Skip to content

fix(access): merge public production access rollout into main#282

Closed
BigSimmo wants to merge 20 commits into
mainfrom
cursor/merge-access-to-main-5c94
Closed

fix(access): merge public production access rollout into main#282
BigSimmo wants to merge 20 commits into
mainfrom
cursor/merge-access-to-main-5c94

Conversation

@BigSimmo

@BigSimmo BigSimmo commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Summary

Merges the completed content-access review rollout into main, reconciled with setup-status hotfix (#277).

Access & privacy

  • Anonymous public document browse/search without private field leakage
  • Document read rate limits, owner read scope, catalog auth-signal hardening
  • Bearer + cookie auth recovery; signed-url guards; upload local-project guard

RAG retrieval

  • Anonymous/global retrieval scoped to public documents via owner sentinel
  • In-document search RPC owner scope tightened

Follow-up fixes on this PR

  • Added document_upload rate-limit bucket (fixes typecheck)
  • Updated production retrieval scope tests for sentinel behavior
  • Repaired broken $ dollar-quote delimiters in 20260705210000 migration + schema.sql

Verification

  • npm run typecheck — PASS locally on merge branch
  • Focused access tests — PASS (public-access-deep, private-access-routes, owner-scope)
  • npm run check:production-readiness — PASS
  • npm run check:document-label-governance — PASS
  • npm run verify:cheap — CI pending / local blocked by parallel worktree churn
  • Live migration 20260705210000 — apply blocked by RPC return-type drift (see Notes)

Clinical Governance Preflight

  • Source-backed claims still require linked source verification
  • Supabase target: Clinical KB Database (sjrfecxgysukkwxsowpy)
  • Service-role keys remain server-only

Notes

Live migration: 20260705210000_retrieval_owner_filter_sentinel.sql still needs apply. supabase db push --include-all fails at match_document_chunks_text with cannot change return type of existing function — live RPC bodies have drifted from the migration snapshot. Needs a targeted reconcile migration (drop + recreate or no-op repair) before anonymous RAG sentinel is active in production.

Gitleaks: CI flags pre-existing data/medications-snapshot.json entries from upstream history; not introduced by this PR.

Open in Web Open in Cursor 

BigSimmo and others added 16 commits July 3, 2026 21:00
The golden retrieval set was 100% lexical fast-path (embedding_skipped_rate=1.0), so
it could not measure whether a re-index changes vector/embedding retrieval quality.

- forceEmbedding option on searchChunksWithTelemetry (SearchChunksArgs): bypasses every
  lexical text-fast-path so retrieval always exercises the embedding/vector stage.
  Diagnostic/eval-only; folded into the search cache key; never set on production paths.
- eval-retrieval.ts: per-case `forceEmbedding` field + a global `--force-embedding` flag.
- 10 `vector-*` cases (psychiatric monographs: PTSD, OCD, panic, anorexia, GAD, Tourette,
  postnatal, bipolar, ADHD, opioid) with forceEmbedding=true. Each is a clinical query that
  must be answered by vector retrieval of the right monograph — verified live at
  document_recall@5=1.0, content_recall@5=1.0, all via strategy=hybrid (embedding used).

Rationale: forcing embedding is the correct instrument for re-index measurement — you want
to measure the vector index directly, not have a lexical shortcut mask a regression. Wording
alone can't reliably force the vector path (the fast-path is driven by emergent lexical-match
strength), so the flag makes these probes deterministic.

Live golden eval: 34/34 pass (24 existing + 10 new), no regression. verify:cheap green (980).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Wire forceEmbedding through eval runners and retrieval cache keys, bypass coverage/lexical shortcuts when forced, and add golden-case failure metrics so vector regressions cannot hide behind text-fast-path or cache hits.
- Degrade invalid bearer tokens to anonymous scope instead of 401
- Allow public document read routes (list, detail, signed-url, search, images)
- Align registry routes with medications/differentials auth-signal short-circuit
- Let DocumentViewer load public sources without requiring sign-in
- Add regression tests and update access-control expectations
Create missing retrieval-support indexes (trgm, composite btree, partial
miss log) that were absent or only present under legacy names on live.
Update search_schema_health() to accept verified functional equivalents
during rollout. Set search_path for pg_trgm gin_trgm_ops in extensions.

Verified on linked project: search_schema_health() ok=true, missing=[].
…board

Delete post-extraction dead code left in the monolith and trim unused imports. Also fix minor lint issues in favourites-hub, visual-evidence, and services-navigator.
…rdening

fix(access): complete public retrieval scope and production access hardening
@cursor

cursor Bot commented Jul 5, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@supabase

supabase Bot commented Jul 5, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy due to reaching the limit of concurrent preview branches.
Go to Project Integrations Settings ↗︎ if you wish to update this limit.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@cursor

cursor Bot commented Jul 5, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@cursor

cursor Bot commented Jul 5, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@cursor

cursor Bot commented Jul 5, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@BigSimmo
BigSimmo enabled auto-merge July 5, 2026 15:43
@cursor

cursor Bot commented Jul 5, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@BigSimmo

BigSimmo commented Jul 5, 2026

Copy link
Copy Markdown
Owner Author

Superseded by #274 (merged to main). The access rollout stack is already on main; rebase any follow-up work directly onto main.

@BigSimmo BigSimmo closed this Jul 5, 2026
auto-merge was automatically disabled July 5, 2026 17:16

Pull request was closed

@BigSimmo
BigSimmo deleted the cursor/merge-access-to-main-5c94 branch July 9, 2026 13:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant