All AI content system functions are PostgreSQL RPCs called via the Supabase client. They are grouped by access level.

App-Facing RPCs

These are callable by authenticated users (tenant members or MSP partners).

rpc_get_or_request_narrative

Fetches the cached gap narrative for a tenant. If the cache is stale or missing, enqueues a regeneration job.
p_tenant_id (UUID, required): The tenant to get the narrative for. Caller must be a member or linked MSP partner.
p_force_refresh (BOOLEAN, default: false): Set to true to enqueue a new generation job regardless of cache state.
Returns: JSONB
narrative (string | null): The generated narrative text, or null if none exists yet.
generated_at (string | null): ISO timestamp of when the narrative was generated.
provider (string | null): Which provider generated this content (e.g. anthropic, openai).
fallback_used (boolean): Whether a fallback provider was used instead of the primary.
freshness (string): One of none (no content exists), fresh (content hash matches current data), or stale (content exists but data has changed).
pending_regen (boolean): Whether a regeneration job is currently queued or running.
const { data } = await supabase.rpc('rpc_get_or_request_narrative', {
  p_tenant_id: '550e8400-e29b-41d4-a716-446655440000',
  p_force_refresh: false,
});
Example response:
{
  "narrative": "Your organization's risk posture is Moderate (score: 42/100)...",
  "generated_at": "2026-04-16T03:30:45Z",
  "provider": "anthropic",
  "fallback_used": false,
  "freshness": "fresh",
  "pending_regen": false
}

rpc_get_or_request_playbook

Fetches the cached remediation playbook for a control + cloud provider combination.
p_control_id (UUID, required): The control to get the playbook for.
p_cloud_provider (TEXT, required): Cloud provider context (e.g. aws, azure, gcp).
p_tenant_id (UUID, required): The requesting tenant (for auth and budget tracking).
p_force_refresh (BOOLEAN, default: false): Set to true to force regeneration.
Returns: JSONB — same structure as narrative response, with playbook instead of narrative.
const { data } = await supabase.rpc('rpc_get_or_request_playbook', {
  p_control_id: '660e8400-e29b-41d4-a716-446655440001',
  p_cloud_provider: 'azure',
  p_tenant_id: '550e8400-e29b-41d4-a716-446655440000',
  p_force_refresh: false,
});

rpc_get_ai_health_summary

Returns the overall health of the AI content system. No parameters required.
Returns: JSONB
queue_depth (number): Number of jobs currently in queued status.
active_providers (number): Number of providers with closed circuits (available for use).
total_providers (number): Total configured providers.
circuits_open (number): Number of providers with open circuits.
last_generation_at (string | null): Timestamp of the most recent successful generation.
const { data } = await supabase.rpc('rpc_get_ai_health_summary');

rpc_enqueue_ai_job

Low-level job enqueue. Prefer the get_or_request_* helpers, which handle caching, dedup, and enqueue automatically.
p_content_type (TEXT, required): One of gap_narrative, remediation_playbook, evidence_suggestion, policy_suggestion.
p_tenant_id (UUID, required): The tenant this job is for.
p_target_id (UUID): The specific entity ID (control_id, evidence_item_id, policy_version_id). Not required for gap_narrative.
p_cloud_provider (TEXT): Required for remediation_playbook.
Returns: UUID — the job ID.

compute_gap_narrative_hash

Utility function that computes the content hash for a tenant’s gap narrative inputs. Mostly used internally by the worker.
p_tenant_id (UUID, required): The tenant to compute the hash for.
Returns: TEXT — the computed hash string.

Worker-Only RPCs

These require the service_role key and are called by the ai_content_worker Edge Function.
RPC                            Purpose
rpc_claim_ai_jobs              Atomically claim up to N queued jobs (sets status to running)
rpc_complete_ai_job            Mark a job as completed, store the generated content
rpc_fail_ai_job                Mark a job as failed, record error message, update circuit breaker
rpc_record_provider_call       Record token usage and cost for a provider call
rpc_get_available_providers    Get providers ordered by priority with closed circuits
These RPCs bypass RLS and should never be exposed to the client. They are only called from the Edge Function using the SUPABASE_SERVICE_ROLE_KEY.
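
One way to verify that the worker-only RPCs are not reachable from client roles, and to lock them down if they are. This is an added example, not the project's own code; it assumes the functions live in the public schema and that the standard Supabase roles anon, authenticated and service_role exist.

```sql
-- Added example. Assumptions: schema "public"; roles anon, authenticated,
-- service_role. Function names are the worker-only RPCs listed above.

-- 1) Audit: who can EXECUTE each worker-only RPC?
--    PostgreSQL grants EXECUTE to PUBLIC on new functions by default, so the
--    client-facing roles can call them until that grant is revoked.
--    security_definer = true means the function runs with its owner's rights,
--    which is where a stray EXECUTE grant matters most.
--    Target state for every row: anon_exec and authenticated_exec false,
--    service_role_exec true.
SELECT p.oid::regprocedure AS function_signature,
       p.prosecdef         AS security_definer,
       has_function_privilege('anon', p.oid, 'EXECUTE')          AS anon_exec,
       has_function_privilege('authenticated', p.oid, 'EXECUTE') AS authenticated_exec,
       has_function_privilege('service_role', p.oid, 'EXECUTE')  AS service_role_exec
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.proname IN ('rpc_claim_ai_jobs', 'rpc_complete_ai_job', 'rpc_fail_ai_job',
                    'rpc_record_provider_call', 'rpc_get_available_providers')
ORDER BY p.proname;

-- 2) Remediate: revoke from PUBLIC and the client roles, grant to service_role.
--    Looping over regprocedure covers every overload without hard-coding
--    argument lists, which this page does not document.
DO $$
DECLARE
  fn regprocedure;
BEGIN
  FOR fn IN
    SELECT p.oid::regprocedure
    FROM pg_proc p
    JOIN pg_namespace n ON n.oid = p.pronamespace
    WHERE n.nspname = 'public'
      AND p.proname IN ('rpc_claim_ai_jobs', 'rpc_complete_ai_job', 'rpc_fail_ai_job',
                        'rpc_record_provider_call', 'rpc_get_available_providers')
  LOOP
    EXECUTE format('REVOKE EXECUTE ON FUNCTION %s FROM PUBLIC, anon, authenticated', fn);
    EXECUTE format('GRANT EXECUTE ON FUNCTION %s TO service_role', fn);
  END LOOP;
END
$$;
```

Re-run the audit query after the DO block and after every migration that recreates these functions, since a dropped and recreated function gets the default PUBLIC grant again.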

Admin-Only RPCs

rpc_test_enqueue_narrative

Manually enqueue a narrative generation job for testing.
p_tenant_id (UUID, required): The tenant to generate a test narrative for.
SELECT rpc_test_enqueue_narrative('550e8400-e29b-41d4-a716-446655440000'::uuid);
This is useful for verifying the pipeline end-to-end without waiting for a cron trigger.