Skip to content

fix(ci): require RAG_QUERY_HASH_SECRET for deployment boot smoke#429

Merged
BigSimmo merged 4 commits into
mainfrom
cursor/fix-ci-boot-smoke-hash-4142
Jul 9, 2026
Merged

fix(ci): require RAG_QUERY_HASH_SECRET for deployment boot smoke#429
BigSimmo merged 4 commits into
mainfrom
cursor/fix-ci-boot-smoke-hash-4142

Conversation

@BigSimmo

@BigSimmo BigSimmo commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Summary

Fixes the main CI verify failure after production instrumentation began requiring RAG_QUERY_HASH_SECRET (PIA-2).

After #426 merged, deployment boot smoke failed with:

Missing RAG_QUERY_HASH_SECRET. It is required in production so logged clinical-query hashes are keyed HMAC-SHA256 pseudonyms...

Changes

  • scripts/deployment-boot-smoke.mjs: add RAG_QUERY_HASH_SECRET to requiredProductionEnv (no placeholder fallback — fails closed when absent).
  • .github/workflows/ci.yml: pass secrets.RAG_QUERY_HASH_SECRET into the boot-smoke step alongside the other production secrets.
  • Docs: list RAG_QUERY_HASH_SECRET among required GitHub repo secrets for boot smoke.

Review feedback addressed

ChatGPT P1: require the real query-hash secret in boot smoke instead of defaulting a placeholder that would let a missing production secret slip through CI.

CodeRabbit: keep observability-slos.md eval-canary secret list aligned with eval-canary.yml preflight (boot smoke only needs RAG_QUERY_HASH_SECRET).

Verification

  • SUPABASE_SERVICE_ROLE_KEY=… OPENAI_API_KEY=… RAG_QUERY_HASH_SECRET=… npm run check:deployment-readiness — pass
  • Missing RAG_QUERY_HASH_SECRET — explicit missing-env error
  • CI verify — pass

Ops note

Ensure RAG_QUERY_HASH_SECRET (min 16 chars) is configured as a GitHub Actions repository secret before merging to main.

Open in Web Open in Cursor 

Production instrumentation now requires a query-hash secret (PIA-2). The
deployment boot smoke starts next start in production mode but only
stubbed Supabase/OpenAI placeholders, so main CI verify failed after the
privacy guard landed. Add a matching placeholder so the smoke can still
verify /api/local-project-id without a real secret.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
@supabase

supabase Bot commented Jul 9, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0827b687c0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread scripts/deployment-boot-smoke.mjs Outdated
Address Codex review: wire the query-hash secret through CI as a required
repository secret instead of stubbing a placeholder in the smoke script.
Also document the secret alongside the other boot-smoke GitHub secrets.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Adds RAG_QUERY_HASH_SECRET as a required deployment boot smoke secret, wires it into the CI workflow, and updates deployment and observability documentation to list it as a required secret.

Changes

RAG_QUERY_HASH_SECRET requirement

Layer / File(s) Summary
Boot smoke script enforcement
scripts/deployment-boot-smoke.mjs
requiredProductionEnv now includes RAG_QUERY_HASH_SECRET, causing the preflight check to fail if it's missing; the accompanying comment explains it must be supplied without a placeholder in CI.
CI wiring and documentation
.github/workflows/ci.yml, docs/deployment-architecture.md, docs/observability-slos.md
CI's "Deployment boot smoke" step env block passes RAG_QUERY_HASH_SECRET from repo secrets; deployment architecture and observability docs list it as a required, high-sensitivity secret.

Estimated code review effort: 1 (Trivial) | ~5 minutes


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
Verification Claims ❌ Error PR body says “CI verify — pass” and a missing-secret check without exact command/check wording. Rewrite verification claims to name the exact command/check and result, e.g. “Ran npm run check:deployment-readiness: passed” or “Not run: reason.”
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 70.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (9 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and concisely describes the main change: requiring RAG_QUERY_HASH_SECRET for deployment boot smoke.
Description check ✅ Passed The description is detailed and mostly matches the template, but it omits the Clinical Governance Preflight and Notes sections.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Generated And Sensitive Files ✅ Passed Touched files are workflow/docs/scripts only; scans found no committed secrets, tokens, private keys, or generated/local artifact files.
Risky Git Or Deployment Actions ✅ Passed No force-push/reset/destructive cleanup or unsafe deploy guidance was added; the diff is UI/test tweaks and replaces forced clicks with safer actions.
Supabase Project And Schema Safety ✅ Passed PR only updates CI env, docs, and the smoke script to require one extra secret; no migrations, RLS/policy, or Supabase project-ref changes were introduced.
Runtime And Package Manager Integrity ✅ Passed Only secret/env additions in workflow and smoke script; no package-lock/package.json changes, no package-manager flags, and Node 24/npm 11 pins remain intact.
Api Route Failure Handling ✅ Passed PASS: The PR only updates CI/docs and the deployment smoke script, which now fails closed on missing RAG_QUERY_HASH_SECRET; no unsafe API/server-action/provider changes were introduced.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cursor/fix-ci-boot-smoke-hash-4142
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch cursor/fix-ci-boot-smoke-hash-4142

