id}"
+                logger.error(error)
+                return {"success": False, "error": error, "status": 404}
+
+            # Verify webhook signature
+            try:
+                if hasattr(plugin, 'verify_webhook'):
+                    is_valid = await plugin.verify_webhook(headers, body)
+                    if not is_valid:
+                        error = f"Webhook signature verification failed for provider: {provider_id}"
+                        logger.warning(error)
+                        return {"success": False, "error": error, "status": 401}
+            except Exception as e:
+                logger.error(f"Webhook verification error for {provider_id}: {str(e)}")
+                return {"success": False, "error": f"Verification failed: {str(e)}", "status": 500}
+
+            # Parse webhook payload
+            try:
+                payload_str = body.decode('utf-8')
+                payload = json.loads(payload_str)
+            except (UnicodeDecodeError, json.JSONDecodeError) as e:
+                error = f"Invalid webhook payload from {provider_id}: {str(e)}"
+                logger.error(error)
+                await self._add_to_dlq(provider_id, None, error, headers)
+                return {"success": False, "error": error, "status": 400}
+
+            # Extract external_id from payload
+            external_id = await self._extract_external_id(plugin, payload, provider_id)
+            if not external_id:
+                error = f"Could not extract external_id from {provider_id} webhook"
+                logger.error(error)
+                await self._add_to_dlq(provider_id, None, error, headers)
+                return {"success": False, "error": error, "status": 400}
+
+            # Find job by provider_id and external_id
+            job = await self._find_job(provider_id, external_id)
+            if not job:
+                error = f"No job found for {provider_id} external_id: {external_id}"
+                logger.warning(error)
+                await self._add_to_dlq(provider_id, external_id, error, headers)
+                return {"success": False, "error": error, "status": 404}
+
+            # Process status callback
+            result = await self._process_status_callback(plugin, job, payload)
+
+            # Cache result for idempotency
+            if idempotency_key:
+                self._idempotency_cache[idempotency_key] = result
+
+            return result
+
+        except Exception as e:
+            error = f"Unexpected error processing webhook from {provider_id}: {str(e)}"
+            logger.exception(error)
+            await self._add_to_dlq(provider_id, None, error, headers)
+            return {"success": False, "error": error, "status": 500}
+
+    async def _extract_external_id(self, plugin: Any, payload: Dict[str, Any],
+                                 provider_id: str) -> Optional[str]:
+        """Extract external_id from webhook payload using provider-specific logic."""
+        try:
+            if hasattr(plugin, 'extract_external_id'):
+                return await plugin.extract_external_id(payload)
+
+            # Fallback logic for common providers
+            if provider_id == 'phaxio':
+                return payload.get('fax', {}).get('id')
+            elif provider_id == 'sinch':
+                return payload.get('id')
+            elif provider_id.startswith('sip_'):
+                return payload.get('job_id') or payload.get('external_id')
+
+            # Generic fallback
+            return payload.get('id') or payload.get('external_id') or payload.get('job_id')
+
+        except Exception as e:
+            logger.error(f"Error extracting external_id from {provider_id}: {str(e)}")
+            return None
+
+    async def _find_job(self, provider_id: str, external_id: str) -> Optional[Job]:
+        """Find job by provider_id and external_id."""
+        try:
+            async with AsyncSessionLocal() as session:
+                stmt = select(Job).where(
+                    Job.provider_id == provider_id,
+                    Job.external_id == external_id
+                )
+                result = await session.execute(stmt)
+                return result.scalar_one_or_none()
+        except Exception as e:
+            logger.error(f"Error finding job for {provider_id}/{external_id}: {str(e)}")
+            return None
+
+    async def _process_status_callback(self, plugin: Any, job: Job,
+                                     payload: Dict[str, Any]) -> Dict[str, Any]:
+        """Process status callback and emit events."""
+        try:
+            old_status = job.status
+
+            # Let plugin handle the status update
+            if hasattr(plugin, 'handle_status_callback'):
+                await plugin.handle_status_callback(job, payload)
+            else:
+                # Default status mapping
+                await self._update_job_status_default(job, payload)
+
+            # Emit status change event
+            if job.status != old_status:
+                await self.event_emitter.emit_event(
+                    EventType.FAX_STATUS_CHANGED,
+                    job_id=job.id,
+                    provider_id=job.provider_id,
+                    payload_meta={
+                        'old_status': old_status,
+                        'new_status': job.status,
+                        'external_id': job.external_id
+                    }
+                )
+
+            return {
+                "success": True,
+                "job_id": job.id,
+                "old_status": old_status,
+                "new_status": job.status,
+                "status": 200
+            }
+
+        except Exception as e:
+            error = f"Error processing status callback: {str(e)}"
+            logger.exception(error)
+            return {"success": False, "error": error, "status": 500}
+
+    async def _update_job_status_default(self, job: Job, payload: Dict[str, Any]):
+        """Default job status update logic."""
+        # This is a fallback - plugins should implement handle_status_callback
+        status_field = payload.get('status') or payload.get('state')
+        if status_field:
+            # Map provider-specific statuses to canonical ones
+            status_map = {
+                'success': 'SUCCESS',
+                'completed': 'SUCCESS',
+                'delivered': 'SUCCESS',
+                'failed': 'FAILED',
+                'error': 'FAILED',
+                'pending': 'QUEUED',
+                'queued': 'QUEUED',
+                'processing': 'SENDING'
+            }
+            canonical_status = status_map.get(status_field.lower(), status_field.upper())
+            job.status = canonical_status
+
+        async with AsyncSessionLocal() as session:
+            session.add(job)
+            await session.commit()
+
+    async def _add_to_dlq(self, provider_id: str, external_id: Optional[str],
+                         error: str, headers: Dict[str, str]):
+        """Add failed webhook to Dead Letter Queue."""
+        try:
+            safe_headers = WebhookDLQ.create_safe_headers_meta(headers)
+            dlq_entry = WebhookDLQ(
+                provider_id=provider_id,
+                external_id=external_id,
+                error=error,
+                headers_meta=safe_headers
+            )
+
+            async with AsyncSessionLocal() as session:
+                session.add(dlq_entry)
+                await session.commit()
+
+            logger.info(f"Added webhook to DLQ: provider={provider_id}, external_id={external_id}")
+
+        except Exception as e:
+            logger.error(f"Failed to add webhook to DLQ: {str(e)}")
+
+    async def retry_dlq_entries(self, max_retries: int = 3):
+        """
+        Process DLQ entries that are ready for retry.
+
+        This should be called periodically by a background task.
+        """
+        try:
+            async with AsyncSessionLocal() as session:
+                # Find DLQ entries ready for retry
+                now = datetime.utcnow()
+                stmt = select(WebhookDLQ).where(
+                    WebhookDLQ.status == 'retrying',
+                    WebhookDLQ.next_retry_at <= now,
+                    WebhookDLQ.retry_count.cast(int) < max_retries
+                )
+                result = await session.execute(stmt)
+                dlq_entries = result.scalars().all()
+
+                for entry in dlq_entries:
+                    await self._retry_dlq_entry(session, entry, max_retries)
+
+                await session.commit()
+
+        except Exception as e:
+            logger.error(f"Error processing DLQ retries: {str(e)}")
+
+    async def _retry_dlq_entry(self, session: AsyncSession, entry: WebhookDLQ, max_retries: int):
+        """Retry a single DLQ entry."""
+        try:
+            retry_count = int(entry.retry_count)
+            if retry_count >= max_retries:
+                entry.mark_failed(f"Max retries ({max_retries}) exceeded")
+                return
+
+            # Calculate exponential backoff
+            backoff_seconds = min(300, 30 * (2 ** retry_count))  # Max 5 minutes
+            next_retry = datetime.utcnow() + timedelta(seconds=backoff_seconds)
+
+            entry.increment_retry(next_retry)
+
+            logger.info(f"Scheduled DLQ entry for retry: {entry.id}, attempt {retry_count + 1}")
+
+        except Exception as e:
+            logger.error(f"Error retrying DLQ entry {entry.id}: {str(e)}")
+            entry.mark_failed(f"Retry error: {str(e)}")
+
+    def clear_idempotency_cache(self, older_than_minutes: int = 60):
+        """Clear old idempotency cache entries to prevent memory leaks."""
+        # In production, this should use Redis with TTL
+        # For now, we'll keep it simple
+        if len(self._idempotency_cache) > 1000:
+            self._idempotency_cache.clear()
+            logger.info("Cleared idempotency cache due to size limit")
\ No newline at end of file
diff --git a/v4_plans/implement/phase_3_runbook.md b/v4_plans/implement/phase_3_runbook.md
new file mode 100644
index 00000000..3b3f8556
--- /dev/null
+++ b/v4_plans/implement/phase_3_runbook.md
@@ -0,0 +1,389 @@
+Phase 3 Runbook — Hierarchical Config, Diagnostics, Reliability
+
+Branch: auto-tunnel (all v4 work stays here)
+Scope: DB-first hierarchical config, Redis caching + invalidation, canonical events + SSE, webhook hardening + DLQ, provider health + circuit breaker, rate limiting, HIPAA-aligned logging
+
+0) Pre-flight (once per machine)
+
+Checklist
+
+ Git on the right branch and clean working tree
+
+ Python 3.11+ / Node 20+ / Redis 7 / Postgres 14+ reachable
+
+ Uvicorn + Alembic available
+
+ Strong crypto key present (44-char Fernet)
+
+Commands (copy/paste)
+
+echo "== ensure branch auto-tunnel and clean tree" && git fetch --all --tags && git checkout -B auto-tunnel origin/auto-tunnel && git status && \
+echo "== versions" && python3 --version && node --version && npm --version && psql --version && redis-server --version && \
+echo "== install server deps (uvicorn/alembic/cryptography)" && pip3 install -U pip wheel && pip3 install -r requirements.txt || true && \
+echo "== install admin UI deps" && cd api/admin_ui && npm ci && cd - && \
+echo "== start local Redis if not present" && (docker ps --format '{{.Names}}' | grep -q '^faxbot-redis$' || docker run -d --name faxbot-redis -p 6379:6379 redis:7-alpine) && \
+echo "== generate CONFIG_MASTER_KEY if missing and write .env.local" && python3 - <<'PY'
+import os,base64,sys
+from pathlib import Path
+env = Path(".env.local")
+if env.exists(): txt = env.read_text()
+else: txt = ""
+if "CONFIG_MASTER_KEY=" in txt:
+    print("CONFIG_MASTER_KEY already present")
+else:
+    try:
+        from cryptography.fernet import Fernet
+        key = Fernet.generate_key().decode()
+    except Exception:
+        key = base64.urlsafe_b64encode(os.urandom(32)).decode()[:44]
+    with env.open("a") as f:
+        f.write(f"\nCONFIG_MASTER_KEY={key}\n")
+    print("CONFIG_MASTER_KEY created")
+PY
+
+
+Stop-check
+
+ git status shows On branch auto-tunnel, no uncommitted changes needed for this run
+
+ .env.local now contains CONFIG_MASTER_KEY= with 44 characters
+
+1) Database migration — hierarchical config + audit + events + DLQ
+
+Checklist
+
+ Migration 003 applied (config tables + audit + events + dlq)
+
+ Alembic heads consistent (no divergence)
+
+Commands
+
+echo "== run Phase 3 migrations" && alembic -c api/db/alembic.ini upgrade head && \
+echo "== confirm tables exist" && psql "$DATABASE_URL" -c "\dt+" | egrep -i "config_(global|tenant|department|group|user)|config_audit|events|webhook_dlq"
+
+
+Stop-check
+
+ Tables config_global/tenant/department/group/user, config_audit, events, webhook_dlq all listed
+
+2) Boot with safe defaults (no PHI, DB-first reads)
+
+Checklist
+
+ Server starts and refuses to boot if CONFIG_MASTER_KEY is invalid
+
+ Admin Console reachable
+
+Commands
+
+echo "== export baseline env (safe defaults)" && \
+export FAXBOT_ENV="dev" && export ENABLE_LOCAL_ADMIN="true" && export REDIS_URL="redis://localhost:6379/2" && \
+export REQUIRE_API_KEY="true" && export API_KEY="devkey-devkey-devkey" && \
+echo "== start server (foreground)" && uvicorn api.app.main:app --host 0.0.0.0 --port 8080
+
+
+(Open a second terminal for the next steps.)
+
+Stop-check
+
+ http://localhost:8080/health returns 200
+
+ Admin Console loads at http://localhost:8080/admin/
+
+3) Hierarchical Config — effective resolution + safe writes
+
+Checklist
+
+ Effective read works (db/default/cache source indicated)
+
+ Safe key write at tenant and user levels reflects in effective resolution
+
+ Cache invalidation works after write
+
+Commands
+
+echo "== show effective config (admin-capable required; using API key header)" && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" "http://localhost:8080/admin/config/effective" | jq '.values|keys' && \
+echo "== set tenant override for api.rate_limit_rpm=60" && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" -H "Content-Type: application/json" \
+  -X POST "http://localhost:8080/admin/config/set" \
+  -d '{"key":"api.rate_limit_rpm","value":60,"level":"tenant","level_id":"tenant_demo","reason":"Phase3 tenant default"}' | jq && \
+echo "== set user override for api.rate_limit_rpm=5" && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" -H "Content-Type: application/json" \
+  -X POST "http://localhost:8080/admin/config/set" \
+  -d '{"key":"api.rate_limit_rpm","value":5,"level":"user","level_id":"user_demo","reason":"tight user test"}' | jq && \
+echo "== query hierarchy for key" && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" \
+  "http://localhost:8080/admin/config/hierarchy?key=api.rate_limit_rpm" | jq && \
+echo "== flush config cache" && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" -X POST "http://localhost:8080/admin/config/flush-cache" | jq
+
+
+Stop-check
+
+ hierarchy.layers[0] shows user value 5 when asking from that user context
+
+ After flush-cache, re-query reflects latest DB values
+
+ No secrets displayed; masked in UI
+
+4) Redis Cache — stats + fallback
+
+Checklist
+
+ Redis stats visible; local cache present
+
+ Service keeps running if Redis is killed (falls back to local)
+
+Commands
+
+echo "== get effective + cache stats" && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" "http://localhost:8080/admin/config/effective" | jq '.cache_stats' && \
+echo "== simulate Redis outage (container stop)" && docker stop faxbot-redis && sleep 2 && \
+echo "== re-query effective (should still work using local cache)" && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" "http://localhost:8080/admin/config/effective" | jq '.cache_stats' && \
+echo "== restore Redis" && docker start faxbot-redis && sleep 2
+
+
+Stop-check
+
+ With Redis down, effective config endpoint still works (warning allowed)
+
+ After restart, stats show Redis again
+
+5) Canonical Events + SSE diagnostics (no PHI)
+
+Checklist
+
+ Events table persists entries
+
+ SSE stream shows recent + live events (admin-only)
+
+ Payload metadata contains no PHI
+
+Commands
+
+echo "== tail SSE (keep this running; Ctrl+C to exit later)" && \
+curl -N -H "X-API-Key: devkey-devkey-devkey" "http://localhost:8080/admin/diagnostics/events" &
+echo "== emit a test event via helper endpoint (if present) or trigger by sending a test fax job" && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" "http://localhost:8080/admin/diagnostics/events/recent?limit=5" | jq
+
+
+Stop-check
+
+ SSE stream prints recent events, then heartbeats; fields are IDs + metadata only
+
+ No names, numbers, or documents appear in payload_meta
+
+6) Provider Health + Circuit Breaker
+
+Checklist
+
+ Health monitor loop running
+
+ Circuit opens after threshold failures and recovers after timeout/success
+
+ Admin Diagnostics reflects status transitions
+
+Commands (force a failure with bogus creds, low threshold)
+
+echo "== lower CB threshold to 1 for provider 'phaxio' (example)" && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" -H "Content-Type: application/json" \
+  -X POST "http://localhost:8080/admin/config/set" \
+  -d '{"key":"provider.phaxio.circuit_breaker_threshold","value":1,"level":"global","reason":"test trip"}' | jq && \
+echo "== attempt a send with intentionally bad creds to trip the circuit" && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" -F to=+15551234567 -F file=@./example.pdf \
+  -X POST "http://localhost:8080/fax" | jq || true && \
+echo "== check recent events include PROVIDER_HEALTH_CHANGED" && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" "http://localhost:8080/admin/diagnostics/events/recent?limit=20" | jq '.events[]|select(.type=="PROVIDER_HEALTH_CHANGED")'
+
+
+Stop-check
+
+ A PROVIDER_HEALTH_CHANGED event shows new_status: "circuit_open"
+
+ After timeout or a successful call, status returns to healthy
+
+7) Webhook Hardening + DLQ
+
+Checklist
+
+ Unverified callback is rejected (401/403)
+
+ Bad payload lands in DLQ with allowlisted headers only
+
+ Lookup of job uses (provider_id, external_id)
+
+Commands (simulate bad callback; provider route may vary)
+
+echo "== send bogus callback to provider route to trigger DLQ (adjust path to an enabled provider)" && \
+curl -sS -H "Content-Type: application/json" \
+  -d '{"fake":"payload","external_id":"does-not-exist"}' \
+  "http://localhost:8080/callbacks/phaxio" | jq || true && \
+echo "== inspect DLQ entries (via SQL; adjust table/schema if needed)" && \
+psql "$DATABASE_URL" -c "SELECT id,provider_id,external_id,status,substr(headers_meta,1,120) AS headers_sample FROM webhook_dlq ORDER BY received_at DESC LIMIT 5;"
+
+
+Stop-check
+
+ Callback returns 401/403 or handled with DLQ store (no Authorization headers saved)
+
+ DLQ contains sanitized header metadata only
+
+8) Rate Limiting (per key/endpoint)
+
+Checklist
+
+ 429 returned with Retry-After when limit exceeded
+
+ Limits are hierarchical (tenant/user can override)
+
+Commands
+
+echo "== set global rate limit for fax send to 1 rpm" && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" -H "Content-Type: application/json" \
+  -X POST "http://localhost:8080/admin/config/set" \
+  -d '{"key":"api.rate_limit_rpm","value":1,"level":"global","reason":"limit test"}' | jq && \
+echo "== send two requests quickly; second should 429" && \
+BASE="http://localhost:8080" && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" -F to=+15551234567 -F file=@./example.pdf -X POST "$BASE/fax" | jq && \
+curl -i -sS -H "X-API-Key: devkey-devkey-devkey" -F to=+15551234567 -F file=@./example.pdf -X POST "$BASE/fax" | sed -n '1,20p'
+
+
+Stop-check
+
+ Second response shows HTTP/1.1 429 and a Retry-After header
+
+9) Admin Console — Configuration Manager & Diagnostics UI
+
+Checklist
+
+ “Configuration Manager” screen renders effective values with source badges
+
+ Safe keys editable; secrets masked
+
+ Diagnostics shows provider states and SSE status
+
+Manual UI actions
+
+Settings → Configuration Manager: verify source chips (db/env/default/cache)
+
+Diagnostics → Events: live SSE updates appear; no PHI
+
+Diagnostics → Providers: status chips reflect health/circuit state
+
+10) Acceptance Sweep (tick all)
+
+Configuration
+
+ User→Group→Department→Tenant→Global→Default resolution verified
+
+ Writes persist without restart; audit entries created
+
+ Safe keys only editable via Admin Console; validation enforced
+
+ Secrets encrypted at rest; masked in UI
+
+Caching
+
+ Redis on; cache hits observed; invalidation works
+
+ Redis off; service continues with local cache
+
+Events & SSE
+
+ Canonical events persisted; SSE streams IDs/metadata only (no PHI)
+
+ Recent events endpoint filters by type/provider
+
+Provider Health
+
+ Health checks run; circuit opens on failures; recovers as configured
+
+ Manual enable/disable reflected in events + UI
+
+Webhooks
+
+ Signature/verification enforced when provider supports it
+
+ Bad callbacks routed to DLQ; headers allowlisted; no secrets persisted
+
+Rate Limiting
+
+ 429 with Retry-After for exceeded limits; hierarchical overrides honored
+
+Security
+
+ All admin endpoints require admin_capable trait
+
+ CONFIG_MASTER_KEY length 44; boot fails fast if invalid
+
+ No PHI in logs/streams/events
+
+11) Troubleshooting (one step at a time)
+
+A. Boot fails with crypto errors
+
+echo "== verify CONFIG_MASTER_KEY length is 44 and valid base64" && \
+python3 - <<'PY'
+import os,base64
+k=os.getenv("CONFIG_MASTER_KEY","")
+print(len(k),"chars")
+base64.urlsafe_b64decode(k.encode())
+print("OK: decodable")
+PY
+
+
+If not 44 or decode fails: regenerate key (Section 0) → restart → re-test.
+
+B. Effective config not changing after set()
+
+echo "== flush cache and re-read" && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" -X POST "http://localhost:8080/admin/config/flush-cache" | jq && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" "http://localhost:8080/admin/config/hierarchy?key=api.rate_limit_rpm" | jq
+
+
+If still stale: verify you wrote to the correct level_id; check audit log row exists.
+
+C. SSE seems silent
+
+echo "== fetch recent events directly" && \
+curl -sS -H "X-API-Key: devkey-devkey-devkey" "http://localhost:8080/admin/diagnostics/events/recent?limit=10" | jq
+
+
+If empty: trigger a fax send (success or failure) to generate lifecycle events.
+
+D. Circuit never opens
+
+Lower threshold to 1 (Section 6) and force a failing request. Confirm PROVIDER_HEALTH_CHANGED.
+
+E. 429 not returned
+
+Confirm middleware is enabled and api.rate_limit_rpm not overridden by user/tenant to a higher value.
+
+12) Go/No-Go & Rollback
+
+Go
+
+ All Acceptance Sweep boxes ticked
+
+ Load test: config resolution p95 ≤ 5ms with warm cache
+
+ No PHI observed in any logs/streams
+
+Rollback (quick)
+
+echo "== rollback code to previous tag" && \
+git fetch --tags && git checkout <previous_stable_tag> && \
+echo "== downgrade DB to pre-003 if necessary" && \
+alembic -c api/db/alembic.ini downgrade -1 && \
+echo "== restore .env/.env.local backups" && ls -la
+
+
+(If you need exact step counts for downgrade, run alembic history --verbose first.)
+
+13) Quick Audits (hygiene)
+echo "== async ORM anti-patterns" && rg -n "await\s+.*\.merge\(" api/app || true && \
+echo "== accidental env fallbacks in provider" && rg -n "os\.getenv\(" api/app/config || true && \
+echo "== cache key shapes" && rg -n "cfg:eff" api/app | sort || true && \
+echo "== SSE usage sites" && rg -n "Event
\ No newline at end of file
diff --git a/v4_plans/implement/phase_4_implement_plan.md b/v4_plans/implement/phase_4_implement_plan.md
index d46aabdd..9fc7efa9 100644
--- a/v4_plans/implement/phase_4_implement_plan.md
+++ b/v4_plans/implement/phase_4_implement_plan.md
@@ -4,253 +4,7 @@
 **Status**: Comprehensive implementation plan including all existing infrastructure
 **Timeline**: 7-8 weeks
 
-## Executive Summary
-
-Phase 4 transforms Faxbot into an enterprise integration powerhouse by building upon all existing infrastructure while adding advanced capabilities. This phase consolidates and extends the current plugin ecosystem (transport, storage, identity, messaging), implements a secure marketplace, advanced webhook system, enterprise integrations (LDAP, SAML, ERP), and provides a complete plugin development SDK.
