From 020a0437eb9b80a8fe66d42563ad01b6ca8544d3 Mon Sep 17 00:00:00 2001
From: Shawn Jackson <shawn@resgrid.com>
Date: Wed, 25 Feb 2026 08:25:08 -0800
Subject: [PATCH 1/3] Adding workflow module and updating home view.

---
 docs/api/workflows.md                         | 433 ++++++++++++++
 docs/configuration/workflows.md               | 552 ++++++++++++++++++
 docs/reference/workflow-variables.md          | 518 ++++++++++++++++
 docs/web-app/overview.md                      |  24 +-
 docs/web-app/workflows.md                     | 349 +++++++++++
 src/components/HomepageFeatures/index.js      | 210 +++++--
 .../HomepageFeatures/styles.module.css        | 248 +++++++-
 src/pages/index.js                            |  51 +-
 src/pages/index.module.css                    | 150 ++++-
 9 files changed, 2470 insertions(+), 65 deletions(-)
 create mode 100644 docs/api/workflows.md
 create mode 100644 docs/configuration/workflows.md
 create mode 100644 docs/reference/workflow-variables.md
 create mode 100644 docs/web-app/workflows.md

diff --git a/docs/api/workflows.md b/docs/api/workflows.md
new file mode 100644
index 0000000..bf695ce
--- /dev/null
+++ b/docs/api/workflows.md
@@ -0,0 +1,433 @@
+---
+sidebar_position: 3
+---
+
+# Workflows API
+
+The Workflows API provides full CRUD operations for workflows, workflow steps, credentials, and access to execution history and health metrics. All endpoints are scoped to the authenticated user's department and require Department Admin permissions.
+
+**Base URL:** `/api/v4/workflows`
+
+## Authentication
+
+All Workflows API endpoints require a valid JWT token. See [API Authentication](authentication) for details.
+
+## Workflows
+
+### List Workflows
+
+Returns all workflows for the authenticated user's department.
+
+```
+GET /api/v4/workflows
+```
+
+**Response:** Array of `WorkflowResult` objects.
+
+### Get Workflow
+
+Returns a specific workflow by ID, including its steps.
+
+```
+GET /api/v4/workflows/{id}
+```
+
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `id` | int | Workflow ID |
+
+**Response:** `WorkflowResult` object with steps.
+
+### Create Workflow
+
+Creates a new workflow.
+
+```
+POST /api/v4/workflows
+```
+
+**Request Body:** `WorkflowInput`
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `Name` | string | Yes | Workflow name (max 250 characters) |
+| `Description` | string | No | Description (max 1000 characters) |
+| `TriggerEventType` | int | Yes | Event type enum value (see [Event Types](#event-types)) |
+| `IsEnabled` | bool | No | Enabled state (default: true) |
+| `MaxRetryCount` | int | No | Max retry attempts (default: 3) |
+| `RetryBackoffBaseSeconds` | int | No | Backoff base in seconds (default: 5) |
+
+**Response:** Created `WorkflowResult` object.
+
+### Update Workflow
+
+Updates an existing workflow.
+
+```
+PUT /api/v4/workflows/{id}
+```
+
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `id` | int | Workflow ID |
+
+**Request Body:** `WorkflowInput` (same as create).
+
+**Response:** Updated `WorkflowResult` object.
+
+### Delete Workflow
+
+Deletes a workflow and all its steps.
+
+```
+DELETE /api/v4/workflows/{id}
+```
+
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `id` | int | Workflow ID |
+
+**Response:** `200 OK` on success.
+
+## Workflow Steps
+
+### Add Step
+
+Adds a step to a workflow.
+
+```
+POST /api/v4/workflows/{id}/steps
+```
+
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `id` | int | Workflow ID |
+
+**Request Body:** `WorkflowStepInput`
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `ActionType` | int | Yes | Action type enum value (see [Action Types](#action-types)) |
+| `StepOrder` | int | Yes | Execution order |
+| `OutputTemplate` | string | Yes | Scriban template text |
+| `ActionConfig` | string | No | JSON action-specific settings |
+| `WorkflowCredentialId` | int | No | Credential ID to use |
+| `IsEnabled` | bool | No | Enabled state (default: true) |
+
+**Response:** Created `WorkflowStepResult` object.
+
+### Update Step
+
+Updates an existing workflow step.
+
+```
+PUT /api/v4/workflows/{id}/steps/{stepId}
+```
+
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `id` | int | Workflow ID |
+| `stepId` | int | Step ID |
+
+**Request Body:** `WorkflowStepInput` (same as add).
+
+**Response:** Updated `WorkflowStepResult` object.
+
+### Delete Step
+
+Deletes a workflow step.
+
+```
+DELETE /api/v4/workflows/{id}/steps/{stepId}
+```
+
+**Response:** `200 OK` on success.
+
+## Workflow Credentials
+
+### List Credentials
+
+Returns all credentials for the department. Secret values are masked.
+
+```
+GET /api/v4/workflows/credentials
+```
+
+**Response:** Array of `WorkflowCredentialResult` objects (secrets shown as `••••••`).
+
+### Get Credential
+
+Returns a specific credential by ID. Secret values are masked.
+
+```
+GET /api/v4/workflows/credentials/{id}
+```
+
+**Response:** `WorkflowCredentialResult` object.
+
+### Create Credential
+
+Creates a new credential. Accepts plaintext secret values which are encrypted before storage.
+
+```
+POST /api/v4/workflows/credentials
+```
+
+**Request Body:** `WorkflowCredentialInput`
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `Name` | string | Yes | Friendly name (max 250 characters) |
+| `CredentialType` | int | Yes | Credential type enum value (see [Credential Types](#credential-types)) |
+| `Data` | object | Yes | Plaintext credential data (type-specific fields) |
+
+**Response:** Created `WorkflowCredentialResult` object (secrets masked).
+
+:::warning Write-Only Secrets
+Credential secret values are encrypted at rest and never returned in API responses. You can only set them when creating or updating a credential.
+:::
+
+### Update Credential
+
+Updates an existing credential. Existing secrets are preserved unless new values are provided.
+
+```
+PUT /api/v4/workflows/credentials/{id}
+```
+
+**Response:** Updated `WorkflowCredentialResult` object.
+
+### Delete Credential
+
+Deletes a credential. Workflows referencing this credential will fail on next execution.
+
+```
+DELETE /api/v4/workflows/credentials/{id}
+```
+
+**Response:** `200 OK` on success.
+
+## Workflow Testing
+
+### Test Workflow
+
+Manually triggers a workflow with a sample event payload for testing purposes.
+
+```
+POST /api/v4/workflows/{id}/test
+```
+
+**Request Body:** `WorkflowTestInput`
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `EventPayloadJson` | string | No | Custom JSON payload (uses sample data if omitted) |
+
+**Response:** `WorkflowRunResult` object with execution details.
+
+## Workflow Runs
+
+### List Runs by Workflow
+
+Returns paginated runs for a specific workflow.
+
+```
+GET /api/v4/workflows/{id}/runs?page={page}&pageSize={pageSize}
+```
+
+| Parameter | Type | Default | Description |
+|-----------|------|---------|-------------|
+| `id` | int | — | Workflow ID |
+| `page` | int | 1 | Page number |
+| `pageSize` | int | 20 | Results per page |
+
+**Response:** Array of `WorkflowRunResult` objects.
+
+### List All Runs
+
+Returns paginated runs for the entire department.
+
+```
+GET /api/v4/workflows/runs?page={page}&pageSize={pageSize}
+```
+
+**Response:** Array of `WorkflowRunResult` objects.
+
+### List Pending Runs
+
+Returns all pending and in-progress runs for the department.
+
+```
+GET /api/v4/workflows/runs/pending
+```
+
+**Response:** Array of `WorkflowRunResult` objects.
+
+### Get Run Logs
+
+Returns detailed step-by-step logs for a specific run.
+
+```
+GET /api/v4/workflows/runs/{runId}/logs
+```
+
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `runId` | long | Workflow Run ID |
+
+**Response:** Array of `WorkflowRunLogResult` objects.
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `WorkflowRunLogId` | long | Log entry ID |
+| `WorkflowStepId` | int | Step that was executed |
+| `Status` | int | Step execution status |
+| `RenderedOutput` | string | The Scriban-rendered content |
+| `ActionResult` | string | HTTP status, SMTP response, etc. |
+| `ErrorMessage` | string | Error details (if failed) |
+| `StartedOn` | datetime | Step start time |
+| `CompletedOn` | datetime | Step completion time |
+| `DurationMs` | long | Step execution time in milliseconds |
+
+### Cancel Run
+
+Cancels a pending workflow run.
+
+```
+POST /api/v4/workflows/runs/{runId}/cancel
+```
+
+**Response:** `200 OK` on success. Returns error if the run is already completed.
+
+### Clear Pending Runs
+
+Cancels all pending runs for the department.
+
+```
+POST /api/v4/workflows/runs/clear
+```
+
+**Response:** `200 OK` with count of cancelled runs.
+
+## Workflow Health
+
+Returns health metrics for a specific workflow.
+
+```
+GET /api/v4/workflows/{id}/health
+```
+
+**Response:** `WorkflowHealthResult`
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `TotalRuns24h` | int | Total runs in last 24 hours |
+| `SuccessRuns24h` | int | Successful runs in last 24 hours |
+| `FailedRuns24h` | int | Failed runs in last 24 hours |
+| `TotalRuns7d` | int | Total runs in last 7 days |
+| `SuccessRuns7d` | int | Successful runs in last 7 days |
+| `FailedRuns7d` | int | Failed runs in last 7 days |
+| `TotalRuns30d` | int | Total runs in last 30 days |
+| `SuccessRuns30d` | int | Successful runs in last 30 days |
+| `FailedRuns30d` | int | Failed runs in last 30 days |
+| `SuccessRatePercent` | double | Overall success rate percentage |
+| `AverageDurationMs` | long | Average run duration in milliseconds |
+| `LastRunOn` | datetime | Timestamp of last execution |
+| `LastError` | string | Most recent error message |
+
+## Event Types
+
+Returns the list of available trigger event types with display names and descriptions.
+
+```
+GET /api/v4/workflows/eventtypes
+```
+
+**Response:** Array of event type descriptors with available template variables for each.
+
+### Event Type Enum Values
+
+| Value | Name | Description |
+|-------|------|-------------|
+| 0 | CallAdded | New call/dispatch created |
+| 1 | CallUpdated | Existing call updated |
+| 2 | CallClosed | Call closed |
+| 3 | UnitStatusChanged | Unit status changed |
+| 4 | PersonnelStaffingChanged | Personnel staffing level changed |
+| 5 | PersonnelStatusChanged | Personnel action status changed |
+| 6 | UserCreated | New user added to department |
+| 7 | UserAssignedToGroup | User assigned to a group |
+| 8 | DocumentAdded | Document uploaded |
+| 9 | NoteAdded | Note created |
+| 10 | UnitAdded | Unit created |
+| 11 | LogAdded | Log entry created |
+| 12 | CalendarEventAdded | Calendar event created |
+| 13 | CalendarEventUpdated | Calendar event updated |
+| 14 | ShiftCreated | Shift created |
+| 15 | ShiftUpdated | Shift updated |
+| 16 | ResourceOrderAdded | Resource order created |
+| 17 | ShiftTradeRequested | Shift trade requested |
+| 18 | ShiftTradeFilled | Shift trade filled |
+| 19 | MessageSent | New message sent |
+| 20 | TrainingAdded | Training created |
+| 21 | TrainingUpdated | Training updated |
+| 22 | InventoryAdjusted | Inventory quantity changed |
+| 23 | CertificationExpiring | Certification nearing expiry |
+| 24 | FormSubmitted | Form submitted |
+| 25 | PersonnelRoleChanged | User role assignment changed |
+| 26 | GroupAdded | Department group created |
+| 27 | GroupUpdated | Department group updated |
+
+## Action Types
+
+### Action Type Enum Values
+
+| Value | Name | Description |
+|-------|------|-------------|
+| 0 | SendEmail | Send email via SMTP |
+| 1 | SendSms | Send SMS via Twilio |
+| 2 | CallApiGet | HTTP GET request |
+| 3 | CallApiPost | HTTP POST request |
+| 4 | CallApiPut | HTTP PUT request |
+| 5 | CallApiDelete | HTTP DELETE request |
+| 6 | UploadFileFtp | Upload file via FTP |
+| 7 | UploadFileSftp | Upload file via SFTP |
+| 8 | UploadFileS3 | Upload file to Amazon S3 |
+| 9 | SendTeamsMessage | Post message to Microsoft Teams |
+| 10 | SendSlackMessage | Post message to Slack |
+| 11 | SendDiscordMessage | Post message to Discord |
+| 12 | UploadFileAzureBlob | Upload file to Azure Blob Storage |
+| 13 | UploadFileBox | Upload file to Box |
+| 14 | UploadFileDropbox | Upload file to Dropbox |
+
+## Credential Types
+
+### Credential Type Enum Values
+
+| Value | Name | Description |
+|-------|------|-------------|
+| 0 | Smtp | SMTP email server |
+| 1 | Twilio | Twilio SMS service |
+| 2 | Ftp | FTP server |
+| 3 | Sftp | SFTP server |
+| 4 | AwsS3 | Amazon S3 |
+| 5 | HttpBearer | HTTP Bearer token authentication |
+| 6 | HttpBasic | HTTP Basic authentication |
+| 7 | HttpApiKey | HTTP API Key authentication |
+| 8 | MicrosoftTeams | Microsoft Teams Incoming Webhook |
+| 9 | Slack | Slack Incoming Webhook |
+| 10 | Discord | Discord Webhook |
+| 11 | AzureBlobStorage | Azure Blob Storage |
+| 12 | Box | Box cloud storage |
+| 13 | Dropbox | Dropbox cloud storage |
+
+## Run Status Values
+
+| Value | Name | Description |
+|-------|------|-------------|
+| 0 | Pending | Queued for processing |
+| 1 | Running | Currently executing |
+| 2 | Completed | Finished successfully |
+| 3 | Failed | Failed after all retries |
+| 4 | Cancelled | Cancelled by user |
+| 5 | Retrying | Failed, waiting for retry |
diff --git a/docs/configuration/workflows.md b/docs/configuration/workflows.md
new file mode 100644
index 0000000..5959bd0
--- /dev/null
+++ b/docs/configuration/workflows.md
@@ -0,0 +1,552 @@
+---
+sidebar_position: 22
+---
+
+# Workflows
+
+Workflows in Resgrid provide an event-driven automation engine that connects system events to external actions. When something happens in the system — a call is created, a unit changes status, a personnel staffing level changes — workflows can automatically send emails, post messages to Slack or Teams, call external APIs, upload files to cloud storage, and more. Each workflow uses Scriban templates to transform event data into the exact output format your external systems require.
+
+## Why Workflows Matter
+
+Departments increasingly need to integrate Resgrid with external systems — CAD platforms, records management systems, alerting services, analytics dashboards, communication channels, and cloud storage. Without workflows, these integrations require custom development or manual processes. Workflows let department admins create these integrations through the web interface without writing code, using a visual template editor with preview capabilities.
+
+## Scope
+
+Workflows are department-wide. Each workflow subscribes to a specific system event type and runs for every occurrence of that event within the department. Multiple workflows can subscribe to the same event type. Workflow management is restricted to **Department Admins** by default.
+
+## How Workflows Work
+
+1. A system event occurs (e.g., a new call is dispatched)
+2. Resgrid checks for active workflows that subscribe to that event type
+3. For each matching workflow, the event data is enqueued for background processing
+4. Each workflow's steps are executed in order:
+   - The event data is merged with department and user context
+   - The step's Scriban template transforms the data into the desired output
+   - The configured action executes (send email, call API, etc.)
+5. Results are recorded — every execution and every step is fully logged
+
+:::info Asynchronous Processing
+Workflow execution happens asynchronously in the background via a message queue. This ensures workflows never slow down the core system — a new call is dispatched immediately, and the workflow processing happens separately.
+:::
+
+## Setting Up Your First Workflow
+
+### Step 1: Create Credentials (if needed)
+
+If your workflow needs to send emails, SMS messages, or connect to external services, you'll need to store the authentication credentials first.
+
+Navigate to **Department → Workflows → Credentials** and click **New Credential**.
+
+Select the credential type and fill in the required fields:
+
+| Credential Type | Required Fields |
+|----------------|-----------------|
+| SMTP | Host, Port, Username, Password, Use SSL, From Address |
+| Twilio | Account SID, Auth Token, From Number |
+| HTTP Bearer | Bearer Token |
+| HTTP Basic | Username, Password |
+| HTTP API Key | Header Name, API Key Value |
+| FTP | Host, Port, Username, Password |
+| SFTP | Host, Port, Username, Password or Private Key |
+| AWS S3 | Access Key, Secret Key, Region, Bucket |
+| Microsoft Teams | Incoming Webhook URL |
+| Slack | Incoming Webhook URL |
+| Discord | Webhook URL |
+| Azure Blob Storage | Connection String (or Account Name + Account Key), Container Name |
+| Box | Developer Token or JWT credentials (Client ID, Client Secret, Enterprise ID, Private Key) |
+| Dropbox | App Key, App Secret, OAuth2 Refresh Token |
+
+:::tip Credential Security
+All credential secret values are encrypted at rest using AES-256 encryption with department-specific key derivation. Each department's secrets are cryptographically isolated. Secret values are **write-only** — they are never displayed in the UI or returned via the API after creation.
+:::
+
+### Step 2: Create a Workflow
+
+Navigate to **Department → Workflows** and click **New Workflow**.
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| Name | Yes | A descriptive name (e.g., "Send call alerts to Slack") |
+| Description | No | Optional description of the workflow's purpose |
+| Trigger Event Type | Yes | The system event that triggers this workflow |
+| Enabled | Yes | Whether the workflow is active (default: enabled) |
+| Max Retry Count | No | Number of retry attempts on failure (default: 3) |
+| Retry Backoff Base | No | Base delay in seconds for exponential backoff (default: 5) |
+
+### Step 3: Add Steps
+
+After creating the workflow, add one or more steps. Each step defines a specific action to take with the event data.
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| Action Type | Yes | What to do (send email, call API, etc.) |
+| Credential | Conditional | The stored credential to use for authentication |
+| Output Template | Yes | A Scriban template that transforms the event data |
+| Action Configuration | Conditional | Action-specific settings (recipients, URLs, etc.) |
+| Step Order | Yes | Execution order when multiple steps exist |
+| Enabled | Yes | Whether this step is active |
+
+### Step 4: Write a Template
+
+The template editor provides:
+
+- **Scriban syntax highlighting** via the embedded Ace Editor
+- **Variable side panel** showing all available variables for the selected event type
+- **Preview** to render the template with sample data
+- **Test** to execute the workflow with sample data and see real results
+
+#### Example: Slack Notification for New Calls
+
+```
+🚨 *New Call: {{ call.name }}*
+
+*Nature:* {{ call.nature }}
+*Priority:* {{ call.priority_text }}
+*Address:* {{ call.address }}
+*Logged:* {{ call.logged_on | date.to_string "%Y-%m-%d %H:%M" }}
+*Reported By:* {{ user.full_name }}
+
+Department: {{ department.name }}
+```
+
+#### Example: JSON Payload for an API POST
+
+```json
+{
+  "event": "call_added",
+  "department": "{{ department.name }}",
+  "call": {
+    "id": {{ call.id }},
+    "name": "{{ call.name }}",
+    "nature": "{{ call.nature }}",
+    "priority": {{ call.priority }},
+    "address": "{{ call.address }}",
+    "loggedOn": "{{ call.logged_on | date.to_string "%Y-%m-%dT%H:%M:%SZ" }}"
+  },
+  "reportedBy": "{{ user.full_name }}"
+}
+```
+
+#### Example: Email Body for Unit Status Changes
+
+```html
+<h2>Unit Status Change</h2>
+<p><strong>Unit:</strong> {{ unit.name }} ({{ unit.type }})</p>
+<p><strong>New Status:</strong> {{ unit_status.state_text }}</p>
+<p><strong>Previous Status:</strong> {{ previous_unit_status.state_text }}</p>
+<p><strong>Time:</strong> {{ unit_status.timestamp | date.to_string "%H:%M:%S" }}</p>
+{% if unit_status.note != "" %}
+<p><strong>Note:</strong> {{ unit_status.note }}</p>
+{% end %}
+<hr>
+<p><em>{{ department.name }} — {{ timestamp.department_now | date.to_string "%Y-%m-%d %H:%M" }}</em></p>
+```
+
+#### Example: Conditional Template for Certification Expiration
+
+```
+{% if certification.days_until_expiry <= 7 %}
+⚠️ URGENT: {{ user.full_name }}'s certification "{{ certification.name }}" expires in {{ certification.days_until_expiry }} days!
+{% else %}
+📋 Reminder: {{ user.full_name }}'s certification "{{ certification.name }}" expires on {{ certification.expires_on | date.to_string "%Y-%m-%d" }} ({{ certification.days_until_expiry }} days remaining).
+{% end %}
+```
+
+## Trigger Event Types
+
+The following system events can trigger workflows:
+
+### Call Events
+
+| Event | Description | Key Variables |
+|-------|-------------|---------------|
+| Call Added | New call/dispatch created | `call.*`, `user.*` (reporting user) |
+| Call Updated | Existing call updated | `call.*`, `user.*` (reporting user) |
+| Call Closed | Call closed | `call.*`, `user.*` (reporting user) |
+
+### Personnel Events
+
+| Event | Description | Key Variables |
+|-------|-------------|---------------|
+| Personnel Staffing Changed | Staffing level changed | `staffing.*`, `previous_staffing.*`, `user.*` |
+| Personnel Status Changed | Action status changed | `status.*`, `previous_status.*`, `user.*` |
+| User Created | New user added to department | `new_user.*` |
+| User Assigned to Group | User assigned to a group | `assigned_user.*`, `group.*`, `previous_group.*` |
+| Personnel Role Changed | Role assignment changed | `role_change.*`, `user.*` |
+
+### Unit Events
+
+| Event | Description | Key Variables |
+|-------|-------------|---------------|
+| Unit Status Changed | Unit status changed | `unit_status.*`, `unit.*`, `previous_unit_status.*` |
+| Unit Added | New unit created | `unit.*` |
+
+### Group Events
+
+| Event | Description | Key Variables |
+|-------|-------------|---------------|
+| Group Added | Department group created | `group.*` |
+| Group Updated | Department group updated | `group.*` |
+
+### Scheduling Events
+
+| Event | Description | Key Variables |
+|-------|-------------|---------------|
+| Shift Created | Shift created | `shift.*` |
+| Shift Updated | Shift updated | `shift.*` |
+| Shift Trade Requested | Trade requested | `shift_trade.*` |
+| Shift Trade Filled | Trade completed | `shift_trade.*`, `user.*` |
+| Calendar Event Added | Calendar event created | `calendar.*`, `user.*` |
+| Calendar Event Updated | Calendar event updated | `calendar.*`, `user.*` |
+
+### Content Events
+
+| Event | Description | Key Variables |
+|-------|-------------|---------------|
+| Document Added | Document uploaded | `document.*`, `user.*` |
+| Note Added | Note created | `note.*`, `user.*` |
+| Log Added | Log entry created | `log.*`, `user.*` |
+| Message Sent | Message sent | `message.*`, `user.*` |
+| Training Added | Training created | `training.*`, `user.*` |
+| Training Updated | Training updated | `training.*`, `user.*` |
+| Form Submitted | Form submitted | `form.*`, `user.*` |
+
+### Operational Events
+
+| Event | Description | Key Variables |
+|-------|-------------|---------------|
+| Resource Order Added | Resource order created | `order.*` |
+| Inventory Adjusted | Inventory changed | `inventory.*`, `user.*` |
+| Certification Expiring | Certification nearing expiry | `certification.*`, `user.*` |
+
+## Template Variables
+
+Every workflow template has access to three categories of variables:
+
+### Common Variables (Always Available)
+
+These are available in every workflow regardless of trigger event type:
+
+#### Department Variables
+
+| Variable | Description |
+|----------|-------------|
+| `{{ department.id }}` | Department ID |
+| `{{ department.name }}` | Department name |
+| `{{ department.code }}` | 4-character department code |
+| `{{ department.type }}` | Department type (Fire, EMS, etc.) |
+| `{{ department.time_zone }}` | Department time zone |
+| `{{ department.use_24_hour_time }}` | 24-hour time preference (true/false) |
+| `{{ department.address.street }}` | Street address |
+| `{{ department.address.city }}` | City |
+| `{{ department.address.state }}` | State/Province |
+| `{{ department.address.postal_code }}` | Postal/ZIP code |
+| `{{ department.address.country }}` | Country |
+| `{{ department.address.full }}` | Full formatted address |
+| `{{ department.phone_number }}` | Department phone number |
+
+#### Timestamp Variables
+
+| Variable | Description |
+|----------|-------------|
+| `{{ timestamp.utc_now }}` | Current UTC timestamp |
+| `{{ timestamp.department_now }}` | Current time in department's time zone |
+| `{{ timestamp.date }}` | Current date (department TZ) as `yyyy-MM-dd` |
+| `{{ timestamp.time }}` | Current time (department TZ) |
+| `{{ timestamp.day_of_week }}` | Day name (e.g., "Monday") |
+
+#### User Variables (Triggering User)
+
+Populated from the user who triggered the event. Empty if no specific user is associated with the event.
+
+| Variable | Description |
+|----------|-------------|
+| `{{ user.id }}` | User ID |
+| `{{ user.first_name }}` | First name |
+| `{{ user.last_name }}` | Last name |
+| `{{ user.full_name }}` | Full name ("First Last") |
+| `{{ user.email }}` | Email address |
+| `{{ user.mobile_number }}` | Mobile phone number |
+| `{{ user.home_number }}` | Home phone number |
+| `{{ user.identification_number }}` | ID/badge number |
+| `{{ user.username }}` | Login username |
+| `{{ user.time_zone }}` | User's personal time zone |
+
+### Event-Specific Variables
+
+Each trigger event type adds its own set of variables. For the complete reference of all event-specific variables, see the [Workflow Template Variable Reference](../reference/workflow-variables) page.
+
+## Action Types
+
+### Send Email
+
+Sends an email via a department-supplied SMTP server. The Scriban template renders the **HTML email body**.
+
+**Credential:** SMTP  
+**Action Config:** To, CC (optional), Subject
+
+### Send SMS
+
+Sends an SMS via Twilio. The Scriban template renders the **message body**.
+
+**Credential:** Twilio  
+**Action Config:** To number(s)
+
+### Send Teams Message
+
+Posts a message to Microsoft Teams via an Incoming Webhook URL. The Scriban template renders the **message body** — either plain text or an Adaptive Card JSON payload.
+
+**Credential:** Microsoft Teams (webhook URL)  
+**Action Config:** Title (optional), Theme Color (optional)
+
+### Send Slack Message
+
+Posts a message to Slack via an Incoming Webhook URL. The Scriban template renders the **message text** (supports Slack mrkdwn formatting).
+
+**Credential:** Slack (webhook URL)  
+**Action Config:** Channel override (optional), Username (optional), Icon Emoji (optional)
+
+### Send Discord Message
+
+Posts a message to Discord via a Webhook URL. The Scriban template renders the **message content**. If the rendered content is valid embed JSON, it is sent as a rich embed.
+
+**Credential:** Discord (webhook URL)  
+**Action Config:** Username override (optional), Avatar URL (optional)
+
+### Call API (GET / POST / PUT / DELETE)
+
+Sends an HTTP request to an external API endpoint. For POST and PUT, the Scriban template renders the **request body**. For GET and DELETE, the template is not used as a body.
+
+**Credential:** Optional — HTTP Bearer, HTTP Basic, or HTTP API Key  
+**Action Config:** URL, Headers (optional), Content Type (optional, default: `application/json`)
+
+### Upload File (FTP / SFTP)
+
+Uploads a file to an FTP or SFTP server. The Scriban template renders the **file content**.
+
+**Credential:** FTP or SFTP  
+**Action Config:** Remote Path, Filename template
+
+### Upload File (S3)
+
+Uploads a file to Amazon S3. The Scriban template renders the **file content**.
+
+**Credential:** AWS S3  
+**Action Config:** S3 key/path
+
+### Upload File (Azure Blob)
+
+Uploads a file to Azure Blob Storage. The Scriban template renders the **file content**.
+
+**Credential:** Azure Blob Storage  
+**Action Config:** Blob name/path template, Content Type (optional)
+
+### Upload File (Box)
+
+Uploads a file to Box cloud storage. The Scriban template renders the **file content**.
+
+**Credential:** Box (JWT or Developer Token)  
+**Action Config:** Folder ID, Filename template
+
+### Upload File (Dropbox)
+
+Uploads a file to Dropbox. The Scriban template renders the **file content**.
+
+**Credential:** Dropbox (OAuth2)  
+**Action Config:** Target path, Filename template, Write Mode (optional, default: add)
+
+## Retry Behavior
+
+When a workflow step fails, automatic retries are attempted with exponential backoff:
+
+| Attempt | Delay |
+|---------|-------|
+| 1st retry | `base × 2⁰` = 5 seconds (default) |
+| 2nd retry | `base × 2¹` = 10 seconds |
+| 3rd retry | `base × 2²` = 20 seconds |
+
+- If retries are exhausted, the run is marked as **Failed** with the final error message.
+- All attempts are recorded in the run logs for auditing.
+- You can configure `Max Retry Count` and `Retry Backoff Base` per workflow.
+
+## Rate Limiting
+
+Workflow execution is rate-limited to **60 executions per minute per department** by default. If a department exceeds this limit, additional workflow events are skipped and a warning is logged. This prevents a single department from overwhelming the system.
+
+## Monitoring Workflow Runs
+
+### Viewing Run History
+
+Navigate to **Department → Workflows → Runs** to see a paginated list of all workflow executions. Each run shows:
+
+- Timestamp, workflow name, status (color-coded), duration, attempt number, and error summary
+- Click to expand and see per-step details (rendered output, action result, errors, duration)
+
+### Health Dashboard
+
+Navigate to **Department → Workflows** and click **Health** on a workflow to see:
+
+- Success/failure counts over 24h, 7d, and 30d
+- Success rate percentage
+- Average execution duration
+- Last run timestamp and last error
+- Recent run timeline
+
+### Managing Pending Runs
+
+Navigate to **Department → Workflows → Pending** to see all currently queued or in-progress executions. You can:
+
+- **Cancel** a specific pending run
+- **Clear All** pending runs for the entire department
+
+:::warning Clearing Pending Runs
+Clearing all pending runs is a destructive action. Cancelled runs are not retried and the associated events will not trigger the workflow again.
+:::
+
+## Scriban Template Syntax Reference
+
+Workflows use [Scriban](https://github.com/scriban/scriban) as the template engine. Here is a quick syntax reference:
+
+### Variable Output
+
+```
+{{ variable_name }}
+{{ object.property }}
+```
+
+### Conditionals
+
+```
+{% if call.is_critical %}
+CRITICAL ALERT
+{% else %}
+Standard notification
+{% end %}
+```
+
+### Loops
+
+```
+{% for item in collection %}
+- {{ item.name }}
+{% end %}
+```
+
+### Date Formatting
+
+```
+{{ call.logged_on | date.to_string "%Y-%m-%d %H:%M:%S" }}
+```
+
+### String Functions
+
+```
+{{ call.name | string.upcase }}
+{{ call.nature | string.truncate 100 }}
+{{ call.address | string.replace " " "+" }}
+```
+
+### Default Values
+
+```
+{{ call.notes | object.default "No notes provided" }}
+```
+
+For full Scriban documentation, see the [Scriban Language Reference](https://github.com/scriban/scriban/blob/master/doc/language.md).
+
+## Common Workflow Recipes
+
+### Send a Slack Alert for High-Priority Calls
+
+**Trigger:** Call Added  
+**Action:** Send Slack Message  
+
+```
+{% if call.priority <= 1 %}
+🚨 *HIGH PRIORITY CALL*
+
+*{{ call.name }}*
+Priority: {{ call.priority_text }}
+Nature: {{ call.nature }}
+Address: {{ call.address }}
+Reported by: {{ user.full_name }}
+Time: {{ call.logged_on | date.to_string "%H:%M" }}
+{% end %}
+```
+
+### Post Call Data to an External CAD System
+
+**Trigger:** Call Added  
+**Action:** Call API (POST)  
+
+```json
+{
+  "incidentId": "{{ call.incident_number }}",
+  "name": "{{ call.name }}",
+  "nature": "{{ call.nature }}",
+  "priority": {{ call.priority }},
+  "address": "{{ call.address }}",
+  "coordinates": "{{ call.geo_location }}",
+  "reportedBy": "{{ user.full_name }}",
+  "department": "{{ department.name }}",
+  "timestamp": "{{ call.logged_on | date.to_string "%Y-%m-%dT%H:%M:%SZ" }}"
+}
+```
+
+### Email Alert When Certification Is Expiring
+
+**Trigger:** Certification Expiring  
+**Action:** Send Email  
+**Subject:** `Certification Expiring: {{ certification.name }}`
+
+```html
+<h2>Certification Expiration Notice</h2>
+<p>The following certification is expiring soon:</p>
+<table>
+  <tr><td><strong>Person:</strong></td><td>{{ user.full_name }}</td></tr>
+  <tr><td><strong>Certification:</strong></td><td>{{ certification.name }}</td></tr>
+  <tr><td><strong>Number:</strong></td><td>{{ certification.number }}</td></tr>
+  <tr><td><strong>Expires:</strong></td><td>{{ certification.expires_on | date.to_string "%Y-%m-%d" }}</td></tr>
+  <tr><td><strong>Days Remaining:</strong></td><td>{{ certification.days_until_expiry }}</td></tr>
+</table>
+<p><em>This is an automated alert from {{ department.name }}.</em></p>
+```
+
+### Upload Call Report to S3
+
+**Trigger:** Call Closed  
+**Action:** Upload File (S3)  
+**S3 Key:** `reports/calls/{{ call.id }}-{{ call.logged_on | date.to_string "%Y%m%d" }}.json`
+
+```json
+{
+  "callId": {{ call.id }},
+  "name": "{{ call.name }}",
+  "nature": "{{ call.nature }}",
+  "address": "{{ call.address }}",
+  "priority": "{{ call.priority_text }}",
+  "loggedOn": "{{ call.logged_on | date.to_string "%Y-%m-%dT%H:%M:%SZ" }}",
+  "closedOn": "{{ call.closed_on | date.to_string "%Y-%m-%dT%H:%M:%SZ" }}",
+  "completedNotes": "{{ call.completed_notes }}",
+  "department": "{{ department.name }}"
+}
+```
+
+### Notify Discord When Inventory Runs Low
+
+**Trigger:** Inventory Adjusted  
+**Action:** Send Discord Message  
+
+```
+{% if inventory.amount < 10 %}
+⚠️ **Low Inventory Alert**
+
+**Item:** {{ inventory.type_name }}
+**Current Amount:** {{ inventory.amount }} {{ inventory.unit_of_measure }}
+**Previous Amount:** {{ inventory.previous_amount }}
+**Location:** {{ inventory.location }}
+**Adjusted by:** {{ user.full_name }}
+
+_{{ department.name }} — {{ timestamp.department_now | date.to_string "%Y-%m-%d %H:%M" }}_
+{% end %}
+```
diff --git a/docs/reference/workflow-variables.md b/docs/reference/workflow-variables.md
new file mode 100644
index 0000000..8bdb30d
--- /dev/null
+++ b/docs/reference/workflow-variables.md
@@ -0,0 +1,518 @@
+---
+sidebar_position: 7
+title: Workflow Template Variables
+---
+
+# Workflow Template Variable Reference
+
+This page provides the complete reference for all template variables available in Resgrid Workflows. Variables use [Scriban](https://github.com/scriban/scriban) syntax: `{{ variable.property }}`.
+
+Every workflow template has access to **common variables** (department, timestamp, user) plus **event-specific variables** that depend on the trigger event type.
+
+## Common Variables
+
+These variables are available in **every** workflow regardless of trigger event type.
+
+### Department Variables
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ department.id }}` | int | Department ID |
+| `{{ department.name }}` | string | Department name |
+| `{{ department.code }}` | string | 4-character department code |
+| `{{ department.type }}` | string | Department type (Fire, EMS, etc.) |
+| `{{ department.time_zone }}` | string | Department time zone ID |
+| `{{ department.use_24_hour_time }}` | bool | 24-hour time preference |
+| `{{ department.created_on }}` | datetime | Department creation date |
+| `{{ department.address.street }}` | string | Street address |
+| `{{ department.address.city }}` | string | City |
+| `{{ department.address.state }}` | string | State/Province |
+| `{{ department.address.postal_code }}` | string | Postal/ZIP code |
+| `{{ department.address.country }}` | string | Country |
+| `{{ department.address.full }}` | string | Full formatted address |
+| `{{ department.phone_number }}` | string | Department phone number (from settings) |
+
+### Timestamp Variables
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ timestamp.utc_now }}` | datetime | Current UTC timestamp |
+| `{{ timestamp.department_now }}` | datetime | Current time in department's time zone |
+| `{{ timestamp.date }}` | string | Current date (department TZ) as `yyyy-MM-dd` |
+| `{{ timestamp.time }}` | string | Current time (department TZ) as `HH:mm:ss` or `hh:mm tt` |
+| `{{ timestamp.day_of_week }}` | string | Day name (e.g., "Monday") |
+
+### User Variables (Triggering User)
+
+Populated from the user who triggered the event. If no specific user is associated with the event (e.g., Unit Added, Shift Created), these variables are empty/null.
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ user.id }}` | string | User ID |
+| `{{ user.first_name }}` | string | First name |
+| `{{ user.last_name }}` | string | Last name |
+| `{{ user.full_name }}` | string | Full name ("First Last") |
+| `{{ user.email }}` | string | Email address |
+| `{{ user.mobile_number }}` | string | Mobile phone number |
+| `{{ user.home_number }}` | string | Home phone number |
+| `{{ user.identification_number }}` | string | ID/badge number |
+| `{{ user.username }}` | string | Login username |
+| `{{ user.time_zone }}` | string | User's personal time zone |
+
+---
+
+## Event-Specific Variables
+
+### Call Added / Call Updated / Call Closed
+
+**Triggering user:** The reporting user (`Call.ReportingUserId`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ call.id }}` | int | Call ID |
+| `{{ call.number }}` | string | Call number |
+| `{{ call.name }}` | string | Call name |
+| `{{ call.nature }}` | string | Nature of call |
+| `{{ call.notes }}` | string | Call notes |
+| `{{ call.address }}` | string | Call address |
+| `{{ call.geo_location }}` | string | GPS coordinates |
+| `{{ call.type }}` | string | Call type |
+| `{{ call.incident_number }}` | string | Incident number |
+| `{{ call.reference_number }}` | string | Reference number |
+| `{{ call.map_page }}` | string | Map page reference |
+| `{{ call.priority }}` | int | Priority level |
+| `{{ call.priority_text }}` | string | Priority as text (Low, Medium, High, Emergency) |
+| `{{ call.is_critical }}` | bool | Whether the call is critical |
+| `{{ call.state }}` | int | Call state code |
+| `{{ call.state_text }}` | string | Call state as text (Active, Closed, etc.) |
+| `{{ call.source }}` | int | Call source code |
+| `{{ call.external_id }}` | string | External identifier |
+| `{{ call.logged_on }}` | datetime | When the call was logged |
+| `{{ call.closed_on }}` | datetime | When the call was closed (null if open) |
+| `{{ call.completed_notes }}` | string | Closure/completion notes |
+| `{{ call.contact_name }}` | string | Contact person name |
+| `{{ call.contact_number }}` | string | Contact phone number |
+| `{{ call.w3w }}` | string | What3Words location |
+| `{{ call.dispatch_count }}` | int | Number of dispatched resources |
+| `{{ call.dispatch_on }}` | datetime | When dispatch occurred |
+| `{{ call.form_data }}` | string | Custom form data |
+| `{{ call.is_deleted }}` | bool | Whether the call is deleted |
+| `{{ call.deleted_reason }}` | string | Deletion reason |
+
+---
+
+### Unit Status Changed
+
+**Triggering user:** None (unit-based event; `user.*` variables will be empty)
+
+#### Current Status
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ unit_status.id }}` | int | Unit state record ID |
+| `{{ unit_status.state }}` | int | Current state code |
+| `{{ unit_status.state_text }}` | string | Current state as text |
+| `{{ unit_status.timestamp }}` | datetime | When the status changed |
+| `{{ unit_status.note }}` | string | Status change note |
+| `{{ unit_status.latitude }}` | decimal | Latitude at time of change |
+| `{{ unit_status.longitude }}` | decimal | Longitude at time of change |
+| `{{ unit_status.destination_id }}` | int | Destination ID (if applicable) |
+
+#### Unit Details
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ unit.id }}` | int | Unit ID |
+| `{{ unit.name }}` | string | Unit name |
+| `{{ unit.type }}` | string | Unit type |
+| `{{ unit.vin }}` | string | Vehicle Identification Number |
+| `{{ unit.plate_number }}` | string | License plate number |
+| `{{ unit.station_group_id }}` | int | Assigned station group ID |
+
+#### Previous Status
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ previous_unit_status.state }}` | int | Previous state code |
+| `{{ previous_unit_status.state_text }}` | string | Previous state as text |
+| `{{ previous_unit_status.timestamp }}` | datetime | Previous status timestamp |
+
+---
+
+### Personnel Staffing Changed
+
+**Triggering user:** The user whose staffing changed (`UserState.UserId`)
+
+#### Current Staffing
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ staffing.id }}` | int | Staffing record ID |
+| `{{ staffing.state }}` | int | Current staffing state code |
+| `{{ staffing.state_text }}` | string | Staffing state as text (Available, Delayed, etc.) |
+| `{{ staffing.timestamp }}` | datetime | When the staffing changed |
+| `{{ staffing.note }}` | string | Staffing change note |
+
+#### Previous Staffing
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ previous_staffing.state }}` | int | Previous staffing state code |
+| `{{ previous_staffing.state_text }}` | string | Previous staffing state as text |
+| `{{ previous_staffing.timestamp }}` | datetime | Previous staffing timestamp |
+
+---
+
+### Personnel Status Changed
+
+**Triggering user:** The user whose status changed (`ActionLog.UserId`)
+
+#### Current Status
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ status.id }}` | int | Action log record ID |
+| `{{ status.action_type }}` | int | Action type code |
+| `{{ status.action_text }}` | string | Action as text (Standing By, Responding, etc.) |
+| `{{ status.timestamp }}` | datetime | When the status changed |
+| `{{ status.geo_location }}` | string | GPS coordinates at time of change |
+| `{{ status.destination_id }}` | int | Destination ID (if applicable) |
+| `{{ status.note }}` | string | Status change note |
+
+#### Previous Status
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ previous_status.action_type }}` | int | Previous action type code |
+| `{{ previous_status.action_text }}` | string | Previous action as text |
+| `{{ previous_status.timestamp }}` | datetime | Previous status timestamp |
+
+---
+
+### User Created
+
+**Triggering user:** The newly created user
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ new_user.id }}` | string | New user's ID |
+| `{{ new_user.username }}` | string | New user's username |
+| `{{ new_user.email }}` | string | New user's email |
+| `{{ new_user.name }}` | string | New user's display name |
+
+---
+
+### User Assigned to Group
+
+**Triggering user:** The user being assigned (`UserAssignedToGroupEvent.UserId`)
+
+#### Assigned User
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ assigned_user.id }}` | string | User ID |
+| `{{ assigned_user.name }}` | string | User name |
+
+#### New Group
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ group.id }}` | int | Group ID |
+| `{{ group.name }}` | string | Group name |
+| `{{ group.type }}` | int | Group type |
+| `{{ group.dispatch_email }}` | string | Group dispatch email |
+| `{{ group.latitude }}` | string | Group latitude |
+| `{{ group.longitude }}` | string | Group longitude |
+
+#### Previous Group
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ previous_group.id }}` | int | Previous group ID |
+| `{{ previous_group.name }}` | string | Previous group name |
+
+---
+
+### Document Added
+
+**Triggering user:** The user who uploaded the document (`Document.UserId`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ document.id }}` | int | Document ID |
+| `{{ document.name }}` | string | Document name |
+| `{{ document.category }}` | string | Document category |
+| `{{ document.description }}` | string | Document description |
+| `{{ document.type }}` | string | Document type |
+| `{{ document.filename }}` | string | Original filename |
+| `{{ document.admins_only }}` | bool | Whether restricted to admins |
+| `{{ document.added_on }}` | datetime | Upload timestamp |
+
+---
+
+### Note Added
+
+**Triggering user:** The user who created the note (`Note.UserId`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ note.id }}` | int | Note ID |
+| `{{ note.title }}` | string | Note title |
+| `{{ note.body }}` | string | Note body text |
+| `{{ note.color }}` | string | Note color |
+| `{{ note.category }}` | string | Note category |
+| `{{ note.is_admin_only }}` | bool | Whether restricted to admins |
+| `{{ note.added_on }}` | datetime | Creation timestamp |
+| `{{ note.expires_on }}` | datetime | Expiration date (if set) |
+
+---
+
+### Unit Added
+
+**Triggering user:** None
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ unit.id }}` | int | Unit ID |
+| `{{ unit.name }}` | string | Unit name |
+| `{{ unit.type }}` | string | Unit type |
+| `{{ unit.vin }}` | string | Vehicle Identification Number |
+| `{{ unit.plate_number }}` | string | License plate number |
+| `{{ unit.station_group_id }}` | int | Assigned station group ID |
+| `{{ unit.four_wheel }}` | bool | Four-wheel drive capability |
+| `{{ unit.special_permit }}` | bool | Special permit status |
+
+---
+
+### Log Added
+
+**Triggering user:** The user who created the log (`Log.LoggedByUserId`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ log.id }}` | int | Log ID |
+| `{{ log.narrative }}` | string | Log narrative |
+| `{{ log.type }}` | string | Log type name |
+| `{{ log.log_type }}` | int | Log type code |
+| `{{ log.external_id }}` | string | External identifier |
+| `{{ log.initial_report }}` | string | Initial report text |
+| `{{ log.course }}` | string | Training course name |
+| `{{ log.course_code }}` | string | Training course code |
+| `{{ log.instructors }}` | string | Instructor names |
+| `{{ log.cause }}` | string | Incident cause |
+| `{{ log.contact_name }}` | string | Contact person name |
+| `{{ log.contact_number }}` | string | Contact phone number |
+| `{{ log.location }}` | string | Log location |
+| `{{ log.started_on }}` | datetime | Activity start time |
+| `{{ log.ended_on }}` | datetime | Activity end time |
+| `{{ log.logged_on }}` | datetime | When the log was created |
+| `{{ log.other_agencies }}` | string | Other agencies involved |
+| `{{ log.other_units }}` | string | Other units involved |
+| `{{ log.other_personnel }}` | string | Other personnel involved |
+| `{{ log.call_id }}` | int | Associated call ID (if linked) |
+
+---
+
+### Calendar Event Added / Calendar Event Updated
+
+**Triggering user:** The event creator (`CalendarItem.CreatorUserId`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ calendar.id }}` | int | Calendar item ID |
+| `{{ calendar.title }}` | string | Event title |
+| `{{ calendar.description }}` | string | Event description |
+| `{{ calendar.location }}` | string | Event location |
+| `{{ calendar.start }}` | datetime | Start date/time |
+| `{{ calendar.end }}` | datetime | End date/time |
+| `{{ calendar.is_all_day }}` | bool | Whether it's an all-day event |
+| `{{ calendar.item_type }}` | int | Calendar item type code |
+| `{{ calendar.signup_type }}` | int | Signup type code |
+| `{{ calendar.is_public }}` | bool | Whether the event is public |
+
+---
+
+### Shift Created / Shift Updated
+
+**Triggering user:** None
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ shift.id }}` | int | Shift ID |
+| `{{ shift.name }}` | string | Shift name |
+| `{{ shift.code }}` | string | Shift code |
+| `{{ shift.schedule_type }}` | int | Schedule type code |
+| `{{ shift.assignment_type }}` | int | Assignment type code |
+| `{{ shift.color }}` | string | Display color |
+| `{{ shift.start_day }}` | datetime | Shift start day |
+| `{{ shift.start_time }}` | string | Shift start time |
+| `{{ shift.end_time }}` | string | Shift end time |
+| `{{ shift.hours }}` | int | Shift duration in hours |
+| `{{ shift.department_number }}` | string | Department number |
+
+---
+
+### Resource Order Added
+
+**Triggering user:** None (department-level event)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ order.id }}` | int | Resource order ID |
+| `{{ order.title }}` | string | Order title |
+| `{{ order.incident_number }}` | string | Incident number |
+| `{{ order.incident_name }}` | string | Incident name |
+| `{{ order.incident_address }}` | string | Incident address |
+| `{{ order.summary }}` | string | Order summary |
+| `{{ order.open_date }}` | datetime | Order open date |
+| `{{ order.needed_by }}` | datetime | Resources needed by date |
+| `{{ order.contact_name }}` | string | Contact person name |
+| `{{ order.contact_number }}` | string | Contact phone number |
+| `{{ order.special_instructions }}` | string | Special instructions |
+| `{{ order.meetup_location }}` | string | Meetup location |
+| `{{ order.financial_code }}` | string | Financial/billing code |
+
+---
+
+### Shift Trade Requested
+
+**Triggering user:** None
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ shift_trade.id }}` | int | Shift trade ID |
+| `{{ shift_trade.department_number }}` | string | Department number |
+
+---
+
+### Shift Trade Filled
+
+**Triggering user:** The user who filled the trade (`ShiftTradeFilledEvent.UserId`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ shift_trade.id }}` | int | Shift trade ID |
+| `{{ shift_trade.filled_by_user_id }}` | string | User who filled the trade |
+| `{{ shift_trade.department_number }}` | string | Department number |
+
+---
+
+### Message Sent
+
+**Triggering user:** The user who sent the message (`Message.SendingUserId`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ message.id }}` | int | Message ID |
+| `{{ message.subject }}` | string | Message subject |
+| `{{ message.body }}` | string | Message body |
+| `{{ message.is_broadcast }}` | bool | Whether it's a broadcast message |
+| `{{ message.sent_on }}` | datetime | When the message was sent |
+| `{{ message.type }}` | int | Message type code |
+| `{{ message.recipients }}` | string | Message recipients |
+| `{{ message.expire_on }}` | datetime | Message expiration date (if set) |
+
+---
+
+### Training Added / Training Updated
+
+**Triggering user:** The user who created the training (`Training.CreatedByUserId`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ training.id }}` | int | Training ID |
+| `{{ training.name }}` | string | Training name |
+| `{{ training.description }}` | string | Training description |
+| `{{ training.training_text }}` | string | Training content text |
+| `{{ training.minimum_score }}` | double | Minimum passing score |
+| `{{ training.created_on }}` | datetime | Creation date |
+| `{{ training.to_be_completed_by }}` | datetime | Completion deadline (if set) |
+
+---
+
+### Inventory Adjusted
+
+**Triggering user:** The user who made the adjustment (`Inventory.AddedByUserId`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ inventory.id }}` | int | Inventory record ID |
+| `{{ inventory.type_name }}` | string | Inventory type name |
+| `{{ inventory.type_description }}` | string | Inventory type description |
+| `{{ inventory.unit_of_measure }}` | string | Unit of measure |
+| `{{ inventory.batch }}` | string | Batch identifier |
+| `{{ inventory.note }}` | string | Adjustment note |
+| `{{ inventory.location }}` | string | Storage location |
+| `{{ inventory.amount }}` | double | Current amount |
+| `{{ inventory.previous_amount }}` | double | Amount before adjustment |
+| `{{ inventory.timestamp }}` | datetime | Adjustment timestamp |
+| `{{ inventory.group_id }}` | int | Group/station ID |
+
+---
+
+### Certification Expiring
+
+**Triggering user:** The user whose certification is expiring (`PersonnelCertification.UserId`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ certification.id }}` | int | Certification record ID |
+| `{{ certification.name }}` | string | Certification name |
+| `{{ certification.number }}` | string | Certification number |
+| `{{ certification.type }}` | string | Certification type |
+| `{{ certification.area }}` | string | Certification area/specialty |
+| `{{ certification.issued_by }}` | string | Issuing authority |
+| `{{ certification.expires_on }}` | datetime | Expiration date |
+| `{{ certification.received_on }}` | datetime | Date received |
+| `{{ certification.days_until_expiry }}` | int | Days until expiration |
+
+---
+
+### Form Submitted
+
+**Triggering user:** The user who submitted the form (`FormSubmittedEvent.SubmittedByUserId`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ form.id }}` | string | Form ID |
+| `{{ form.name }}` | string | Form name |
+| `{{ form.type }}` | int | Form type code |
+| `{{ form.submitted_data }}` | string | Submitted form data (JSON) |
+| `{{ form.submitted_by_user_id }}` | string | Submitting user ID |
+| `{{ form.submitted_on }}` | datetime | Submission timestamp |
+
+---
+
+### Personnel Role Changed
+
+**Triggering user:** The user whose role changed (`PersonnelRoleChangedEvent.UserId`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ role_change.user_id }}` | string | Affected user ID |
+| `{{ role_change.role_id }}` | int | Personnel role ID |
+| `{{ role_change.role_name }}` | string | Role name |
+| `{{ role_change.role_description }}` | string | Role description |
+| `{{ role_change.action }}` | string | "Added" or "Removed" |
+
+---
+
+### Group Added / Group Updated
+
+**Triggering user:** None
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ group.id }}` | int | Group ID |
+| `{{ group.name }}` | string | Group name |
+| `{{ group.type }}` | int | Group type code |
+| `{{ group.dispatch_email }}` | string | Dispatch email address |
+| `{{ group.message_email }}` | string | Message email address |
+| `{{ group.latitude }}` | string | Latitude |
+| `{{ group.longitude }}` | string | Longitude |
+| `{{ group.what3words }}` | string | What3Words location |
+| `{{ group.address.street }}` | string | Street address |
+| `{{ group.address.city }}` | string | City |
+| `{{ group.address.state }}` | string | State/Province |
+| `{{ group.address.postal_code }}` | string | Postal/ZIP code |
+| `{{ group.address.country }}` | string | Country |
diff --git a/docs/web-app/overview.md b/docs/web-app/overview.md
index 077e5f0..3191539 100644
--- a/docs/web-app/overview.md
+++ b/docs/web-app/overview.md
@@ -83,6 +83,7 @@ The User Area is organized into the following major feature areas:
 | [Voice & Audio](voice-audio) | Voice channels and audio streams | `VoiceController` |
 | [Connect](connect) | Public department profile and posts | `ConnectController` |
 | [Search](search) | Quick navigation search | `SearchController` |
+| [Workflows](workflows) | Event-driven automation engine with templates and external actions | `WorkflowsController` |
 
