Skip to main content
Version: 1.2.0 Last Updated: 2026-03-23 Total Functions: 294 (deployable folders under supabase/functions/, excluding _shared. Refresh count: npm run docs:edge-functions-count from repo root.) Reference for Supabase Edge Functions in this repo: deployment, shared code, env/secrets, and patterns. Functions cover integrations, async work, and backend processing.

Table of Contents

  1. Overview
  2. Architecture
  3. Shared Code
  4. Deployment
  5. Environment Variables & Secrets
  6. Error Handling
  7. Testing
  8. Monitoring & Logging
  9. Function Reference

Overview

Edge functions are Deno-based serverless functions deployed to Supabase that handle:
  • Complex business logic processing
  • External API integrations (email, SMS, AI)
  • Async workflows and automation
  • Scheduled task execution
  • Data transformation and aggregation
  • Testing and development utilities
Key Characteristics:
  • Deno runtime (not Node.js)
  • Serverless execution
  • Automatic scaling
  • CORS support
  • JWT verification (configurable per function)

Architecture

Function Structure

Calling Patterns

1. Direct HTTP Invocation:
2. Database Trigger → Edge Function:
3. Scheduled Task (pg_cron):

Shared Code

Shared utilities are located in supabase/functions/_shared/ to avoid code duplication.

CORS Headers (_shared/cors.ts)

Standard CORS headers for all functions:

Error Handling (_shared/errors.ts)

Standardized error responses with correlation IDs:
Error Categories:
  • CONFIG - Configuration errors
  • VALIDATION - Input validation errors
  • AUTHORIZATION - Permission errors
  • NOT_FOUND - Resource not found
  • RUNTIME - Runtime errors
  • TIMEOUT - Operation timeout
  • EXTERNAL_SERVICE - External API errors

Logging (_shared/logger.ts)

Structured logging with PHI protection:
Never logs PHI/PII - only stable IDs (user_id, org_id, etc.)

Expression Evaluator (_shared/expressionEvaluator.ts)

Expression evaluation for workflow automation:

Deployment

Local Development

Full workflow, debugging with breakpoints (inspect mode), and Deno unit tests: See EDGE_AND_API_TESTING.md.

Production Deployment

JWT Verification

Configure JWT verification in supabase/config.toml:
Functions with verify_jwt = true:
  • execute-report
  • process-entity-mapping
  • ai-assistant
  • workflow-debug-control
  • sandbox-execute
  • test-* functions
  • ai-document-analyze
  • workflow-metrics-aggregate
  • workflow-path-aggregate
  • workflow-version-compare
Functions with verify_jwt = false:
  • Scheduled tasks (cron jobs)
  • Database trigger invocations
  • Batch processing functions

Environment Variables & Secrets

Required Secrets

Supabase (Auto-provided):
  • SUPABASE_URL - Project URL
  • SUPABASE_SERVICE_ROLE_KEY - Service role key
Email (Entra ID or Gmail):
  • ENTRA_CLIENT_SECRET - For Entra/Graph API email (optional)
  • GMAIL_SERVICE_ACCOUNT_JSON - For Gmail API org-level email (optional)
  • Per-org config in Settings → Integrations; send-email-notification and others use shared email-provider
SMS (RingCentral):
  • RINGCENTRAL_CLIENT_ID - RingCentral app client ID (for sms-send)
  • RINGCENTRAL_CLIENT_SECRET - RingCentral app client secret
  • RINGCENTRAL_JWT_TOKEN - RingCentral JWT credential
AI (OpenRouter) - PF-59:
  • OPENROUTER_API_KEY - OpenRouter API key (for ai-assistant, ai-document-analyze, generate-report-narrative)
  • APP_URL - Application URL for OpenRouter HTTP-Referer attribution (defaults to https://encoreos.io)

Setting Secrets

Never commit secrets to version control!

Error Handling

All functions should:
  1. Handle CORS preflight requests
  2. Use standardized error responses
  3. Include correlation IDs for tracing
  4. Never expose PHI/PII in errors
  5. Return appropriate HTTP status codes
Standard Error Response:
Success Response:

Testing

Unit Testing Edge Functions

Tests are co-located with functions, e.g. supabase/functions/<name>/index.test.ts or <name>_test.ts. Examples: generate-templated-pdf/index.test.ts, hr-encrypt-bank-account/index_test.ts. Environment: Set VITE_SUPABASE_URL or SUPABASE_URL to http://localhost:54321 and the anon key (from npx supabase status) when testing against local. Some tests also use VITE_SUPABASE_PUBLISHABLE_KEY or TEST_AUTH_TOKEN. Run from repo root: npm run test:functions (runs deno test for all Edge Function tests). Or run deno test --allow-all from a function directory.
Debugging: Run npm run supabase:functions:serve:inspect, then open Chrome → chrome://inspect → Configure 127.0.0.1:8083 → Open dedicated DevTools for Node. Trigger a function to pause on first line and use breakpoints. See EDGE_AND_API_TESTING.md.

Integration Testing

Test functions with real database:
  • Use test database with seed data
  • Verify RLS policies are enforced
  • Test error scenarios
  • Verify logging output

Troubleshooting (Edge Functions)

  • 401/403 locally: Missing or invalid Authorization header; confirm anon key or user JWT; check verify_jwt if used.
  • Import errors: Use npm: or jsr: specifiers and pin versions.
  • File writes: Only under /tmp.
  • Hanging requests: Unawaited Promises; offload background work with EdgeRuntime.waitUntil(promise).
Full checklist: EDGE_AND_API_TESTING.md.

Monitoring & Logging

Logging Best Practices

  1. Use structured logging:
  2. Never log PHI/PII:
    • logger.info('Processing user', { name: 'John Doe', ssn: '123-45-6789' });
    • logger.info('Processing user', { userId: 'uuid', orgId: 'uuid' });
  3. Include correlation IDs:
    • Generate UUID for each request
    • Include in all log entries
    • Return in response headers
  4. Log levels:
    • debug - Development debugging
    • info - Normal operations
    • warn - Warning conditions
    • error - Error conditions

Monitoring

  • Supabase Dashboard: View function logs and metrics
  • Error Tracking: Integrate with Sentry/LogRocket
  • Performance: Monitor execution time and memory usage
  • Alerts: Set up alerts for error rates > 1%

Function Reference

Platform Foundation Functions

admin-reset-password

Purpose: Admin-initiated password reset for users Input:
Output:
Environment Variables: None (uses Supabase Auth) JWT Verification: true (admin only) Related Tables: auth.users, pf_profiles Error Codes:
  • 400 - Invalid input
  • 403 - Insufficient permissions
  • 404 - User not found
  • 500 - Reset failed

ai-assistant

Purpose: AI chat integration via OpenRouter (PF-59) Model Selection: Automatic based on moduleContext.module:
  • gr, hranthropic/claude-3.5-sonnet (compliance/policy reasoning)
  • fa, fw, rh, pf, ceopenai/gpt-4o (general analysis)
  • lo, fmopenai/gpt-4o-mini (fast summaries)
Input:
Output (Streaming): SSE stream with Content-Type: text/event-stream Output (Non-Streaming):
Environment Variables:
  • OPENROUTER_API_KEY (required)
  • APP_URL (optional, defaults to https://encoreos.io)
JWT Verification: true PHI Protection: Automatically detects and logs PHI patterns in prompts Rate Limiting: Exponential backoff retry on 429 (1s, 2s, 4s, max 30s) Error Codes:
  • 401 - Authentication required
  • 402 - AI credits depleted
  • 403 - User not in organization
  • 429 - Rate limited (auto-retry)
  • 500 - Service error
Shared Utilities: supabase/functions/_shared/ai-utils.ts Related Documentation:
  • specs/pf/PF-27-platform-ai.md
  • specs/pf/PF-59-ai-provider-migration.md
  • src/platform/ai/README.md

ai-document-analyze

Purpose: Analyze documents using AI via OpenRouter (PF-59) Model: openai/gpt-4o (optimized for structured output with tool calling) Input:
Output:
Environment Variables:
  • OPENROUTER_API_KEY (required)
  • APP_URL (optional)
JWT Verification: true Multimodal Support: Images (base64), PDFs, text documents Rate Limiting: Exponential backoff retry on 429 Error Codes:
  • 400 - Missing required fields
  • 402 - AI credits exhausted
  • 429 - Rate limited
  • 500 - Service error
Related Tables: pf_documents, pf_ai_usage_logs Related Documentation: specs/pf/PF-59-ai-provider-migration.md

event-consumer

Purpose: Route domain events to appropriate handlers Input:
Output:
JWT Verification: false (called by database triggers) Event Handlers:
  • leave_approved → Updates leave balances
  • leave_cancelled → Reverses leave balance changes
  • Future: credential_expired, onboarding_completed
Related Documentation: docs/architecture/integrations/EVENT_CONTRACTS.md

execute-report

Purpose: Execute report definitions and return results Input:
Output:
JWT Verification: true Related Tables: pf_report_definitions, pf_report_history

send-email-notification

Purpose: Send email notifications via org-configured provider (Entra or Gmail) Input:
Output:
Environment Variables:
  • ENTRA_CLIENT_SECRET or GMAIL_SERVICE_ACCOUNT_JSON (per org config; see EMAIL_SMS_SETUP.md)
JWT Verification: false (called by notification system) Error Codes:
  • 400 - Invalid email or template
  • 500 - Email provider (Entra/Gmail) API error
Related Tables: pf_notifications

send-sms-notification (removed)

Status: Removed. The deprecated forwarder was deleted during the Twilio teardown. Use sms-send directly with body { organizationId, toNumber, body, mergeData? } (RingCentral).

send-pending-notifications

Purpose: Batch process pending notifications (email and SMS) Input:
Output:
JWT Verification: false (scheduled task) Scheduled: Daily via pg_cron Related Tables: pf_notifications

Forms & Workflow Functions

aggregate-form-analytics

Purpose: Aggregate form submission analytics Input:
Output:
JWT Verification: false Related Tables: fw_form_submissions, fw_form_analytics

automation-executor

Purpose: Execute automation rules and workflows (FW-03, FW-06, FW-18) Input:
Output:
JWT Verification: false (called by database triggers) Features:
  • Condition evaluation
  • Action execution (email, notification, update, webhook)
  • Workflow graph execution (FW-06)
  • Variable management (FW-18)
  • Retry logic
  • Circuit breaker
Idempotency (R7): When invoked with execution_id or event_id, the executor MUST check if that id has already been processed (e.g. in fw_workflow_executions or a processed-events store) and skip duplicate execution. Use exponential backoff (1s, 2s, 4s) on transient failures; handlers must be safe when invoked more than once. Related Tables: fw_automation_rules, fw_workflows, fw_automation_logs Related Documentation: specs/fw/specs/FW-03-automation-engine.md, specs/fw/specs/FW-06-visual-workflows.md

process-entity-mapping

Purpose: Create/update entity records from form submissions (FW-03/PF-16) Input:
Output:
JWT Verification: true Features:
  • Maps form fields to entity columns
  • Supports custom_fields JSONB mapping
  • Handles create/update/upsert operations
  • Template variable resolution
Related Tables: All entity tables with custom_fields Related Documentation: specs/fw/specs/FW-03-automation-engine.md

validate-form-submission

Purpose: Validate form submissions before processing Input:
Output:
JWT Verification: false Related Tables: fw_forms, fw_form_submissions

workflow-debug-control

Purpose: Debug workflow execution (enable/disable, step through) Input:
Output:
JWT Verification: true (admin only) Related Tables: fw_workflows, fw_workflow_runs

workflow-metrics-aggregate

Purpose: Aggregate workflow performance metrics Input:
Output:
JWT Verification: true Related Tables: fw_workflow_runs, fw_workflow_metrics

workflow-notification-trigger

Purpose: Trigger notifications from workflow nodes Input:
Output:
JWT Verification: false (called by workflow executor) Related Tables: fw_workflow_runs, pf_notifications

workflow-path-aggregate

Purpose: Aggregate workflow execution paths for analytics Input:
Output:
JWT Verification: true Related Tables: fw_workflow_runs

workflow-version-compare

Purpose: Compare workflow versions for changes Input:
Output:
JWT Verification: true Related Tables: fw_workflows, fw_workflow_versions

HR Functions

export-employee-list

Purpose: Export employee list to CSV/Excel Input:
Output:
JWT Verification: true Related Tables: hr_employees, pf_departments

export-payroll-data

Purpose: Export payroll data for external payroll systems Input:
Output:
JWT Verification: true (admin only) Related Tables: hr_timesheets, hr_employees, hr_payroll_exports

generate-schedule

Purpose: Generate shift schedules based on templates and availability Input:
Output:
JWT Verification: false (scheduled task) Related Tables: hr_shift_templates, hr_shifts, hr_employee_availability

generate-timesheets

Purpose: Generate timesheets for pay period Input:
Output:
JWT Verification: false (scheduled task) Scheduled: Weekly (Sunday) via pg_cron Related Tables: hr_timesheets, hr_time_entries, hr_employees Database Function: calculate_timesheet_hours()

process-leave-accruals

Purpose: Process leave accruals for all employees Input:
Output:
JWT Verification: false (scheduled task) Scheduled: Monthly (1st of month) via pg_cron Related Tables: hr_leave_balances, hr_leave_policies, hr_employees

process-swap-request

Purpose: Process shift swap requests and approvals Input:
Output:
JWT Verification: false (called by application) Related Tables: hr_shift_swaps, hr_shifts

send-credential-alerts

Purpose: Send alerts for expiring credentials Input:
Output:
JWT Verification: false (scheduled task) Scheduled: Daily via pg_cron Related Tables: hr_employee_credentials, hr_employees, pf_notifications

validate-shift-assignment

Purpose: Validate shift assignments (credentials, availability, conflicts) Input:
Output:
JWT Verification: false (called by application) Validation Checks:
  • Employee has required credentials
  • Employee is available (no conflicts)
  • Shift doesn’t exceed max hours
  • Site access permissions
Related Tables: hr_shifts, hr_employees, hr_employee_credentials

Finance Functions

check-budget-alerts

Purpose: Check budgets and create alerts for threshold breaches Input:
Output:
JWT Verification: false (scheduled task) Scheduled: Daily via pg_cron Database Function: fa_check_budget_alerts() Related Tables: fa_budgets, fa_budget_alerts, pf_organizations

FA scheduled reports (via execute-scheduled-reports)

Purpose: Execute scheduled Finance & Accounting reports. Use the unified execute-scheduled-reports function with body { module: 'fa' }. Input: Same as execute-scheduled-reports with module: 'fa' in the request body. Cron callers should invoke execute-scheduled-reports with { "module": "fa" }. Related Tables: fa_report_schedules, fa_report_runs, fa_get_due_scheduled_reports (RPC)

generate-fa-report-export

Purpose: Generate Finance report exports (PDF, Excel, CSV) Input:
Output:
JWT Verification: false Related Tables: fa_reports, pf_documents

parse-bank-statement

Purpose: Parse bank statement files (CSV, OFX, QIF) and extract transactions Input:
Output:
JWT Verification: false Related Tables: fa_bank_accounts, fa_transactions

query-payment-status

Purpose: Query payment status from payment processors Input:
Output:
JWT Verification: false Related Tables: fa_payments, fa_invoices

trigger-invoice-creation

Purpose: Trigger invoice creation from resident charges or other events Input:
Output:
JWT Verification: false (called by database triggers) Related Tables: fa_invoices, rh_resident_charges, rh_residents

Recovery Housing Functions

rh-charge-invoice

Purpose: Create invoices from resident charges Input:
Output:
JWT Verification: false Related Tables: fa_invoices, rh_resident_charges, rh_residents

Facilities Functions

check-overdue-pms

Purpose: Check for overdue preventive maintenance tasks Input:
Output:
JWT Verification: false (scheduled task) Scheduled: Daily via pg_cron Related Tables: fm_pm_schedules, fm_work_orders

check-vendor-certifications

Purpose: Check vendor certifications for expiration Input:
Output:
JWT Verification: false (scheduled task) Scheduled: Daily via pg_cron Related Tables: fm_vendors, fm_vendor_certifications, pf_notifications

generate-pm-work-orders

Purpose: Generate work orders from PM schedules Input:
Output:
JWT Verification: false (scheduled task) Scheduled: Daily via pg_cron Related Tables: fm_pm_schedules, fm_work_orders

Testing Functions

calculate-test-coverage

Purpose: Calculate test coverage metrics Input:
Output:
JWT Verification: true (admin only) Related Tables: Test results database

sandbox-execute

Purpose: Execute code in sandboxed environment for testing Input:
Output:
JWT Verification: true (admin only) Security: Sandboxed execution, no file system access

test-cases-run

Purpose: Run test cases and return results Input:
Output:
JWT Verification: true (admin only)

test-datasets-import

Purpose: Import test datasets for testing Input:
Output:
JWT Verification: true (admin only) Note: Only works in development/staging environments

Reporting Functions

execute-scheduled-reports

Purpose: Execute scheduled reports for Platform (PF) or Finance (FA). Single function with request body module to route. Input:
For PF: queries pf_report_schedules, runs reports, emails via send-email-notification. For FA: calls fa_get_due_scheduled_reports, creates fa_report_runs, updates fa_report_schedules. Output:
JWT Verification: false (scheduled task) Scheduled: Daily/Weekly/Monthly via pg_cron Related Tables: pf_report_definitions, pf_report_history

generate-compliance-report

Purpose: Generate compliance reports (HR credentials, RH incidents, etc.) Input:
Output:
JWT Verification: false Related Tables: hr_employee_credentials, rh_significant_events, pf_reports

generate-report-narrative

Purpose: Generate AI-powered narrative summaries for reports via OpenRouter (PF-59) Model: openai/gpt-4o (for detailed analysis and recommendations) Input:
Output:
Environment Variables:
  • OPENROUTER_API_KEY (required)
  • APP_URL (optional)
JWT Verification: false (called by scheduled reports) Rate Limiting: Exponential backoff retry on 429 Error Codes:
  • 400 - Missing required fields
  • 402 - AI credits exhausted
  • 429 - Rate limited
  • 500 - Service error
Related Tables: pf_reports, pf_report_narratives, pf_ai_usage_logs Related Documentation: specs/pf/PF-59-ai-provider-migration.md

System Functions

process-alert-escalations

Purpose: Process alert escalations based on time and severity Input:
Output:
JWT Verification: false (scheduled task) Scheduled: Hourly via pg_cron Related Tables: pf_alerts, pf_notifications

Function Categories Summary

Note: Some functions may serve multiple purposes. Count reflects primary categorization. AI Functions (PF-59): The functions ai-assistant, ai-document-analyze, and generate-report-narrative use OpenRouter for AI capabilities with module-specific model selection. See supabase/functions/_shared/ai-utils.ts for model configuration.

Best Practices

1. Error Handling

  • Always use _shared/errors.ts for consistent error responses
  • Include correlation IDs for tracing
  • Never expose PHI/PII in error messages
  • Return appropriate HTTP status codes

2. Logging

  • Use _shared/logger.ts for structured logging
  • Include correlation IDs in all log entries
  • Never log PHI/PII (only stable IDs)
  • Use appropriate log levels

3. Security

  • Validate all inputs
  • Enforce JWT verification where appropriate
  • Use service role key only when necessary
  • Never expose secrets in responses

4. Performance

  • Keep execution time under 60 seconds (Supabase limit)
  • Use database functions for complex queries
  • Batch operations when possible
  • Handle timeouts gracefully

5. Testing

  • Test with real database (staging)
  • Verify RLS policies are enforced
  • Test error scenarios
  • Verify logging output

Troubleshooting

Common Issues

1. Function Timeout
  • Symptom: Function returns 504 after 60 seconds
  • Solution: Break into smaller functions, use database functions for heavy processing
2. CORS Errors
  • Symptom: Browser blocks requests
  • Solution: Ensure CORS headers are included in all responses
3. JWT Verification Failures
  • Symptom: 401 Unauthorized
  • Solution: Check verify_jwt setting in config.toml, ensure valid JWT in request
4. Missing Environment Variables
  • Symptom: Function fails with “not configured” error
  • Solution: Set secrets via supabase secrets set KEY=value
5. Database Connection Issues
  • Symptom: Function can’t connect to database
  • Solution: Verify SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY are set

  • Constitution: constitution.md §5.8-5.9 (Edge Function Patterns)
  • AI Guide: AI_GUIDE.md (Edge Function Patterns)
  • Integration Contracts: docs/architecture/integrations/EVENT_CONTRACTS.md
  • Supabase Setup: docs/integrations/SUPABASE_SETUP.md (when created)

Document Owner: Platform Team
Review Frequency: Quarterly
Last Updated: 2026-02-01