-
-**Critical Philosophy**: Build upon, don't replace. Every existing service, plugin, and provider must remain functional while gaining new capabilities.
-
-## Current Infrastructure Inventory (Must Preserve & Extend)
-
-### 🔌 **Existing Transport Providers** (Phase 4 Enhanced)
-**Current Providers** (from `config/provider_traits.json` and `config/plugin_registry.json`):
-- **Phaxio Cloud Fax** - HIPAA-ready, webhook support, HMAC verification
-- **Sinch Fax API v3** - Direct upload model, basic auth inbound
-- **SignalWire** - Twilio-compatible API, cloud-based
-- **SIP/Asterisk** - Self-hosted, T.38 protocol, AMI interface
-- **FreeSWITCH** - Self-hosted via mod_spandsp, ESL integration
-- **Test/Disabled Mode** - Development testing
-
-**Phase 4 Enhancements**:
-```python
-# Existing providers get marketplace integration
-class PhaxioTransportPlugin(FaxPlugin):
-    # Current functionality preserved
-    # + Marketplace metadata
-    # + Enhanced webhook handling
-    # + Circuit breaker integration
-    # + Usage analytics
-```
-
-### 💾 **Existing Storage Backends** (Phase 4 Extended)
-**Current Storage** (from plugin registry):
-- **Local Storage** - Development/single-node deployments
-- **S3/S3-Compatible** - Production with SSE-KMS encryption
-
-**Phase 4 Additions**:
-- **Azure Blob Storage** with managed identities
-- **Google Cloud Storage** with service accounts
-- **Multi-cloud replication** for disaster recovery
-- **Compliance-aware retention** policies per tenant
-
-### 🔐 **Authentication Infrastructure** (Phase 4 Enterprise)
-**Current Auth** (from Phase 2):
-- API key authentication (existing)
-- Session-based authentication (Phase 2)
-- SQLAlchemy identity provider (Phase 2)
-- Trait-based permissions (Phase 2)
-
-**Phase 4 Enterprise Extensions**:
-- LDAP/Active Directory integration
-- SAML 2.0 SSO providers
-- OAuth2/OIDC providers (Google, Microsoft, Okta)
-- Multi-tenant identity isolation
-
-### 🌐 **MCP Server Infrastructure** (Phase 4 Enhanced)
-**Current MCP Servers**:
-- **Node MCP** (`node_mcp/`) - stdio/HTTP/SSE/WebSocket transports
-- **Python MCP** (`python_mcp/`) - stdio/SSE transports
-- Multiple transport support with OAuth2/JWT for SSE
-
-**Phase 4 Enhancements**:
-- Plugin-aware MCP tools
-- Enterprise integration MCP extensions
-- Webhook event streaming via MCP
-- Advanced rate limiting per tenant
-
-### 🛠️ **Plugin Development Kit** (Phase 4 Complete)
-**Current Plugin SDK** (`plugin-dev-kit/python/`):
-- Base plugin classes (FaxPlugin, StoragePlugin, AuthPlugin)
-- Plugin manifest system
-- Testing framework foundation
-
-**Phase 4 SDK Completion**:
-- CLI scaffolding tools (`faxbot-sdk init`, `validate`, `test`)
-- Local development server
-- Automated testing harness
-- CI/CD templates and deployment tools
-
-## Dependencies & Integration Points
-
-### Phase 1-3 Foundation Requirements:
-- ✅ **Phase 1**: Plugin architecture, SecurityCore, CanonicalMessage, PluginManager
-- ✅ **Phase 2**: Trait-based auth, user management, identity providers
-- ✅ **Phase 3**: Hierarchical configuration, Redis caching, webhook hardening
-
-### Phase 3 → Phase 4 Evolution:
-```python
-# Phase 3: Hierarchical config with reliability
-config_value = hierarchical_config.get_effective('fax.provider.endpoint', user_context)
-
-# Phase 4: Enterprise multi-tenant with marketplace
-plugin = marketplace.get_tenant_plugin('transport', 'phaxio', tenant_context)
-await plugin.send_with_analytics(message, tenant_analytics)
-```
-
-## Week 1-2: Plugin Marketplace & Registry Service
-
-### 1. Advanced Plugin Registry Architecture (with Out-of-Process Host for third-party)
-
-P0: Third-party (marketplace) plugins MUST run out-of-process (OOP host) with resource limits and no PHI/secret access; first-party built-ins remain in-process.
-
-Marketplace defaults (security by default):
-- `admin.marketplace.enabled = false` (search UI can render, installs disabled)
-- `admin.marketplace.remote_install_enabled = false` (explicit admin toggle required)
-- `admin.marketplace.trust_tier = 'curated_only'` (HIPAA tenants see HIPAA-compliant plugins only)
-
-Admin Console constraints:
-- Show marketplace UI with disabled “Install” buttons until both flags are enabled.
-- Provide warnings and docsBase links (“Learn more”) when enabling remote installs.
-- All marketplace screens must be trait-gated (admin_capable), mobile-first, and avoid global CSS.
-
-**Extend `api/app/plugins/registry/service.py`** (don't replace):
-```python
-class EnterprisePluginRegistry:
-    """Enterprise plugin registry with signature verification and marketplace"""
-
-    def __init__(self, base_registry, security_core, hierarchical_config):
-        self.base_registry = base_registry  # Preserve existing functionality
-        self.security_core = security_core
-        self.config = hierarchical_config
-        self.signature_validator = PluginSignatureValidator()
-
-    async def publish_plugin(self, manifest: Dict, signature: str, tenant_id: str) -> Dict[str, Any]:
-        """Publish plugin to marketplace with signature verification"""
-        # Verify plugin signature (Sigstore preferred; GPG fallback)
-        if not await self.signature_validator.verify(manifest, signature):
-            raise SecurityError("Invalid plugin signature")
-
-        # Validate against existing plugin-dev-kit schema
-        validation = await self.base_registry.validate_manifest(manifest)
-        if not validation['valid']:
-            raise ValidationError(validation['errors'])
-
-        # Store in marketplace with tenant isolation
-        return await self.store_plugin(manifest, tenant_id)
-
-    async def search_plugins(self, query: str, filters: Dict, tenant_context: Dict) -> List[Dict]:
-        """Search marketplace with tenant-aware filtering"""
-        base_results = await self.base_registry.search(query, filters)
-
-        # Apply tenant compliance filtering
-        compliance_mode = tenant_context.get('compliance_mode', 'standard')
-        if compliance_mode == 'hipaa':
-            base_results = [p for p in base_results if p.get('hipaa_compliant', False)]
-
-        return self._apply_tenant_permissions(base_results, tenant_context)
-
-    async def install_plugin(self, plugin_id: str, tenant_context: Dict) -> Dict[str, Any]:
-        """Install plugin with dependency resolution"""
-        plugin = await self.get_plugin_metadata(plugin_id)
-
-        # Check compatibility with current platform version
-        platform_version = await self.get_platform_version()
-        if not self._check_version_compatibility(plugin, platform_version):
-            raise CompatibilityError(f"Plugin requires platform {plugin['min_platform_version']}")
-
-        # Resolve and install dependencies
-        await self._resolve_dependencies(plugin, tenant_context)
-
-        # Sandbox installation with resource limits (out-of-process host)
-        return await self._sandboxed_install_oop(plugin, tenant_context)
-
-    async def effective_marketplace_flags(self, tenant_context):
-        # Use hierarchical config (Phase 3) to get per-tenant flags
-        enabled = await self.config.get_effective('admin.marketplace.enabled', tenant_context) or False
-        remote_install = await self.config.get_effective('admin.marketplace.remote_install_enabled', tenant_context) or False
-        trust_tier = await self.config.get_effective('admin.marketplace.trust_tier', tenant_context) or 'curated_only'
-        return enabled, remote_install, trust_tier
-```
-
-### 2. Plugin Signature & Security System (Sigstore/GPG)
-
-**Create `api/app/plugins/security/signature.py`**:
-```python
-import gnupg
-from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import rsa, padding
-from typing import Dict, Any, Optional
-import json
-import hashlib
-
-class PluginSignatureValidator:
-    """Validates plugin signatures for marketplace security"""
-
-    def __init__(self):
-        self.gpg = gnupg.GPG()
-        self.trusted_keys = self._load_trusted_keys()
-
-    async def verify_plugin_signature(self, manifest: Dict[str, Any], signature: str) -> bool:
-        """Verify plugin manifest signature"""
-
-        # Create canonical manifest hash
-        canonical_manifest = self._canonicalize_manifest(manifest)
-        manifest_hash = hashlib.sha256(canonical_manifest.encode()).digest()
-
-        try:
-            # Try Sigstore first (when configured); fallback to GPG
-            if await self._verify_sigstore(canonical_manifest, signature):
-                return True
-            if await self._verify_gpg_signature(canonical_manifest, signature):
-                return True
-
-            # Fallback to RSA signature verification
-            return await self._verify_rsa_signature(manifest_hash, signature)
-
-        except Exception as e:
-            audit_event('plugin_signature_verification_failed',
-                       plugin_id=manifest.get('id'),
-                       error=str(e))
-            return False
-
-    def _canonicalize_manifest(self, manifest: Dict[str, Any]) -> str:
-        """Create canonical JSON representation for signing"""
-        # Remove signature-related fields and sort keys
-        clean_manifest = {k: v for k, v in manifest.items()
-                         if k not in ['signature', '_signature_meta']}
-        return json.dumps(clean_manifest, sort_keys=True, separators=(',', ':'))
-
-    async def _verify_gpg_signature(self, content: str, signature: str) -> bool:
-        """Verify GPG signature from trusted keyring"""
-        try:
-            # Correct parameter order for detached verify
-            verified = self.gpg.verify_data(content.encode(), signature.encode())
-            return verified.valid and verified.key_id in self.trusted_keys
-        except Exception:
-            return False
-
-    async def _verify_sigstore(self, content: str, signature: str) -> bool:
-        """Verify Sigstore signature (Fulcio/Rekor) when available."""
-        try:
-            # Placeholder; real implementation to call sigstore-python APIs
-            return False
-        except Exception:
-            return False
-
-### 4. Current State Integration Map (Phase 4)
-
-- Registry/ingestor: extend existing registry (`api/app/plugins/registry/*`) for marketplace metadata and signature verification; do not fork a parallel system.
-- Marketplace defaults: both `admin.marketplace.enabled` and `admin.marketplace.remote_install_enabled` default to false; search works with curated registry; install buttons disabled with explicit admin approval flow.
-- Out‑of‑process host (OOP): required for third‑party plugins; built‑ins continue in‑process. Enforce resource limits; no PHI/secret access; audit everything.
-- HIPAA filtering: tenant compliance filters marketplace results (only HIPAA‑compliant plugins for HIPAA tenants); trust tiers applied.
-- Admin Console: marketplace UI added as a Tab; install buttons disabled until flags enabled; every screen has docsBase links and help texts; mobile‑first; no global CSS.
-- Migration stability: existing plugins remain functional if marketplace disabled; manifests and provider traits continue to work; marketplace metadata optional.
-
-### 5. Security Posture
-
-- Mandatory signature verification (Sigstore or GPG) for any third‑party plugin.
-- OOP host isolation for untrusted plugins; no network egress without policy; logs scrubbed for PHI/secrets.
-- Audit: installs, updates, uninstalls recorded with actor, tenant, correlation ID.
+1
 
 ```
 
diff --git a/v4_plans/implement/phase_5_implement_plan.md b/v4_plans/implement/phase_5_implement_plan.md
index f69dc74c..4a8dac96 100644
--- a/v4_plans/implement/phase_5_implement_plan.md
+++ b/v4_plans/implement/phase_5_implement_plan.md
@@ -12,7 +12,7 @@ Phase 5 is the FINAL phase completing the v4 platform transformation. This phase
 1. **Sinch** - Most widely used, OAuth2 + Basic Auth, regional endpoints
 2. **Phaxio** - HIPAA-ready with BAA, HMAC verification
 3. **SignalWire** - Twilio-compatible (NOTE: Twilio fax API is sunset)
-4. **HumbleFax** - Complex webhook + email inbound, IMAP integration
+4. **HumbleFax** - Most widely used by non-HIPAA customers, Complex webhook + email inbound, IMAP integration
 5. **SIP/Asterisk** - Self-hosted T.38, AMI interface
 6. **FreeSWITCH** - ESL integration, mod_spandsp
 7. **Test/Disabled** - Development and CI/CD
diff --git a/v4_plans/implement/pr-gate.sh b/v4_plans/implement/pr-gate.sh
new file mode 100644
index 00000000..2d0baaf0
--- /dev/null
+++ b/v4_plans/implement/pr-gate.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "[build]"
+docker compose build
+
+echo "[up]"
+docker compose up -d
+
+echo "[health check (best effort)]"
+curl -fsS http://localhost:8080/health || true
+
+echo "[/metrics exists]"
+curl -fsS http://localhost:8080/metrics | head -n 3 >/dev/null
+
+echo "[providers endpoint shape]"
+curl -fsS -H "X-API-Key: ${API_KEY:-dev}" http://localhost:8080/admin/providers | jq -e 'type=="object"' >/dev/null
+
+echo "[callbacks return 202 (idempotent no-op is fine)]"
+code=$(curl -sS -o /dev/null -w "%{http_code}" -X POST http://localhost:8080/phaxio-callback \
+  -H "Content-Type: application/json" -H "X-Phaxio-Signature: test" -d '{"id":"smoke-pr","status":"success"}')
+test "$code" -eq 202
+
+code=$(curl -sS -o /dev/null -w "%{http_code}" -X POST http://localhost:8080/sinch-inbound \
+  -H "Authorization: Basic dGVzdDp0ZXN0" -H "Content-Type: application/json" -d '{"id":"smoke-pr"}')
+test "$code" -eq 202
+
+echo "[openapi diff + traits schema are separate CI jobs]"
+echo "OK"