Skip to content

fix: harden Domain 2 document and auth workflows#533

Merged
BigSimmo merged 9 commits into
mainfrom
codex/domain2-remediation
Jul 12, 2026
Merged

fix: harden Domain 2 document and auth workflows#533
BigSimmo merged 9 commits into
mainfrom
codex/domain2-remediation

Conversation

@BigSimmo

Copy link
Copy Markdown
Owner

Summary

  • bind client requests and async state commits to the current authentication epoch, including uploads, document work, answer generation, and private scope restoration
  • replace fixture-backed production document search/source routes with live scoped flows while retaining clearly labelled mockups
  • add typed API/upload errors, abortable retry handling, explicit answer cancellation states, faithful table copy output, and accessible indexing status
  • move the production shell to a production-named module, document frontend ownership boundaries, and enforce production/mockup imports
  • repair the local verification workflow: named type-scale tokens and working verify:pr-local --dry-run --files/--extended selection with tests

Why

The Domain 2 audit confirmed production fixture leakage, stale authenticated async commits, unsafe private-scope restoration, ambiguous cancellation/upload outcomes, and copy/export gaps. These changes fail closed on auth or scope loss while preserving server-enforced public/private document access.

Verification

  • git diff --check — passed
  • npm run format:check — passed
  • npm run check:type-scale — passed
  • npm run lint — passed
  • npm run typecheck — passed
  • focused Domain 2/verification Vitest set — 8 files, 16 tests passed
  • full Vitest aggregate — 1,658 passed, 1 skipped; two graph scans timed out at 30 seconds under aggregate contention, then passed 10/10 when rerun together in isolation
  • npm run build — passed; client bundle secret scan passed
  • npm run eval:rag:offline — 36 fixture cases and 58 production-contract tests passed
  • npm run test:e2e:critical — 8/8 Chromium tests passed
  • focused document, cancellation, table/modal, viewport, reduced-motion, forced-colours, and zoom journeys passed during implementation
  • npm run check:production-readiness:ci with provider variables removed — READY with expected missing-provider warnings

Checks not run / limitations

  • the 136-test single-worker Chromium aggregate continued beyond the local command window; a two-worker experiment overloaded the shared dev server and was discarded. Focused and critical suites are green.
  • no live Supabase/OpenAI checks, hosted CI reruns, release gate, deployment, or production data changes were run

Risk and governance

This touches authentication, private document scope, uploads, answer generation, source rendering, and clinical UI. Private scope references remain opaque, owner-bound, session-only, expiring, and fail closed. Production search continues to rely on server-side access enforcement rather than client filtering.

@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: e9725053-08f1-48e3-aedc-982128c74adb

📥 Commits

Reviewing files that changed from the base of the PR and between d781395 and 7ea33b2.

📒 Files selected for processing (1)
  • src/lib/answer-render-policy.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/lib/answer-render-policy.ts

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Introduced route-aware global and documents search with canonical document viewer redirects.
    • Added table evidence to copied answer text.
    • Improved private-document scope restore with clearer recovery when scope is unavailable.
    • Enhanced upload flow with queued/duplicate/failed outcomes and improved accessibility.
  • Bug Fixes

    • Improved rate-limit and API error messaging with retry timing.
    • Prevented stale UI updates after authentication/session changes.
    • Better “generation stopped” handling and safer document navigation.
  • Documentation

    • Updated frontend architecture and routing/site documentation.

Walkthrough

The PR updates document routing and mockup boundaries, introduces a canonical search shell, adds auth-epoch request cancellation, persists private search scopes, standardizes API errors, models answer and upload lifecycles, and expands local verification and UI coverage.

Changes

Frontend platform changes

Layer / File(s) Summary
Document routes and mockup boundaries
docs/*, src/app/documents/..., src/app/mockups/..., src/lib/document-flow-routes.ts, src/components/*mockups*
Legacy document source routes redirect to the canonical viewer, while mockup routes and helpers use isolated mockup paths.
Canonical search shell
src/components/clinical-dashboard/global-search-shell.tsx, src/components/clinical-dashboard/global-mockup-search-shell.tsx
The route-aware production shell owns dashboard dispatch and standalone search presentation; the mockup module re-exports it for compatibility.
Auth-scoped async state
src/lib/auth-request-lifecycle.ts, src/lib/supabase/client.tsx, src/components/ClinicalDashboard.tsx, src/components/DocumentViewer.tsx, src/components/DocumentManagementActions.tsx
Auth epochs abort stale requests and prevent late responses from committing state across dashboard, viewer, management, and upload flows.
Search scope and API error contracts
src/lib/private-search-scope.ts, src/lib/search-navigation-context.ts, src/lib/api-client-error.ts, src/lib/api-rate-limit.ts, src/components/clinical-dashboard/search-utils.ts
Private scope references round-trip through validated URLs, storage restores fail closed, and API failures expose structured retry metadata.
Answer and upload state
src/lib/answer-lifecycle.ts, src/lib/answer-render-policy.ts, src/lib/ward-output.ts, src/components/clinical-dashboard/DocumentManagerPanel.tsx
Answer cancellation and completion use reducer state, visual evidence is included in clipboard output, and uploads return structured outcomes with accessible progress messaging.
Verification and local checks
scripts/*, tests/*
PR-local checks gain scoped dry runs and gated extended plans, with tests covering routing, auth epochs, scopes, errors, uploads, answer cancellation, accessibility, and UI behavior.

Estimated code review effort: 5 (Critical) | ~120 minutes

Possibly related PRs

  • BigSimmo/Database#421: Reworks overlapping mockup search-shell layout and mobile scroll behavior in the module now retained as a compatibility re-export.

Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (1 error, 2 warnings)

Check name Status Explanation Resolution
Verification Claims ❌ Error PR description includes unqualified verification claims like “focused Domain 2/verification Vitest set … passed” and “client bundle secret scan passed” without exact commands. Rewrite each verification note as Ran <exact command>: passed or Not run: reason, including focused and aggregate browser/test/build/security checks.
Description check ⚠️ Warning The description covers the main changes, but it does not follow the required template sections/checklists or include the requested verification and governance checkboxes. Rewrite it to match the template: add the required checkbox lists for Verification and Clinical Governance Preflight, and fill in the missing readiness and eval items.
Docstring Coverage ⚠️ Warning Docstring coverage is 5.06% which is insufficient. The required threshold is 70.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (8 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change set: hardening document and auth workflows in Domain 2.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Generated And Sensitive Files ✅ Passed The only changed file is src/lib/answer-render-policy.ts; no .env, keys, tokens, logs, caches, node_modules, or build artifacts appear in the commit.
Risky Git Or Deployment Actions ✅ Passed Changed docs/scripts only add safe route/verification guidance; no force-push, hard reset, destructive clean, branch deletion, or unconfirmed deployment steps found.
Supabase Project And Schema Safety ✅ Passed PR diff vs origin/main touches app/docs only; no supabase/, .env.example, migrations, RLS, or policy files changed. Supabase client change is auth-epoch logic only.
Runtime And Package Manager Integrity ✅ Passed No package-manager or runtime pins changed: package.json still requires npm@11.17.0/Node 24.x, .npmrc keeps engine-strict=true, and verify-pr-local only adds dry-run/extended selection.
Api Route Failure Handling ✅ Passed The changed API/search paths validate input, return deterministic JSON/SSE errors, and epoch-guard or abort stale auth/retry flows instead of crashing.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/domain2-remediation
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch codex/domain2-remediation

Comment @coderabbitai help to get the list of available commands.

