Security Events → SMS Notifications
Independent architecture + build engagement
Gallagher Command Centre ↔ Telstra Messaging API
Context / Problem
The client's physical security platform (Gallagher Command Centre) generates critical events (door forced, access denied, alarm triggered) but has no native SMS notification capability. Operators needed real-time alerts on mobile devices, with intelligent filtering to prevent alert fatigue. The requirement was for a middleware bridge that could poll, process, and deliver notifications reliably without introducing new security risk.
Constraints
- Physical security environment. No tolerance for missed events or false negatives.
- Gallagher API requires mutual TLS client certificate authentication.
- Telstra Messaging API v3 requires OAuth2 bearer token management with automatic refresh.
- Minimal PII handling. Event metadata only, no personal data in transit.
- Solution must be operable by non-technical staff after handover.
Solution Approach
Designed and built an event-driven middleware bridge. The system polls Gallagher's REST API over mutual TLS, processes and deduplicates events through a configurable rules engine, composes human-readable notification messages, and delivers via Telstra's Messaging API v3.
Architecture
Automation & Integration
- Event polling. Scheduled polling of Gallagher REST API with configurable intervals and checkpoint tracking.
- Rules engine. Configurable event filtering, deduplication, and alert routing. Operators can adjust thresholds without code changes.
- Message composition. Events are transformed into human-readable SMS notifications with contextual detail.
- Rate limiting and queuing. Message delivery is rate-limited and queued to comply with Telstra API constraints and prevent notification storms.
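The four stages above (checkpointed intake, rule filtering and deduplication, message composition, rate-limited queuing) can be sketched as one deterministic pipeline. This is an added example, not code from the engagement: the event fields, rule names, and the `Bridge` class are hypothetical, the sample events are constructed, and a token bucket is assumed as the rate-limiting method.

```python
from collections import deque
# Hypothetical rule set and event fields (not Gallagher's or Telstra's schema).
RULES = {"alert_types": {"door_forced", "alarm_triggered"}, "dedup_window_s": 60}
SAMPLE = [  # constructed events: (id, type, source, time in seconds)
    (1, "door_forced", "Dock 2", 0), (2, "access_granted", "Lobby", 5),
    (3, "door_forced", "Dock 2", 20), (4, "alarm_triggered", "Server Room", 30),
    (5, "door_forced", "Dock 2", 90),
]

class Bridge:
    """Filter, deduplicate and rate-limit events; queued alerts are never dropped."""
    def __init__(self, rules, rate_per_s, burst):
        self.rules, self.rate, self.burst = rules, rate_per_s, burst
        self.tokens, self.last_refill = float(burst), 0.0
        self.checkpoint = 0   # highest event id already processed
        self.last_alert = {}  # (type, source) -> time of the last queued alert
        self.queue = deque()  # composed messages awaiting delivery
        self.audit = []       # (event id, decision) for every event evaluated

    def ingest(self, events):
        for eid, etype, source, when in sorted(events):
            if eid <= self.checkpoint:
                continue  # overlapping poll: already evaluated, do not re-alert
            prev = self.last_alert.get((etype, source))
            if etype not in self.rules["alert_types"]:
                decision = "filtered"
            elif prev is not None and when - prev < self.rules["dedup_window_s"]:
                decision = "duplicate"  # window is not extended, so a lasting fault re-alerts
            else:
                decision = "queued"
                self.last_alert[(etype, source)] = when
                self.queue.append(f"{etype.replace('_', ' ').upper()} at {source}")
            self.audit.append((eid, decision))
            self.checkpoint = eid

    def drain(self, now):
        """Token bucket: return the messages allowed out at `now`, keep the rest queued."""
        self.tokens = min(self.burst, self.tokens + (now - self.last_refill) * self.rate)
        self.last_refill = now
        sent = []
        while self.queue and self.tokens >= 1:
            self.tokens -= 1
            sent.append(self.queue.popleft())
        return sent

if __name__ == "__main__":
    bridge = Bridge(RULES, rate_per_s=0.5, burst=2)
    bridge.ingest(SAMPLE)
    print(bridge.audit, bridge.drain(now=0), bridge.drain(now=2))
```

Suppressed and filtered events still produce an audit entry, so a missing SMS can always be traced to a rule decision rather than a lost event.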
Governance & Controls
- Identity. Gallagher API authenticated via mutual TLS client certificates. Telstra API via OAuth2 bearer tokens with automatic refresh. No shared secrets.
- Data boundaries. Event metadata only is processed. No PII is stored or transmitted beyond what the notification requires. Message content is ephemeral.
- Audit logging. Every event received, every rule evaluation, every notification sent is logged with timestamps and correlation identifiers.
- Operator controls. Non-technical operators manage filtering rules, certificate renewal, and system configuration through a dashboard. No direct API or database access required.
Security
All communication uses TLS 1.2+. Gallagher API access is authenticated via mutual TLS client certificates. Telstra API uses OAuth2 bearer tokens with automatic refresh. API keys are hashed with PBKDF2 and stored with AES-256 encryption. The system handles minimal personal data, event metadata only, no PII in transit.
AI-Assisted Engineering
AI tooling was used during the build phase to accelerate scaffolding, improve edge-case analysis, and assist with documentation generation. All AI-generated outputs were manually reviewed and validated before integration. AI was not used for operational decision-making. The rules engine and notification logic are deterministic. AI assisted build velocity; it did not replace engineering judgement.
Delivery Notes
- Delivered as a complete working system: middleware, operator dashboard, certificate management tooling, and audit logging.
- Zero-touch deployment capability designed for non-technical operators.
- Full documentation and operational runbooks provided for handover.
- Deployment pending customer rollout scheduling.
Outcomes
- Working middleware with operator dashboard, certificate lifecycle management, and comprehensive audit logging.
- Configurable rules engine enabling non-technical staff to manage alert filtering without developer intervention.
- Architecture designed for zero-touch deployment in customer environments.
Extensibility / Next Steps
Architecture supports additional notification channels (email, Microsoft Teams webhooks), configurable multi-tenant deployment, and integration with additional event sources. Rate limiting and message queuing patterns are reusable across notification pipelines.
Delivered as an independent architecture + build engagement.