 ## Event System
 
@@ -100,9 +101,25 @@ The application uses an event aggregation system (`IEventAggregator`) to decoupl
 | `ShiftTradeFilledEvent` | Completing a shift trade | Confirms trade |
 | `AuditEvent` | Most write operations | Audit trail recording |
 | `SecurityRefreshEvent` | Permission changes | Cache invalidation |
-| `UnitAddedEvent` | Creating a unit | System integration |
-| `DocumentAddedEvent` | Uploading a document | Notification delivery |
-| `LogAddedEvent` | Creating a work log | Notification delivery |
+| `UnitAddedEvent` | Creating a unit | System integration, workflow triggers |
+| `DocumentAddedEvent` | Uploading a document | Notification delivery, workflow triggers |
+| `LogAddedEvent` | Creating a work log | Notification delivery, workflow triggers |
+| `NoteAddedEvent` | Creating a note | Workflow triggers |
+| `UserCreatedEvent` | Adding a user to department | Workflow triggers |
+| `UserAssignedToGroupEvent` | Assigning user to a group | Workflow triggers |
+| `UserStaffingEvent` | Personnel staffing change | Workflow triggers |
+| `UserStatusEvent` | Personnel status change | Workflow triggers |
+| `UnitStatusEvent` | Unit status change | Workflow triggers |
+| `ResourceOrderAddedEvent` | Creating a resource order | Workflow triggers |
+| `MessageSentEvent` | Sending a message | Workflow triggers |
+| `TrainingAddedEvent` | Creating a training | Workflow triggers |
+| `TrainingUpdatedEvent` | Updating a training | Workflow triggers |
+| `InventoryAdjustedEvent` | Adjusting inventory | Workflow triggers |
+| `CertificationExpiringEvent` | Certification nearing expiry | Workflow triggers (daily scheduled check) |
+| `FormSubmittedEvent` | Submitting a form | Workflow triggers |
+| `PersonnelRoleChangedEvent` | Changing user role assignment | Workflow triggers |
+| `GroupAddedEvent` | Creating a department group | Workflow triggers |
+| `GroupUpdatedEvent` | Updating a department group | Workflow triggers |
 
 ## Queue System
 
@@ -110,3 +127,4 @@ Time-sensitive operations like call dispatch use the `IQueueService` to enqueue
 
 - **Call Broadcast Queue** — Sends push notifications, SMS, and email to dispatched personnel
 - **CQRS Event Queue** — Handles cache clearing and other eventual-consistency operations
+- **Workflow Queue** — Processes workflow executions asynchronously (event → template rendering → action execution)
diff --git a/docs/web-app/workflows.md b/docs/web-app/workflows.md
new file mode 100644
index 0000000..56f8888
--- /dev/null
+++ b/docs/web-app/workflows.md
@@ -0,0 +1,349 @@
+---
+sidebar_position: 37
+title: Workflows
+---
+
+# Workflows
+
+The Workflows module provides a powerful event-driven automation engine that lets departments subscribe to system events, transform event data using templates, and execute configurable actions such as sending emails, SMS messages, calling APIs, posting to chat platforms, or uploading files to cloud storage. It is managed by the `WorkflowsController`.
+
+**Authorization:** Department Admins only. Access is controlled via `ClaimsAuthorizationHelper.IsUserDepartmentAdmin()`.
+
+**Navigation:** Department Menu → Workflows
+
+## Overview
+
+Workflows follow an **Event → Transform → Action** pipeline:
+
+```
+System Event Occurs → Match Active Workflows → Render Scriban Templates → Execute Action Steps → Log Results
+```
+
+1. A system event fires (e.g., a new call is created, a unit changes status)
+2. Resgrid evaluates all active workflows for the department that subscribe to that event type
+3. For each matching workflow, the event data is transformed using user-defined [Scriban](https://github.com/scriban/scriban) templates
+4. The rendered output is passed to the configured action (send email, call API, etc.)
+5. Every execution is fully audited with run logs and per-step details
+
+Workflow execution is **asynchronous** — events are enqueued to a message queue and processed in the background, ensuring no impact on the responsiveness of the core system.
+
+## Workflow List (Index)
+
+Displays all workflows configured for the department with:
+
+- **Status indicators** — Enabled/disabled toggle
+- **Last run status** — Color-coded badge (green = success, yellow = retrying, red = failed)
+- **Success rate** — Percentage badge based on recent runs
+- Quick links to create, edit, view runs, and enable/disable workflows
+
+## Creating a Workflow
+
+Navigate to **Department → Workflows** and click **New Workflow**.
+
+### Workflow Fields
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| Name | Yes | A descriptive name for the workflow (max 250 characters) |
+| Description | No | Optional description of the workflow's purpose (max 1000 characters) |
+| Trigger Event Type | Yes | The system event that triggers this workflow (see [Trigger Event Types](#trigger-event-types)) |
+| Enabled | Yes | Whether the workflow is active (default: enabled) |
+| Max Retry Count | No | Number of retry attempts on failure (default: 3) |
+| Retry Backoff Base (seconds) | No | Base delay for exponential backoff between retries (default: 5) |
+
+## Editing a Workflow
+
+The edit view allows you to modify the workflow settings and manage its steps inline.
+
+### Workflow Steps
+
+Each workflow can have one or more **steps** that execute in sequence. Each step defines:
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| Action Type | Yes | The action to perform (see [Action Types](#action-types)) |
+| Credential | Conditional | The stored credential to use (filtered by compatible credential types) |
+| Output Template | Yes | A [Scriban template](#template-editor) that transforms event data into the action's input |
+| Action Config | Conditional | Action-specific settings (e.g., email subject/recipients, API URL, S3 bucket) |
+| Enabled | Yes | Whether this step is active (default: enabled) |
+| Step Order | Yes | Execution order when multiple steps exist |
+
+Steps are executed sequentially in `Step Order`. If a step fails, subsequent steps still execute (failures are logged per-step). Disabled steps are skipped.
+
+### Template Editor
+
+The workflow editor embeds an **Ace Editor** with Scriban syntax highlighting for editing output templates. Features include:
+
+- **Syntax highlighting** for Scriban template syntax (`{{ variable }}`, `{% if %}`, loops, etc.)
+- **Variable side panel** — Lists all available template variables for the selected trigger event type (e.g., for `CallAdded`: `{{ call.name }}`, `{{ call.nature }}`, `{{ call.address }}`, etc.)
+- **Preview button** — Renders the template with sample data and shows the output inline
+- **Test button** — Triggers a real execution with sample data and shows the run result
+
+See the [Workflows Configuration](../configuration/workflows) page for the full template variable reference.
+
+## Trigger Event Types
+
+Workflows can subscribe to any of the following system events:
+
+| Event | Description |
+|-------|-------------|
+| **Call Added** | New call/dispatch created |
+| **Call Updated** | Existing call updated |
+| **Call Closed** | Call closed |
+| **Unit Status Changed** | Unit status changed |
+| **Personnel Staffing Changed** | Personnel staffing level changed |
+| **Personnel Status Changed** | Personnel action status changed |
+| **User Created** | New user added to department |
+| **User Assigned to Group** | User assigned to a group |
+| **Document Added** | Document uploaded |
+| **Note Added** | Note created |
+| **Unit Added** | Unit created |
+| **Log Added** | Log entry created |
+| **Calendar Event Added** | Calendar event created |
+| **Calendar Event Updated** | Calendar event updated |
+| **Shift Created** | Shift created |
+| **Shift Updated** | Shift updated |
+| **Resource Order Added** | Resource order created |
+| **Shift Trade Requested** | Shift trade requested |
+| **Shift Trade Filled** | Shift trade filled |
+| **Message Sent** | New message sent |
+| **Training Added** | Training created |
+| **Training Updated** | Training updated |
+| **Inventory Adjusted** | Inventory quantity changed |
+| **Certification Expiring** | Personnel certification nearing expiry |
+| **Form Submitted** | Form submitted |
+| **Personnel Role Changed** | User role assignment changed |
+| **Group Added** | Department group created |
+| **Group Updated** | Department group updated |
+
+## Action Types
+
+Each workflow step supports one of the following action types:
+
+### Communication Actions
+
+| Action | Description | Credential Required |
+|--------|-------------|---------------------|
+| **Send Email** | Sends an email via SMTP. Template renders the HTML email body. | SMTP (host, port, username, password, from address) |
+| **Send SMS** | Sends an SMS message via Twilio. Template renders the message body. | Twilio (Account SID, Auth Token, from number) |
+| **Send Teams Message** | Posts a message to Microsoft Teams via Incoming Webhook. Template renders the message body (plain text or Adaptive Card JSON). | Microsoft Teams (webhook URL) |
+| **Send Slack Message** | Posts a message to Slack via Incoming Webhook. Template renders the message text (supports Slack mrkdwn). | Slack (webhook URL) |
+| **Send Discord Message** | Posts a message to Discord via Webhook. Template renders the message content (supports embed JSON). | Discord (webhook URL) |
+
+### API Actions
+
+| Action | Description | Credential Required |
+|--------|-------------|---------------------|
+| **Call API (GET)** | Sends an HTTP GET request to a URL. | Optional (Bearer, Basic, or API Key) |
+| **Call API (POST)** | Sends an HTTP POST request. Template renders the request body. | Optional |
+| **Call API (PUT)** | Sends an HTTP PUT request. Template renders the request body. | Optional |
+| **Call API (DELETE)** | Sends an HTTP DELETE request. | Optional |
+
+### File Upload Actions
+
+| Action | Description | Credential Required |
+|--------|-------------|---------------------|
+| **Upload File (FTP)** | Uploads a file via FTP. Template renders the file content. | FTP (host, port, username, password) |
+| **Upload File (SFTP)** | Uploads a file via SFTP. Template renders the file content. | SFTP (host, port, username, password/key) |
+| **Upload File (S3)** | Uploads a file to Amazon S3. Template renders the file content. | AWS S3 (Access Key, Secret Key, Region, Bucket) |
+| **Upload File (Azure Blob)** | Uploads a file to Azure Blob Storage. Template renders the file content. | Azure Blob Storage (Connection String, Container Name) |
+| **Upload File (Box)** | Uploads a file to Box. Template renders the file content. | Box (JWT credentials or Developer Token) |
+| **Upload File (Dropbox)** | Uploads a file to Dropbox. Template renders the file content. | Dropbox (OAuth2 refresh token, app key/secret) |
+
+### Action Configuration
+
+Each action type has specific configuration fields set via `Action Config`:
+
+#### Email Action Config
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| To | Yes | Recipient email address(es) |
+| CC | No | CC email address(es) |
+| Subject | Yes | Email subject line |
+
+#### SMS Action Config
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| To | Yes | Recipient phone number(s) |
+
+#### API Action Config
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| URL | Yes | The API endpoint URL |
+| Headers | No | Custom HTTP headers (key-value pairs) |
+| Content Type | No | Request content type (default: `application/json`) |
+
+#### Teams Action Config
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| Title | No | Optional message title |
+| Theme Color | No | Optional theme color (hex) |
+
+#### Slack Action Config
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| Channel | No | Channel override |
+| Username | No | Bot username override |
+| Icon Emoji | No | Bot icon emoji |
+
+#### Discord Action Config
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| Username | No | Username override |
+| Avatar URL | No | Avatar URL override |
+
+#### File Upload Action Config (FTP/SFTP)
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| Remote Path | Yes | Destination directory on the server |
+| Filename | Yes | Filename template for the uploaded file |
+
+#### S3 Action Config
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| Key/Path | Yes | S3 object key/path |
+
+#### Azure Blob Action Config
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| Blob Name/Path | Yes | Blob name or path template |
+| Content Type | No | Blob content type |
+
+#### Box Action Config
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| Folder ID | Yes | Target Box folder ID |
+| Filename | Yes | Filename template |
+
+#### Dropbox Action Config
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| Target Path | Yes | Destination path in Dropbox |
+| Filename | Yes | Filename template |
+| Write Mode | No | Overwrite or add (default: add) |
+
+## Workflow Credentials
+
+Credentials store the authentication details needed by workflow actions (SMTP passwords, API keys, webhook URLs, etc.). All credentials are **encrypted at rest** using AES-256 encryption with department-specific key derivation, ensuring each department's secrets are isolated.
+
+### Managing Credentials
+
+Navigate to **Department → Workflows → Credentials** to manage stored credentials.
+
+- Credentials are grouped by type for easy browsing
+- Secret values are always displayed as `••••••` — they are **write-only** and never returned in responses
+- When editing a credential, existing secret values are preserved unless you explicitly provide new values
+
+### Credential Types
+
+| Type | Fields |
+|------|--------|
+| **SMTP** | Host, Port, Username, Password, Use SSL, From Address |
+| **Twilio** | Account SID, Auth Token, From Number |
+| **FTP** | Host, Port, Username, Password |
+| **SFTP** | Host, Port, Username, Password/Private Key |
+| **AWS S3** | Access Key, Secret Key, Region, Bucket |
+| **HTTP Bearer** | Bearer Token |
+| **HTTP Basic** | Username, Password |
+| **HTTP API Key** | Header Name, API Key Value |
+| **Microsoft Teams** | Webhook URL |
+| **Slack** | Webhook URL |
+| **Discord** | Webhook URL |
+| **Azure Blob Storage** | Connection String (or Account Name + Account Key), Container Name |
+| **Box** | Developer Token or JWT credentials (Client ID, Client Secret, Enterprise ID, Private Key) |
+| **Dropbox** | App Key, App Secret, OAuth2 Refresh Token |
+
+### Creating a Credential
+
+Click **New Credential** and select the credential type. Fill in the type-specific fields — all secret fields are encrypted before storage.
+
+## Workflow Runs (Execution History)
+
+The **Runs** view provides a paginated audit trail of all workflow executions:
+
+| Column | Description |
+|--------|-------------|
+| Timestamp | When the workflow execution started |
+| Workflow Name | The workflow that was triggered |
+| Status | Color-coded badge: Pending, Running, Completed, Failed, Cancelled, Retrying |
+| Duration | Total execution time |
+| Attempt | Current attempt number (if retrying) |
+| Error Summary | Brief error description (if failed) |
+
+Click a run to expand and see per-step `WorkflowRunLog` detail, including:
+- Rendered template output
+- Action result (HTTP status, SMTP response, etc.)
+- Error messages
+- Duration per step
+
+### Filtering Runs
+
+Filter runs by:
+- **Status** — Pending, Running, Completed, Failed, Cancelled, Retrying
+- **Date range** — Start and end date
+- **Workflow** — Specific workflow
+
+## Workflow Health
+
+The **Health** view provides per-workflow health metrics:
+
+| Metric | Description |
+|--------|-------------|
+| Success/Failure counts | Broken down by 24h, 7d, and 30d windows |
+| Success rate | Percentage of successful runs |
+| Average duration | Mean execution time |
+| Last run timestamp | When the workflow last executed |
+| Last error | Most recent error message |
+| Recent run timeline | Visual timeline of recent executions |
+
+## Pending Runs
+
+The **Pending** view lists all currently pending and in-progress workflow runs for the department. Actions available:
+
+- **Cancel** — Cancel an individual pending run
+- **Clear All** — Cancel all pending runs for the department (with confirmation dialog)
+
+## Retry Behavior
+
+When a workflow step fails:
+
+1. If `Attempt Number < Max Retry Count`, the run is re-enqueued with exponential backoff delay (`Retry Backoff Base × 2^(attempt - 1)` seconds)
+2. Status is set to **Retrying** during the delay
+3. If max retries are exceeded, status is set to **Failed** with the final error message
+4. All retry attempts are visible in the run logs for auditing
+
+## Rate Limiting
+
+Workflow execution is rate-limited per department to prevent a single department from flooding the system. The default limit is **60 workflow executions per minute per department**. If the limit is exceeded, workflow events are skipped and a warning is logged.
+
+## Interactions with Other Modules
+
+| Module | Interaction |
+|--------|-------------|
+| **Dispatch & Calls** | Call Added, Call Updated, Call Closed events trigger workflows |
+| **Units** | Unit Status Changed, Unit Added events trigger workflows |
+| **Personnel** | Personnel Staffing/Status Changed, User Created, Role Changed events |
+| **Groups & Stations** | User Assigned to Group, Group Added/Updated events |
+| **Documents** | Document Added events trigger workflows |
+| **Notes** | Note Added events trigger workflows |
+| **Logs** | Log Added events trigger workflows |
+| **Calendar** | Calendar Event Added/Updated events trigger workflows |
+| **Shifts** | Shift Created/Updated, Trade Requested/Filled events |
+| **Messages** | Message Sent events trigger workflows |
+| **Trainings** | Training Added/Updated events trigger workflows |
+| **Inventory** | Inventory Adjusted events trigger workflows |
+| **Forms** | Form Submitted events trigger workflows |
+| **Notifications** | Workflows complement notifications — notifications handle push/SMS to personnel, while workflows enable external integrations |
+| **Resource Orders** | Resource Order Added events trigger workflows |
+| **Certifications** | Certification Expiring events trigger workflows (via daily scheduled check) |
diff --git a/src/components/HomepageFeatures/index.js b/src/components/HomepageFeatures/index.js
index 5f3f1cb..df45e6d 100644
--- a/src/components/HomepageFeatures/index.js
+++ b/src/components/HomepageFeatures/index.js
@@ -1,61 +1,193 @@
 import React from 'react';
 import clsx from 'clsx';
+import Link from '@docusaurus/Link';
 import styles from './styles.module.css';
 
-const FeatureList = [
+/* ── Quick-start navigation cards ── */
+const QuickLinks = [
   {
-    title: 'Easy to Use',
-    Svg: require('@site/static/img/undraw_docusaurus_mountain.svg').default,
-    description: (
-      <>
-        Easy to use, self service options to configure and manage your Resgrid instance at your own pace.
-      </>
-    ),
+    title: 'Getting Started',
+    icon: '🚀',
+    description: 'Set up your Resgrid account in minutes and start dispatching.',
+    link: '/get-started/start',
+    linkLabel: 'Quick Start',
   },
   {
-    title: 'Open Source CAD',
-    Svg: require('@site/static/img/undraw_docusaurus_tree.svg').default,
-    description: (
-      <>
-        Open source computer aided dispatch (CAD) solutions for Emergency Services, Businesses and Industry.
-      </>
-    ),
+    title: 'Self-Hosted',
+    icon: '🖥️',
+    description: 'Deploy Resgrid on your own infrastructure with Docker or bare-metal.',
+    link: '/get-started/hosted',
+    linkLabel: 'Installation Guide',
   },
   {
-    title: 'Run Anywhere',
-    Svg: require('@site/static/img/undraw_docusaurus_react.svg').default,
-    description: (
-      <>
-        From hosted to on-prem, mobile applications and more. Resgrid is flexible to meet your needs.
-      </>
-    ),
+    title: 'API Reference',
+    icon: '🔌',
+    description: 'Integrate Resgrid into your workflow with our REST API.',
+    link: '/api/information',
+    linkLabel: 'Explore APIs',
+  },
+  {
+    title: 'Configuration',
+    icon: '⚙️',
+    description: 'Fine-tune departments, roles, notifications and more.',
+    link: '/configuration/setup',
+    linkLabel: 'Configure',
+  },
+];
+
+/* ── Core platform capabilities ── */
+const Capabilities = [
+  {
+    title: 'Computer Aided Dispatch',
+    icon: '📡',
+    description:
+      'Create, manage and track calls with real-time status updates, mapping and automatic notifications.',
+  },
+  {
+    title: 'Personnel & Units',
+    icon: '👥',
+    description:
+      'Organize your team with roles, groups, stations and unit tracking across shifts.',
+  },
+  {
+    title: 'Real-Time Mapping',
+    icon: '🗺️',
+    description:
+      'Visualize calls, personnel and units on live maps with custom layers and geofencing.',
+  },
+  {
+    title: 'Mobile Applications',
+    icon: '📱',
+    description:
+      'Native iOS and Android apps for responders, dispatchers and unit commanders.',
+  },
+  {
+    title: 'Shifts & Scheduling',
+    icon: '📅',
+    description:
+      'Build recurring shift patterns, manage sign-ups and automate staffing coverage.',
+  },
+  {
+    title: 'Open Source',
+    icon: '🔓',
+    description:
+      'Fully open-source under the Apache 2.0 license — audit, extend and self-host with confidence.',
   },
 ];
 
-function Feature({Svg, title, description}) {
+/* ── Explore section cards ── */
+const ExploreLinks = [
+  {
+    title: 'Apps',
+    description: 'Big Board, Dispatch, Responder, Unit and more.',
+    link: '/apps/dispatch',
+    icon: '📋',
+  },
+  {
+    title: 'Modules',
+    description: 'Calls, Personnel, Units, Mapping, Shifts, Reports and more.',
+    link: '/category/modules',
+    icon: '🧩',
+  },
+  {
+    title: 'How-To Guides',
+    description: 'Step-by-step walkthroughs for common tasks.',
+    link: '/category/how-tos',
+    icon: '📖',
+  },
+  {
+    title: 'Development',
+    description: 'Prerequisites, solution architecture and contributing.',
+    link: '/development/prerequisites',
+    icon: '💻',
+  },
+];
+
+/* ── Components ── */
+
+function QuickLinkCard({title, icon, description, link, linkLabel}) {
   return (
-    <div className={clsx('col col--4')}>
-      <div className="text--center">
-        <Svg className={styles.featureSvg} role="img" />
-      </div>
-      <div className="text--center padding-horiz--md">
-        <h3>{title}</h3>
-        <p>{description}</p>
-      </div>
+    <Link to={link} className={styles.quickLinkCard}>
+      <span className={styles.cardIcon}>{icon}</span>
+      <h3 className={styles.cardTitle}>{title}</h3>
+      <p className={styles.cardDescription}>{description}</p>
+      <span className={styles.cardLink}>
+        {linkLabel} <span aria-hidden="true">&rarr;</span>
+      </span>
+    </Link>
+  );
+}
+
+function CapabilityCard({title, icon, description}) {
+  return (
+    <div className={styles.capabilityCard}>
+      <span className={styles.capIcon}>{icon}</span>
+      <h4 className={styles.capTitle}>{title}</h4>
+      <p className={styles.capDescription}>{description}</p>
     </div>
   );
 }
 
+function ExploreCard({title, icon, description, link}) {
+  return (
+    <Link to={link} className={styles.exploreCard}>
+      <span className={styles.exploreIcon}>{icon}</span>
+      <div>
+        <h4 className={styles.exploreTitle}>{title}</h4>
+        <p className={styles.exploreDescription}>{description}</p>
+      </div>
+      <span className={styles.exploreArrow} aria-hidden="true">&rarr;</span>
+    </Link>
+  );
+}
+
 export default function HomepageFeatures() {
   return (
-    <section className={styles.features}>
-      <div className="container">
-        <div className="row">
-          {FeatureList.map((props, idx) => (
-            <Feature key={idx} {...props} />
-          ))}
+    <>
+      {/* ── Quick-start cards ── */}
+      <section className={styles.quickLinks}>
+        <div className="container">
+          <div className={styles.quickLinksGrid}>
+            {QuickLinks.map((props, idx) => (
+              <QuickLinkCard key={idx} {...props} />
+            ))}
+          </div>
         </div>
-      </div>
-    </section>
+      </section>
+
+      {/* ── Platform capabilities ── */}
+      <section className={styles.capabilities}>
+        <div className="container">
+          <div className={styles.sectionHeader}>
+            <h2 className={styles.sectionTitle}>Platform Capabilities</h2>
+            <p className={styles.sectionSubtitle}>
+              Everything you need to manage emergency and non-emergency operations — out of the box.
+            </p>
+          </div>
+          <div className={styles.capabilitiesGrid}>
+            {Capabilities.map((props, idx) => (
+              <CapabilityCard key={idx} {...props} />
+            ))}
+          </div>
+        </div>
+      </section>
+
+      {/* ── Explore section ── */}
+      <section className={styles.explore}>
+        <div className="container">
+          <div className={styles.sectionHeader}>
+            <h2 className={styles.sectionTitle}>Explore the Docs</h2>
+            <p className={styles.sectionSubtitle}>
+              Dive deeper into specific areas of the platform.
+            </p>
+          </div>
+          <div className={styles.exploreGrid}>
+            {ExploreLinks.map((props, idx) => (
+              <ExploreCard key={idx} {...props} />
+            ))}
+          </div>
+        </div>
+      </section>
+    </>
   );
 }
diff --git a/src/components/HomepageFeatures/styles.module.css b/src/components/HomepageFeatures/styles.module.css
index b248eb2..20af6ce 100644
--- a/src/components/HomepageFeatures/styles.module.css
+++ b/src/components/HomepageFeatures/styles.module.css
@@ -1,11 +1,247 @@
-.features {
+/* ─────────────────────────────────────────────
+   Quick-start navigation cards
+   ───────────────────────────────────────────── */
+
+.quickLinks {
+  padding: 3rem 0 2rem;
+}
+
+.quickLinksGrid {
+  display: grid;
+  grid-template-columns: repeat(4, 1fr);
+  gap: 1.25rem;
+}
+
+@media screen and (max-width: 996px) {
+  .quickLinksGrid {
+    grid-template-columns: repeat(2, 1fr);
+  }
+}
+
+@media screen and (max-width: 600px) {
+  .quickLinksGrid {
+    grid-template-columns: 1fr;
+  }
+}
+
+.quickLinkCard {
+  display: flex;
+  flex-direction: column;
+  padding: 1.5rem;
+  border-radius: 12px;
+  border: 1px solid var(--docs-color-border, #dadde1);
+  background: var(--docs-color-background, #fff);
+  text-decoration: none !important;
+  color: inherit !important;
+  transition: box-shadow 0.2s ease, border-color 0.2s ease, transform 0.15s ease;
+}
+
+.quickLinkCard:hover {
+  border-color: #2160fd;
+  box-shadow: 0 4px 20px rgba(33, 96, 253, 0.08);
+  transform: translateY(-2px);
+}
+
+:global(html[data-theme='dark']) .quickLinkCard:hover {
+  border-color: #1a90ff;
+  box-shadow: 0 4px 20px rgba(26, 144, 255, 0.12);
+}
+
+.cardIcon {
+  font-size: 1.75rem;
+  margin-bottom: 0.75rem;
+}
+
+.cardTitle {
+  font-size: 1rem;
+  font-weight: 700;
+  margin: 0 0 0.5rem;
+  color: var(--docs-color-text, #000);
+}
+
+.cardDescription {
+  font-size: 0.875rem;
+  line-height: 1.55;
+  color: var(--docs-color-text-100, #646464);
+  flex: 1;
+  margin: 0 0 1rem;
+}
+
+.cardLink {
+  font-size: 0.85rem;
+  font-weight: 600;
+  color: #2160fd;
+  display: inline-flex;
+  align-items: center;
+  gap: 0.3rem;
+}
+
+:global(html[data-theme='dark']) .cardLink {
+  color: #1a90ff;
+}
+
+/* ─────────────────────────────────────────────
+   Section headers (shared)
+   ───────────────────────────────────────────── */
+
+.sectionHeader {
+  text-align: center;
+  margin-bottom: 2.5rem;
+}
+
+.sectionTitle {
+  font-size: 1.75rem;
+  font-weight: 800;
+  letter-spacing: -0.02em;
+  margin-bottom: 0.5rem;
+  color: var(--docs-color-text, #000);
+}
+
+.sectionSubtitle {
+  font-size: 1.05rem;
+  color: var(--docs-color-text-100, #646464);
+  max-width: 520px;
+  margin: 0 auto;
+}
+
+/* ─────────────────────────────────────────────
+   Platform capabilities
+   ───────────────────────────────────────────── */
+
+.capabilities {
+  padding: 3rem 0;
+  background: var(--docs-color-background-100, #f8f8f8);
+}
+
+.capabilitiesGrid {
+  display: grid;
+  grid-template-columns: repeat(3, 1fr);
+  gap: 1.5rem;
+}
+
+@media screen and (max-width: 996px) {
+  .capabilitiesGrid {
+    grid-template-columns: repeat(2, 1fr);
+  }
+}
+
+@media screen and (max-width: 600px) {
+  .capabilitiesGrid {
+    grid-template-columns: 1fr;
+  }
+}
+
+.capabilityCard {
+  padding: 1.5rem;
+  border-radius: 12px;
+  background: var(--docs-color-background, #fff);
+  border: 1px solid var(--docs-color-border, #dadde1);
+  transition: box-shadow 0.2s ease;
+}
+
+.capabilityCard:hover {
+  box-shadow: 0 2px 12px rgba(0, 0, 0, 0.06);
+}
+
+:global(html[data-theme='dark']) .capabilityCard:hover {
+  box-shadow: 0 2px 12px rgba(255, 255, 255, 0.04);
+}
+
+.capIcon {
+  font-size: 1.5rem;
+  display: block;
+  margin-bottom: 0.65rem;
+}
+
+.capTitle {
+  font-size: 0.95rem;
+  font-weight: 700;
+  margin: 0 0 0.35rem;
+  color: var(--docs-color-text, #000);
+}
+
+.capDescription {
+  font-size: 0.85rem;
+  line-height: 1.55;
+  color: var(--docs-color-text-100, #646464);
+  margin: 0;
+}
+
+/* ─────────────────────────────────────────────
+   Explore the docs
+   ───────────────────────────────────────────── */
+
+.explore {
+  padding: 3rem 0 4rem;
+}
+
+.exploreGrid {
+  display: grid;
+  grid-template-columns: repeat(2, 1fr);
+  gap: 1rem;
+}
+
+@media screen and (max-width: 600px) {
+  .exploreGrid {
+    grid-template-columns: 1fr;
+  }
+}
+
+.exploreCard {
   display: flex;
   align-items: center;
-  padding: 2rem 0;
-  width: 100%;
+  gap: 1rem;
+  padding: 1.15rem 1.35rem;
+  border-radius: 10px;
+  border: 1px solid var(--docs-color-border, #dadde1);
+  background: var(--docs-color-background, #fff);
+  text-decoration: none !important;
+  color: inherit !important;
+  transition: border-color 0.2s ease, box-shadow 0.2s ease;
+}
+
+.exploreCard:hover {
+  border-color: #2160fd;
+  box-shadow: 0 2px 12px rgba(33, 96, 253, 0.06);
+}
+
+:global(html[data-theme='dark']) .exploreCard:hover {
+  border-color: #1a90ff;
+  box-shadow: 0 2px 12px rgba(26, 144, 255, 0.1);
+}
+
+.exploreIcon {
+  font-size: 1.65rem;
+  flex-shrink: 0;
+}
+
+.exploreTitle {
+  font-size: 0.95rem;
+  font-weight: 700;
+  margin: 0 0 0.15rem;
+  color: var(--docs-color-text, #000);
+}
+
+.exploreDescription {
+  font-size: 0.82rem;
+  line-height: 1.45;
+  color: var(--docs-color-text-100, #646464);
+  margin: 0;
+}
+
+.exploreArrow {
+  margin-left: auto;
+  font-size: 1.1rem;
+  color: var(--docs-color-text-100, #646464);
+  flex-shrink: 0;
+  transition: transform 0.15s ease;
+}
+
+.exploreCard:hover .exploreArrow {
+  transform: translateX(3px);
+  color: #2160fd;
 }
 
-.featureSvg {
-  height: 200px;
-  width: 200px;
+:global(html[data-theme='dark']) .exploreCard:hover .exploreArrow {
+  color: #1a90ff;
 }
diff --git a/src/pages/index.js b/src/pages/index.js
index ee6210a..f18fbca 100644
--- a/src/pages/index.js
+++ b/src/pages/index.js
@@ -10,16 +10,45 @@ import styles from './index.module.css';
 function HomepageHeader() {
   const {siteConfig} = useDocusaurusContext();
   return (
-    <header className={clsx('hero hero--primary', styles.heroBanner)}>
+    <header className={styles.heroBanner}>
       <div className="container">
-        <h1 className="hero__title">{siteConfig.title}</h1>
-        <p className="hero__subtitle">{siteConfig.tagline}</p>
-        <div className={styles.buttons}>
-          <Link
-            className="button button--secondary button--lg"
-            to="/intro">
-            View The Docs
-          </Link>
+        <div className={styles.heroInner}>
+          <span className={styles.heroBadge}>Open Source</span>
+          <h1 className={styles.heroTitle}>Resgrid Documentation</h1>
+          <p className={styles.heroSubtitle}>
+            Open-source computer-aided dispatch &amp; emergency management
+            platform. Learn how to deploy, configure and extend Resgrid for
+            your organization.
+          </p>
+          <div className={styles.heroCtas}>
+            <Link
+              className={clsx('button button--lg', styles.ctaPrimary)}
+              to="/get-started/start">
+              Get Started
+            </Link>
+            <Link
+              className={clsx('button button--lg', styles.ctaSecondary)}
+              to="/api/information">
+              API Reference
+            </Link>
+          </div>
+          <div className={styles.heroMeta}>
+            <a
+              href="https://github.com/Resgrid"
+              target="_blank"
+              rel="noopener noreferrer"
+              className={styles.heroMetaLink}>
+              GitHub
+            </a>
+            <span className={styles.heroMetaDivider}>·</span>
+            <Link to="/get-started/support" className={styles.heroMetaLink}>
+              Support
+            </Link>
+            <span className={styles.heroMetaDivider}>·</span>
+            <Link to="/category/get-started" className={styles.heroMetaLink}>
+              Guides
+            </Link>
+          </div>
         </div>
       </div>
     </header>
@@ -30,8 +59,8 @@ export default function Home() {
   const {siteConfig} = useDocusaurusContext();
   return (
     <Layout
-      title={`Hello from ${siteConfig.title}`}
-      description="Description will go into a meta tag in <head />">
+      title="Resgrid Documentation"
+      description="Official documentation for Resgrid — open-source computer-aided dispatch and emergency management platform.">
       <HomepageHeader />
       <main>
         <HomepageFeatures />
diff --git a/src/pages/index.module.css b/src/pages/index.module.css
index 9f71a5d..5569d86 100644
--- a/src/pages/index.module.css
+++ b/src/pages/index.module.css
@@ -3,21 +3,159 @@
  * and scoped locally.
  */
 
+/* ── Hero ── */
 .heroBanner {
-  padding: 4rem 0;
+  padding: 5rem 0 4rem;
   text-align: center;
   position: relative;
   overflow: hidden;
+  background: linear-gradient(170deg, #f0f4ff 0%, #ffffff 50%, #f8faff 100%);
 }
 
-@media screen and (max-width: 996px) {
-  .heroBanner {
-    padding: 2rem;
-  }
+:global(html[data-theme='dark']) .heroBanner {
+  background: linear-gradient(170deg, #0d1117 0%, #161b22 50%, #0d1117 100%);
+}
+
+.heroInner {
+  max-width: 680px;
+  margin: 0 auto;
+}
+
+.heroBadge {
+  display: inline-block;
+  padding: 0.25rem 0.85rem;
+  font-size: 0.75rem;
+  font-weight: 600;
+  text-transform: uppercase;
+  letter-spacing: 0.06em;
+  border-radius: 999px;
+  background: rgba(33, 96, 253, 0.1);
+  color: #2160fd;
+  margin-bottom: 1.25rem;
+}
+
+:global(html[data-theme='dark']) .heroBadge {
+  background: rgba(26, 144, 255, 0.15);
+  color: #1a90ff;
+}
+
+.heroTitle {
+  font-size: 2.75rem;
+  font-weight: 800;
+  line-height: 1.15;
+  letter-spacing: -0.025em;
+  margin-bottom: 1rem;
+  color: #111827;
+}
+
+:global(html[data-theme='dark']) .heroTitle {
+  color: #f0f0f0;
 }
 
-.buttons {
+.heroSubtitle {
+  font-size: 1.15rem;
+  line-height: 1.65;
+  color: #4b5563;
+  margin-bottom: 2rem;
+  max-width: 560px;
+  margin-left: auto;
+  margin-right: auto;
+}
+
+:global(html[data-theme='dark']) .heroSubtitle {
+  color: #9ca3af;
+}
+
+.heroCtas {
   display: flex;
   align-items: center;
   justify-content: center;
+  gap: 0.75rem;
+  margin-bottom: 2rem;
+  flex-wrap: wrap;
+}
+
+.ctaPrimary {
+  background: #2160fd !important;
+  color: #fff !important;
+  border: none !important;
+  border-radius: 8px !important;
+  font-weight: 600;
+  padding: 0.7rem 1.8rem !important;
+  transition: background 0.2s ease, transform 0.15s ease;
+}
+
+.ctaPrimary:hover {
+  background: #174fd6 !important;
+  transform: translateY(-1px);
+  text-decoration: none;
+  color: #fff !important;
+}
+
+.ctaSecondary {
+  background: transparent !important;
+  color: #2160fd !important;
+  border: 1.5px solid #2160fd !important;
+  border-radius: 8px !important;
+  font-weight: 600;
+  padding: 0.7rem 1.8rem !important;
+  transition: background 0.2s ease, transform 0.15s ease;
+}
+
+:global(html[data-theme='dark']) .ctaSecondary {
+  color: #1a90ff !important;
+  border-color: #1a90ff !important;
+}
+
+.ctaSecondary:hover {
+  background: rgba(33, 96, 253, 0.06) !important;
+  transform: translateY(-1px);
+  text-decoration: none;
+}
+
+.heroMeta {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 0.5rem;
+  font-size: 0.875rem;
+}
+
+.heroMetaLink {
+  color: #6b7280;
+  text-decoration: none;
+  transition: color 0.15s;
+}
+
+.heroMetaLink:hover {
+  color: #2160fd;
+  text-decoration: none;
+}
+
+:global(html[data-theme='dark']) .heroMetaLink {
+  color: #9ca3af;
+}
+
+:global(html[data-theme='dark']) .heroMetaLink:hover {
+  color: #1a90ff;
+}
+
+.heroMetaDivider {
+  color: #d1d5db;
+}
+
+:global(html[data-theme='dark']) .heroMetaDivider {
+  color: #4b5563;
+}
+
+@media screen and (max-width: 996px) {
+  .heroBanner {
+    padding: 3rem 1.25rem 2.5rem;
+  }
+  .heroTitle {
+    font-size: 2rem;
+  }
+  .heroSubtitle {
+    font-size: 1rem;
+  }
 }

From 2dfa30f9b28f4e6f7cc89e16e585c6f3355478d9 Mon Sep 17 00:00:00 2001
From: Shawn Jackson <shawn@resgrid.com>
Date: Wed, 25 Feb 2026 19:38:25 -0800
Subject: [PATCH 2/3] Adding verification changes and updating workflow docs

---
 docs/api/contact-verification.md           | 158 +++++++++++++++++
 docs/api/workflows.md                      |  83 ++++++++-
 docs/configuration/adding-personnel.md     |  12 +-
 docs/configuration/contact-verification.md | 143 +++++++++++++++
 docs/configuration/notifications.md        |   3 +-
 docs/configuration/text-messaging.md       |   7 +
 docs/configuration/workflows.md            | 197 ++++++++++++++++++++-
 docs/reference/localization.md             |  25 +++
 docs/reference/workflow-variables.md       | 104 +++++++++++
 docs/web-app/dispatch-calls.md             |   5 +
 docs/web-app/messages.md                   |   1 +
 docs/web-app/notifications.md              |   1 +
 docs/web-app/overview.md                   |   1 +
 docs/web-app/personnel.md                  |   5 +
 docs/web-app/profile-account.md            |  30 ++++
 docs/web-app/voice-audio.md                |   1 +
 docs/web-app/workflows.md                  | 113 ++++++++++--
 17 files changed, 869 insertions(+), 20 deletions(-)
 create mode 100644 docs/api/contact-verification.md
 create mode 100644 docs/configuration/contact-verification.md

diff --git a/docs/api/contact-verification.md b/docs/api/contact-verification.md
new file mode 100644
index 0000000..0ede2b3
--- /dev/null
+++ b/docs/api/contact-verification.md
@@ -0,0 +1,158 @@
+---
+sidebar_position: 4
+---
+
+# Contact Verification API
+
+The Contact Verification API allows clients to programmatically send verification codes and confirm contact methods for the authenticated user. These endpoints are used by the profile UI to manage email, mobile number, and home number verification inline.
+
+## Authentication
+
+All Contact Verification API endpoints require a valid JWT token. See [API Authentication](authentication) for details.
+
+**Base URL:** `/api/v4/ContactVerification`
+
+## Send Verification Code
+
+Sends a verification code to the specified contact method for the authenticated user. For email, a verification email is sent. For mobile and home numbers, an SMS is sent.
+
+```
+POST /api/v4/ContactVerification/SendVerificationCode
+```
+
+**Request Body:**
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `Type` | int | Yes | Contact verification type: `0` = Email, `1` = MobileNumber, `2` = HomeNumber |
+
+**Response:**
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `Success` | bool | Whether the code was sent successfully |
+| `Message` | string | Descriptive message (e.g., "A verification code has been sent." or an error message) |
+
+**Error Scenarios:**
+
+| HTTP Status | Condition |
+|-------------|-----------|
+| `200 OK` | Code sent successfully, or a descriptive error in the response body |
+| `429 Too Many Requests` | Rate limit exceeded (max 3 sends per contact method per hour) |
+| `400 Bad Request` | Invalid contact type or no contact value on file |
+
+**Example Request:**
+
+```bash
+curl -X POST \
+  -H "Authorization: Bearer <access_token>" \
+  -H "Content-Type: application/json" \
+  "https://api.resgrid.com/api/v4/ContactVerification/SendVerificationCode" \
+  -d '{"Type": 0}'
+```
+
+**Example Response:**
+
+```json
+{
+  "Data": {
+    "Success": true,
+    "Message": "A verification code has been sent."
+  },
+  "Status": "success"
+}
+```
+
+## Confirm Verification Code
+
+Validates a verification code entered by the user and, if correct and not expired, marks the contact method as verified.
+
+```
+POST /api/v4/ContactVerification/ConfirmVerificationCode
+```
+
+**Request Body:**
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `Type` | int | Yes | Contact verification type: `0` = Email, `1` = MobileNumber, `2` = HomeNumber |
+| `Code` | string | Yes | The 6-digit numeric verification code |
+
+**Response:**
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `Success` | bool | Whether the verification was successful |
+| `Message` | string | Descriptive message (e.g., "Verification successful." or an error message) |
+
+**Error Scenarios:**
+
+| HTTP Status | Condition |
+|-------------|-----------|
+| `200 OK` | Verification confirmed or a descriptive error in the response body |
+| `429 Too Many Requests` | Daily attempt limit exceeded (max 5 attempts per contact method per day) |
+| `400 Bad Request` | Invalid contact type or missing code |
+
+**Example Request:**
+
+```bash
+curl -X POST \
+  -H "Authorization: Bearer <access_token>" \
+  -H "Content-Type: application/json" \
+  "https://api.resgrid.com/api/v4/ContactVerification/ConfirmVerificationCode" \
+  -d '{"Type": 1, "Code": "482910"}'
+```
+
+**Example Response (Success):**
+
+```json
+{
+  "Data": {
+    "Success": true,
+    "Message": "Verification successful."
+  },
+  "Status": "success"
+}
+```
+
+**Example Response (Failure):**
+
+```json
+{
+  "Data": {
+    "Success": false,
+    "Message": "Verification failed. Please check the code and try again."
+  },
+  "Status": "success"
+}
+```
+
+## Contact Verification Types
+
+| Value | Name | Description |
+|-------|------|-------------|
+| `0` | Email | Email address verification (sends verification email) |
+| `1` | MobileNumber | Mobile number verification (sends SMS) |
+| `2` | HomeNumber | Home number verification (sends SMS) |
+
+## Rate Limits
+
+| Limit | Default | Description |
+|-------|---------|-------------|
+| Max sends per hour | 3 | Maximum verification code sends per contact method per hour |
+| Max attempts per day | 5 | Maximum verification code entry attempts per contact method per day |
+| Code expiry | 30 minutes | How long a verification code remains valid |
+
+When a rate limit is reached, the API returns an appropriate error message. Daily attempt counters reset at midnight UTC.
+
+## Verification State Model
+
+Each contact method on a user profile has a tri-state verification value:
+
+| Value | State | Communications |
+|-------|-------|---------------|
+| `null` | Grandfathered | Allowed (pre-existing users) |
+| `false` | Pending | Blocked until verified |
+| `true` | Verified | Allowed |
+
+For more details on how verification affects dispatches, notifications, and messaging, see the [Contact Method Verification](../configuration/contact-verification) configuration guide.
diff --git a/docs/api/workflows.md b/docs/api/workflows.md
index bf695ce..139ed75 100644
--- a/docs/api/workflows.md
+++ b/docs/api/workflows.md
@@ -54,11 +54,15 @@ POST /api/v4/workflows
 | `Description` | string | No | Description (max 1000 characters) |
 | `TriggerEventType` | int | Yes | Event type enum value (see [Event Types](#event-types)) |
 | `IsEnabled` | bool | No | Enabled state (default: true) |
-| `MaxRetryCount` | int | No | Max retry attempts (default: 3) |
+| `MaxRetryCount` | int | No | Max retry attempts (default: 3, maximum: 5) |
 | `RetryBackoffBaseSeconds` | int | No | Backoff base in seconds (default: 5) |
 
 **Response:** Created `WorkflowResult` object.
 
+:::info Plan-Based Limits
+The number of workflows per department is capped by subscription plan (3 for free, 28 for paid). If you exceed the limit, the API returns `400 Bad Request` with a descriptive error message. The `MaxRetryCount` field is capped at a server-side ceiling of **5** regardless of the value provided.
+:::
+
 ### Update Workflow
 
 Updates an existing workflow.
@@ -109,13 +113,17 @@ POST /api/v4/workflows/{id}/steps
 |-------|------|----------|-------------|
 | `ActionType` | int | Yes | Action type enum value (see [Action Types](#action-types)) |
 | `StepOrder` | int | Yes | Execution order |
-| `OutputTemplate` | string | Yes | Scriban template text |
+| `OutputTemplate` | string | Yes | Scriban template text (max 64 KB) |
 | `ActionConfig` | string | No | JSON action-specific settings |
 | `WorkflowCredentialId` | int | No | Credential ID to use |
 | `IsEnabled` | bool | No | Enabled state (default: true) |
 
 **Response:** Created `WorkflowStepResult` object.
 
+:::info Plan-Based Step Limits
+The number of steps per workflow is capped by subscription plan (5 for free, 20 for paid). If you exceed the limit, the API returns `400 Bad Request` with a descriptive error message.
+:::
+
 ### Update Step
 
 Updates an existing workflow step.
@@ -183,6 +191,10 @@ POST /api/v4/workflows/credentials
 
 **Response:** Created `WorkflowCredentialResult` object (secrets masked).
 
+:::info Plan-Based Credential Limits
+The number of stored credentials per department is capped by subscription plan (2 for free, 20 for paid). If you exceed the limit, the API returns `400 Bad Request`.
+:::
+
 :::warning Write-Only Secrets
 Credential secret values are encrypted at rest and never returned in API responses. You can only set them when creating or updating a credential.
 :::
@@ -400,6 +412,73 @@ GET /api/v4/workflows/eventtypes
 | 13 | UploadFileBox | Upload file to Box |
 | 14 | UploadFileDropbox | Upload file to Dropbox |
 
+## Security & Rate Limits
+
+### Rate Limits
+
+Workflow execution is rate-limited per department based on subscription plan:
+
+| Limit | Free Plan | Paid Plans |
+|-------|-----------|------------|
+| Executions per minute | 5 | 60 |
+| Daily run limit | 50 | Unlimited |
+
+Free-plan rate limits are strictly enforced with no exemptions for any event type.
+
+### Workflow & Step Caps
+
+| Limit | Free Plan | Paid Plans |
+|-------|-----------|------------|
+| Workflows per department | 3 | 28 |
+| Steps per workflow | 5 | 20 |
+| Credentials per department | 2 | 20 |
+| Max retry count (ceiling) | 5 | 5 |
+
+### Daily Send Limits
+
+| Channel | Free Plan | Paid Plans |
+|---------|-----------|------------|
+| Emails per day | 10 | 500 |
+| SMS per day | 5 | 200 |
+
+### Recipient Caps
+
+| Action | Free Plan | Paid Plans |
+|--------|-----------|------------|
+| Email (To + CC) | 1 (no CC) | 10 |
+| SMS (To) | 1 | 5 |
+
+### SSRF Protection
+
+- HTTP API calls require **HTTPS** only
+- Private/internal IPs (RFC 1918, loopback, link-local, cloud metadata `169.254.169.254`) are blocked
+- FTP/SFTP hosts are subject to the same private-IP restrictions
+
+### Webhook URL Validation
+
+- **Teams:** hostname must end with `.webhook.office.com` or `.logic.azure.com`
+- **Slack:** hostname must be `hooks.slack.com`
+- **Discord:** hostname must be `discord.com` or `discordapp.com` with path starting `/api/webhooks/`
+
+### Template Sandboxing
+
+| Protection | Limit |
+|------------|-------|
+| Loop iterations | 500 max |
+| Recursion depth | 50 max |
+| Regex timeout | Enforced |
+| Output template size (save) | 64 KB |
+| Rendered content size | 256 KB |
+| `import`/`include` built-ins | Disabled |
+
+### Email HTML Sanitization
+
+Rendered email body HTML is sanitized before sending. Dangerous elements (`<script>`, `<iframe>`, `<object>`, `<embed>`, `<form>`), `on*` event attributes, and `javascript:` URLs are stripped.
+
+### Dynamic Action Config Rendering
+
+All action config text fields (Subject, To, CC, filenames, URLs) are rendered through the Scriban template engine at execution time, allowing `{{ }}` expressions. The same 256 KB rendered content size cap applies.
+
 ## Credential Types
 
 ### Credential Type Enum Values
diff --git a/docs/configuration/adding-personnel.md b/docs/configuration/adding-personnel.md
index 63fe59f..fe3a0eb 100644
--- a/docs/configuration/adding-personnel.md
+++ b/docs/configuration/adding-personnel.md
@@ -55,8 +55,13 @@ If you provide a mobile number, you must also select the mobile carrier. For UK-
 2. The person is added to your department
 3. They are assigned to the selected group (if any)
 4. They are assigned to the selected roles (if any)
-5. If "Send Account Notification" is checked, a welcome email is sent
-6. The person can now log in and access the department's web and mobile apps
+5. All contact methods (email, mobile number, home number) are set to **Pending** verification status
+6. If "Send Account Notification" is checked, a welcome email is sent
+7. The person can now log in and access the department's web and mobile apps
+
+:::warning Contact Verification Required
+Newly added personnel will **not** receive dispatches, notifications, or SMS messages until they verify their contact methods. When the new user first logs in and visits their profile, they will see verification prompts next to each contact field. They must complete verification for each channel to begin receiving communications. See [Contact Method Verification](contact-verification) for details.
+:::
 
 ## Manage Invites
 
@@ -107,4 +112,5 @@ If you attempt to add a person whose email was previously associated with a dele
 | "Mobile carrier is required"                        | Select a carrier when providing a mobile number                      |
 | "SMS notification requires a mobile number"         | Provide a mobile number before enabling SMS notifications            |
 | "Cannot delete the Managing User"                   | The managing user cannot be removed; change the managing user in Department Settings first |
-| Person not receiving notifications                  | Verify they are in the correct group, have the app installed, and notification preferences are set |
\ No newline at end of file
+| Person not receiving notifications                  | Verify they are in the correct group, have the app installed, and notification preferences are set |
+| New person not receiving dispatches/notifications    | The user must log in and verify their contact methods from their profile page. See [Contact Verification](contact-verification). |
\ No newline at end of file
diff --git a/docs/configuration/contact-verification.md b/docs/configuration/contact-verification.md
new file mode 100644
index 0000000..48c5a17
--- /dev/null
+++ b/docs/configuration/contact-verification.md
@@ -0,0 +1,143 @@
+---
+sidebar_position: 16
+---
+
+# Contact Method Verification
+
+Contact Method Verification is an anti-spam protection feature that requires users to validate their email addresses, mobile numbers, and home phone numbers before the system sends dispatches, notifications, and messages through those channels. This ensures that outbound communications only reach confirmed, valid contact methods and protects against misrouted messages.
+
+## Why Contact Verification Matters
+
+Without verification, a mistyped email address or phone number in a user's profile could cause dispatch notifications, alerts, and messages to be sent to the wrong person — or to no one at all. In emergency operations, missed notifications can have serious consequences. Contact verification ensures that every communication channel attached to a user has been confirmed by that user, reducing delivery failures and preventing spam to unintended recipients.
+
+## Scope
+
+Contact verification applies to all personnel in a department. Each user is responsible for verifying their own contact methods. The verification status of each contact method determines whether outbound communications (dispatches, notifications, messages) are sent through that channel.
+
+## Verification States
+
+Each contact method (email, mobile number, home number) has one of three verification states:
+
+| State | Stored Value | Description |
+|-------|-------------|-------------|
+| **Grandfathered** | `NULL` | The contact method existed before verification was introduced. Communications are **allowed**. The user is encouraged to verify but not required. |
+| **Pending** | `false` | The contact method has been added or changed but not yet verified. Communications are **blocked** until verified. |
+| **Verified** | `true` | The contact method has been confirmed by the user. Communications are **allowed**. |
+
+:::info Grandfathered Users
+Existing users whose contact information was entered before the verification feature was introduced are automatically in the Grandfathered state. Their communications continue to flow normally. They will see a recommendation banner on their profile encouraging them to verify, but no action is forced.
+:::
+
+## How Verification Works
+
+### Email Verification
+1. The user clicks **Verify** next to their email address on their profile page.
+2. The system sends a verification email containing a numeric code to the email address on file.
+3. The user enters the code in the inline verification input on their profile page.
+4. If the code is correct and not expired, the email is marked as **Verified**.
+
+### Mobile Number Verification
+1. The user clicks **Verify** next to their mobile number on their profile page.
+2. The system sends an SMS containing a numeric code to the mobile number on file.
+3. The user enters the code in the inline verification input on their profile page.
+4. If the code is correct and not expired, the mobile number is marked as **Verified**.
+
+### Home Number Verification
+1. The user clicks **Verify** next to their home number on their profile page.
+2. The system sends an SMS containing a numeric code to the home number on file.
+3. The user enters the code in the inline verification input on their profile page.
+4. If the code is correct and not expired, the home number is marked as **Verified**.
+
+:::tip Voice Call Numbers
+If a voice call number shares the same value as the user's mobile number, verification of the mobile number also verifies the voice call channel. Otherwise, the home number follows the same SMS verification pattern.
+:::
+
+## Verification Code Rules
+
+| Setting | Default | Description |
+|---------|---------|-------------|
+| Code Length | 6 digits | The length of the numeric verification code |
+| Code Expiry | 30 minutes | How long a verification code remains valid after being sent |
+| Max Sends Per Hour | 3 | Maximum number of verification codes that can be sent per contact method per hour |
+| Max Attempts Per Day | 5 | Maximum number of verification attempts (code entries) per contact method per day |
+
+All of these values are configurable by system administrators via the `VerificationConfig` configuration class.
+
+:::warning Rate Limiting
+If you exceed the maximum number of sends per hour or attempts per day, you will receive a rate-limited error and must wait before trying again. Daily attempt counters reset at midnight UTC.
+:::
+
+## What Happens When Contact Information Changes
+
+When a user (or an administrator) changes a contact method value on a user's profile:
+
+- The corresponding verification status is reset to **Pending** (`false`).
+- Any existing verification code and expiry are cleared.
+- The verification attempt counter is reset to zero.
+- The user must re-verify the new contact method before communications resume on that channel.
+
+This applies to changes made through:
+- The user editing their own profile
+- An administrator editing a user's profile
+- Any API-based profile update
+
+## Admin-Created Personnel
+
+When an administrator creates a new user via **Personnel → Add Person**, the new user's contact methods (email, mobile number, home number) are initialized in the **Pending** state. The new user must verify their contact methods upon their first login or when they view their profile.
+
+:::note
+Unlike grandfathered users, newly created users will not receive dispatches, notifications, or messages via unverified channels until they complete verification.
+:::
+
+## Impact on Communications
+
+Contact verification gates the following outbound communication channels:
+
+| Communication Type | Gated Channel | Verification Required |
+|-------------------|---------------|----------------------|
+| Call Dispatch (email) | Email | Email must be Verified or Grandfathered |
+| Call Dispatch (SMS) | SMS | Mobile Number must be Verified or Grandfathered |
+| Call Dispatch (voice) | Voice Call | Home or Mobile Number must be Verified or Grandfathered |
+| Notifications (email) | Email | Email must be Verified or Grandfathered |
+| Notifications (SMS) | SMS | Mobile Number must be Verified or Grandfathered |
+| Calendar Alerts | Email / SMS | Corresponding method must be Verified or Grandfathered |
+| Trouble Alerts | Email / SMS | Corresponding method must be Verified or Grandfathered |
+| Text Messages | SMS | Mobile Number must be Verified or Grandfathered |
+| Chat Messages | Email / SMS | Corresponding method must be Verified or Grandfathered |
+
+If a contact method is in the **Pending** state, the system silently skips that communication channel for the user. The dispatch or notification is not failed — it simply does not send via the unverified channel. Other verified channels for the same user still function normally.
+
+## Profile UI Indicators
+
+On the user profile page, each contact field displays a verification indicator:
+
+| Indicator | Condition | Description |
+|-----------|-----------|-------------|
+| **Green verified badge** | Verified (`true`) | The contact method has been confirmed |
+| **Yellow warning banner with Verify button** | Pending (`false`) | The contact method needs verification; communications are blocked on this channel |
+| **Subtle info banner** | Grandfathered (`NULL`) with a value present | Recommends the user verify to ensure uninterrupted delivery |
+
+The **Verify** button triggers the verification flow inline — sending a code and presenting an input field and **Confirm** button without navigating away from the profile page.
+
+## How Contact Verification Connects to Other Features
+
+| Feature | Connection |
+|---------|------------|
+| [Dispatch & Calls](../web-app/dispatch-calls) | Email, SMS, and voice call dispatches are gated by verification status |
+| [Notifications](notifications) | Notification delivery channels are gated by verification status |
+| [Messages](../web-app/messages) | SMS message delivery is gated by mobile verification status |
+| [Text Messaging](text-messaging) | SMS-based features require a verified mobile number for outbound delivery |
+| [Adding Personnel](adding-personnel) | Admin-created personnel start with Pending verification status |
+| [Profile & Account](../web-app/profile-account) | Verification status is displayed and managed on the profile page |
+| [Voice & Audio](../web-app/voice-audio) | Voice call dispatch is gated by home/mobile number verification |
+
+## Common Errors and Resolutions
+
+| Error | Resolution |
+|-------|------------|
+| "Too many verification attempts. Please try again later." | You have exceeded the daily attempt limit (default: 5). Wait until the next day or contact your administrator. |
+| "A verification code has been sent." followed by no code received | Check your spam/junk folder (email) or ensure the phone number on file is correct. Wait a few minutes for SMS delivery. |
+| "Verification failed. Please check the code and try again." | Double-check the code you entered. Codes are 6 digits. Ensure you are entering the most recently sent code. |
+| Verification code expired | Codes expire after 30 minutes (default). Click Verify again to send a new code. |
+| Not receiving dispatches or notifications | Check your profile for yellow warning banners next to your contact methods. Verify any Pending contact methods. |
+| Admin-created user not receiving communications | The user must log in and verify their contact methods from their profile page. |
diff --git a/docs/configuration/notifications.md b/docs/configuration/notifications.md
index cb0bea9..e79dd67 100644
--- a/docs/configuration/notifications.md
+++ b/docs/configuration/notifications.md
@@ -99,12 +99,13 @@ From the Notifications page, you can:
 | Units             | Unit type availability can trigger notification alerts               |
 | Custom Statuses   | Current status states are used to determine availability counts      |
 | Personnel         | Individual users can be targeted as notification recipients          |
+| Contact Verification | Notification delivery is gated by each user's contact verification status. Unverified (Pending) channels are skipped. See [Contact Verification](contact-verification). |
 
 ## Common Errors and Resolutions
 
 | Error                                      | Resolution                                                              |
 | ------------------------------------------ | ----------------------------------------------------------------------- |
 | Notification not triggering                | Verify the event type matches the event occurring in the system         |
-| Recipients not receiving notifications     | Check recipient targeting (roles, groups, users) and user notification preferences |
+| Recipients not receiving notifications     | Check recipient targeting (roles, groups, users) and user notification preferences. Also verify the user's contact methods are **Verified** or **Grandfathered** — Pending contact methods block delivery. See [Contact Verification](contact-verification). |
 | Availability alert not firing              | Verify the lower/upper limits, selected role/unit type, and current states are configured correctly |
 | Too many notifications being sent          | Review notification rules for overlapping triggers and consolidate      |
diff --git a/docs/configuration/text-messaging.md b/docs/configuration/text-messaging.md
index f758c87..543a4c8 100644
--- a/docs/configuration/text-messaging.md
+++ b/docs/configuration/text-messaging.md
@@ -58,6 +58,12 @@ Personnel can text commands to the department number to update their status with
 - The system parses the command and updates the person's status or staffing accordingly
 - Confirmation is typically sent back via the notification system
 
+## Contact Verification and SMS
+
+Outbound SMS notifications and text message delivery are gated by each user's mobile number verification status. Users whose mobile number is in the **Pending** verification state will not receive SMS dispatches, notifications, or text message delivery. Users with **Verified** or **Grandfathered** mobile numbers continue to receive SMS normally.
+
+If personnel report not receiving text messages, verify that their mobile number is verified on their profile page. See [Contact Method Verification](contact-verification) for details.
+
 ## Common Errors and Resolutions
 
 | Error                                              | Resolution                                                                               |
@@ -67,3 +73,4 @@ Personnel can text commands to the department number to update their status with
 | Calls not being created from texts                 | Ensure the sending number is listed in the Text-to-Call Source Numbers                   |
 | Cannot provision a number                          | Check that your subscription plan supports phone number provisioning                     |
 | Personnel receiving no response to commands        | Verify text commands are enabled and the department phone number is correctly provisioned |
+| Personnel not receiving outbound SMS               | Verify the person's mobile number is **Verified** or **Grandfathered** on their profile. See [Contact Verification](contact-verification). |
diff --git a/docs/configuration/workflows.md b/docs/configuration/workflows.md
index 5959bd0..f8f7294 100644
--- a/docs/configuration/workflows.md
+++ b/docs/configuration/workflows.md
@@ -70,7 +70,7 @@ Navigate to **Department → Workflows** and click **New Workflow**.
 | Description | No | Optional description of the workflow's purpose |
 | Trigger Event Type | Yes | The system event that triggers this workflow |
 | Enabled | Yes | Whether the workflow is active (default: enabled) |
-| Max Retry Count | No | Number of retry attempts on failure (default: 3) |
+| Max Retry Count | No | Number of retry attempts on failure (default: 3, maximum: 5) |
 | Retry Backoff Base | No | Base delay in seconds for exponential backoff (default: 5) |
 
 ### Step 3: Add Steps
@@ -285,6 +285,16 @@ Sends an email via a department-supplied SMTP server. The Scriban template rende
 **Credential:** SMTP  
 **Action Config:** To, CC (optional), Subject
 
+:::info Recipient Caps
+To prevent bulk abuse, the number of recipients per email is capped by plan:
+- **Free plan:** Maximum **1** recipient in To, **no CC** allowed
+- **Paid plans:** Maximum **10** recipients (To + CC combined)
+:::
+
+:::info HTML Sanitization
+All rendered email body content is automatically sanitized before sending. Dangerous HTML elements and attributes — including `<script>`, `<iframe>`, `<object>`, `<embed>`, `<form>`, `on*` event attributes, and `javascript:` URLs — are stripped. Standard formatting tags (`<p>`, `<br>`, `<b>`, `<i>`, `<table>`, `<a href>` with `http`/`https` only, etc.) are preserved.
+:::
+
 ### Send SMS
 
 Sends an SMS via Twilio. The Scriban template renders the **message body**.
@@ -292,6 +302,12 @@ Sends an SMS via Twilio. The Scriban template renders the **message body**.
 **Credential:** Twilio  
 **Action Config:** To number(s)
 
+:::info Recipient Caps
+SMS recipients are capped by plan:
+- **Free plan:** Maximum **1** phone number
+- **Paid plans:** Maximum **5** phone numbers
+:::
+
 ### Send Teams Message
 
 Posts a message to Microsoft Teams via an Incoming Webhook URL. The Scriban template renders the **message body** — either plain text or an Adaptive Card JSON payload.
@@ -299,6 +315,10 @@ Posts a message to Microsoft Teams via an Incoming Webhook URL. The Scriban temp
 **Credential:** Microsoft Teams (webhook URL)  
 **Action Config:** Title (optional), Theme Color (optional)
 
+:::info Webhook URL Validation
+The webhook URL hostname must end with `.webhook.office.com` or `.logic.azure.com`. URLs targeting other domains are rejected to prevent misuse as a generic HTTP proxy.
+:::
+
 ### Send Slack Message
 
 Posts a message to Slack via an Incoming Webhook URL. The Scriban template renders the **message text** (supports Slack mrkdwn formatting).
@@ -306,6 +326,10 @@ Posts a message to Slack via an Incoming Webhook URL. The Scriban template rende
 **Credential:** Slack (webhook URL)  
 **Action Config:** Channel override (optional), Username (optional), Icon Emoji (optional)
 
+:::info Webhook URL Validation
+The webhook URL hostname must be `hooks.slack.com`. URLs targeting other domains are rejected.
+:::
+
 ### Send Discord Message
 
 Posts a message to Discord via a Webhook URL. The Scriban template renders the **message content**. If the rendered content is valid embed JSON, it is sent as a rich embed.
@@ -313,6 +337,10 @@ Posts a message to Discord via a Webhook URL. The Scriban template renders the *
 **Credential:** Discord (webhook URL)  
 **Action Config:** Username override (optional), Avatar URL (optional)
 
+:::info Webhook URL Validation
+The webhook URL hostname must be `discord.com` or `discordapp.com`, and the path must start with `/api/webhooks/`. URLs that do not match this pattern are rejected.
+:::
+
 ### Call API (GET / POST / PUT / DELETE)
 
 Sends an HTTP request to an external API endpoint. For POST and PUT, the Scriban template renders the **request body**. For GET and DELETE, the template is not used as a body.
@@ -320,6 +348,15 @@ Sends an HTTP request to an external API endpoint. For POST and PUT, the Scriban
 **Credential:** Optional — HTTP Bearer, HTTP Basic, or HTTP API Key  
 **Action Config:** URL, Headers (optional), Content Type (optional, default: `application/json`)
 
+:::warning SSRF Protection
+HTTP API calls enforce the following security restrictions:
+- **HTTPS only** — plaintext HTTP URLs are rejected
+- **No private/internal IPs** — requests to RFC 1918 addresses (10.x.x.x, 172.16–31.x.x, 192.168.x.x), loopback (127.x.x.x), link-local (169.254.x.x), and cloud metadata endpoints (e.g. `169.254.169.254`) are blocked
+- **Domain allowlist/blocklist** — administrators can configure allowed and blocked domain lists
+
+These protections prevent workflows from being used to probe internal infrastructure.
+:::
+
 ### Upload File (FTP / SFTP)
 
 Uploads a file to an FTP or SFTP server. The Scriban template renders the **file content**.
@@ -327,6 +364,10 @@ Uploads a file to an FTP or SFTP server. The Scriban template renders the **file
 **Credential:** FTP or SFTP  
 **Action Config:** Remote Path, Filename template
 
+:::warning SSRF Protection
+FTP and SFTP hosts are subject to the same private-IP and localhost restrictions as HTTP API calls. Connections to internal/loopback addresses are blocked.
+:::
+
 ### Upload File (S3)
 
 Uploads a file to Amazon S3. The Scriban template renders the **file content**.
@@ -367,11 +408,53 @@ When a workflow step fails, automatic retries are attempted with exponential bac
 
 - If retries are exhausted, the run is marked as **Failed** with the final error message.
 - All attempts are recorded in the run logs for auditing.
-- You can configure `Max Retry Count` and `Retry Backoff Base` per workflow.
+- You can configure `Max Retry Count` (up to a maximum of **5**) and `Retry Backoff Base` per workflow.
+
+## Workflow and Step Limits
+
+To ensure system stability, the number of workflows and steps per department is capped based on subscription plan:
+
+| Limit | Free Plan | Paid Plans |
+|-------|-----------|------------|
+| Workflows per department | 3 | 28 |
+| Steps per workflow | 5 | 20 |
+| Max retry count (ceiling) | 5 | 5 |
+
+If you attempt to create a workflow or step that exceeds these limits, the operation will be rejected with a clear error message.
+
+## Credential Limits
+
+The number of stored credentials per department is capped by plan:
+
+| Limit | Free Plan | Paid Plans |
+|-------|-----------|------------|
+| Credentials per department | 2 | 20 |
+
+## Daily Send Limits
+
+Outbound email and SMS messages sent via workflows are subject to daily send limits to prevent abuse:
+
+| Channel | Free Plan | Paid Plans |
+|---------|-----------|------------|
+| Emails per day | 10 | 500 |
+| SMS per day | 5 | 200 |
+
+When the daily limit is reached, further email or SMS workflow steps will fail with a clear error indicating the limit has been exhausted. Limits reset at midnight UTC each day.
 
 ## Rate Limiting
 
-Workflow execution is rate-limited to **60 executions per minute per department** by default. If a department exceeds this limit, additional workflow events are skipped and a warning is logged. This prevents a single department from overwhelming the system.
+Workflow execution is rate-limited per department to prevent abuse and ensure fair resource usage. Limits are **tiered by subscription plan**:
+
+| Limit | Free Plan | Paid Plans |
+|-------|-----------|------------|
+| Executions per minute | 5 | 60 |
+| Daily run limit | 50 | Unlimited |
+
+If a department exceeds these limits, additional workflow events are skipped and a warning is logged.
+
+:::warning Free Plan Rate Limits
+Free-plan rate limits are strictly enforced with **no exemptions**. Unlike paid plans, call events and other normally exempt event types still count against the free-plan rate limit. This prevents abuse of the free tier.
+:::
 
 ## Monitoring Workflow Runs
 
@@ -403,6 +486,33 @@ Navigate to **Department → Workflows → Pending** to see all currently queued
 Clearing all pending runs is a destructive action. Cancelled runs are not retried and the associated events will not trigger the workflow again.
 :::
 
+## Template Sandboxing
+
+Scriban templates are executed in a sandboxed environment with the following safeguards:
+
+| Protection | Limit |
+|------------|-------|
+| Loop iterations | 500 maximum |
+| Recursion depth | 50 maximum |
+| Regex timeout | Enforced to prevent ReDoS attacks |
+| Output template size (at save time) | 64 KB maximum |
+| Rendered content size | 256 KB maximum |
+| `import` / `include` built-ins | Disabled |
+
+These limits prevent infinite loops, excessive resource consumption, and template injection attacks. If a template exceeds any limit, the step fails with a descriptive error.
+
+## Dynamic Action Config Fields
+
+All text fields in the action configuration — including email **Subject**, **To**, **CC**, filenames, and URLs — are rendered through the Scriban template engine at execution time. This means you can use template variables in any action config field, not just the output template body.
+
+#### Examples
+
+- **Email subject:** `New Call: {{ call.name }}` resolves to `New Call: Structure Fire on Main St`
+- **Dynamic filename:** `report_{{ timestamp.date }}.csv` resolves to `report_2026-02-25.csv`
+- **Dynamic recipient:** `{{ user.email }}` resolves to the triggering user’s email address
+
+The same rendered content size cap (256 KB) applies to the rendered action config to prevent abuse.
+
 ## Scriban Template Syntax Reference
 
 Workflows use [Scriban](https://github.com/scriban/scriban) as the template engine. Here is a quick syntax reference:
@@ -454,6 +564,87 @@ Standard notification
 
 For full Scriban documentation, see the [Scriban Language Reference](https://github.com/scriban/scriban/blob/master/doc/language.md).
 
+## Collection Variables (Arrays)
+
+In addition to scalar properties, workflow templates can access **collection variables** on event objects. These are exposed as arrays that you can iterate over using Scriban's `for` loops.
+
+### Call Collections
+
+Available on **Call Added**, **Call Updated**, and **Call Closed** events:
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ call.dispatches }}` | array | List of dispatched personnel |
+| `{{ call.unit_dispatches }}` | array | List of dispatched units |
+| `{{ call.group_dispatches }}` | array | List of dispatched groups |
+| `{{ call.role_dispatches }}` | array | List of dispatched roles |
+| `{{ call.notes_list }}` | array | List of call notes |
+| `{{ call.contacts }}` | array | List of call contacts |
+
+#### Dispatch entry properties
+
+| Property | Available On | Description |
+|----------|-------------|-------------|
+| `user_id` | `dispatches` | Dispatched user ID |
+| `dispatch_count` | `dispatches`, `unit_dispatches`, `group_dispatches`, `role_dispatches` | Dispatch count |
+| `dispatched_on` | `dispatches`, `unit_dispatches`, `group_dispatches`, `role_dispatches` | Dispatch timestamp |
+| `unit_id` | `unit_dispatches` | Unit ID |
+| `unit_name` | `unit_dispatches` | Unit name |
+| `group_id` | `group_dispatches` | Group ID |
+| `group_name` | `group_dispatches` | Group name |
+| `role_id` | `role_dispatches` | Role ID |
+| `role_name` | `role_dispatches` | Role name |
+
+#### Call note properties
+
+| Property | Description |
+|----------|-------------|
+| `note` | Note text |
+| `source` | Note source |
+| `timestamp` | Note timestamp |
+| `user_id` | Author user ID |
+
+#### Contact properties
+
+| Property | Description |
+|----------|-------------|
+| `name` | Contact name |
+| `number` | Contact number |
+| `type` | Contact type |
+
+#### Example: List Dispatched Units
+
+```
+Dispatched Units:
+{{ for unit in call.unit_dispatches }}
+  - {{ unit.unit_name }} (dispatched {{ unit.dispatched_on | date.to_string "%H:%M" }})
+{{ end }}
+```
+
+#### Example: Include Call Notes
+
+```
+{{ if call.notes_list.size > 0 }}
+Notes:
+{{ for n in call.notes_list }}
+  [{{ n.timestamp | date.to_string "%H:%M" }}] {{ n.note }}
+{{ end }}
+{{ end }}
+```
+
+### Other Event Collections
+
+Collection variables are also available on other event types:
+
+| Event Type | Variable | Description |
+|------------|----------|-------------|
+| Resource Order Added | `{{ order.items }}` | Order line items |
+| Shift Created/Updated | `{{ shift.groups }}` | Shift group assignments |
+| Training Added/Updated | `{{ training.questions }}` | Training quiz questions |
+| Log Added | `{{ log.entries }}` | Log entries |
+
+For the complete variable reference including all collection properties, see the [Workflow Template Variable Reference](../reference/workflow-variables) page.
+
 ## Common Workflow Recipes
 
 ### Send a Slack Alert for High-Priority Calls
diff --git a/docs/reference/localization.md b/docs/reference/localization.md
index 94b3d6e..8869b40 100644
--- a/docs/reference/localization.md
+++ b/docs/reference/localization.md
@@ -14,6 +14,31 @@ Resgrid's website and applications can support multiple languages.
 
 We will be unable to support any Right-To-Left languages, for example Arabic, in the system at this time.
 
+## Localization Resources
+
+Resgrid uses `.resx` resource files with a marker-class pattern in the `Resgrid.Localization` project. Localized strings are organized by area and view. For example, the Edit Profile page has resources in `Areas/User/Home/EditProfile.en.resx` (English) and `EditProfile.es.resx` (Spanish).
+
+### Contact Verification Localization Strings
+
+The following localization keys are available for the contact verification feature:
+
+| Key | English (en) | Description |
+|-----|-------------|-------------|
+| `EmailNotVerifiedWarning` | "Your email address has not been verified. Verify it to ensure you receive dispatches and notifications." | Shown next to a pending email field |
+| `MobileNotVerifiedWarning` | "Your mobile number has not been verified. Verify it to ensure you receive SMS dispatches and notifications." | Shown next to a pending mobile number field |
+| `HomeNotVerifiedWarning` | "Your home number has not been verified. Verify it to ensure you receive voice call dispatches." | Shown next to a pending home number field |
+| `VerifyButtonLabel` | "Verify" | Label for the verify button |
+| `VerificationCodePlaceholder` | "Enter verification code" | Placeholder text for the code input |
+| `VerificationCodeSent` | "A verification code has been sent." | Confirmation after sending a code |
+| `VerificationSuccessful` | "Verification successful." | Shown after successful verification |
+| `VerificationFailed` | "Verification failed. Please check the code and try again." | Shown after a failed attempt |
+| `VerificationRateLimited` | "Too many verification attempts. Please try again later." | Shown when rate limit is exceeded |
+| `GrandfatheredEmailWarning` | "We recommend verifying your email address to ensure uninterrupted delivery of dispatches and notifications." | Info banner for grandfathered email |
+| `GrandfatheredMobileWarning` | "We recommend verifying your mobile number to ensure uninterrupted delivery of SMS dispatches and notifications." | Info banner for grandfathered mobile number |
+| `GrandfatheredHomeWarning` | "We recommend verifying your home number to ensure uninterrupted delivery of voice call dispatches." | Info banner for grandfathered home number |
+
+These strings are defined in `EditProfile.en.resx` and `EditProfile.es.resx` and follow the existing marker-class localization pattern.
+
 ## Localization Gaps
 
 The following areas or parts of the system may not be properly localized for your specific language:
diff --git a/docs/reference/workflow-variables.md b/docs/reference/workflow-variables.md
index 8bdb30d..d8b57a7 100644
--- a/docs/reference/workflow-variables.md
+++ b/docs/reference/workflow-variables.md
@@ -99,6 +99,76 @@ Populated from the user who triggered the event. If no specific user is associat
 | `{{ call.is_deleted }}` | bool | Whether the call is deleted |
 | `{{ call.deleted_reason }}` | string | Deletion reason |
 
+#### Call Collection Variables
+
+The following array variables are available on call events. Use Scriban `for` loops to iterate over them.
+
+##### Dispatched Personnel (`call.dispatches`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ call.dispatches }}` | array | List of dispatched personnel |
+| `{{ call.dispatches[n].user_id }}` | string | Dispatched user ID |
+| `{{ call.dispatches[n].dispatch_count }}` | int | Dispatch count |
+| `{{ call.dispatches[n].dispatched_on }}` | datetime | Dispatch timestamp |
+
+##### Dispatched Units (`call.unit_dispatches`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ call.unit_dispatches }}` | array | List of dispatched units |
+| `{{ call.unit_dispatches[n].unit_id }}` | int | Unit ID |
+| `{{ call.unit_dispatches[n].unit_name }}` | string | Unit name |
+| `{{ call.unit_dispatches[n].dispatch_count }}` | int | Dispatch count |
+| `{{ call.unit_dispatches[n].dispatched_on }}` | datetime | Dispatch timestamp |
+
+##### Dispatched Groups (`call.group_dispatches`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ call.group_dispatches }}` | array | List of dispatched groups |
+| `{{ call.group_dispatches[n].group_id }}` | int | Group ID |
+| `{{ call.group_dispatches[n].group_name }}` | string | Group name |
+| `{{ call.group_dispatches[n].dispatch_count }}` | int | Dispatch count |
+| `{{ call.group_dispatches[n].dispatched_on }}` | datetime | Dispatch timestamp |
+
+##### Dispatched Roles (`call.role_dispatches`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ call.role_dispatches }}` | array | List of dispatched roles |
+| `{{ call.role_dispatches[n].role_id }}` | int | Role ID |
+| `{{ call.role_dispatches[n].role_name }}` | string | Role name |
+| `{{ call.role_dispatches[n].dispatch_count }}` | int | Dispatch count |
+| `{{ call.role_dispatches[n].dispatched_on }}` | datetime | Dispatch timestamp |
+
+##### Call Notes (`call.notes_list`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ call.notes_list }}` | array | List of call notes |
+| `{{ call.notes_list[n].note }}` | string | Note text |
+| `{{ call.notes_list[n].source }}` | string | Note source |
+| `{{ call.notes_list[n].timestamp }}` | datetime | Note timestamp |
+| `{{ call.notes_list[n].user_id }}` | string | Note author user ID |
+
+##### Call Contacts (`call.contacts`)
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ call.contacts }}` | array | List of call contacts |
+| `{{ call.contacts[n].name }}` | string | Contact name |
+| `{{ call.contacts[n].number }}` | string | Contact number |
+| `{{ call.contacts[n].type }}` | string | Contact type |
+
+##### Example: Iterating Over Dispatched Units
+
+```
+{{ for unit in call.unit_dispatches }}
+  - {{ unit.unit_name }} (dispatched {{ unit.dispatched_on | date.to_string "%H:%M" }})
+{{ end }}
+```
+
 ---
 