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
docs/deployment-architecture.md (1)

187-187: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Annotation omits eval canary, inconsistent with observability-slos.md.

The SUPABASE_SERVICE_ROLE_KEY row (Line 183) notes "CI boot smoke + eval canary", but this new row only says "(CI boot smoke)" even though docs/observability-slos.md (Lines 149-152, same PR) lists RAG_QUERY_HASH_SECRET as required for the eval canary too.

📝 Proposed fix
-| `RAG_QUERY_HASH_SECRET`                          | high             | runtime               | host secret store; GitHub repo secret (CI boot smoke)               |
+| `RAG_QUERY_HASH_SECRET`                          | high             | runtime               | host secret store; GitHub repo secret (CI boot smoke + eval canary) |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/deployment-architecture.md` at line 187, The RAG_QUERY_HASH_SECRET row
is missing the eval canary annotation, making it inconsistent with the related
secret requirements. Update the annotation in the deployment-architecture table
for RAG_QUERY_HASH_SECRET to match the usage described in observability-slos.md,
using the same style as the SUPABASE_SERVICE_ROLE_KEY entry so it clearly
indicates both CI boot smoke and eval canary.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/observability-slos.md`:
- Around line 149-153: The required-secret list in the observability SLOs doc is
out of sync with eval-canary’s actual preflight checks. Update the doc to match
the current `eval-canary.yml` behavior by listing only the secrets it really
validates via its preflight, or first add the missing `RAG_QUERY_HASH_SECRET`
and eval owner wiring to the workflow and then keep the doc aligned. Use the
`eval-canary.yml` workflow and the required-repo-secrets section in this doc as
the sources of truth.

---

Nitpick comments:
In `@docs/deployment-architecture.md`:
- Line 187: The RAG_QUERY_HASH_SECRET row is missing the eval canary annotation,
making it inconsistent with the related secret requirements. Update the
annotation in the deployment-architecture table for RAG_QUERY_HASH_SECRET to
match the usage described in observability-slos.md, using the same style as the
SUPABASE_SERVICE_ROLE_KEY entry so it clearly indicates both CI boot smoke and
eval canary.
🪄 Autofix (Beta)

❌ Autofix failed (check again to retry)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 2559fa20-6733-4e3a-96af-b5ad1954ad06

📥 Commits

Reviewing files that changed from the base of the PR and between 8163549 and eb91e14.

📒 Files selected for processing (4)
  • .github/workflows/ci.yml
  • docs/deployment-architecture.md
  • docs/observability-slos.md
  • scripts/deployment-boot-smoke.mjs

Comment thread docs/observability-slos.md Outdated
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

⚠️ Branch updated during autofix.

The branch was updated while autofix was in progress. Please try again.

The observability SLO doc incorrectly listed RAG_QUERY_HASH_SECRET as
required for eval-canary.yml; only boot smoke needs it. Trim the doc to
match the workflow's actual preflight checks.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
@cursor cursor Bot changed the title fix(ci): stub RAG_QUERY_HASH_SECRET in deployment boot smoke fix(ci): require RAG_QUERY_HASH_SECRET for deployment boot smoke Jul 9, 2026
@BigSimmo
BigSimmo enabled auto-merge (squash) July 9, 2026 06:34
@BigSimmo
BigSimmo disabled auto-merge July 9, 2026 06:35
@BigSimmo
BigSimmo enabled auto-merge (squash) July 9, 2026 06:35
@BigSimmo
BigSimmo merged commit 4f4838a into main Jul 9, 2026
8 checks passed
@BigSimmo
BigSimmo deleted the cursor/fix-ci-boot-smoke-hash-4142 branch July 9, 2026 12:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants