fix: address review findings across recent PR churn (governance caveat, skeleton hang, owner sentinel, port probe)#321
Merged
Conversation
Since 20260706120000 promoted every indexed document into the public anonymous corpus regardless of clinical_validation_status, and new uploads default to "unverified", answers can be grounded on never-locally-validated guidelines. The unverified_source warning was generated server-side but filtered out of the frontend-visible set, so no caveat ever reached the answer UI. Make it frontend-visible (still non-blocking; review_due stays a hidden routine note). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_011WXsrao2p3qYRuf7P9pkEY
This early-return fires after searchRequestSeqRef is bumped, which gates a superseded in-flight request's finally block out of resetting loading, so the answer skeleton could stay on screen indefinitely — the residual case of the #316 skeleton-hang class. Mirror the sibling early-returns. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_011WXsrao2p3qYRuf7P9pkEY
…fields_text The codification in 20260705230000 kept the legacy (owner_filter is null or d.owner_id = owner_filter) predicate, so this RPC ignores retrieval_owner_matches: the anonymous sentinel would match zero rows and a real owner id would exclude public documents. Latent (only the _hybrid variant is wired into the app) but wrong the moment it is used. Migration is prepared, NOT applied to live — tracked in docs/process-hardening.md. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_011WXsrao2p3qYRuf7P9pkEY
…um executable override canListenOnHost resolved false on any listen error, so in IPv6-less containers EAFNOSUPPORT on ::1/:: disqualified every port and both npm run dev and the Playwright runner died with 'No free port found'. Treat an unsupported address family as unable to hold the port. Also let PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH point the chromium project at a preinstalled browser for sandboxes that block browser downloads; default behavior is unchanged. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_011WXsrao2p3qYRuf7P9pkEY
Aligns the lingering 16.2.9 pin with next 16.2.10 (bumped in #311). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_011WXsrao2p3qYRuf7P9pkEY
|
Updates to Preview Branch (claude/pr-review-issues-2ewx3t) ↗︎
Tasks are run on every commit but only new migration files are pushed.
View logs for this Workflow Run ↗︎. |
BigSimmo
marked this pull request as ready for review
July 6, 2026 12:37
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes from a full review of the ~30 recently merged PRs (search/answer UI churn, mobile fixes, Supabase security/drift hardening, dependency bumps):
20260706120000promoted every indexed document into the public anonymous corpus regardless ofclinical_validation_status, and new uploads default tounverified— but theunverified_sourcewarning was filtered out of the frontend-visible set, so answers grounded on never-locally-validated guidelines showed no caveat at all.unverified_sourceis now frontend-visible (still non-blocking;review_due_sourcestays a hidden routine note). Tests updated to pin the new intent.!canRunSearchearly-return inexecuteSearchfires aftersearchRequestSeqRefis bumped but never clearedloading, and the bump gates the superseded in-flight request'sfinallyout of clearing it either — so the answer skeleton could stay on screen indefinitely. It now resetsloading/answerProgresslike its sibling early-returns.match_document_embedding_fields_text(codified in20260705230000) kept the legacy(owner_filter is null or d.owner_id = owner_filter)predicate and ignores the public-owner sentinel: the anonymous sentinel would match zero rows and a real owner id would exclude public documents. New migration20260706130000recreates it withretrieval_owner_matches(with the fix(db): repair Supabase Preview migration replay failures #305-style replay guard);schema.sqlupdated to match. Latent today (only the_hybridvariant is wired in). Prepared, NOT applied to live — tracked indocs/process-hardening.md.canListenOnHosttreated any listen error as "port busy", so in IPv6-less containersEAFNOSUPPORTon::1/::disqualified every port and bothnpm run devand the Playwright runner died with "No free Playwright server port found". An unsupported address family now no longer disqualifies a port. Also added an opt-inPLAYWRIGHT_CHROMIUM_EXECUTABLE_PATHfor sandboxes that block browser downloads (default behavior unchanged).eslint-config-next16.2.9 pin to 16.2.10, aligning withnext(chore(deps): bump next from 16.2.9 to 16.2.10 #311).Verification
npm run verify:cheap— pass (check:runtime, sitemap:check, lint, typecheck, 1097 vitest tests)npm run verify:ui— pass (103/103 Chromium Playwright, run with the preinstalled sandbox browser via the new env var)npm run verify:release— not run; no release/handoff claimnpm run format:check— passnpm run eval:retrieval:quality— not applicable: no retrieval ranking/selection/chunking/scoring behavior changed (the migration fixes an owner predicate on an RPC that app code does not call; needs live keys regardless)npm run eval:rag/eval:quality— not applicable: answer generation and post-processing unchanged (only warning visibility in the UI)npm run check:production-readiness— run; fails only on missing secrets in this demo-mode sandbox (NEXT_PUBLIC_SUPABASE_URL,SUPABASE_SERVICE_ROLE_KEY,OPENAI_API_KEY), expected per AGENTS.mdnpm run check:deployment-readiness— not applicable: no deployment startup/hosting/rollout changeClinical Governance Preflight
Clinical KB Database(sjrfecxgysukkwxsowpy)Notes
20260706130000_fix_embedding_fields_text_owner_sentinelmust be applied to live with the next approved push; until then the fix exists only in the repo (the RPC is latent — not called by app code).document_chunks.owner_idleft stale by the feat: promote all indexed documents public regardless of validation status #294 promotion (harmless — retrieval and RLS key off the parent document), a duplicatecreate or replaceblock in the applied20260705210000migration (do not rewrite history), and drift in theuniversal-search-command-mockupsroute.Generated by Claude Code
Note
Medium Risk
Touches clinically visible governance warnings and search loading state; the retrieval migration is prepared but not applied live and the RPC is unused by app code today.
Overview
Follow-up fixes from recent search/governance and Supabase drift work.
Clinical governance UI: With the public corpus promotion, answers can cite never-locally-validated guidelines without any visible caveat because
unverified_sourcewas filtered out of frontend-visible warnings. That code is now shown (still non-blocking);review_due_sourcestays hidden as routine metadata. Tests pin the new visibility rules.Search UX: When
executeSearchbails early because!canRunSearchafter bumping the search request id, it now clearsloadingandanswerProgressso the answer skeleton cannot stick indefinitely (superseded in-flightfinallyblocks no longer clear it).Database (prepared, not live):
match_document_embedding_fields_textis updated to useretrieval_owner_matchesinstead of the legacy owner predicate so anonymous/public-owner filtering matches other retrieval RPCs. Migration20260706130000plusschema.sqlsync; documented as latent until the_textRPC is wired in app code.Tooling:
canListenOnHostin dev and Playwright runners no longer treatsEAFNOSUPPORT/EADDRNOTAVAILas “port busy” on IPv6-less containers. Playwright optionally honorsPLAYWRIGHT_CHROMIUM_EXECUTABLE_PATHfor sandboxes with a preinstalled Chromium.eslint-config-nextbumps 16.2.9 → 16.2.10.Reviewed by Cursor Bugbot for commit 6dbd5b4. Configure here.