docs: clinical hazard analysis + RAG injection threat model (analysis only)#331
Conversation
Analysis-only deliverables (no product code changed): - docs/clinical-hazard-analysis.md — ISO 14971-style hazard analysis of the answer pipeline. Enumerates six harm pathways (wrong number, stale guideline, caveat stripped on export, mis-attributed source, overstated confidence, poisoned content) with severity/plausibility, the in-code control per hazard (function + file:line), the test that proves it (or its absence), and gaps. Links each pathway to the 2026-07-01 audit's H1-H4 as evidence. Includes a TGA clinical-decision-support exemption assessment and the product requirements it implies. - docs/rag-injection-threat-model.md — red-team of the ingestion->context ->answer chain. Traces exactly what document-derived text reaches the prompt via buildRagSourceBlock, maps neutralize/fence coverage, gives BLOCK/MISS verdicts per attack vector, and specifies 15 concrete injection eval cases (fixture + query + expected safe behavior + failing assertion) plus mitigations ranked by effort. Every finding was adversarially verified against the code at the cited file:line. No mitigations were implemented. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
This pull request has been ignored for the connected project Preview Branches by Supabase. |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
CI verify failed on format:check for the two new analysis documents. Co-authored-by: Cursor <cursoragent@cursor.com>
CI fix pushedRoot cause: Fix: commit CI status: run 28806492131 — Review (analysis-only PR)Overall: LGTM for merge as analysis artifacts. Both documents are well-structured, adversarially verified against live code ( Strengths
Non-blocking notes
Risk areas for the next remediation PR (not blockers here)
No blocking issues for this docs-only PR. |
What
Two analysis-only documents for the answer pipeline. No product code is changed; no mitigations are implemented (a later chat will act on them).
docs/clinical-hazard-analysis.md— ISO 14971-style hazard analysis. Enumerates every pathway from a system output to patient harm (wrong number, stale guideline presented as current, caveat stripped on copy/export, mis-attributed source, overstated confidence, injection-poisoned content). For each hazard: severity, plausibility, the existing in-code control (named function/gate +file:line), the test/eval that proves it (or its absence), and the gap where no control exists. Uses the 2026-07-01 audit's H1–H4 as evidence the pathways are real, and re-examines those fixes at their current locations. Includes an assessment against the TGA clinical-decision-support (CDSS) exemption criteria and the product requirements that reliance on the exemption implies.docs/rag-injection-threat-model.md— red-team of the ingestion → context → answer chain. Traces exactly what document-derived text reaches the prompt viabuildRagSourceBlock, maps neutralize/fence coverage field-by-field, gives BLOCK/MISS verdicts per attack vector, specifies 15 concrete injection eval cases (fixture + query + expected safe behavior + failing assertion) ready to add to the eval suite, and ranks mitigations by effort (including a prompt-level provenance boundary).How it was produced
Blind multi-agent fan-out — one analyst per harm pathway / attack vector, each unaware of the others — then orchestrator dedupe and adversarial verification of every finding against the live code before it entered a document. Findings that did not survive verification were corrected or dropped (e.g. document-text citation-ID spoofing is blocked by
allowedChunkMap;indexing_quality.issuesis raw in the prompt but not attacker-controllable; the audit's H4 ward-note fix was verified to sit in dead code).Headline findings (all verified at cited
file:line)30 mL/hr≡30 mL/day), dilution ratios (1:1000), andug/drops/bare-integer frequencies are not extracted, so those wrong values pass as verified.copyText) omits the table body and its low-confidence caveat; the audit's H4-fixed formatters (formatWardNote/formatAnswerForClipboard) are dead code.title,file_name, imagecaption/tableTitle/tableLabel, and the cross-document fusion brief bypassneutralizePromptInstructions; the<<<SOURCE_EXCERPT>>>fence is never explained to the model, so it is not a trust boundary.Scope / safety
git diffis exactly the two docs.docs/clinical-governance.md.Draft: open for review of the findings before any remediation work is scoped.
🤖 Generated with Claude Code