 ### Unit Status Changed
@@ -311,6 +381,15 @@ Populated from the user who triggered the event. If no specific user is associat
 | `{{ log.other_personnel }}` | string | Other personnel involved |
 | `{{ log.call_id }}` | int | Associated call ID (if linked) |
 
+#### Log Collection Variables
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ log.entries }}` | array | List of log entries |
+| `{{ log.entries[n].narrative }}` | string | Entry narrative |
+| `{{ log.entries[n].timestamp }}` | datetime | Entry timestamp |
+| `{{ log.entries[n].user_id }}` | string | Entry author user ID |
+
 ---
 
 ### Calendar Event Added / Calendar Event Updated
@@ -350,6 +429,14 @@ Populated from the user who triggered the event. If no specific user is associat
 | `{{ shift.hours }}` | int | Shift duration in hours |
 | `{{ shift.department_number }}` | string | Department number |
 
+#### Shift Collection Variables
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ shift.groups }}` | array | List of shift group assignments |
+| `{{ shift.groups[n].group_id }}` | int | Group ID |
+| `{{ shift.groups[n].group_name }}` | string | Group name |
+
 ---
 
 ### Resource Order Added
@@ -372,6 +459,15 @@ Populated from the user who triggered the event. If no specific user is associat
 | `{{ order.meetup_location }}` | string | Meetup location |
 | `{{ order.financial_code }}` | string | Financial/billing code |
 
+#### Resource Order Collection Variables
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ order.items }}` | array | List of order line items |
+| `{{ order.items[n].resource }}` | string | Requested resource |
+| `{{ order.items[n].quantity }}` | int | Requested quantity |
+| `{{ order.items[n].status }}` | string | Item status |
+
 ---
 
 ### Shift Trade Requested
@@ -428,6 +524,14 @@ Populated from the user who triggered the event. If no specific user is associat
 | `{{ training.created_on }}` | datetime | Creation date |
 | `{{ training.to_be_completed_by }}` | datetime | Completion deadline (if set) |
 
+#### Training Collection Variables
+
+| Variable | Type | Description |
+|----------|------|-------------|
+| `{{ training.questions }}` | array | List of training quiz questions |
+| `{{ training.questions[n].question }}` | string | Question text |
+| `{{ training.questions[n].answer }}` | string | Correct answer |
+
 ---
 
 ### Inventory Adjusted
diff --git a/docs/web-app/dispatch-calls.md b/docs/web-app/dispatch-calls.md
index 1f83a35..cfcf733 100644
--- a/docs/web-app/dispatch-calls.md
+++ b/docs/web-app/dispatch-calls.md
@@ -69,6 +69,10 @@ After a call is saved:
 3. The call is enqueued via `IQueueService.EnqueueCallBroadcastAsync`
 4. The queue processor sends push notifications, SMS, and email to all dispatched personnel
 
+:::info Contact Verification Gating
+Outbound dispatch communications are gated by each user's contact verification status. Email dispatches are only sent if the user's email is **Verified** or **Grandfathered**. SMS dispatches are only sent if the user's mobile number is **Verified** or **Grandfathered**. Voice call dispatches are only sent if the relevant phone number (home or mobile) is **Verified** or **Grandfathered**. Users with **Pending** contact methods will not receive dispatches on those channels. See [Contact Method Verification](../configuration/contact-verification) for details.
+:::
+
 ### Location Handling
 
 The system supports multiple location input methods:
@@ -232,3 +236,4 @@ The dispatch area includes a chat view for real-time communication with departme
 | **Logs** | Work logs reference calls |
 | **Reports** | Call analytics and reports |
 | **Queue** | Async notification broadcast |
+| **Contact Verification** | Email, SMS, and voice call dispatches are gated by each user's contact verification status |
diff --git a/docs/web-app/messages.md b/docs/web-app/messages.md
index 82e8112..6e6321f 100644
--- a/docs/web-app/messages.md
+++ b/docs/web-app/messages.md
@@ -105,3 +105,4 @@ Recipients can respond to messages with:
 | **Shifts** | Shift personnel can be excluded from messages |
 | **Dashboard** | Unread count displayed in top icons |
 | **Department** | Module can be enabled/disabled |
+| **Contact Verification** | SMS message delivery is gated by mobile number verification status. Users with Pending mobile verification will not receive SMS messages. |
diff --git a/docs/web-app/notifications.md b/docs/web-app/notifications.md
index 6a99722..ec56a98 100644
--- a/docs/web-app/notifications.md
+++ b/docs/web-app/notifications.md
@@ -69,3 +69,4 @@ The notification list performs extensive resolution to display human-readable in
 | **Units** | Unit type availability alerts |
 | **Custom Statuses** | Current state data references custom states |
 | **Department Settings** | Notification delivery channels |
+| **Contact Verification** | Notification delivery is gated by each user's contact verification status per channel |
diff --git a/docs/web-app/overview.md b/docs/web-app/overview.md
index 3191539..2e37152 100644
--- a/docs/web-app/overview.md
+++ b/docs/web-app/overview.md
@@ -84,6 +84,7 @@ The User Area is organized into the following major feature areas:
 | [Connect](connect) | Public department profile and posts | `ConnectController` |
 | [Search](search) | Quick navigation search | `SearchController` |
 | [Workflows](workflows) | Event-driven automation engine with templates and external actions | `WorkflowsController` |
+| [Contact Verification](../configuration/contact-verification) | Contact method verification for anti-spam protection | `ContactVerificationController` (API) |
 
 ## Event System
 
diff --git a/docs/web-app/personnel.md b/docs/web-app/personnel.md
index 6a63560..6ffd3a0 100644
--- a/docs/web-app/personnel.md
+++ b/docs/web-app/personnel.md
@@ -75,6 +75,10 @@ A sidebar tree view allows filtering personnel by group/station.
 7. Optionally sends a welcome/creation notification email
 8. Fires an `AuditEvent`
 
+:::info Contact Verification
+When an administrator creates a new user, all contact methods (email, mobile number, home number) are initialized in the **Pending** verification state. The new user must verify their contact methods from their profile page before they will receive dispatches, notifications, or messages via those channels. See [Contact Method Verification](../configuration/contact-verification) for details.
+:::
+
 ## Viewing Personnel
 
 **Authorization:** `Personnel_View` policy + `CanUserViewUser` runtime check
@@ -159,3 +163,4 @@ When displaying personnel for a call, the system calculates **Estimated Time of
 | **Trainings** | Personnel assigned to trainings |
 | **Profile** | Certifications and schedules managed per person |
 | **Security** | Visibility matrix controls who can see whom |
+| **Contact Verification** | Admin-created personnel start with Pending verification; communications are gated by verification status |
diff --git a/docs/web-app/profile-account.md b/docs/web-app/profile-account.md
index e5046e6..0204430 100644
--- a/docs/web-app/profile-account.md
+++ b/docs/web-app/profile-account.md
@@ -151,6 +151,35 @@ The `AccountController` handles permanent account deletion:
 3. Audit trail records IP address and user-agent
 4. Redirects to LogOff
 
+## Contact Method Verification
+
+Each contact method on a user's profile (email, mobile number, home number) has a verification status that determines whether the system will send dispatches, notifications, and messages through that channel. For full details, see [Contact Method Verification](../configuration/contact-verification).
+
+### Verification Status Indicators
+
+When viewing or editing a profile, each contact field displays a verification indicator:
+
+| Indicator | Meaning | Action |
+|-----------|---------|--------|
+| **Green verified badge** | Contact method is verified | No action needed |
+| **Yellow warning + Verify button** | Contact method is pending verification; communications are blocked | Click **Verify** to send a verification code |
+| **Subtle info banner** | Contact method is grandfathered (pre-existing); communications still work | Recommended to verify for uninterrupted delivery |
+
+### Verifying a Contact Method
+
+1. Click the **Verify** button next to the unverified contact field.
+2. A verification code is sent to the contact method (email for email addresses, SMS for phone numbers).
+3. Enter the 6-digit code in the inline input that appears.
+4. Click **Confirm** to complete verification.
+
+:::warning
+Verification codes expire after 30 minutes. You can request up to 3 codes per hour per contact method, and attempt up to 5 verifications per day per contact method.
+:::
+
+### Automatic Verification Reset
+
+If you change your email address, mobile number, or home number, the verification status for the changed field is automatically reset to **Pending**. You must re-verify the new contact information before communications resume on that channel.
+
 ## Interactions with Other Modules
 
 | Module | Interaction |
@@ -161,3 +190,4 @@ The `AccountController` handles permanent account deletion:
 | **Department** | Multi-department membership management |
 | **Security** | Password reset subject to admin permissions |
 | **Dashboard** | Active department determines dashboard context |
+| **Contact Verification** | Verification status gates outbound communications per channel |
diff --git a/docs/web-app/voice-audio.md b/docs/web-app/voice-audio.md
index 56c98ce..9bd7ecb 100644
--- a/docs/web-app/voice-audio.md
+++ b/docs/web-app/voice-audio.md
@@ -80,3 +80,4 @@ Removes an audio stream. Validates department ownership.
 | **Subscription** | PTT addon enables voice features |
 | **Personnel** | Users synced with VoIP provider |
 | **Dashboard** | Voice channels accessible from main interface |
+| **Contact Verification** | Voice call dispatches are gated by home/mobile number verification status |
diff --git a/docs/web-app/workflows.md b/docs/web-app/workflows.md
index 56f8888..6200725 100644
--- a/docs/web-app/workflows.md
+++ b/docs/web-app/workflows.md
@@ -48,7 +48,7 @@ Navigate to **Department → Workflows** and click **New Workflow**.
 | Description | No | Optional description of the workflow's purpose (max 1000 characters) |
 | Trigger Event Type | Yes | The system event that triggers this workflow (see [Trigger Event Types](#trigger-event-types)) |
 | Enabled | Yes | Whether the workflow is active (default: enabled) |
-| Max Retry Count | No | Number of retry attempts on failure (default: 3) |
+| Max Retry Count | No | Number of retry attempts on failure (default: 3, maximum: 5) |
 | Retry Backoff Base (seconds) | No | Base delay for exponential backoff between retries (default: 5) |
 
 ## Editing a Workflow
@@ -75,10 +75,20 @@ Steps are executed sequentially in `Step Order`. If a step fails, subsequent ste
 The workflow editor embeds an **Ace Editor** with Scriban syntax highlighting for editing output templates. Features include:
 
 - **Syntax highlighting** for Scriban template syntax (`{{ variable }}`, `{% if %}`, loops, etc.)
-- **Variable side panel** — Lists all available template variables for the selected trigger event type (e.g., for `CallAdded`: `{{ call.name }}`, `{{ call.nature }}`, `{{ call.address }}`, etc.)
+- **Variable side panel** — Lists all available template variables for the selected trigger event type (e.g., for `CallAdded`: `{{ call.name }}`, `{{ call.nature }}`, `{{ call.address }}`, etc.). **Array variables** are visually distinguished with a list icon and an "array" badge. Clicking an array variable inserts a Scriban `for` loop snippet instead of a simple variable reference.
 - **Preview button** — Renders the template with sample data and shows the output inline
 - **Test button** — Triggers a real execution with sample data and shows the run result
 
+:::tip Iterating Over Collections
+Some event variables are arrays (e.g., `call.unit_dispatches`, `call.notes_list`). When you click an array variable in the side panel, a `for` loop snippet is inserted automatically:
+```
+{{ for unit in call.unit_dispatches }}
+  {{ unit.unit_name }}
+{{ end }}
+```
+Hover over an array variable to see the child properties available inside each iteration.
+:::
+
 See the [Workflows Configuration](../configuration/workflows) page for the full template variable reference.
 
 ## Trigger Event Types
@@ -124,20 +134,20 @@ Each workflow step supports one of the following action types:
 
 | Action | Description | Credential Required |
 |--------|-------------|---------------------|
-| **Send Email** | Sends an email via SMTP. Template renders the HTML email body. | SMTP (host, port, username, password, from address) |
+| **Send Email** | Sends an email via SMTP. Template renders the HTML email body. Rendered HTML is automatically sanitized (scripts, iframes, event handlers, etc. are stripped). | SMTP (host, port, username, password, from address) |
 | **Send SMS** | Sends an SMS message via Twilio. Template renders the message body. | Twilio (Account SID, Auth Token, from number) |
-| **Send Teams Message** | Posts a message to Microsoft Teams via Incoming Webhook. Template renders the message body (plain text or Adaptive Card JSON). | Microsoft Teams (webhook URL) |
-| **Send Slack Message** | Posts a message to Slack via Incoming Webhook. Template renders the message text (supports Slack mrkdwn). | Slack (webhook URL) |
-| **Send Discord Message** | Posts a message to Discord via Webhook. Template renders the message content (supports embed JSON). | Discord (webhook URL) |
+| **Send Teams Message** | Posts a message to Microsoft Teams via Incoming Webhook. Template renders the message body (plain text or Adaptive Card JSON). Webhook URL must target `.webhook.office.com` or `.logic.azure.com`. | Microsoft Teams (webhook URL) |
+| **Send Slack Message** | Posts a message to Slack via Incoming Webhook. Template renders the message text (supports Slack mrkdwn). Webhook URL must target `hooks.slack.com`. | Slack (webhook URL) |
+| **Send Discord Message** | Posts a message to Discord via Webhook. Template renders the message content (supports embed JSON). Webhook URL must target `discord.com` or `discordapp.com` with path `/api/webhooks/`. | Discord (webhook URL) |
 
 ### API Actions
 
 | Action | Description | Credential Required |
 |--------|-------------|---------------------|
-| **Call API (GET)** | Sends an HTTP GET request to a URL. | Optional (Bearer, Basic, or API Key) |
-| **Call API (POST)** | Sends an HTTP POST request. Template renders the request body. | Optional |
-| **Call API (PUT)** | Sends an HTTP PUT request. Template renders the request body. | Optional |
-| **Call API (DELETE)** | Sends an HTTP DELETE request. | Optional |
+| **Call API (GET)** | Sends an HTTP GET request to a URL. HTTPS only; private/internal IPs blocked. | Optional (Bearer, Basic, or API Key) |
+| **Call API (POST)** | Sends an HTTP POST request. Template renders the request body. HTTPS only; private/internal IPs blocked. | Optional |
+| **Call API (PUT)** | Sends an HTTP PUT request. Template renders the request body. HTTPS only; private/internal IPs blocked. | Optional |
+| **Call API (DELETE)** | Sends an HTTP DELETE request. HTTPS only; private/internal IPs blocked. | Optional |
 
 ### File Upload Actions
 
@@ -323,9 +333,90 @@ When a workflow step fails:
 3. If max retries are exceeded, status is set to **Failed** with the final error message
 4. All retry attempts are visible in the run logs for auditing
 
+The `Max Retry Count` has a server-side ceiling of **5** to prevent infinite retry abuse.
+
+## Template Sandboxing
+
+Scriban templates are executed in a sandboxed environment to prevent abuse:
+
+| Protection | Limit |
+|------------|-------|
+| Loop iterations | 500 maximum |
+| Recursion depth | 50 maximum |
+| Regex timeout | Enforced to prevent ReDoS |
+| Output template size (save time) | 64 KB |
+| Rendered content size | 256 KB |
+| `import` / `include` built-ins | Disabled |
+
+## Dynamic Action Config Fields
+
+All text fields in action configuration (email Subject, To, CC, filenames, URLs, etc.) are rendered through the Scriban template engine at execution time. You can use `{{ }}` expressions in any config field:
+
+- **Subject:** `New Call: {{ call.name }}`
+- **Filename:** `report_{{ timestamp.date }}.csv`
+- **Recipient:** `{{ user.email }}`
+
+## Security Protections
+
+### SSRF Prevention
+
+HTTP API calls, FTP, and SFTP actions enforce:
+- **HTTPS only** for HTTP calls
+- Blocking of private/internal IP ranges (RFC 1918, loopback, link-local, cloud metadata `169.254.169.254`)
+- Configurable domain allowlist/blocklist
+
+### Webhook URL Validation
+
+Chat platform webhook URLs are validated against expected vendor domains:
+- **Teams:** `.webhook.office.com` or `.logic.azure.com`
+- **Slack:** `hooks.slack.com`
+- **Discord:** `discord.com` or `discordapp.com` with `/api/webhooks/` path
+
+### Email HTML Sanitization
+
+Rendered email body HTML is sanitized before sending. Dangerous elements (`<script>`, `<iframe>`, `<object>`, `<embed>`, `<form>`), `on*` event attributes, and `javascript:` URLs are stripped. Standard formatting tags are preserved.
+
 ## Rate Limiting
 
-Workflow execution is rate-limited per department to prevent a single department from flooding the system. The default limit is **60 workflow executions per minute per department**. If the limit is exceeded, workflow events are skipped and a warning is logged.
+Workflow execution is rate-limited per department to prevent a single department from flooding the system. Limits are **tiered by subscription plan**:
+
+| Limit | Free Plan | Paid Plans |
+|-------|-----------|------------|
+| Executions per minute | 5 | 60 |
+| Daily run limit | 50 | Unlimited |
+
+Free-plan rate limits are strictly enforced with **no exemptions** — no event types bypass the limit.
+
+## Workflow and Step Limits
+
+The number of workflows and steps per department is capped based on subscription plan:
+
+| Limit | Free Plan | Paid Plans |
+|-------|-----------|------------|
+| Workflows per department | 3 | 28 |
+| Steps per workflow | 5 | 20 |
+| Credentials per department | 2 | 20 |
+| Max retry count (ceiling) | 5 | 5 |
+
+## Daily Send Limits
+
+Outbound email and SMS messages sent via workflows are subject to daily limits:
+
+| Channel | Free Plan | Paid Plans |
+|---------|-----------|------------|
+| Emails per day | 10 | 500 |
+| SMS per day | 5 | 200 |
+
+When the daily limit is reached, further email/SMS steps will fail with a clear error. Limits reset at midnight UTC.
+
+## Recipient Caps
+
+To prevent bulk messaging abuse, the number of recipients per outbound step is capped:
+
+| Action | Free Plan | Paid Plans |
+|--------|-----------|------------|
+| Email To + CC | 1 (no CC) | 10 |
+| SMS To | 1 | 5 |
 
 ## Interactions with Other Modules
 

From a7e73e50293201c266b1260ea45c6237ee3a9ef1 Mon Sep 17 00:00:00 2001
From: Shawn Jackson <shawn@resgrid.com>
Date: Sat, 28 Feb 2026 17:12:52 -0800
Subject: [PATCH 3/3] Updated docs with SSO and SCIM info

---
 docs/enterprise/_category_.json      |   8 +
 docs/enterprise/scim-provisioning.md | 325 +++++++++++++++++
 docs/enterprise/security-policies.md | 254 ++++++++++++++
 docs/enterprise/sso-api-reference.md | 500 +++++++++++++++++++++++++++
 docs/enterprise/sso-overview.md      | 120 +++++++
 docs/enterprise/sso-setup.md         | 356 +++++++++++++++++++
 6 files changed, 1563 insertions(+)
 create mode 100644 docs/enterprise/_category_.json
 create mode 100644 docs/enterprise/scim-provisioning.md
 create mode 100644 docs/enterprise/security-policies.md
 create mode 100644 docs/enterprise/sso-api-reference.md
 create mode 100644 docs/enterprise/sso-overview.md
 create mode 100644 docs/enterprise/sso-setup.md

diff --git a/docs/enterprise/_category_.json b/docs/enterprise/_category_.json
new file mode 100644
index 0000000..5cb9727
--- /dev/null
+++ b/docs/enterprise/_category_.json
@@ -0,0 +1,8 @@
+{
+  "label": "Enterprise SSO & SCIM",
+  "position": 6,
+  "link": {
+    "type": "generated-index",
+    "description": "Enterprise Single Sign-On (SSO), SCIM user provisioning, and security policy configuration for organizations and government agencies."
+  }
+}
diff --git a/docs/enterprise/scim-provisioning.md b/docs/enterprise/scim-provisioning.md
new file mode 100644
index 0000000..bcb6e54
--- /dev/null
+++ b/docs/enterprise/scim-provisioning.md
@@ -0,0 +1,325 @@
+---
+sidebar_position: 3
+---
+
+# SCIM 2.0 Provisioning
+
+SCIM (System for Cross-domain Identity Management) 2.0 allows your identity provider to automatically create, update, and deactivate Resgrid user accounts when changes are made in your corporate directory. This eliminates manual user management and ensures that access is revoked promptly when personnel leave the organization.
+
+## How It Works
+
+When SCIM is enabled for a department, your identity provider pushes user lifecycle events to Resgrid's SCIM endpoint:
+
+```
+IdP Directory ──► SCIM Connector ──► Resgrid SCIM API ──► User Account Changes
+                                     /scim/v2/Users
+```
+
+| IdP Event | Resgrid Action |
+| --- | --- |
+| User assigned to Resgrid app | Create `IdentityUser` + `UserProfile` + `DepartmentMember` |
+| User profile updated (name, email) | Update `UserProfile` and linked fields |
+| User unassigned / disabled | Deactivate account (`IsDisabled` / `IsDeleted` on `DepartmentMember`) |
+
+All SCIM operations are authenticated using a per-department bearer token. Each operation is logged to the Resgrid audit system.
+
+## Prerequisites
+
+- An active SSO configuration for the department (OIDC or SAML 2.0)
+- An identity provider that supports SCIM 2.0 provisioning (e.g., Okta, Microsoft Entra ID, OneLogin, JumpCloud)
+- Department administrator access to Resgrid (web application or API)
+
+## Setup
+
+### Step 1 — Enable SCIM and Generate a Bearer Token
+
+#### Using the Web Application
+
+1. Navigate to **Department Settings** → **Security** → **SSO & SCIM**
+2. Click **SCIM Setup** next to your SSO configuration
+3. Click the **Rotate / Generate SCIM Token** button
+4. The token is displayed **once** in a highlighted yellow warning banner at the top of the page. The token field is auto-selected for easy copying. Use the **Copy** button to copy it to your clipboard.
+
+:::danger One-Time Display
+The SCIM bearer token is shown in plaintext **once only** on the SCIM Setup page immediately after generation. It is stored encrypted and no subsequent page load will reveal it. If you navigate away without copying the token, you must rotate again to generate a new one.
+:::
+
+#### Using the API
+
+Call the rotate token endpoint. This enables SCIM on the SSO configuration and returns a new bearer token:
+
+```bash
+POST /api/v4/SsoAdmin/RotateScimToken/oidc
+Authorization: Bearer <admin-token>
+```
+
+**Response:**
+
+```json
+{
+  "status": "success",
+  "scimBearerToken": "abc123...very-long-random-token...",
+  ...
+}
+```
+
+:::danger Copy the Token Immediately
+The SCIM bearer token is returned in **plaintext once only** and stored encrypted. If you lose it, call the rotate endpoint again to generate a new one (this invalidates the previous token).
+:::
+
+### Step 2 — Configure SCIM in Your Identity Provider
+
+The SCIM Setup page in the web application displays all the connector settings you need in a convenient table with **copy buttons** for each value. It also includes **tabbed step-by-step guides** with specific instructions for each major identity provider.
+
+Use the following values when setting up the SCIM connector in your IdP:
+
+| IdP SCIM Field | Value |
+| --- | --- |
+| SCIM connector base URL | `https://{your-api-host}/scim/v2` |
+| Authentication method | HTTP Header |
+| Authorization header | `Bearer <scimBearerToken from Step 1>` |
+| Custom header | `X-Department-Id: {your departmentId (integer)}` |
+| Supported resources | Users |
+| Update method | PUT (full replace) or PATCH (partial) |
+
+#### IdP-Specific Setup Guides
+
+The web application’s SCIM Setup page includes tabbed instructions for each provider. Below is a summary of the key steps for each.
+
+##### Okta
+
+1. In your Okta admin console, go to **Applications** → your Resgrid app → **Provisioning** tab
+2. Click **Configure API Integration** and check **Enable API Integration**
+3. Set **SCIM connector base URL** to `https://{your-api-host}/scim/v2`
+4. Set **Authentication Mode** to **HTTP Header**
+5. Paste your SCIM bearer token in the **Authorization** field (prefixed with `Bearer `)
+6. Add a custom header `X-Department-Id` with your department ID
+7. Click **Test API Credentials** to verify connectivity
+8. Enable the provisioning features you want: Create Users, Update User Attributes, Deactivate Users
+
+##### Microsoft Entra ID (Azure AD)
+
+1. In the Azure portal, go to **Enterprise Applications** → your Resgrid app → **Provisioning**
+2. Set **Provisioning Mode** to **Automatic**
+3. Under **Admin Credentials**, set **Tenant URL** to `https://{your-api-host}/scim/v2`
+4. Set **Secret Token** to your SCIM bearer token
+5. Add HTTP header `X-Department-Id: {your departmentId}`
+6. Click **Test Connection** to verify
+7. Configure **Mappings** to map Entra user attributes to SCIM fields
+8. Set the provisioning scope and turn provisioning **On**
+
+##### Google Workspace
+
+1. In the Google Admin console, go to **Apps** → **SAML apps** (or use a third-party SCIM bridge)
+2. Google Workspace does not natively support outbound SCIM. Use a SCIM bridge service or configure via the Google Cloud Identity API
+3. Set the SCIM endpoint to `https://{your-api-host}/scim/v2`
+4. Configure bearer token authentication with your SCIM token
+5. Include the `X-Department-Id` header in all requests
+
+##### Generic / Other IdPs
+
+| Setting | Value |
+| --- | --- |
+| SCIM Base URL | `https://{your-api-host}/scim/v2` |
+| Auth Method | Bearer Token |
+| Bearer Token | `<your SCIM token>` |
+| Required Header | `X-Department-Id: <departmentId>` |
+| Supported Operations | Create, Read, Update (PUT & PATCH), Delete/Deactivate |
+| Schema | `urn:ietf:params:scim:schemas:core:2.0:User` |
+
+### Step 3 — Verify Connectivity
+
+#### Using the Web Application
+
+The SCIM Setup page includes a **Test Connection** section. If SCIM is enabled and a token is stored, the page shows a green success indicator.
+
+#### Using the API
+
+Test that SCIM is properly configured:
+
+```bash
+GET /api/v4/SsoAdmin/TestScimConnection/oidc
+Authorization: Bearer <admin-token>
+```
+
+Returns `success: true` when SCIM is enabled and a token is stored.
+
+You can also test directly from your IdP's SCIM test tool — most IdPs provide a "Test Connection" button that sends a `GET /scim/v2/Users` request.
+
+---
+
+## SCIM Endpoints
+
+Resgrid implements the following SCIM 2.0 endpoints under `/scim/v2`:
+
+| Method | Endpoint | Description |
+| --- | --- | --- |
+| `GET` | `/scim/v2/Users` | List users (supports filtering and pagination) |
+| `POST` | `/scim/v2/Users` | Create a new user |
+| `GET` | `/scim/v2/Users/{id}` | Get a specific user |
+| `PUT` | `/scim/v2/Users/{id}` | Replace a user (full update) |
+| `PATCH` | `/scim/v2/Users/{id}` | Partially update a user |
+| `DELETE` | `/scim/v2/Users/{id}` | Deactivate a user |
+| `GET` | `/scim/v2/Groups` | List groups (returns department roles) |
+
+All requests must include:
+- `Authorization: Bearer <scimBearerToken>` header
+- `X-Department-Id: <departmentId>` header
+
+### SCIM Schema
+
+Resgrid maps the standard SCIM `User` schema (`urn:ietf:params:scim:schemas:core:2.0:User`) to internal entities:
+
+| SCIM User Field | Resgrid Field | Entity |
+| --- | --- | --- |
+| `userName` | Email address | `IdentityUser.Email` |
+| `name.givenName` | First name | `UserProfile.FirstName` |
+| `name.familyName` | Last name | `UserProfile.LastName` |
+| `emails[0].value` | Email address | `IdentityUser.Email` |
+| `active` | Account active status | `DepartmentMember.IsDisabled` (inverted) |
+| `externalId` | External IdP identifier | `DepartmentMember.ExternalSsoId` |
+
+### Example: Create User (POST)
+
+**Request from IdP:**
+
+```json
+POST /scim/v2/Users
+Authorization: Bearer <scim-token>
+X-Department-Id: 42
+Content-Type: application/scim+json
+
+{
+  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+  "userName": "jane.doe@example.com",
+  "name": {
+    "givenName": "Jane",
+    "familyName": "Doe"
+  },
+  "emails": [
+    {
+      "primary": true,
+      "value": "jane.doe@example.com",
+      "type": "work"
+    }
+  ],
+  "externalId": "abc-123-ext",
+  "active": true
+}
+```
+
+**Response:**
+
+```json
+{
+  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+  "id": "usr-guid-...",
+  "externalId": "abc-123-ext",
+  "userName": "jane.doe@example.com",
+  "name": {
+    "givenName": "Jane",
+    "familyName": "Doe"
+  },
+  "emails": [
+    {
+      "primary": true,
+      "value": "jane.doe@example.com",
+      "type": "work"
+    }
+  ],
+  "active": true,
+  "meta": {
+    "resourceType": "User",
+    "created": "2026-02-28T12:00:00Z",
+    "lastModified": "2026-02-28T12:00:00Z",
+    "location": "https://api.resgrid.com/scim/v2/Users/usr-guid-..."
+  }
+}
+```
+
+### Example: Deactivate User (PATCH)
+
+When a user is removed from the Resgrid application in your IdP, the IdP typically sends a PATCH request to set `active` to `false`:
+
+```json
+PATCH /scim/v2/Users/usr-guid-...
+Authorization: Bearer <scim-token>
+X-Department-Id: 42
+Content-Type: application/scim+json
+
+{
+  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+  "Operations": [
+    {
+      "op": "replace",
+      "path": "active",
+      "value": false
+    }
+  ]
+}
+```
+
+This sets `IsDisabled = true` on the `DepartmentMember` record. The user's Resgrid account is preserved but they can no longer log in or access department resources.
+
+---
+
+## Token Rotation
+
+To rotate the SCIM bearer token (e.g., for security compliance or if the token is compromised):
+
+### Using the Web Application
+
+1. Navigate to the **SCIM Setup** page
+2. Click **Rotate / Generate SCIM Token**
+3. The old token is immediately invalidated
+4. Copy the new token from the one-time display banner
+5. Update the bearer token in your IdP's SCIM connector settings
+
+### Using the API
+
+1. Call `POST /api/v4/SsoAdmin/RotateScimToken/{providerType}` to generate a new token
+2. The old token is immediately invalidated
+3. Update the bearer token in your IdP's SCIM connector settings with the new token
+
+:::warning
+Rotating the token will cause all SCIM operations from your IdP to fail until the new token is configured in the IdP. Plan for a brief interruption when rotating tokens.
+:::
+
+---
+
+## Audit Logging
+
+All SCIM operations are recorded in the Resgrid audit log:
+
+| Audit Event | Trigger |
+| --- | --- |
+| `ScimUserCreated` | A new user was created via SCIM `POST /Users` |
+| `ScimUserUpdated` | A user was updated via SCIM `PUT` or `PATCH /Users/{id}` |
+| `ScimUserDeactivated` | A user was deactivated via SCIM `PATCH` or `DELETE /Users/{id}` |
+
+---
+
+## Troubleshooting
+
+### IdP reports "401 Unauthorized" on SCIM requests
+
+- Verify the SCIM bearer token was copied correctly (no extra whitespace)
+- Check that the `Authorization` header is formatted as `Bearer <token>` (with a space)
+- Ensure the `X-Department-Id` header is included and contains the correct integer department ID
+- If the token was rotated, update the IdP with the new token
+
+### Users are created but not linked to SSO
+
+- Ensure the `externalId` field is populated in the SCIM request from your IdP
+- This value is stored as `ExternalSsoId` on the `DepartmentMember` and used for SSO account linking
+
+### SCIM creates duplicate users
+
+- Resgrid matches incoming SCIM users by email address first
+- If a user with the same email already exists, their account is linked rather than duplicated
+- Ensure your IdP is sending the correct email address in the `userName` or `emails` field
+
+### User deactivation does not work
+
+- Verify your IdP sends a `PATCH` with `active: false` or a `DELETE` request when unassigning users
+- Check the Resgrid audit log for `ScimUserDeactivated` events to confirm the request was received
diff --git a/docs/enterprise/security-policies.md b/docs/enterprise/security-policies.md
new file mode 100644
index 0000000..1339822
--- /dev/null
+++ b/docs/enterprise/security-policies.md
@@ -0,0 +1,254 @@
+---
+sidebar_position: 4
+---
+
+# Security Policies
+
+The Department Security Policy feature allows administrators to enforce compliance-oriented controls across their entire department. These policies govern authentication requirements, session behavior, network restrictions, and password rules — designed to meet the needs of enterprise organizations and government agencies operating under frameworks like NIST, CJIS, or FedRAMP.
+
+## Overview
+
+Security policies are stored per-department in the `DepartmentSecurityPolicies` table and enforced at login time by the Resgrid API. When a user attempts to authenticate (via password or SSO), the system checks the department's security policy and blocks access if any requirement is not met.
+
+Security policies can be managed through the **web application** or the **REST API**.
+
+## Managing via the Web Application
+
+Navigate to **Department Settings** → **Security** → **Security Policy** (or click the **Security Policy** button on the Security index page).
+
+The Security Policy page provides:
+
+- **Authentication controls** — toggle MFA requirement and SSO-only mode
+- **Session settings** — configure timeout and concurrent session limits
+- **IP range restrictions** — enter allowed CIDR blocks
+- **Password policy** — set minimum length, complexity, and expiration
+- **Data classification** — select the classification level for the department
+- **Preset buttons** — one-click templates to apply common configurations:
+  - **Government / CUI** — applies strict settings suitable for CJIS, NIST 800-171, and FedRAMP
+  - **Enterprise** — applies balanced settings with MFA but optional SSO
+  - **Minimal** — resets all fields to defaults (no restrictions)
+
+After selecting a preset or manually adjusting settings, click **Save** to apply the policy.
+
+:::tip Preset Buttons
+Preset buttons populate the form with recommended values but do not save automatically. Review the settings and click **Save** to apply. You can modify individual fields after applying a preset.
+:::
+
+## Managing via the API
+
+### Reading the Current Policy
+
+```bash
+GET /api/v4/SsoAdmin/GetSecurityPolicy
+Authorization: Bearer <admin-token>
+```
+
+Returns the current security policy for the administrator's department, or a default (empty) policy if none has been configured.
+
+## Saving / Updating the Policy
+
+```bash
+POST /api/v4/SsoAdmin/SaveSecurityPolicy
+Content-Type: application/json
+Authorization: Bearer <admin-token>
+```
+
+```json
+{
+  "requireMfa": true,
+  "requireSso": false,
+  "sessionTimeoutMinutes": 480,
+  "maxConcurrentSessions": 3,
+  "allowedIpRanges": "10.0.0.0/8,192.168.1.0/24",
+  "passwordExpirationDays": 90,
+  "minPasswordLength": 12,
+  "requirePasswordComplexity": true,
+  "dataClassificationLevel": 1
+}
+```
+
+---
+
+## Policy Fields
+
+| Field | Type | Default | Description |
+| --- | --- | --- | --- |
+| `requireMfa` | bool | `false` | Require multi-factor authentication for all department members |
+| `requireSso` | bool | `false` | Force all users through SSO, disabling password-based login |
+| `sessionTimeoutMinutes` | int | `0` (disabled) | Automatically expire sessions after this many minutes of inactivity |
+| `maxConcurrentSessions` | int | `0` (unlimited) | Maximum number of simultaneous active sessions per user |
+| `allowedIpRanges` | string | `""` (all IPs) | Comma-separated list of CIDR blocks; only these IP ranges can access the department |
+| `passwordExpirationDays` | int | `0` (disabled) | Force password resets after this many days |
+| `minPasswordLength` | int | `0` (system default) | Minimum password length for department members |
+| `requirePasswordComplexity` | bool | `false` | Require passwords to include uppercase, lowercase, digits, and special characters |
+| `dataClassificationLevel` | int | `0` | Data classification tag for the department |
+
+### Data Classification Levels
+
+| Value | Level | Description |
+| --- | --- | --- |
+| `0` | Unclassified | Default. No special handling required |
+| `1` | CUI | Controlled Unclassified Information — subject to NIST SP 800-171 controls |
+| `2` | Confidential | Requires enhanced access controls and audit logging |
+
+---
+
+## Common Policy Presets
+
+### Government / CUI Environment
+
+For departments handling Controlled Unclassified Information (CUI) or operating under CJIS, NIST 800-171, or similar frameworks:
+
+```json
+{
+  "requireMfa": true,
+  "requireSso": true,
+  "sessionTimeoutMinutes": 240,
+  "maxConcurrentSessions": 1,
+  "allowedIpRanges": "10.0.0.0/8",
+  "passwordExpirationDays": 60,
+  "minPasswordLength": 14,
+  "requirePasswordComplexity": true,
+  "dataClassificationLevel": 1
+}
+```
+
+Key characteristics:
+- SSO is mandatory — no password-based login
+- MFA is required on every login
+- Sessions expire after 4 hours
+- Only one concurrent session per user
+- Access restricted to internal network (`10.0.0.0/8`)
+- Passwords expire every 60 days with 14-character minimum
+
+### Standard Enterprise (SSO Optional, MFA Required)
+
+For corporate departments that want stronger security without fully locking down to SSO:
+
+```json
+{
+  "requireMfa": true,
+  "requireSso": false,
+  "sessionTimeoutMinutes": 480,
+  "maxConcurrentSessions": 5,
+  "allowedIpRanges": "",
+  "passwordExpirationDays": 90,
+  "minPasswordLength": 12,
+  "requirePasswordComplexity": true,
+  "dataClassificationLevel": 0
+}
+```
+
+Key characteristics:
+- MFA is required but SSO is optional
+- Sessions expire after 8 hours
+- Up to 5 concurrent sessions per user
+- No IP restrictions (access from anywhere)
+- Passwords expire every 90 days with 12-character minimum
+
+### Minimal (Default Behavior)
+
+For departments that do not need additional security controls:
+
+```json
+{
+  "requireMfa": false,
+  "requireSso": false,
+  "sessionTimeoutMinutes": 0,
+  "maxConcurrentSessions": 0,
+  "allowedIpRanges": "",
+  "passwordExpirationDays": 0,
+  "minPasswordLength": 0,
+  "requirePasswordComplexity": false,
+  "dataClassificationLevel": 0
+}
+```
+
+---
+
+## How Policies Are Enforced
+
+Security policies are checked at login time (both password and SSO authentication) and enforced as follows:
+
+### At Authentication
+
+| Check | Behavior |
+| --- | --- |
+| `requireSso` | If `true`, password-based login attempts are rejected with a message directing the user to SSO |
+| `requireMfa` | If `true`, the user must complete MFA after primary authentication; login is blocked if MFA is not configured |
+| `allowedIpRanges` | The client's IP address is checked against the CIDR list; requests from disallowed IPs are rejected |
+| `maxConcurrentSessions` | If the user already has the maximum number of active sessions, the oldest session is invalidated |
+| `sessionTimeoutMinutes` | The issued token's expiration is capped to the configured timeout |
+
+### At Password Change
+
+| Check | Behavior |
+| --- | --- |
+| `minPasswordLength` | New passwords shorter than the minimum are rejected |
+| `requirePasswordComplexity` | New passwords must include uppercase, lowercase, digit, and special character |
+| `passwordExpirationDays` | Users are forced to change their password when the expiration period elapses |
+
+---
+
+## IP Range Configuration
+
+The `allowedIpRanges` field accepts a comma-separated list of CIDR blocks. Examples:
+
+| Value | Meaning |
+| --- | --- |
+| `""` (empty) | All IP addresses are allowed |
+| `10.0.0.0/8` | Only class A private network |
+| `10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` | All RFC 1918 private networks |
+| `203.0.113.0/24` | A specific public subnet |
+| `203.0.113.42/32` | A single IP address |
+
+:::warning
+If you configure IP restrictions incorrectly, you may lock yourself out of the API. Ensure your current IP address is within the allowed ranges before saving the policy. If locked out, contact Resgrid support to reset the policy.
+:::
+
+---
+
+## Important Warnings
+
+### RequireSso
+
+Setting `requireSso: true` **disables password-based login for all department members**, including administrators. Both the web application and the API enforce a safety guard:
+
+- **Web UI**: The Security Policy page checks whether an active SSO configuration exists before allowing `RequireSso` to be enabled. If no active config is found, a validation error is displayed with a link to the SSO configuration page.
+- **API**: The `POST /api/v4/SsoAdmin/SaveSecurityPolicy` endpoint returns a `400 Bad Request` with an error message if `requireSso: true` is submitted without an active SSO configuration.
+
+Before enabling this:
+1. Ensure your SSO configuration is fully tested and working
+2. Verify that all department administrators can log in via SSO
+3. Consider keeping at least one emergency admin account with `allowLocalLogin: true` in the SSO config
+
+### Session Timeout
+
+Setting a very low `sessionTimeoutMinutes` (e.g., less than 30 minutes) may cause poor user experience, especially on mobile devices where background app refresh is common. Recommended minimum values:
+
+| Environment | Recommended Timeout |
+| --- | --- |
+| Government / high-security | 240 minutes (4 hours) |
+| Standard enterprise | 480 minutes (8 hours) |
+| Field operations | 720 minutes (12 hours) |
+
+---
+
+## Troubleshooting
+
+### "Access denied: IP not in allowed range"
+
+- Check that your current IP is in the `allowedIpRanges` CIDR list
+- If using a VPN, verify the VPN's egress IP is included
+- Mobile devices on cellular networks have dynamic IPs — consider whether IP restrictions are appropriate for mobile users
+
+### "MFA required" but user has not set up MFA
+
+- When `requireMfa` is `true`, users who have not enrolled in MFA will be blocked at login
+- Direct affected users to set up MFA in their Resgrid account settings before the policy is enabled
+- Consider rolling out MFA enrollment before enabling the `requireMfa` policy
+
+### Cannot disable SSO-only mode
+
+- You must be able to authenticate to change the security policy
+- If locked out, contact Resgrid support for assistance with policy reset
diff --git a/docs/enterprise/sso-api-reference.md b/docs/enterprise/sso-api-reference.md
new file mode 100644
index 0000000..7379042
--- /dev/null
+++ b/docs/enterprise/sso-api-reference.md
@@ -0,0 +1,500 @@
+---
+sidebar_position: 5
+---
+
+# SSO & SCIM API Reference
+
+Complete reference for all SSO administration, SCIM provisioning, and SSO authentication endpoints in the Resgrid v4 API.
+
+---
+
+## SSO Administration Endpoints
+
+All SSO administration endpoints require a valid Resgrid admin bearer token and that the caller is a department administrator. The SSO policy claims (`Sso_View`, `Sso_Create`, `Sso_Update`, `Sso_Delete`) are enforced in addition to the admin role check.
+
+### List SSO Configurations
+
+Returns all SSO configurations for the administrator's department. Secret values (client secrets, certificates, SCIM tokens) are never included in the response.
+
+```
+GET /api/v4/SsoAdmin/GetSsoConfigs
+```
+
+**Headers:**
+
+| Header | Value |
+| --- | --- |
+| `Authorization` | `Bearer <admin-token>` |
+
+**Required Permission:** `Sso_View` + department admin
+
+**Response:** Array of SSO configuration objects (without secrets).
+
+---
+
+### Get Single SSO Configuration
+
+Returns a single SSO configuration by ID. Secret values are replaced with boolean indicators (e.g., `hasIdpCertificate: true`).
+
+```
+GET /api/v4/SsoAdmin/GetSsoConfig/{departmentSsoConfigId}
+```
+
+**Headers:**
+
+| Header | Value |
+| --- | --- |
+| `Authorization` | `Bearer <admin-token>` |
+
+**Path Parameters:**
+
+| Parameter | Type | Description |
+| --- | --- | --- |
+| `departmentSsoConfigId` | string | The ID of the SSO configuration |
+
+**Required Permission:** `Sso_View` + department admin
+
+---
+
+### Create SSO Configuration
+
+Creates a new SSO configuration for the department. Only one configuration per provider type (OIDC or SAML2) is allowed per department.
+
+```
+POST /api/v4/SsoAdmin/CreateSsoConfig
+```
+
+**Headers:**
+
+| Header | Value |
+| --- | --- |
+| `Authorization` | `Bearer <admin-token>` |
+| `Content-Type` | `application/json` |
+
+**Required Permission:** `Sso_Create` + department admin
+
+**Request Body:**
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `providerType` | string | Yes | `oidc` or `saml2` |
+| `isEnabled` | bool | Yes | Whether this configuration is active |
+| `clientId` | string | OIDC | OIDC client/application ID |
+| `clientSecret` | string | No | OIDC client secret (encrypted before storage) |
+| `authority` | string | OIDC | OIDC issuer/authority URL |
+| `metadataUrl` | string | SAML | SAML IdP metadata URL |
+| `entityId` | string | SAML | SAML SP entity ID |
+| `assertionConsumerServiceUrl` | string | SAML | SAML Assertion Consumer Service URL |
+| `idpCertificate` | string | SAML | IdP signing certificate in PEM format (encrypted before storage) |
+| `signingCertificate` | string | No | SP signing certificate in PEM format (encrypted before storage) |
+| `attributeMappingJson` | string | Yes | JSON mapping of IdP claims to Resgrid fields |
+| `allowLocalLogin` | bool | No | Allow password login alongside SSO (default: `true`) |
+| `autoProvisionUsers` | bool | No | Auto-create users on first SSO login (default: `false`) |
+| `defaultRankId` | int | No | Default rank for auto-provisioned users |
+| `scimEnabled` | bool | No | Enable SCIM provisioning (default: `false`) |
+
+**Response:** `201 Created` with the created configuration object.
+
+---
+
+### Update SSO Configuration
+
+Updates an existing SSO configuration. Omit secret fields or send `null` to leave them unchanged.
+
+```
+PUT /api/v4/SsoAdmin/UpdateSsoConfig/{departmentSsoConfigId}
+```
+
+**Headers:**
+
+| Header | Value |
+| --- | --- |
+| `Authorization` | `Bearer <admin-token>` |
+| `Content-Type` | `application/json` |
+
+**Path Parameters:**
+
+| Parameter | Type | Description |
+| --- | --- | --- |
+| `departmentSsoConfigId` | string | The ID of the SSO configuration to update |
+
+**Required Permission:** `Sso_Update` + department admin
+
+**Request Body:** Same fields as Create. Only include fields you want to change.
+
+**Response:** `200 OK` with the updated configuration object.
+
+---
+
+### Delete SSO Configuration
+
+Deletes an SSO configuration by provider type.
+
+```
+DELETE /api/v4/SsoAdmin/DeleteSsoConfig/{providerType}
+```
+
+**Headers:**
+
+| Header | Value |
+| --- | --- |
+| `Authorization` | `Bearer <admin-token>` |
+
+**Path Parameters:**
+
+| Parameter | Type | Description |
+| --- | --- | --- |
+| `providerType` | string | `oidc` or `saml2` |
+
+**Required Permission:** `Sso_Delete` + department admin
+
+**Response:** `200 OK` on success.
+
+:::warning
+Deleting an SSO configuration will immediately prevent users from authenticating via that provider. If `requireSso` is enabled in the security policy, this may lock users out. Disable `requireSso` first.
+:::
+
+---
+
+### Rotate SCIM Token
+
+Generates a new SCIM bearer token for the specified provider type. Enables SCIM if not already enabled. The previous token is immediately invalidated.
+
+```
+POST /api/v4/SsoAdmin/RotateScimToken/{providerType}
+```
+
+**Headers:**
+
+| Header | Value |
+| --- | --- |
+| `Authorization` | `Bearer <admin-token>` |
+
+**Path Parameters:**
+
+| Parameter | Type | Description |
+| --- | --- | --- |
+| `providerType` | string | `oidc` or `saml2` |
+
+**Required Permission:** `Sso_Update` + department admin
+
+**Response:**
+
+```json
+{
+  "status": "success",
+  "scimBearerToken": "abc123...very-long-random-token..."
+}
+```
+
+:::danger
+The token is returned in plaintext **once only**. Copy it immediately. It is stored encrypted and cannot be retrieved again.
+:::
+
+---
+
+### Test SCIM Connection
+
+Verifies that SCIM is enabled and a bearer token is configured for the specified provider type.
+
+```
+GET /api/v4/SsoAdmin/TestScimConnection/{providerType}
+```
+
+**Headers:**
+
+| Header | Value |
+| --- | --- |
+| `Authorization` | `Bearer <admin-token>` |
+
+**Path Parameters:**
+
+| Parameter | Type | Description |
+| --- | --- | --- |
+| `providerType` | string | `oidc` or `saml2` |
+
+**Required Permission:** `Sso_View` + department admin
+
+**Response:**
+
+```json
+{
+  "success": true
+}
+```
+
+---
+
+### Get Security Policy
+
+Returns the department's current security policy.
+
+```
+GET /api/v4/SsoAdmin/GetSecurityPolicy
+```
+
+**Headers:**
+
+| Header | Value |
+| --- | --- |
+| `Authorization` | `Bearer <admin-token>` |
+
+**Required Permission:** `Sso_View` + department admin
+
+**Response:** Security policy object (see [Security Policies](security-policies) for field details).
+
+---
+
+### Save Security Policy
+
+Creates or updates the department's security policy.
+
+```
+POST /api/v4/SsoAdmin/SaveSecurityPolicy
+```
+
+**Headers:**
+
+| Header | Value |
+| --- | --- |
+| `Authorization` | `Bearer <admin-token>` |
+| `Content-Type` | `application/json` |
+
+**Required Permission:** `Sso_Update` + department admin
+
+**Request Body:**
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `requireMfa` | bool | No | Require MFA for all users |
+| `requireSso` | bool | No | Force all login through SSO (rejected if no active SSO config) |
+| `sessionTimeoutMinutes` | int | No | Session inactivity timeout (0 = disabled) |
+| `maxConcurrentSessions` | int | No | Max simultaneous sessions per user (0 = unlimited) |
+| `allowedIpRanges` | string | No | CSV of CIDR blocks (empty = all IPs allowed) |
+| `passwordExpirationDays` | int | No | Days until password expires (0 = disabled) |
+| `minPasswordLength` | int | No | Minimum password length (0 = system default) |
+| `requirePasswordComplexity` | bool | No | Require mixed case, digits, and special characters |
+| `dataClassificationLevel` | int | No | `0` = Unclassified, `1` = CUI, `2` = Confidential |
+
+**Response:** `200 OK` with the saved security policy object.
+
+---
+
+## Public SSO Endpoints
+
+These endpoints are used by mobile and web apps to discover SSO configuration and exchange external tokens. They do **not** require Resgrid authentication.
+
+### SSO Discovery
+
+Returns the public SSO configuration for a department, used by apps to determine if SSO is available and how to initiate the flow.
+
+```
+GET /api/v4/connect/sso-config?departmentToken={encryptedToken}
+```
+
+Or with the plain department code (backward-compatible):
+
+```
+GET /api/v4/connect/sso-config?departmentCode={code}
+```
+
+**Query Parameters:**
+
+| Parameter | Type | Required | Description |
+| --- | --- | --- | --- |
+| `departmentToken` | string | Preferred | Encrypted department token (generated by the web UI and shown on the SSO index page). Format: URL-escaped result of `EncryptForDepartment("{id}:{code}", id, code)` |
+| `departmentCode` | string | Fallback | The department's unique code. Used when `departmentToken` is not provided (backward compatibility) |
+
+**Response:** Public SSO configuration (provider type, authority/metadata URL, client ID, entity ID). No secrets are included.
+
+---
+
+### External Token Exchange
+
+Exchanges an external IdP token or SAML assertion for a Resgrid OpenIddict access token.
+
+```
+POST /api/v4/connect/external-token
+Content-Type: application/x-www-form-urlencoded
+```
+
+**Form Fields:**
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `grant_type` | string | Yes | Must be `external_token` |
+| `provider` | string | Yes | `oidc` or `saml2` |
+| `external_token` | string | Yes | The token or assertion from the IdP |
+| `department_token` | string | Preferred | Encrypted department token |
+| `department_code` | string | Fallback | The department's unique code (used when `department_token` is not provided) |
+
+**Response:** Standard OpenIddict token response:
+
+```json
+{
+  "access_token": "eyJhbGciOiJSU0Et...",
+  "token_type": "Bearer",
+  "refresh_token": "eyJhbGciOiJSU0EtT0FFUC...",
+  "expires_in": 86398,
+  "id_token": "eyJhbGciOiJSUzI1N..."
+}
+```
+
+**Error Responses:**
+
+| HTTP Status | Error | Cause |
+| --- | --- | --- |
+| `400` | `invalid_grant` | The external token is invalid or expired |
+| `400` | `invalid_request` | Missing required fields |
+| `403` | `access_denied` | Security policy violation (IP restriction, MFA required, etc.) |
+| `404` | `department_not_found` | No department matches the provided code |
+| `404` | `sso_not_configured` | No active SSO configuration for the department/provider |
+
+---
+
+### SAML Mobile Callback
+
+The SAML Assertion Consumer Service (ACS) endpoint for mobile app flows. This is configured as the ACS URL in the SAML IdP.
+
+```
+POST /api/v4/connect/saml-mobile-callback?departmentToken={encryptedToken}
+```
+
+Or with the plain department code (backward-compatible):
+
+```
+POST /api/v4/connect/saml-mobile-callback?departmentCode={code}
+```
+
+**Query Parameters:**
+
+| Parameter | Type | Required | Description |
+| --- | --- | --- | --- |
+| `departmentToken` | string | Preferred | Encrypted department token (the web UI generates this for SAML ACS URLs) |
+| `departmentCode` | string | Fallback | Plain department code for backward compatibility |
+
+This endpoint receives the SAML response from the IdP, validates the assertion, and redirects the mobile app with the authentication result.
+
+:::info Encrypted Department Token
+The web application generates the SAML ACS URL with an encrypted department token so that the plain department code is never exposed in public-facing URLs. The API decrypts the token to resolve the department. If no token is provided, it falls back to the `departmentCode` parameter.
+:::
+
+---
+
+## SCIM 2.0 Endpoints
+
+SCIM endpoints are served under `/scim/v2` and authenticated via the per-department SCIM bearer token. All requests must include the `X-Department-Id` header.
+
+**Required Headers:**
+
+| Header | Value |
+| --- | --- |
+| `Authorization` | `Bearer <scim-bearer-token>` |
+| `X-Department-Id` | Department ID (integer) |
+| `Content-Type` | `application/scim+json` (for POST/PUT/PATCH) |
+
+### List Users
+
+```
+GET /scim/v2/Users
+```
+
+Supports SCIM filtering (`filter=userName eq "user@example.com"`) and pagination (`startIndex`, `count`).
+
+---
+
+### Create User
+
+```
+POST /scim/v2/Users
+```
+
+Creates a new Resgrid user (`IdentityUser` + `UserProfile` + `DepartmentMember`).
+
+---
+
+### Get User
+
+```
+GET /scim/v2/Users/{id}
+```
+
+Returns a single user in SCIM schema format.
+
+---
+
+### Replace User (Full Update)
+
+```
+PUT /scim/v2/Users/{id}
+```
+
+Replaces all mutable fields of the user with the provided values.
+
+---
+
+### Update User (Partial)
+
+```
+PATCH /scim/v2/Users/{id}
+```
+
+Applies partial updates using SCIM `PatchOp` operations.
+
+---
+
+### Delete / Deactivate User
+
+```
+DELETE /scim/v2/Users/{id}
+```
+
+Sets `IsDisabled = true` on the `DepartmentMember`. The user account is preserved but deactivated.
+
+---
+
+### List Groups
+
+```
+GET /scim/v2/Groups
+```
+
+Returns department roles mapped to SCIM Group resources.
+
+---
+
+## Endpoint Summary Table
+
+### Admin Endpoints (Authenticated)
+
+| Method | Endpoint | Permission | Description |
+| --- | --- | --- | --- |
+| `GET` | `/api/v4/SsoAdmin/GetSsoConfigs` | `Sso_View` + admin | List all SSO configs |
+| `GET` | `/api/v4/SsoAdmin/GetSsoConfig/{id}` | `Sso_View` + admin | Get single SSO config (no secrets) |
+| `POST` | `/api/v4/SsoAdmin/CreateSsoConfig` | `Sso_Create` + admin | Create new SSO config |
+| `PUT` | `/api/v4/SsoAdmin/UpdateSsoConfig/{id}` | `Sso_Update` + admin | Update existing SSO config |
+| `DELETE` | `/api/v4/SsoAdmin/DeleteSsoConfig/{providerType}` | `Sso_Delete` + admin | Delete SSO config |
+| `POST` | `/api/v4/SsoAdmin/RotateScimToken/{providerType}` | `Sso_Update` + admin | Generate new SCIM bearer token |
+| `GET` | `/api/v4/SsoAdmin/TestScimConnection/{providerType}` | `Sso_View` + admin | Verify SCIM is configured |
+| `GET` | `/api/v4/SsoAdmin/GetSecurityPolicy` | `Sso_View` + admin | Get security policy |
+| `POST` | `/api/v4/SsoAdmin/SaveSecurityPolicy` | `Sso_Update` + admin | Create/update security policy |
+
+### Public Endpoints (No Auth Required)
+
+| Method | Endpoint | Description |
+| --- | --- | --- |
+| `GET` | `/api/v4/connect/sso-config?departmentToken=X` | Mobile app SSO discovery (encrypted token preferred; `departmentCode=X` as fallback) |
+| `POST` | `/api/v4/connect/external-token` | Exchange IdP token for Resgrid token (`department_token` preferred; `department_code` as fallback) |
+| `POST` | `/api/v4/connect/saml-mobile-callback` | SAML ACS relay for mobile apps (`departmentToken` preferred; `departmentCode` as fallback) |
+
+### SCIM Endpoints (SCIM Token Auth)
+
+| Method | Endpoint | Description |
+| --- | --- | --- |
+| `GET` | `/scim/v2/Users` | List users |
+| `POST` | `/scim/v2/Users` | Create user |
+| `GET` | `/scim/v2/Users/{id}` | Get user |
+| `PUT` | `/scim/v2/Users/{id}` | Replace user |
+| `PATCH` | `/scim/v2/Users/{id}` | Partial update user |
+| `DELETE` | `/scim/v2/Users/{id}` | Deactivate user |
+| `GET` | `/scim/v2/Groups` | List groups |
diff --git a/docs/enterprise/sso-overview.md b/docs/enterprise/sso-overview.md
new file mode 100644
index 0000000..4da41d0
--- /dev/null
+++ b/docs/enterprise/sso-overview.md
@@ -0,0 +1,120 @@
+---
+sidebar_position: 1
+---
+
+# Enterprise SSO & SCIM Overview
+
+Resgrid supports enterprise-grade Single Sign-On (SSO) and automated user provisioning for organizations and government agencies that require centralized identity management. This feature set allows departments to authenticate users through their existing identity provider (IdP) using industry-standard protocols, automatically provision and deprovision user accounts, and enforce compliance-oriented security policies.
+
+## Management Options
+
+SSO, SCIM, and security policies can be managed through two interfaces:
+
+| Interface | Access | Best For |
+| --- | --- | --- |
+| **Web Application** | Department Settings → Security → SSO & SCIM | Administrators who prefer a guided UI with wizard-style setup, built-in IdP documentation, and quick-fill presets |
+| **REST API** | `/api/v4/SsoAdmin/*` endpoints | Automation, CI/CD pipelines, and programmatic configuration |
+
+Both interfaces provide identical functionality. The web application is available to department administrators via the **SSO & Security** link in the Security section of the sidebar navigation.
+
+## Supported Protocols
+
+| Protocol | Use Case | Library / Stack |
+| --- | --- | --- |
+| **OIDC (OpenID Connect)** | Microsoft Entra ID, Okta, Auth0, Google Workspace | OpenIddict (built-in) |
+| **SAML 2.0** | Enterprise IdPs, ADFS, government IdPs | Sustainsys.Saml2.AspNetCore2 |
+| **SCIM 2.0** | Automated user lifecycle management | Custom implementation |
+
+## Key Capabilities
+
+### Single Sign-On (SSO)
+
+- **OIDC and SAML 2.0** — connect to any standards-compliant identity provider
+- **Automatic user provisioning** — new users authenticated via SSO can be automatically created in Resgrid with the correct department membership
+- **Account linking** — existing Resgrid users are linked to their external identity by email match
+- **Flexible local login** — optionally allow or disallow password-based login alongside SSO
+- **Attribute mapping** — map IdP claims (email, name, subject) to Resgrid user profile fields
+- **Per-department configuration** — each department maintains its own SSO configuration independent of other departments
+- **Web-based management** — wizard-style setup with built-in IdP documentation, quick-fill attribute presets for Entra ID/Okta/Google/ADFS, and inline field hints
+
+### SCIM 2.0 Provisioning
+
+- **Automated user creation** — when a user is assigned access in your IdP, they are automatically created in Resgrid
+- **Automated deactivation** — when a user is removed or disabled in your IdP, their Resgrid account is deactivated
+- **Profile synchronization** — user profile updates (name, email) in the IdP are pushed to Resgrid
+- **Secure token authentication** — each department has its own encrypted SCIM bearer token
+
+### Security Policies
+
+- **Mandatory MFA** — require multi-factor authentication for all department members
+- **SSO-only mode** — disable password-based login entirely and force all users through SSO
+- **Session controls** — configure session timeouts and limit concurrent sessions per user
+- **IP restrictions** — restrict access to specific CIDR ranges (e.g., corporate VPN or government networks)
+- **Password policies** — enforce minimum length, complexity requirements, and expiration periods
+- **Data classification** — tag the department with a classification level (Unclassified, CUI, Confidential)
+
+## Architecture
+
+SSO configuration is stored per-department in the `DepartmentSsoConfigs` table. All sensitive values — client secrets, IdP certificates, signing certificates, and SCIM bearer tokens — are encrypted at rest using the internal `IEncryptionService` with department-specific keys. Secrets are never returned by any GET API endpoint or pre-filled in web UI forms; the web interface shows a "Secret stored" badge when a value exists and accepts new values as write-only inputs.
+
+### Encrypted Department Tokens
+
+All public-facing SSO URLs (SSO discovery, SAML ACS callback) use an **encrypted department token** instead of exposing the plain department code. The token is generated via `IEncryptionService.EncryptForDepartment("{id}:{code}", id, code)` and URL-escaped before embedding in URLs. The API decrypts the token to resolve the department, falling back to a plain `departmentCode` query parameter for backward compatibility.
+
+```
+┌─────────────┐         ┌──────────────────┐         ┌─────────────┐
+│  Mobile App  │◄───────►│  Resgrid API v4  │◄───────►│   Your IdP  │
+│  or Web App  │  token  │  (OpenIddict +   │  OIDC/  │  (Entra,    │
+│              │  exchange│  Sustainsys)     │  SAML   │  Okta, etc) │
+└─────────────┘         └──────────────────┘         └─────────────┘
+                               ▲
+                               │ SCIM 2.0
+                               │ (push from IdP)
+                         ┌─────┴──────┐
+                         │ IdP SCIM   │
+                         │ Connector  │
+                         └────────────┘
+```
+
+### Data Model
+
+The SSO feature introduces two new entities and extends an existing one:
+
+| Entity | Purpose |
+| --- | --- |
+| `DepartmentSsoConfig` | Stores the IdP connection settings, attribute mapping, and SCIM configuration per department |
+| `DepartmentSecurityPolicy` | Stores compliance-oriented security rules (MFA, session limits, IP restrictions, password policies) per department |
+| `DepartmentMember` (extended) | Adds `ExternalSsoId`, `SsoLinkedOn`, and `LastSsoLoginOn` fields to link external identities to Resgrid membership |
+
+### Authentication Flow
+
+1. The mobile or web app calls `GET /api/v4/connect/sso-config?departmentToken={encryptedToken}` to discover the SSO configuration (falls back to `departmentCode=DEPT` for backward compatibility)
+2. The app redirects the user to the IdP for authentication (OIDC authorization code + PKCE, or SAML redirect)
+3. After successful IdP authentication, the app receives a token or assertion
+4. The app calls `POST /api/v4/connect/external-token` with the external token, provider type, and department code
+5. Resgrid validates the token/assertion against the department's SSO configuration
+6. If `AutoProvisionUsers` is enabled, a new user is created; otherwise, an existing user is linked by email
+7. The department's security policy is enforced (IP check, MFA requirement, session limits)
+8. Resgrid issues an OpenIddict access token to the app
+
+### Audit Logging
+
+All SSO and SCIM operations are logged to the Resgrid audit system:
+
+| Audit Event | Trigger |
+| --- | --- |
+| `SsoConfigCreated` | A new SSO configuration is created |
+| `SsoConfigUpdated` | An SSO configuration is modified |
+| `SsoLoginSucceeded` | A user successfully authenticates via SSO |
+| `SsoLoginFailed` | An SSO authentication attempt fails |
+| `SsoUserProvisioned` | A new user is auto-provisioned from an SSO login |
+| `ScimUserCreated` | A user is created via SCIM push |
+| `ScimUserUpdated` | A user is updated via SCIM push |
+| `ScimUserDeactivated` | A user is deactivated via SCIM push |
+
+## Next Steps
+
+- [SSO Setup Guide](sso-setup) — step-by-step instructions to configure SSO via the web UI or API, with IdP-specific walkthroughs
+- [SCIM Provisioning](scim-provisioning) — configure automated user lifecycle management with tabbed IdP guides
+- [Security Policies](security-policies) — enforce compliance controls with preset templates for Government/CUI and Enterprise environments
+- [SSO API Reference](sso-api-reference) — complete API endpoint documentation including encrypted department token parameters
diff --git a/docs/enterprise/sso-setup.md b/docs/enterprise/sso-setup.md
new file mode 100644
index 0000000..9b5b2c7
--- /dev/null
+++ b/docs/enterprise/sso-setup.md
@@ -0,0 +1,356 @@
+---
+sidebar_position: 2
+---
+
+# SSO Setup Guide
+
+This guide walks department administrators through the complete process of configuring Single Sign-On for their Resgrid department. SSO can be managed through the **web application** (recommended for most administrators) or through the **REST API**.
+
+:::tip Web UI vs API
+The web application provides a wizard-style setup experience with built-in IdP documentation, inline field hints, and quick-fill attribute mapping presets. The API is available for automation and programmatic configuration. Both approaches are documented side-by-side below.
+:::
+
+## Prerequisites
+
+- A Resgrid department with an active administrator account
+- An identity provider (IdP) that supports OIDC or SAML 2.0
+- Administrative access to your IdP to register a new application
+
+## Quick-Start Checklist
+
+1. **Decide your protocol** — OIDC (Microsoft Entra, Okta, Google, Auth0) or SAML 2.0 (most enterprise IdPs)
+2. **Register Resgrid** as an application in your IdP
+3. **Create the SSO configuration** — via the web UI wizard or `POST /api/v4/SsoAdmin/CreateSsoConfig`
+4. **Enable** the configuration (`isEnabled: true`)
+5. **Optionally** configure SCIM via the web UI SCIM Setup page or `POST /api/v4/SsoAdmin/RotateScimToken`
+6. **Optionally** harden access via the web UI Security Policy page or `POST /api/v4/SsoAdmin/SaveSecurityPolicy`
+7. **Test** SSO login from the mobile app or via the SSO discovery URL shown on the SSO index page
+
+---
+
+## Step 1 — Register Resgrid in Your Identity Provider
+
+### OIDC (Microsoft Entra ID / Okta / Auth0 / Google)
+
+When registering Resgrid as an OIDC application in your identity provider, use these values:
+
+| IdP Field | Value to Enter |
+| --- | --- |
+| Application type | Public client / Single-page app (PKCE, no client secret required for mobile) |
+| Redirect URI | `resgrid://auth/callback` (mobile) and `https://app.resgrid.com/auth/callback` (web) |
+| Allowed grant types | `authorization_code`, `refresh_token` |
+| Scopes | `openid`, `email`, `profile`, `offline_access` |
+
+After registration, copy these values from your IdP:
+
+- **Client ID** (e.g. `a1b2c3d4-...`)
+- **Authority / Issuer URL** (e.g. `https://login.microsoftonline.com/{tenant-id}/v2.0`)
+
+### SAML 2.0
+
+When registering Resgrid as a SAML service provider in your identity provider, use these values:
+
+| IdP Field | Value to Enter |
+| --- | --- |
+| SP Entity ID | Choose a unique URI, e.g. `https://app.resgrid.com/saml/{departmentCode}` |
+| ACS URL (Assertion Consumer Service) | `https://{your-api-host}/api/v4/connect/saml-mobile-callback?departmentToken={encryptedToken}` (shown on the SSO setup page; falls back to `departmentCode={DEPT}` for backward compatibility) |
+| Name ID format | `emailAddress` or `persistent` |
+| Attribute statements | Map `email`, `givenname`, `surname` to your directory attributes |
+
+After registration, copy these values from your IdP:
+
+- **Metadata URL** (e.g. `https://idp.example.com/metadata.xml`)
+- **IdP Signing Certificate** (PEM format)
+
+---
+
+## Step 2 — Create the SSO Configuration
+
+### Using the Web Application
+
+1. Navigate to **Department Settings** → **Security** → **SSO & SCIM**
+2. Click **New SSO Configuration**
+3. The wizard guides you through three steps:
+   - **Step 1 — Provider & Basics**: Select OIDC or SAML 2.0, enable/disable the configuration, and set local login and auto-provisioning preferences
+   - **Step 2 — Connection Details**: The form adapts based on your provider selection:
+     - *OIDC*: Enter Client ID, Client Secret (optional), and Authority URL
+     - *SAML 2.0*: Enter Entity ID, Metadata URL, ACS URL, and IdP Certificate. Each field includes inline hints with example values for major IdPs
+   - **Step 3 — Attribute Mapping**: Configure how IdP claims map to Resgrid fields. Use the **quick-fill preset buttons** to auto-populate correct mappings for Microsoft Entra ID, Okta, Google Workspace, or ADFS
+4. Click **Save** to create the configuration
+
+:::tip Quick-Fill Presets
+The attribute mapping step includes one-click preset buttons for common identity providers. Clicking a preset (e.g., "Microsoft Entra ID") populates the mapping JSON with the correct claim URIs for that provider. You can modify the values after applying a preset.
+:::
+
+### Using the API
+
+All API requests must include the Resgrid admin bearer token as `Authorization: Bearer <token>`.
+
+### OIDC Example
+
+```bash
+POST /api/v4/SsoAdmin/CreateSsoConfig
+Content-Type: application/json
+Authorization: Bearer <admin-token>
+```
+
+```json
+{
+  "providerType": "oidc",
+  "isEnabled": true,
+  "clientId": "a1b2c3d4-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+  "authority": "https://login.microsoftonline.com/{tenant-id}/v2.0",
+  "allowLocalLogin": true,
+  "autoProvisionUsers": true,
+  "scimEnabled": false,
+  "attributeMappingJson": "{\"email\":\"email\",\"firstName\":\"given_name\",\"lastName\":\"family_name\"}"
+}
+```
+
+**Response:**
+
+```json
+{
+  "status": "created",
+  "departmentSsoConfigId": "3f7a1c2b-...",
+  ...
+}
+```
+
+:::tip
+Save the `departmentSsoConfigId` from the response — you'll need it to update or delete this configuration later.
+:::
+
+### SAML 2.0 Example
+
+```bash
+POST /api/v4/SsoAdmin/CreateSsoConfig
+Content-Type: application/json
+Authorization: Bearer <admin-token>
+```
+
+```json
+{
+  "providerType": "saml2",
+  "isEnabled": true,
+  "entityId": "https://app.resgrid.com/saml/FIRE123",
+  "metadataUrl": "https://idp.example.com/metadata.xml",
+  "assertionConsumerServiceUrl": "https://api.resgrid.com/api/v4/connect/saml-mobile-callback?departmentCode=FIRE123",
+  "idpCertificate": "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----",
+  "allowLocalLogin": false,
+  "autoProvisionUsers": true,
+  "scimEnabled": false,
+  "attributeMappingJson": "{\"email\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\",\"firstName\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\",\"lastName\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\"}"
+}
+```
+
+:::warning Security Note
+`idpCertificate` and `signingCertificate` are accepted as plaintext on input only. They are encrypted with your department-specific key before storage and are **never returned** by any GET endpoint. The response only contains boolean flags like `hasIdpCertificate: true`.
+
+In the web UI, secret fields (Client Secret, IdP Certificate, Signing Certificate) are **never pre-filled** when editing. A "Secret stored" badge is shown when a value exists, with hint text "Leave blank to keep current value." Submitting a blank secret field does not overwrite the stored value.
+:::
+
+---
+
+## Step 3 — View and Update Your Configuration
+
+### Using the Web Application
+
+All SSO configurations are listed on the **SSO & SCIM** index page (**Department Settings** → **Security** → **SSO & SCIM**). The page shows:
+
+- An **overview panel** with your department's SSO discovery URL (using the encrypted department token)
+- A **configuration table** listing each SSO config with provider type, status, and action buttons
+- **Edit** and **Delete** buttons for each configuration
+
+To edit, click the **Edit** button to reopen the wizard with your current values pre-filled (except secrets). To delete, click **Delete** and confirm in the modal dialog.
+
+### Using the API
+
+#### List All SSO Configs
+
+```bash
+GET /api/v4/SsoAdmin/GetSsoConfigs
+Authorization: Bearer <admin-token>
+```
+
+### Get a Single Config (No Secrets)
+
+```bash
+GET /api/v4/SsoAdmin/GetSsoConfig/{departmentSsoConfigId}
+Authorization: Bearer <admin-token>
+```
+
+### Update a Config
+
+Omit secret fields (`clientSecret`, `idpCertificate`, `signingCertificate`) or send `null` to leave them unchanged. Only provide a value when you need to overwrite the stored secret. This matches the web UI behavior where blank secret fields are not overwritten.
+
+```bash
+PUT /api/v4/SsoAdmin/UpdateSsoConfig/{departmentSsoConfigId}
+Content-Type: application/json
+Authorization: Bearer <admin-token>
+```
+
+```json
+{
+  "providerType": "oidc",
+  "isEnabled": true,
+  "clientId": "new-client-id",
+  "authority": "https://login.microsoftonline.com/{tenant-id}/v2.0",
+  "allowLocalLogin": true,
+  "autoProvisionUsers": true,
+  "scimEnabled": false
+}
+```
+
+### Delete a Configuration
+
+```bash
+DELETE /api/v4/SsoAdmin/DeleteSsoConfig/oidc
+Authorization: Bearer <admin-token>
+```
+
+---
+
+## Step 4 — Test the SSO Login
+
+Once your configuration is saved and enabled, test the SSO flow.
+
+### Using the Web Application
+
+The SSO index page displays your department's **SSO Discovery URL** with the encrypted department token. Copy this URL and open it in a browser or share it with your IdP administrator to verify the configuration returns the expected values.
+
+### Using the API
+
+Test the SSO discovery endpoint that mobile and web apps use:
+
+```bash
+GET /api/v4/connect/sso-config?departmentToken={encryptedToken}
+```
+
+Or with the plain department code (backward-compatible):
+
+```bash
+GET /api/v4/connect/sso-config?departmentCode=YOUR_DEPT_CODE
+```
+
+This returns the public SSO configuration (provider type, authority, client ID) that clients need to initiate the SSO flow. No authentication is required for this endpoint.
+
+### Token Exchange
+
+After a user authenticates with your IdP, the app exchanges the external token for a Resgrid access token:
+
+```bash
+POST /api/v4/connect/external-token
+Content-Type: application/x-www-form-urlencoded
+```
+
+| Field | Description |
+| --- | --- |
+| `grant_type` | `external_token` |
+| `provider` | `oidc` or `saml2` |
+| `external_token` | The token or assertion received from the IdP |
+| `department_code` | Your Resgrid department code |
+
+The response follows the same format as the standard `/connect/token` endpoint, returning an `access_token`, `refresh_token`, and `expires_in`.
+
+---
+
+## Attribute Mapping Reference
+
+The `attributeMappingJson` field is a JSON object mapping Resgrid field names (keys) to the claim URI or name your IdP emits (values).
+
+### Resgrid Fields
+
+| Resgrid Field Key | What It Maps To |
+| --- | --- |
+| `email` | User's email address |
+| `firstName` | User's given name |
+| `lastName` | User's surname / family name |
+| `subject` | The unique IdP subject identifier (used for SSO account linking) |
+
+### IdP-Specific Examples
+
+The web UI's wizard provides **quick-fill preset buttons** that auto-populate these mappings. When using the API, use the JSON values below.
+
+**Microsoft Entra ID (Azure AD):**
+
+```json
+{
+  "email": "email",
+  "firstName": "given_name",
+  "lastName": "family_name",
+  "subject": "sub"
+}
+```
+
+**Okta (SAML):**
+
+```json
+{
+  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
+  "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
+  "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
+  "subject": "nameidentifier"
+}
+```
+
+**Google Workspace (OIDC):**
+
+```json
+{
+  "email": "email",
+  "firstName": "given_name",
+  "lastName": "family_name",
+  "subject": "sub"
+}
+```
+
+---
+
+## Configuration Fields Reference
+
+### DepartmentSsoConfig Fields
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `providerType` | string | `oidc` or `saml2` |
+| `isEnabled` | bool | Whether this SSO configuration is active |
+| `clientId` | string | OIDC client/application ID |
+| `clientSecret` | string | OIDC client secret (encrypted at rest, write-only) |
+| `authority` | string | OIDC issuer/authority URL |
+| `metadataUrl` | string | SAML IdP metadata URL |
+| `entityId` | string | SAML SP entity ID |
+| `assertionConsumerServiceUrl` | string | SAML ACS URL |
+| `idpCertificate` | string | SAML IdP signing certificate in PEM format (encrypted at rest, write-only) |
+| `signingCertificate` | string | SAML SP signing certificate (encrypted at rest, write-only) |
+| `attributeMappingJson` | string | JSON mapping of IdP claims to Resgrid fields |
+| `allowLocalLogin` | bool | Whether password-based login is still permitted (default: `true`) |
+| `autoProvisionUsers` | bool | Automatically create Resgrid users on first SSO login |
+| `defaultRankId` | int? | Default rank assigned to auto-provisioned users |
+| `scimEnabled` | bool | Whether SCIM provisioning is enabled (default: `false`) |
+
+## Troubleshooting
+
+### SSO login fails with "invalid_token"
+
+- Verify the `authority` or `metadataUrl` is correct and accessible from the Resgrid API server
+- For OIDC, ensure the `clientId` matches exactly what is registered in your IdP
+- For SAML, ensure the `entityId` matches the SP entity ID configured in your IdP
+- Check that the IdP certificate has not expired
+
+### User is not auto-provisioned
+
+- Confirm `autoProvisionUsers` is set to `true` in the SSO configuration
+- Verify the `attributeMappingJson` includes at least the `email` mapping
+- Check that the email claim is being sent by your IdP
+
+### "SSO required" error when trying to log in with password
+
+- A department administrator has set `requireSso: true` in the security policy
+- Set `allowLocalLogin: true` in the SSO config or `requireSso: false` in the security policy to re-enable password login
+
+### Mobile app does not show SSO option
+
+- Ensure the SSO configuration `isEnabled` is `true`
+- Verify the department code used in the app matches the department's code in Resgrid
+- Test the SSO discovery endpoint: `GET /api/v4/connect/sso-config?departmentCode=YOUR_CODE`