pf_ai_template_gen_enabled must NOT be enabled until pf.templates.manage permission seed is deployed. Hard guardrail: requires enforced RBAC and edge function authentication.
Overview
PF-64 Phase 2 adds AI-generated template suggestions: users describe a template in natural language and receive suggested structure (sections, placeholders) that can be saved as an organization document template. It also adds section suggestions for policy/procedure/letter types. All AI calls go through an edge function; no PHI/PII in prompts or logs (constitution §4.3).Integration Points (from Spec)
API / Edge Function Contracts
- Edge function:
ai-generate-template(supabase/functions/ai-generate-template/index.ts) accepts org-scoped requests withaction: 'generate_template'oraction: 'suggest_sections'. Uses Lovable AI Gateway with tool calling for structured output. Authentication/Authorization Chain: Requires valid JWT,pf.templates.managepermission, andverifyOrgAccess()invocation before handling actions.organization_idis validated server-side viaverifyOrgAccess()and request body schema validation.- Generate template:
{ action: 'generate_template', organization_id, description }→{ success: true, data: { name, category, sections } } - Suggest sections:
{ action: 'suggest_sections', organization_id, templateType }→{ success: true, data: { sections } }
- Generate template:
- CORS: Uses
getCorsHeaders(req.headers.get('origin'))from_shared/cors.ts. - Logging: Uses
createLoggerfrom_shared/logger.ts; no PHI/PII in logs.
Security and Tenant Isolation
- No PHI/PII in prompts, logs, or generation payloads (constitution §4.3).
- Org-scoped: All generation and section suggestions are scoped to the current organization.
- Permission:
pf.templates.managegates all AI entry points. Note: Must be seeded inpf_module_permissions(not yet deployed). - Feature flag:
pf_ai_template_gen_enabledonpf_module_settings(per-org) controls visibility of AI entry points.