Skip to content

docs: clinical hazard analysis + RAG injection threat model (analysis only)#331

Merged
BigSimmo merged 6 commits into
mainfrom
claude/safety-analysis
Jul 6, 2026
Merged

docs: clinical hazard analysis + RAG injection threat model (analysis only)#331
BigSimmo merged 6 commits into
mainfrom
claude/safety-analysis

Conversation

@BigSimmo

@BigSimmo BigSimmo commented Jul 6, 2026

Copy link
Copy Markdown
Owner

What

Two analysis-only documents for the answer pipeline. No product code is changed; no mitigations are implemented (a later chat will act on them).

  • docs/clinical-hazard-analysis.md — ISO 14971-style hazard analysis. Enumerates every pathway from a system output to patient harm (wrong number, stale guideline presented as current, caveat stripped on copy/export, mis-attributed source, overstated confidence, injection-poisoned content). For each hazard: severity, plausibility, the existing in-code control (named function/gate + file:line), the test/eval that proves it (or its absence), and the gap where no control exists. Uses the 2026-07-01 audit's H1–H4 as evidence the pathways are real, and re-examines those fixes at their current locations. Includes an assessment against the TGA clinical-decision-support (CDSS) exemption criteria and the product requirements that reliance on the exemption implies.
  • docs/rag-injection-threat-model.md — red-team of the ingestion → context → answer chain. Traces exactly what document-derived text reaches the prompt via buildRagSourceBlock, maps neutralize/fence coverage field-by-field, gives BLOCK/MISS verdicts per attack vector, specifies 15 concrete injection eval cases (fixture + query + expected safe behavior + failing assertion) ready to add to the eval suite, and ranks mitigations by effort (including a prompt-level provenance boundary).

How it was produced

Blind multi-agent fan-out — one analyst per harm pathway / attack vector, each unaware of the others — then orchestrator dedupe and adversarial verification of every finding against the live code before it entered a document. Findings that did not survive verification were corrected or dropped (e.g. document-text citation-ID spoofing is blocked by allowedChunkMap; indexing_quality.issues is raw in the prompt but not attacker-controllable; the audit's H4 ward-note fix was verified to sit in dead code).

Headline findings (all verified at cited file:line)

  • Faithfulness ≠ correctness (master residual): the pipeline verifies an answer is faithful to a cited source, never that the source is correct/trustworthy. A document stating a wrong-but-plausible value (malicious or OCR-corrupted) is faithfully surfaced and "verified." No source-authority tier; no cross-source dose-disagreement check.
  • Numeric verification coverage holes: rate denominators (30 mL/hr30 mL/day), dilution ratios (1:1000), and ug/drops/bare-integer frequencies are not extracted, so those wrong values pass as verified.
  • Caveat stripped on export: the shipped copy button (copyText) omits the table body and its low-confidence caveat; the audit's H4-fixed formatters (formatWardNote/formatAnswerForClipboard) are dead code.
  • No prose entailment check: a non-numeric claim cited to a real-but-non-supporting chunk passes every gate; uncited sources can be shown as "best/strong."
  • Raw prompt-facing fields: title, file_name, image caption/tableTitle/tableLabel, and the cross-document fusion brief bypass neutralizePromptInstructions; the <<<SOURCE_EXCERPT>>> fence is never explained to the model, so it is not a trust boundary.

Scope / safety

  • Analysis artifacts only; git diff is exactly the two docs.
  • Injection eval fixtures are defensive test payloads for a future eval harness.
  • Regulatory content is an engineering assessment, not legal advice — confirm classification with counsel per docs/clinical-governance.md.

Draft: open for review of the findings before any remediation work is scoped.

🤖 Generated with Claude Code

Analysis-only deliverables (no product code changed):

- docs/clinical-hazard-analysis.md — ISO 14971-style hazard analysis of
  the answer pipeline. Enumerates six harm pathways (wrong number, stale
  guideline, caveat stripped on export, mis-attributed source, overstated
  confidence, poisoned content) with severity/plausibility, the in-code
  control per hazard (function + file:line), the test that proves it (or
  its absence), and gaps. Links each pathway to the 2026-07-01 audit's
  H1-H4 as evidence. Includes a TGA clinical-decision-support exemption
  assessment and the product requirements it implies.

- docs/rag-injection-threat-model.md — red-team of the ingestion->context
  ->answer chain. Traces exactly what document-derived text reaches the
  prompt via buildRagSourceBlock, maps neutralize/fence coverage, gives
  BLOCK/MISS verdicts per attack vector, and specifies 15 concrete
  injection eval cases (fixture + query + expected safe behavior +
  failing assertion) plus mitigations ranked by effort.

Every finding was adversarially verified against the code at the cited
file:line. No mitigations were implemented.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@supabase

supabase Bot commented Jul 6, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@BigSimmo
BigSimmo marked this pull request as ready for review July 6, 2026 14:15
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@BigSimmo
BigSimmo enabled auto-merge July 6, 2026 14:51
BigSimmo and others added 3 commits July 7, 2026 00:01
CI verify failed on format:check for the two new analysis documents.

Co-authored-by: Cursor <cursoragent@cursor.com>
@BigSimmo
BigSimmo merged commit 08dcdb6 into main Jul 6, 2026
5 checks passed
@BigSimmo

BigSimmo commented Jul 6, 2026

Copy link
Copy Markdown
Owner Author

CI fix pushed

Root cause: verify failed at format:check — Prettier reported style issues in the two new docs.

Fix: commit 7092bea — ran Prettier on docs/clinical-hazard-analysis.md and docs/rag-injection-threat-model.md.

CI status: run 28806492131verify ✅, ui-smoke ✅, Gitleaks ✅.


Review (analysis-only PR)

Overall: LGTM for merge as analysis artifacts. Both documents are well-structured, adversarially verified against live code (file:line citations), and correctly scoped as recommendations-only with no product changes.

Strengths

  • Hazard register (H1–H6) maps cleanly to existing audit findings (H1–H4) and names the exact control, test coverage, and gap per pathway.
  • Threat model field-by-field table (buildRagSourceBlock) is immediately actionable for remediation scoping.
  • 15 injection eval cases (INJ-1…15) are ready to drop into a fixture-based harness — each includes expected safe behavior and the failing assertion today.
  • TGA CDSS exemption assessment correctly frames PR-1…PR-6 as product requirements, not legal conclusions.
  • Dead-code finding on formatWardNote/formatAnswerForClipboard vs shipped copyText is high-value and test-backed.

Non-blocking notes

  1. Cross-linking: Consider adding entries to docs/codebase-index.md and docs/process-hardening.md so future agents discover these artifacts (optional for this PR’s scope).
  2. Eval harness gap: Section 3 of the threat model correctly notes RagEvalCase lacks fixtureDocuments — worth tracking as a follow-up issue when remediation starts.
  3. Regulatory disclaimer: The TGA section is appropriately caveated; no change needed.

Risk areas for the next remediation PR (not blockers here)

Priority Finding Suggested first fix
P0 H3a–c: table caveat stripped on shipped copy Wire copyText through tested ward-output formatters
P0 H1a/H1b: rate-denominator & ratio holes Extend NUMERIC_TOKEN_PATTERN
P0 H6a: faithful-but-wrong passes as verified Cross-source dose-disagreement + authority caveat
P1 H6b: raw title/file_name/caption in prompt Neutralize + fence (threat model mitigations 1–2)

No blocking issues for this docs-only PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant