docs(privacy): scope PIA-3 closure to the durable rag_queries.answer log#535
Conversation
Review fix: the earlier PIA-3 wording overclaimed that generated answer text is "dropped at rest by default." The durable rag_queries.answer log is gated by RAG_PERSIST_ANSWER_TEXT, but rag_response_cache.payload still holds the full answer (owner-scoped, ~5-min TTL). Tighten the register/APP-11/recommendation wording to the durable log and add an explicit "Residual (scoped out)" note for the short-lived response cache, which is intentionally not gated (nulling its payload would defeat caching). No behaviour change; documentation accuracy only. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
This pull request has been ignored for the connected project Preview Branches by Supabase. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughSummary by CodeRabbit
WalkthroughThe privacy assessment updates distinguish durable answer omission from response-cache retention, document PIA-3 closure and PIA-5 progress, preserve PIA-2 and PIA-4 gaps, and revise recommendations for remaining privacy work. ChangesPrivacy impact assessment
Estimated code review effort: 1 (Trivial) | ~5 minutes 🚥 Pre-merge checks | ✅ 10 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (10 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 56627c6610
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/privacy-impact-assessment.md`:
- Around line 311-317: Reconcile the APP 1/5 status in the assessment matrix and
the “Overall” summary with the PIA-1 progress section, which states the notice
and privacy-policy fixes are live and APP 1/5 is met. Remove APP 1/5 from the
current material-shortfalls wording or explicitly label that statement as
historical, while preserving the remaining accurate shortfalls.
🪄 Autofix (Beta)
✅ Autofix completed
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 26213ad5-ee3d-4c32-8164-702e62ab7034
📒 Files selected for processing (1)
docs/privacy-impact-assessment.md
|
Note Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it. Fixes Applied SuccessfullyFixed 1 file(s) based on 1 unresolved review comment. Files modified:
Commit: The changes have been pushed to the Time taken: |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2c5b387ed2
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Fixed 1 file(s) based on 1 unresolved review comment. Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
|
@copilot resolve the merge conflicts in this pull request |
Head branch was pushed to by a user without write access
Combine updated PIA-2 HMAC wording from main (#532) with this branch's scoped PIA-3 closure wording (durable rag_queries.answer log rather than answer text broadly).
Head branch was pushed to by a user without write access
Resolved. The only conflict was in §11 Recommendation — the PIA-2 HMAC wording from main (#532: "the mandatory HMAC secret is now enforced in code…") clashed with this branch's PIA-3 wording. The fix keeps both: updated PIA-2 text from main and the scoped PIA-3 closure ("durable |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/privacy-impact-assessment.md`:
- Around line 424-431: Resolve the conflict in the recommendation section by
removing all merge-conflict markers and preserving both substantive edits:
retain the updated PIA-2 wording that the HMAC secret is enforced in code with
deployment-host secret-store placement remaining, and retain the narrowed PIA-3
wording that the durable `rag_queries.answer` log is disabled by default and
gated by `RAG_PERSIST_ANSWER_TEXT`.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 360d1008-7f4a-4c1c-b539-48a40b4f44d7
📒 Files selected for processing (1)
docs/privacy-impact-assessment.md
…cile Resolves the leftover merge-conflict markers in §11 (kept main's PIA-2 "enforced in code" language alongside the PIA-3 durable-log scoping). Codex (P2): rag_response_cache TTL gates reads only — sharedCacheSelector filters on expires_at, replaceSharedCacheRow overwrites only the same key, and there is no purge cron (per §8). Reword the residual/data-table/APP-11/Overall entries so they no longer describe a read-TTL as a retention bound; the row persists at rest until a same-key overwrite or manual flush. CodeRabbit (Major): finish the APP 1/5 reconciliation the autofix started — align the §1 register (PIA-1, PIA-5) and the PIA-5 detail (add a Progress note) with the §9 matrix, so the whole doc reflects the live privacy page + composer notice (PR #513). Residual is the APP 8 DPA/ZDR basis plus broader data-handling docs. Docs only; no behaviour change. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4494a830df
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| | ------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------- | | ||
| | Clinical reference corpus (documents, chunks, embeddings, images, tables) | Supabase (Sydney) + storage buckets | Low–Medium | Published guidelines are not PHI; **uploaded** docs _could_ contain PHI. | | ||
| | Free-text clinical queries | Transient in request; hashed into `rag_queries` / `rag_query_misses` / `rag_retrieval_logs`; sent to OpenAI (US) | **High (potential PHI)** | The primary incidental-PHI vector. | | ||
| | Generated answers | `rag_queries.answer` (not persisted unless `RAG_PERSIST_ANSWER_TEXT`); `rag_response_cache.payload` (read-TTL, no purge cron) | **High (derived from PHI query + corpus)** | Durable answer log dropped at rest by default (PIA-3); cache row persists until same-key overwrite (TTL gates reads only). | |
There was a problem hiding this comment.
Document anonymous answer-cache sharing
Fresh evidence at this head is that the new cache residual documents rag_response_cache.payload but still treats the risk as only retention. For unauthenticated /api/answer, publicAccessContext returns ownerId: undefined, answerQuestionWithScope passes that through, and sharedCacheSelector/replaceSharedCacheRow read and write the owner_id IS NULL row; during the TTL, another anonymous caller with the same query/scope receives the cached PHI-derived answer. Either document this shared anonymous partition in the PIA or disable shared answer caching when ownerId is absent.
Useful? React with 👍 / 👎.
Summary
Fix-forward for PIA-3 (#531, merged as
db3948d2d). The doc-accuracy commit raced the repo's auto-merge on #531 and was left offmain; this lands it.Issue: #531's PIA wording overclaimed that generated answer text is "dropped at rest by default." The durable
rag_queries.answerlog is now gated byRAG_PERSIST_ANSWER_TEXT, butrag_response_cache.payloadstill holds the full answer (owner-scoped,RAG_ANSWER_CACHE_TTL_MSdefault ~5 min). In a privacy-impact assessment, claiming a mitigation is broader than it is could mislead a reviewer.Fix (docs only, no behaviour change):
rag_queries.answerlog rather than "answer text" broadly.≤5-min TTL).rag_response_cache.payload: it is a functional owner-scoped cache with a short TTL, intentionally not gated because nulling its payload would defeat caching — a bounded, short-lived exposure distinct from the 30-day durable log.Verification
prettier --check docs/privacy-impact-assessment.md— clean🤖 Generated with Claude Code