Skip to content

fix(rag): deploy app-layer public owner sentinel for anonymous search#291

Merged
BigSimmo merged 4 commits into
mainfrom
cursor/reconcile-retrieval-sentinel-5c94
Jul 5, 2026
Merged

fix(rag): deploy app-layer public owner sentinel for anonymous search#291
BigSimmo merged 4 commits into
mainfrom
cursor/reconcile-retrieval-sentinel-5c94

Conversation

@BigSimmo

@BigSimmo BigSimmo commented Jul 5, 2026

Copy link
Copy Markdown
Owner

What this fixes

The Supabase migration for public-only retrieval (retrieval_owner_matches + sentinel UUID) is already live on Clinical KB Database. This PR adds the matching application-layer changes so production anonymous search actually sends that sentinel to hybrid RPCs.

Without this, production RAG either:

  • throws (no ownerId), or
  • would send null owner_filter (searches all owners — unsafe)

With this PR, anonymous global search with allowGlobalSearch: true sends owner_filter = 00000000-0000-0000-0000-000000000000, which the DB interprets as public documents only (owner_id IS NULL).

Changes

  • src/lib/owner-scope.tsPUBLIC_OWNER_FILTER_SENTINEL + retrievalOwnerFilter()
  • src/lib/rag.ts — threads sentinel through all hybrid RPC calls
  • src/lib/deep-memory.ts, src/lib/document-enrichment.ts — same scoping
  • supabase/schema.sql + migration file — repo parity with live DB
  • scripts/check-retrieval-owner-migration.ts + npm run check:retrieval-owner
  • Tests updated in tests/owner-scope.test.ts and tests/public-access-deep.test.ts

Deploy steps

  1. Merge this PR to main
  2. Vercel (or your host) auto-deploys the new app build
  3. Verify: npm run check:retrieval-owner (already passing against live Supabase)

Live corpus status: 1,935 indexed public documents; sentinel search returns results.

Open in Web Open in Cursor 

…tinel

Wire retrievalOwnerFilter through RAG, deep-memory, and document-enrichment so production anonymous search sends the public owner sentinel. Adds live migration check script and updated access tests.
@supabase

supabase Bot commented Jul 5, 2026

Copy link
Copy Markdown

Updates to Preview Branch (cursor/reconcile-retrieval-sentinel-5c94) ↗︎

Deployments Status Updated
Database Sun, 05 Jul 2026 17:51:02 UTC
Services Sun, 05 Jul 2026 17:51:02 UTC
APIs Sun, 05 Jul 2026 17:51:02 UTC

Tasks are run on every commit but only new migration files are pushed.
Close and reopen this PR if you want to apply changes from existing seed or migration files.

Tasks Status Updated
Configurations Sun, 05 Jul 2026 17:51:04 UTC
Migrations Sun, 05 Jul 2026 17:51:06 UTC
Seeding Sun, 05 Jul 2026 17:51:07 UTC
Edge Functions Sun, 05 Jul 2026 17:51:08 UTC

View logs for this Workflow Run ↗︎.
Learn more about Supabase for Git ↗︎.

…d_at

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
@BigSimmo
BigSimmo marked this pull request as ready for review July 5, 2026 17:46
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

cursoragent and others added 2 commits July 5, 2026 17:48
Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
@BigSimmo
BigSimmo enabled auto-merge (squash) July 5, 2026 17:58
@BigSimmo
BigSimmo merged commit a2153f7 into main Jul 5, 2026
5 checks passed
@BigSimmo
BigSimmo deleted the cursor/reconcile-retrieval-sentinel-5c94 branch July 9, 2026 12:35
BigSimmo added a commit that referenced this pull request Jul 9, 2026
* fix(ui): center mobile hero search and harden composer portal

- Hide footer Evidence/Sources chips on phone hero composers; scope stays in + menu
- Suppress bottom-dock composer flash until hero portal slot is ready
- Increase composer action/send touch targets to 44px on phones
- Update Playwright tests for scope menu, Answer home geometry, and stress fallback

* chore: ignore medications snapshot gitleaks false positives for deploy

* fix(access): resolve outstanding P0/P1 security and UX gaps

* fix(rag): scope anonymous retrieval to public documents via owner sentinel

* fix(access): complete forms fallback, signed-url hardening, upload guard

* feat(db): promote locally reviewed documents to public corpus for anonymous RAG

* fix(access): complete forms fallback, signed-url hardening, upload guard

* test: stabilize scope-sources stress flow via answer options menu

* chore: ignore medications snapshot gitleaks false positives for main deploy

* chore: ignore medications snapshot gitleaks false positives for main deploy

* chore: format access rollout files and add batched public document promotion script

* fix: audit P0 RAG cache, synopsis parity, and safety hardening

* fix(access): repair image signed-url route and align access route tests

* Compact answer recommended questions into shared suggestion chips

Replace the answer-mode composer banner and post-answer card with a shared
compact chip row that matches the footer search setup styling.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* fix(access): add document_upload rate limit bucket and update retrieval scope tests

* Auto-hide answer support chips when content sits below on mobile

* fix: clear merge markers and align tests with local upload guard

* fix(db): repair dollar-quote delimiters in retrieval owner sentinel migration

* fix(db): align schema.sql retrieval_owner_matches dollar quotes

* docs(governance): record public and anonymous API access verification

* fix: unblock production anonymous search and setup-status project warning

* style: format access rollout files for CI

* Polish answer suggestion chips across empty home, mobile composer, and modes

Unify empty-state quick actions with compact chips, move mobile follow-ups
into the footer composer, apply example chips to all search modes, add chip
truncation, update mockups/tests, and trim unused ClinicalDashboard imports.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* checkpoint before checking out cursor/add-supabase-plugin-6f14

* fix: drop accidental worktree gitlinks blocking CI

Remove nested worktree references from the plugin branch and ignore
.worktrees/ so checkout and required status checks can pass.

Co-authored-by: Cursor <cursoragent@cursor.com>

* style: format CI-flagged sources after main sync

* Fix CI failures from compact suggestion chips rollout

- Run Prettier on new/changed dashboard components
- Update ui-tools tests for Examples chips instead of Searching banner
- Scroll mobile table expand clear of taller footer composer stack
- Increase main bottom margin when composer follow-ups are visible
- Relax touch-target measurement tolerance for subpixel CI variance

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* feat: add public corpus promotion and retrieval-owner verification scripts

Add check:retrieval-owner to validate the live sentinel migration and promote:public-documents with dry-run/--apply for locally reviewed docs.

* Relax touch-target tolerance for full-suite subpixel variance

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* fix(mobile): prevent integrated action menu clipping on mode homes

* Hide cross-mode chip prefix when query is empty

The Examples dropdown section uses chips layout without a query, so
rendering 'Search "" in' was misleading. Only show the prefix when
there is an active query (cross-mode search).

* fix(ui): center mobile hero search and harden composer portal

- Hide footer Evidence/Sources chips on phone hero composers; scope stays in + menu
- Suppress bottom-dock composer flash until hero portal slot is ready
- Increase composer action/send touch targets to 44px on phones
- Update Playwright tests for scope menu, Answer home geometry, and stress fallback

* fix(ui): resolve merge conflicts and restore /applications route

- Remove stray merge conflict markers from master-search-header, ui-stress, globals.css
- Restore standalone /applications page and remove redirect to /?mode=tools
- Re-export ApplicationsLauncherPage for the restored route
- Regenerate docs/site-map.md

* fix(ci): format sources and stabilize scope-menu Playwright helpers

* style: format ui-stress spec for prettier check

* fix(mobile): restore favourites composer slot and stabilize scope smoke tests

* test(ui): fallback to answer options menu for desktop scope stress

* test(ui): open scope via answer options in desktop stress path

* test(ui): relax scope summary copy matcher for stress desktop path

* style: format mode-action-popup for prettier check

* Fix: close evidence sheet on follow-up quote to unblock focus trap

* test(ui): use openDailyActions for mobile stress scope path

* test(ui): force-click scope menuitem in mobile stress path

* fix(ui): clear integrated menu layout on close without effect setState

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(rag): deploy app-layer public owner sentinel for anonymous search (#291)

* fix(rag): scope anonymous retrieval to public documents via owner sentinel

Wire retrievalOwnerFilter through RAG, deep-memory, and document-enrichment so production anonymous search sends the public owner sentinel. Adds live migration check script and updated access tests.

* fix(ci): prettier migration check script and promote migration updated_at

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* fix: unblock PR CI — migration column guard and schema test sentinel

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* style: format supabase-schema sentinel assertions for prettier

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* Compact answer recommended questions into shared suggestion chips (#283)

* fix: resolve stale merge conflict markers from fix-all-db-issues integration

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* fix: run prettier on 6 files failing format check

* test(ui): relax mode-dependent selectors in smoke test

* Fix Prettier formatting violations

* test(ui): make mode-options smoke assertion mode-agnostic

* fix(ingestion): R24e — drop ingestion_job_stages.job_id FK (resolve drift #8)

Live evidence, not the backlog's add-the-FK plan: live never had this FK, the
edge agent writes an indexing_v3_agent_jobs id into job_id (never satisfies a FK
to ingestion_jobs), and live carries 253 orphan stage rows that would fail
VALIDATE. Removing the FK makes fresh/preview databases match live and unbreaks
the agent's artifact-repair path there.

- schema.sql: ingestion_job_stages.job_id is a plain not-null column (documented)
- migration 20260708140000: drop constraint if exists (no-op on live; removes it
  on the branch/preview migration chain)
- drift-allowlist: remove the now-obsolete FK entry (schema.sql matches live)
- database-drift-detection.md: mark backlog item #8 resolved with rationale
- supabase-schema.test: assert the FK is absent from schema.sql
- drift manifest regenerated (clean scratch replay)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix(ingestion): suppress agent stage ids from OCR retry targets

Only expose failed_ocr jobId values that resolve to a document ingestion_jobs row so the quality review Retry action does not 404 after dropping the ingestion_job_stages.job_id FK.

* fix: stale search-effect closure, missing effect dep, dead code cleanup

- ClinicalDashboard.tsx: route the URL-bootstrap search effect through refs
  for executeSearch/scopeFilters so it always calls the latest versions
  instead of the ones captured when the narrowly-scoped effect first ran
- DocumentViewer.tsx: add missing canUsePrivateApis effect dependency
- playwright-base-url.ts: accept 127.0.0.1 alongside localhost when
  verifying an existing local server
- Remove the already-unused onPickSample prop from AnswerEmptyState, and
  two now-unused type-only imports (MedicationRecordRow, RegistryRecordRow)

Verified: typecheck clean, lint clean, prettier clean, medications-route
and registry-records-route tests passing (17/17).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>

* style: format ingestion quality route for CI prettier gate

* chore: trigger CI after prettier fix

* chore: organize pending local changes

* ci: add image-generation remediation workflow

* feat: add image generation metadata re-stamp script

* fix(ci): stub RAG_QUERY_HASH_SECRET in deployment boot smoke

Production instrumentation requires RAG_QUERY_HASH_SECRET (PIA-2) when
next start boots in NODE_ENV=production. The boot smoke already stubs
Supabase and OpenAI keys for the child process; add the same pattern for
the query-hash secret so main CI deployment readiness passes.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* style: format deployment-boot-smoke for Prettier

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* fix(ci): require RAG_QUERY_HASH_SECRET in deployment boot smoke

Address Codex review: do not stub the query-hash secret with a known
placeholder. Add it to requiredProductionEnv and pass it from the CI
workflow secrets so main/release smoke fails closed when the secret is
absent, matching the Supabase/OpenAI gate pattern.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* fix(ci): supply RAG_QUERY_HASH_SECRET placeholder for deployment boot smoke

The production instrumentation hook requires a keyed query-hash secret so
logged clinical queries are not reversible. CI boot smoke only checks that
the server starts and reports the correct local project identity, so a
non-production placeholder is sufficient (same pattern as service-role and
OpenAI placeholders).

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* style: run Prettier on deployment-boot-smoke.mjs

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* ci: retrigger checks after Codex feedback fix

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* chore: reconcile ingestion RPC execute privileges, schema.sql and drift manifest

* ci: add db-reset-verify and dependency-review workflows

* ci: remove dependency-review workflow because repository is private without GHAS

* 📝 CodeRabbit Chat: Simplify code implementation (#434)

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix(db): rename duplicate migration version 20260708160000 to unique 20260708160001

* fix: run prettier on 19 files to fix CI format:check failure (#436)

* fix: address PR 433 review comments

- Defer embedding until after text/document fast paths and coverage gate
- Rehydrate cached document metadata in attachDocumentRankingMetadata
- Load env-dependent script imports after loadEnvConfig in seed/reindex scripts
- Harden registry corpus: shared identity, medication tags, rollback, detail hrefs
- Route registry citations to detail pages; handle registry rows in signed-url API
- Prioritize safety warnings over registry info; preserve stale registry labels
- Guard OCR repair against dropping isolated single-letter clinical tokens
- Update skill docs, changelog dedup, CI Supabase setup-cli@v3

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* fix: address follow-up PR 433 review comments

- Backfill NULL document_images.index_generation_id during re-stamp
- Count globally forced embedding eval cases in retrieval summaries

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* docs: add Codex review throttling protocol

* fix: format docs/branch-review-ledger.md to pass Prettier check

* fix(docs): tighten ledger skip checks and pure-review exception

Require branch, HEAD, and scope to match before skipping cleanup reviews, and allow ledger appends as the sole edit during pure review runs.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix: throttle Codex auto-resolve reviews

* fix: harden Codex review automation

* fix: prevent repeated Codex auto-resolve requests

* fix: keep Codex auto-resolve permission skips green

* fix: harden Codex auto-resolve GitHub API error handling

Wrap issues.listComments and issues.createComment in explicit try/catch paths that log a clear notice and fail the job deterministically on auth, rate-limit, and client API errors while preserving skip cases.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix: harden Codex auto-resolve dedupe and review guards

Use SHA-scoped PR labels and concurrency to prevent duplicate resolve requests, skip non-actionable reviews, document the auto-resolve confirmation exception, and add CI workflow guard checks.

Co-authored-by: Cursor <cursoragent@cursor.com>

* docs: add Codex resolve follow-up guidance and issue_comment trigger

Document manual re-trigger, add resolve completion checklist, cover top-level PR comments in auto-resolve, and link the review protocol from README.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix: format check-codex-autofix-workflow.mjs with Prettier

* fix: harden Codex auto-resolve label and retrigger guards

Queue PR/head workflow runs, create SHA labels before applying them, post the resolve comment before the label lock, and skip resolve completion summaries on issue_comment events.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix: soft-skip Codex auto-resolve on comment read 403

Treat issues.get and listComments permission failures as warnings so the workflow stays green when the token cannot read PR metadata.

Co-authored-by: Cursor <cursoragent@cursor.com>

* archive: document obsolete branch preservation

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants