Drive
Practice file storage with HIPAA-grade isolation. Documents, spreadsheets, presentations, and patient-linked attachments: searchable, share-controlled, audit-logged. Lives at synalux.ai/drive.
Three Native File Types
- Doc: rich-text document (collaborative editing via the Collaborative Editors module).
- Sheet: spreadsheet with formula support.
- Presentation: slide deck.
Each file is RLS-scoped to its workspace and (optionally) to a patient. A new file is created with one click and opens in the in-app editor: no external app, no provider OAuth.

Upload, Share, Delete (In-Place)
- Upload: drag-drop or browse; 50MB per-file boundary (hardened against partial-upload state).
- Share: link or per-user invite. Emails sent via the Mail module; recipient name HTML-escaped in the invite body (closed stored XSS).
- Permission tiers: viewer / editor / owner; revocable.
- Delete: soft-delete by default with 30-day recovery window; hard-delete on admin override.

Patient-Linked Files
Attach a file to a patient record so it appears under their chart automatically.
- Browse from patient view: Documents tab shows everything filed for that patient.
- Filter: by file type, date, uploader, tag.
- HIPAA: patient_id is part of the RLS predicate, so a clinician can never see another workspace's patient files.

Security & HIPAA
- RLS-scoped client: every list/read uses createRlsClient(session); the database denies cross-workspace queries even if the API code has a bug.
- storage_path validation: uploads are written to a controlled prefix; path-traversal attempts (../, absolute paths) rejected.
- withAudit({ module: 'drive' }): every list / upload / share / delete writes an audit row with operation type, user_id, file_id, IP.
- Workspace isolation guard: double-locks at API layer in case RLS is misconfigured.
- 50MB boundary: hardened with a storage rollback transaction so a partial upload never leaves orphan bytes in object storage.
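
One way to implement the storage_path check described above, shown as an added example that is not Synalux's own code. The function name validateStoragePath, the workspaces/<id>/ prefix layout, the UUID-shaped workspace id and the ASCII-only segment allow-list are all assumptions made for illustration.

```javascript
// Added example. validateStoragePath, the "workspaces/<id>/" prefix and the
// UUID-shaped workspace id are assumptions, not the product's own code.
const WORKSPACE_ID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/;
// Allow-list per segment: must start alphanumeric, so ".", ".." and dotfiles fail.
const SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._ -]{0,254}$/;

function validateStoragePath(workspaceId, requestedPath) {
  const deny = (reason) => ({ ok: false, reason });
  if (!WORKSPACE_ID.test(String(workspaceId))) return deny('bad-workspace');
  if (typeof requestedPath !== 'string' || requestedPath.length === 0 ||
      requestedPath.length > 1024) return deny('bad-length');

  // Decode exactly once so %2e%2e%2f is judged in its decoded form.
  let decoded;
  try {
    decoded = decodeURIComponent(requestedPath);
  } catch {
    return deny('bad-encoding'); // malformed escape such as "%zz"
  }

  // Absolute paths: POSIX root, backslash/UNC root, or a drive letter.
  if (/^[\/\\]/.test(decoded) || /^[A-Za-z]:/.test(decoded)) return deny('absolute');

  const segments = decoded.split('/');
  for (const seg of segments) {
    if (seg === '.' || seg === '..') return deny('traversal');
    // Also rejects empty segments ("a//b"), backslashes, control bytes and any
    // leftover "%" from double encoding ("%252e%252e").
    if (!SEGMENT.test(seg)) return deny('bad-segment');
  }
  // The key is rebuilt from validated parts; the caller's string is never reused.
  return { ok: true, key: `workspaces/${workspaceId}/${segments.join('/')}` };
}

// Constructed sample inputs (not taken from any real request log).
const ws = '3f2b8c1e-9a4d-4e7b-8c21-5d6f7a8b9c0d';
for (const p of ['reports/2024/intake.pdf', '../other/secret.pdf', '/etc/passwd',
                 '%2e%2e%2fsecret.pdf', '%252e%252e/secret.pdf', 'C:\\temp\\x.pdf']) {
  console.log(JSON.stringify(p), validateStoragePath(ws, p));
}
```

Because the object key is rebuilt from the validated segments under the workspace prefix, a request can only ever name an object inside its own workspace, which complements the RLS check on the metadata row.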

Architecture
GET /api/v1/drive List files (RLS-scoped, filter by type/patient/search)
POST /api/v1/drive Create new doc/sheet/presentation
GET /api/v1/drive/:id Read file metadata + content
PATCH /api/v1/drive/:id Update content / rename / move
DELETE /api/v1/drive/:id Soft-delete (or hard-delete with admin override)
POST /api/v1/drive/upload Direct file upload (50MB cap, storage_path validated)

| Layer | Tech |
|---|---|
| Frontend | Next.js 15 App Router, in-app editors |
| Storage | Supabase Storage (object) + Postgres metadata table drive_files |
| Auth | NextAuth + RLS per-workspace |
| Encryption | At-rest via Supabase Storage; TLS 1.3 in transit |
| Audit | withAudit({ module: 'drive' }) |
| Sync conflict resolution | CRDT-based (collaborative editors) |

Plans
| | Free | Standard | Advanced | Enterprise |
|---|---|---|---|---|
| 1 GB storage | โ | โ 10 GB | โ 100 GB | โ 1 TB |
| Doc / Sheet / Presentation | โ | โ | โ | โ |
| Patient-linked files | โ | โ | โ | โ |
| Share by link | โ | โ | โ | โ |
| Per-user share permissions | โ | โ | โ | โ |
| Real-time collaborative editing | โ | โ | โ | โ |
| Bulk export | โ | โ | โ | โ |
| Custom retention policies | โ | โ | โ | โ |
| BAA-grade encryption keys (BYOK) | โ | โ | โ | โ |

Inter-Module Integration
- Mail: attachments uploaded via Drive; storage_path validated.
- Patients: Documents tab on every patient record reads filtered Drive list.
- Telehealth: meeting recordings stored in Drive when consented.
- SOAP / Clinical Notes: exported as Doc files when finalized.
- No-Code Dashboard Builder: Drive widgets surface recent / patient-filtered files.