@supabase

supabase Bot commented Jul 12, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@BigSimmo

Copy link
Copy Markdown
Owner Author

@copilot resolve the merge conflicts in this pull request

@BigSimmo
BigSimmo marked this pull request as ready for review July 12, 2026 18:31
@BigSimmo
BigSimmo enabled auto-merge (squash) July 12, 2026 18:34
auto-merge was automatically disabled July 12, 2026 18:34

Head branch was pushed to by a user without write access

Copilot AI commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

@copilot resolve the merge conflicts in this pull request

Merge conflicts resolved in commit fix: resolve merge conflicts with origin/main.

docs/codebase-index.md — kept the Frontend architecture → docs/frontend-architecture.md row from this branch and added the Capacity / scale-up rows from main. Dropped origin/main's Frontend refactor row since docs/frontend-architecture-refactor-plan.md doesn't exist.

src/components/mode-home-template.tsx — adopted main's text-hero fluid token and simplified heading/paragraph classes (landed in #512), removing the stale inline compact-conditional approach. The compact prop had already been dropped from the function signature in main's version.

coderabbitai[bot]
coderabbitai Bot previously requested changes Jul 12, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Nitpick comments (4)
tests/ui-accessibility.spec.ts (1)

98-108: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Consider exercising the scope popover under 200% zoom too.

The forced-colors test right above (lines 89-96) opens the scope command popover and checks overflow, but this new zoom test only checks the base dashboard layout. Popover/menu positioning is a common failure point at high zoom levels, so this leaves a coverage gap for the exact scenario this test is meant to protect.

♻️ Suggested addition
     await expectDashboardUsable(page);
+    await openScopeControl(page);
     await expectNoPageHorizontalOverflow(page);
   });
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/ui-accessibility.spec.ts` around lines 98 - 108, Extend the “dashboard
remains usable at 200 percent zoom” test to open the scope command popover using
the existing interaction pattern from the nearby forced-colors test, then verify
the popover remains usable without horizontal overflow. Keep the existing
base-dashboard assertions and perform the popover checks after applying the 200%
zoom.
src/lib/ward-output.ts (1)

638-666: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Duplicate table-rendering logic vs clinicalTableToTextRows.

The markdown header/separator/body-slice(6) rendering block here is copy/pasted from clinicalTableToTextRows (lines 612-636 in this file). Consider extracting a shared helper that takes a NormalizedAccessibleTable (plus a low-confidence message string) and returns the markdown lines, then have both functions call it with their own caption/source wrapping.

♻️ Suggested extraction
function renderNormalizedTableLines(
  normalized: NormalizedAccessibleTable,
  lowConfidenceMessage: string,
) {
  if (normalized.lowConfidence) return [lowConfidenceMessage];
  return [
    normalized.header.length ? `| ${normalized.header.join(" | ")} |` : "",
    normalized.header.length ? `| ${normalized.header.map(() => "---").join(" | ")} |` : "",
    ...normalized.body.slice(0, 6).map((row) => `| ${row.join(" | ")} |`),
  ].filter(Boolean);
}

Both clinicalTableToTextRows and formatDisplayedVisualEvidenceForClipboard can then call this and prepend/append their own caption/source lines.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/ward-output.ts` around lines 638 - 666, Extract the duplicated
normalized-table markdown rendering from clinicalTableToTextRows and
formatDisplayedVisualEvidenceForClipboard into a shared helper that accepts
NormalizedAccessibleTable and a low-confidence message, returning the
appropriate markdown lines. Update both functions to use the helper while
preserving their existing caption, source, and surrounding output lines.
src/lib/supabase/client.tsx (1)

106-106: 🚀 Performance & Scalability | 🔵 Trivial | 💤 Low value

useRef initializer re-evaluated every render.

useRef(createAuthRequestLifecycle()) constructs a new lifecycle object (with its own Set) on every render; only the first result is kept, so subsequent constructions are wasted. Use lazy initialization to avoid the redundant allocation.

♻️ Lazy-init suggestion
-  const authRequestsRef = useRef(createAuthRequestLifecycle());
+  const authRequestsRef = useRef<ReturnType<typeof createAuthRequestLifecycle>>();
+  if (!authRequestsRef.current) authRequestsRef.current = createAuthRequestLifecycle();
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/supabase/client.tsx` at line 106, Update the authRequestsRef
initialization in the client component to lazily create the lifecycle object
only when the ref has no current value, avoiding createAuthRequestLifecycle() on
subsequent renders while preserving the existing ref instance.
src/lib/private-search-scope.ts (1)

11-32: 🚀 Performance & Scalability | 🔵 Trivial | 💤 Low value

Optional: orphaned scope entries accumulate within a session.

persistPrivateSearchScope mints a fresh scopeRef key on every call, and callers (executeSearch/ask) invoke it on each search that has a document selection. Previous entries are never removed until they're individually read back (or the tab closes), so a long session with many scoped searches leaves stale keys in sessionStorage. Consider pruning expired/oldest entries under storagePrefix when persisting.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/private-search-scope.ts` around lines 11 - 32, Update
persistPrivateSearchScope to prune stale entries under storagePrefix before or
while writing a new scope, removing expired entries and, if necessary, the
oldest entries so repeated scoped searches do not accumulate orphaned
sessionStorage keys. Preserve valid active scopes and the existing
maxDocumentIds and scopeRef validation behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/components/clinical-dashboard/DocumentManagerPanel.tsx`:
- Around line 357-374: Update the batch completion logic around the
failures.length === 0 branch so input.value is cleared and onUploaded() is
invoked whenever queued.length is greater than zero, including partial-failure
batches. Preserve the existing success and failure status messages, and avoid
refreshing when no documents were queued successfully.

In `@src/components/ClinicalDashboard.tsx`:
- Line 3575: Add aria-hidden="true" to the decorative RefreshCw icon in the “Run
again” button, matching the existing accessible RefreshCw usages in
ClinicalDashboard.

In `@src/lib/answer-render-policy.ts`:
- Around line 544-546: Update the visual evidence clipboard assembly around
formatDisplayedVisualEvidenceForClipboard to first compute the formatted rows
and add the "Displayed table evidence" heading only when that formatted output
is non-empty. Preserve the existing output for evidence containing parsable
table data and omit the heading for image-only or otherwise unparseable
evidence.

In `@src/lib/supabase/client.tsx`:
- Around line 286-296: Update the auth fingerprint in the useEffect to exclude
accessToken, keying it only on status and session?.user.id. Remove accessToken
from the effect dependencies if it is no longer referenced, while preserving
invalidateAuthRequests for genuine session changes and leaving 401
token-expiration handling unchanged.

---

Nitpick comments:
In `@src/lib/private-search-scope.ts`:
- Around line 11-32: Update persistPrivateSearchScope to prune stale entries
under storagePrefix before or while writing a new scope, removing expired
entries and, if necessary, the oldest entries so repeated scoped searches do not
accumulate orphaned sessionStorage keys. Preserve valid active scopes and the
existing maxDocumentIds and scopeRef validation behavior.

In `@src/lib/supabase/client.tsx`:
- Line 106: Update the authRequestsRef initialization in the client component to
lazily create the lifecycle object only when the ref has no current value,
avoiding createAuthRequestLifecycle() on subsequent renders while preserving the
existing ref instance.

In `@src/lib/ward-output.ts`:
- Around line 638-666: Extract the duplicated normalized-table markdown
rendering from clinicalTableToTextRows and
formatDisplayedVisualEvidenceForClipboard into a shared helper that accepts
NormalizedAccessibleTable and a low-confidence message, returning the
appropriate markdown lines. Update both functions to use the helper while
preserving their existing caption, source, and surrounding output lines.

In `@tests/ui-accessibility.spec.ts`:
- Around line 98-108: Extend the “dashboard remains usable at 200 percent zoom”
test to open the scope command popover using the existing interaction pattern
from the nearby forced-colors test, then verify the popover remains usable
without horizontal overflow. Keep the existing base-dashboard assertions and
perform the popover checks after applying the 200% zoom.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 112684a6-20cb-430e-8f61-dd010d7bd88b

📥 Commits

Reviewing files that changed from the base of the PR and between aa93c43 and d505a6c.

📒 Files selected for processing (45)
  • docs/codebase-index.md
  • docs/frontend-architecture.md
  • docs/site-map.md
  • scripts/generate-site-map.ts
  • scripts/verify-pr-local.mjs
  • src/app/api/answer/stream/route.ts
  • src/app/documents/search/page.tsx
  • src/app/documents/source/evidence/page.tsx
  • src/app/documents/source/page.tsx
  • src/app/mockups/document-search/search/page.tsx
  • src/app/mockups/document-search/source/page.tsx
  • src/components/ClinicalDashboard.tsx
  • src/components/DocumentManagementActions.tsx
  • src/components/DocumentViewer.tsx
  • src/components/clinical-dashboard/DocumentManagerPanel.tsx
  • src/components/clinical-dashboard/global-mockup-search-shell.tsx
  • src/components/clinical-dashboard/global-search-shell.tsx
  • src/components/clinical-dashboard/search-utils.ts
  • src/components/document-search-mockups.tsx
  • src/components/master-document-flow-mockups.tsx
  • src/lib/answer-lifecycle.ts
  • src/lib/answer-render-policy.ts
  • src/lib/api-client-error.ts
  • src/lib/api-rate-limit.ts
  • src/lib/auth-request-lifecycle.ts
  • src/lib/document-flow-routes.ts
  • src/lib/http.ts
  • src/lib/private-search-scope.ts
  • src/lib/search-navigation-context.ts
  • src/lib/supabase/client.tsx
  • src/lib/ward-output.ts
  • tests/answer-lifecycle.test.ts
  • tests/answer-render-policy.test.ts
  • tests/api-client-error.test.ts
  • tests/auth-request-lifecycle.test.ts
  • tests/clinical-dashboard-merge-artifacts.test.ts
  • tests/private-access-routes.test.ts
  • tests/private-search-scope.test.ts
  • tests/production-mockup-boundary.test.ts
  • tests/search-navigation-context.test.ts
  • tests/ui-accessibility.spec.ts
  • tests/ui-smoke.spec.ts
  • tests/upload-outcome.test.ts
  • tests/upload-size-contract.test.ts
  • tests/verify-pr-local.test.ts

Comment thread src/components/clinical-dashboard/DocumentManagerPanel.tsx
Comment thread src/components/ClinicalDashboard.tsx Outdated
Comment thread src/lib/answer-render-policy.ts
Comment thread src/lib/supabase/client.tsx

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 96de116426

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/components/ClinicalDashboard.tsx
Comment thread src/components/ClinicalDashboard.tsx
Comment thread src/lib/document-flow-routes.ts

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
src/components/DocumentViewer.tsx (2)

2332-2360: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Guard the debounce callback after auth invalidation.

The timer at Line [2334] unconditionally sets searchingDocument(true) and starts fetch. If the epoch is invalidated during the 220ms delay, the signal is already aborted; the request rejects, the handlers return, and finally does not clear the flag. Reset the state during cleanup and guard the timer with both signal.aborted and isAuthEpochCurrent(...).

Proposed fix
 const timeout = window.setTimeout(() => {
+  if (controller.signal.aborted || !isAuthEpochCurrent(authRequest.epoch)) {
+    setSearchingDocument(false);
+    return;
+  }
   setSearchingDocument(true);
   fetch(...);
 }, 220);

 return () => {
   window.clearTimeout(timeout);
   controller.abort();
+  setSearchingDocument(false);
   authRequest.release();
 };
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/components/DocumentViewer.tsx` around lines 2332 - 2360, Update the
debounce timer around the document search request to first guard on both
controller.signal.aborted and isAuthEpochCurrent(authRequest.epoch), returning
without setting searchingDocument or starting fetch when invalidated. Ensure the
associated cleanup resets searchingDocument during abort/auth invalidation so
the loading state cannot remain stuck.

2059-2066: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Bind the remaining viewer mutations to the auth lifecycle.

These hooks only protect document loading and source search. The summarize() and reviewTableFact() paths beginning at Line [2389] and Line [2520] still use bare fetch calls and commit state after authentication changes. A request started under one session can publish stale private data into the next session; reuse an auth-bound controller/fetch and skip success, error, and finally updates when aborted or stale.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/components/DocumentViewer.tsx` around lines 2059 - 2066, Update the
summarize() and reviewTableFact() mutation paths to use the existing auth-bound
request controller/fetch utilities from useAuthSession instead of bare fetch.
Before committing success, error, or finally state, verify the request was not
aborted and its auth epoch remains current; otherwise skip all updates,
including for requests superseded by authentication changes.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@src/components/DocumentViewer.tsx`:
- Around line 2332-2360: Update the debounce timer around the document search
request to first guard on both controller.signal.aborted and
isAuthEpochCurrent(authRequest.epoch), returning without setting
searchingDocument or starting fetch when invalidated. Ensure the associated
cleanup resets searchingDocument during abort/auth invalidation so the loading
state cannot remain stuck.
- Around line 2059-2066: Update the summarize() and reviewTableFact() mutation
paths to use the existing auth-bound request controller/fetch utilities from
useAuthSession instead of bare fetch. Before committing success, error, or
finally state, verify the request was not aborted and its auth epoch remains
current; otherwise skip all updates, including for requests superseded by
authentication changes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 281b35df-66b9-4e5f-bc5d-362b6f943fff

📥 Commits

Reviewing files that changed from the base of the PR and between d505a6c and 96de116.

📒 Files selected for processing (3)
  • docs/site-map.md
  • src/components/DocumentViewer.tsx
  • src/components/master-document-flow-mockups.tsx
🚧 Files skipped from review as they are similar to previous changes (1)
  • docs/site-map.md

@BigSimmo BigSimmo left a comment

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok

@BigSimmo

Copy link
Copy Markdown
Owner Author

@copilot resolve the merge conflicts in this pull request

Copilot AI commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

@copilot resolve the merge conflicts in this pull request

Merge conflicts resolved in commit fix: resolve merge conflicts in answer-render-policy and tests.

src/lib/answer-render-policy.ts — combined both sides: copyAnswerText (strips ** bold markers from the copy draft, landed in main) and visualEvidence (includes displayed table evidence in the copy output, from this branch).

tests/answer-render-policy.test.ts — kept both test cases: the table copy test from this branch and the bold-stripping test from main.

@BigSimmo
BigSimmo enabled auto-merge (squash) July 12, 2026 19:19
@BigSimmo

Copy link
Copy Markdown
Owner Author

@codex fix all active comments and resolve and mark resolved please

auto-merge was automatically disabled July 12, 2026 19:24

Head branch was pushed to by a user without write access

@BigSimmo
BigSimmo enabled auto-merge (squash) July 12, 2026 19:27

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d781395541

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/lib/supabase/client.tsx
Comment thread src/lib/private-search-scope.ts
@BigSimmo

Copy link
Copy Markdown
Owner Author

@codex please resolve all comments, logically fix them please and resolve

@BigSimmo
BigSimmo merged commit c523cab into main Jul 12, 2026
15 of 17 checks passed
@chatgpt-codex-connector

Copy link
Copy Markdown

Summary

Testing

  • PATH="$HOME/.nvm/versions/node/v24.15.0/bin:$PATH" corepack npm ci
  • PATH="$HOME/.nvm/versions/node/v24.15.0/bin:$PATH" corepack npm run typecheck
  • PATH="$HOME/.nvm/versions/node/v24.15.0/bin:$PATH" corepack npm run test -- tests/private-search-scope.test.ts tests/answer-render-policy.test.ts tests/upload-outcome.test.ts tests/auth-request-lifecycle.test.ts
  • PATH="$HOME/.nvm/versions/node/v24.15.0/bin:$PATH" corepack npm run lint
  • npx prettier --check src/components/clinical-dashboard/DocumentManagerPanel.tsx src/lib/answer-render-policy.ts src/lib/supabase/client.tsx src/lib/private-search-scope.ts src/lib/ward-output.ts tests/ui-accessibility.spec.ts tests/private-search-scope.test.ts src/components/DocumentViewer.tsx src/proxy.ts src/components/ClinicalDashboard.tsx
  • git diff --check
  • ⚠️ npm run typecheck initially failed before switching PATH because the shell defaulted to Node v20.20.2 and dependencies were not installed; reran successfully with Node v24.15.0 via Corepack.

View task →

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants