Skip to content

fix: integrate PR #481 auth and payload patch into main#490

Merged
BigSimmo merged 3 commits into
mainfrom
codex/pr-481-main-integration
Jul 11, 2026
Merged

fix: integrate PR #481 auth and payload patch into main#490
BigSimmo merged 3 commits into
mainfrom
codex/pr-481-main-integration

Conversation

@BigSimmo

Copy link
Copy Markdown
Owner

Summary

Why

PR #481 merged into its already-merged feature base, so its patch was not reachable from main.

Verification

  • npm run verify:cheap
  • focused proxy, answer-payload, and clinical-safety Vitest: 17/17
  • npm run check:production-readiness:ci
  • formatting and git diff checks

BigSimmo and others added 2 commits July 11, 2026 20:13
… phase 3 — auth) (#481)

* perf: skip the proxy session-refresh getUser for API routes

Round-2 phase 3, auth part (isolated for security review). Every
authenticated request previously paid two serial auth-server round trips:
src/proxy.ts ran supabase.auth.getUser() for every matched path including
/api/*, and the route handler then independently validated the caller via
getOptionalAuthenticatedUser. Nothing consumed the proxy's result on API
routes — the call existed only to keep session cookies fresh.

The proxy now skips only the session-refresh getUser for /api/* paths:

- API handlers keep validating the caller themselves (bearer token and/or
  @supabase/ssr cookie) — no authorization decision moves or weakens, and the
  handlers remain fail-closed exactly as before.
- The CSP nonce header still applies to every matched response including
  /api/* (matcher unchanged).
- Session cookies still refresh on every page navigation, and the browser
  Supabase client refreshes its own token (autoRefreshToken) for bearer-based
  API calls, so long-lived sessions behave as before.

Deliberately NOT done: the trusted-internal-header design (proxy forwards a
validated user id for handlers to trust) was rejected — handlers validating
tokens independently is the stronger defense-in-depth posture. The legacy
cookie-token extraction in supabase/auth.ts was left untouched: tests define
legacy sb-access-token / plain-JSON cookie support as intended behavior.

New tests pin the contract: getUser is skipped for /api/* (CSP still
stamped), runs on page navigations with an sb- cookie, and never runs without
one. Existing CSP nonce tests unchanged and green.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* perf: trim the answer payload to what the client renders (#482)

* fix: preserve cookie refresh and safety evidence

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
@supabase

supabase Bot commented Jul 11, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The change trims server-only answer-source fields from JSON and SSE responses, adds transformation and proxy session-refresh tests, clarifies proxy comments, and updates branch review ledger records.

Changes

Answer payload boundary

Layer / File(s) Summary
Client payload transformation and response wiring
src/lib/answer-client-payload.ts, src/app/api/answer/route.ts, src/app/api/answer/stream/route.ts, tests/answer-client-payload.test.ts
Adds explicit source-field filtering and normalization, wires it into both answer routes, and tests preservation, immutability, pass-through, safety content, and payload reduction.

Proxy session verification

Layer / File(s) Summary
Session refresh behavior and coverage
src/proxy.ts, tests/proxy-session-refresh.test.ts
Clarifies session-refresh and matcher comments, and tests cookie rotation, CSP headers, and authentication lookup behavior for API, page, and unauthenticated requests.

Review ledger records

Layer / File(s) Summary
Review record updates
docs/branch-review-ledger.md
Updates the PR 485 review record and adds a PR 481 record documenting replay and verification checks.

Estimated code review effort: 3 (Moderate) | ~20 minutes


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (1 error)

Check name Status Explanation Resolution
Verification Claims ❌ Error Verification prose lists commands/counts but never says “Ran …: passed” or “Not run: reason”; see PR description and ledger row for bare claims. Rewrite verification bullets to explicit status form, e.g. Ran npm run verify:cheap: passed or Not run: production build skipped because ....
✅ Passed checks (10 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: integrating PR #481's auth and payload patch into main.
Description check ✅ Passed The description covers Summary, Why, and Verification, but it omits the Clinical Governance Preflight section and Notes expected by the template.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Generated And Sensitive Files ✅ Passed Changed files are docs/source/tests only; no disallowed paths or high-confidence secret patterns were found, and token-like strings are synthetic test fixtures.
Risky Git Or Deployment Actions ✅ Passed The diff only updates a ledger row and payload tests; it contains no instructions recommending force-push, resets, destructive cleans, shared-branch rebases, or unsafe deploys.
Supabase Project And Schema Safety ✅ Passed No app/docs/env changes point to a stale or wrong Supabase project, and there are no migrations, RLS, or policy changes in the diff.
Runtime And Package Manager Integrity ✅ Passed PASS: HEAD changes only docs/code/tests; no package.json, lockfile, .npmrc, or runtime config edits. Repo still pins Node 24/npm 11 with engine-strict=true.
Api Route Failure Handling ✅ Passed PASS: The changed answer routes already handle Zod/auth/rate-limit/generic errors, and the new payload helper is pure and no-op on empty sources; no unsafe failure path added.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/pr-481-main-integration
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch codex/pr-481-main-integration

Comment @coderabbitai help to get the list of available commands.

coderabbitai[bot]
coderabbitai Bot previously requested changes Jul 11, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
src/lib/answer-client-payload.ts (1)

17-33: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Denylist trimming risks silently leaking future server-only fields.

trimSourceForClient deletes today's known server-only fields. If SearchResult later gains another server-only field (similar in spirit to adjacent_context/memory_cards), it will pass through to the client by default unless someone remembers to add a delete here — the opposite of what a trust-boundary trim function should guarantee.

Consider inverting to an allowlist (or adding a compile-time exhaustiveness check keyed off keyof SearchResult) so newly added fields must be explicitly classified as client-safe rather than defaulting to "leaked."

♻️ Example exhaustiveness guard
+// Any new key added to SearchResult must be classified here as either
+// client-visible or trimmed — this fails to compile otherwise.
+type _SourceFieldAudit = { [K in keyof SearchResult]: true };
+const _sourceFieldAudit: _SourceFieldAudit = {
+  id: true, document_id: true, title: true, file_name: true, page_number: true,
+  chunk_index: true, section_heading: true, section_path: true, heading_level: true,
+  parent_heading: true, anchor_id: true, content: true, retrieval_synopsis: true,
+  image_ids: true, similarity: true, similarity_origin: true, text_rank: true,
+  hybrid_score: true, lexical_score: true, rrf_score: true, score_explanation: true,
+  source_strength: true, source_metadata: true, document_labels: true,
+  document_summary: true, adjacent_context: true, memory_cards: true,
+  memory_score: true, relevance: true, match_explanation: true, table_facts: true,
+  index_unit: true, indexing_quality: true, images: true,
+};
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/answer-client-payload.ts` around lines 17 - 33, Update
trimSourceForClient to use an explicit allowlist of client-safe SearchResult
fields instead of spreading the full source and deleting known server-only
fields. Ensure newly added SearchResult properties cannot pass through by
default, while preserving content’s empty-string fallback and the existing
toClientAnswerPayload mapping behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/branch-review-ledger.md`:
- Line 49: Update the verification column of the ledger row for PR `#481` to
explicitly include the completed npm run verify:cheap check and replace the
ambiguous “production-readiness CI-safe” wording with the exact
production-readiness verification command or checks that were actually executed.
Preserve the other listed verification results and ensure the row accurately
reflects only completed checks.

In `@tests/proxy-session-refresh.test.ts`:
- Around line 64-70: Add the response-cookie assertion from the API test to the
page-navigation test for proxy(requestWithSessionCookie("/documents/some-id")),
verifying that the rotated session cookie is present on the response while
preserving the existing getUser and CSP assertions.

---

Nitpick comments:
In `@src/lib/answer-client-payload.ts`:
- Around line 17-33: Update trimSourceForClient to use an explicit allowlist of
client-safe SearchResult fields instead of spreading the full source and
deleting known server-only fields. Ensure newly added SearchResult properties
cannot pass through by default, while preserving content’s empty-string fallback
and the existing toClientAnswerPayload mapping behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 948c6ad6-5af9-445d-a001-6801e3d44c42

📥 Commits

Reviewing files that changed from the base of the PR and between 66883b7 and f53ee1c.

📒 Files selected for processing (7)
  • docs/branch-review-ledger.md
  • src/app/api/answer/route.ts
  • src/app/api/answer/stream/route.ts
  • src/lib/answer-client-payload.ts
  • src/proxy.ts
  • tests/answer-client-payload.test.ts
  • tests/proxy-session-refresh.test.ts

Comment thread docs/branch-review-ledger.md Outdated
Comment thread tests/proxy-session-refresh.test.ts
@BigSimmo
BigSimmo dismissed coderabbitai[bot]’s stale review July 11, 2026 12:26

All actionable and nitpick findings fixed in a6a9e02: auditable exact verification commands, page-response cookie assertion, and an exhaustive explicit client-field policy that blocks unclassified runtime fields.

@BigSimmo

Copy link
Copy Markdown
Owner Author

Resolved the full CodeRabbit set in a6a9e0292. The answer-source boundary now uses an exhaustive keyof SearchResult field policy and runtime allowlist, so future/unclassified fields cannot leak by default; the cookie regression and ledger audit were also strengthened. Focused tests pass 18/18 with typecheck and formatting clean.

@BigSimmo
BigSimmo merged commit 7dcea93 into main Jul 11, 2026
19 checks passed
@BigSimmo
BigSimmo deleted the codex/pr-481-main-integration branch July 13, 2026 16:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant