Skip to content

docs(privacy): scope PIA-3 closure to the durable rag_queries.answer log#535

Merged
BigSimmo merged 6 commits into
mainfrom
claude/pia3-doc-residual-cache
Jul 12, 2026
Merged

docs(privacy): scope PIA-3 closure to the durable rag_queries.answer log#535
BigSimmo merged 6 commits into
mainfrom
claude/pia3-doc-residual-cache

Conversation

@BigSimmo

Copy link
Copy Markdown
Owner

Summary

Fix-forward for PIA-3 (#531, merged as db3948d2d). The doc-accuracy commit raced the repo's auto-merge on #531 and was left off main; this lands it.

Issue: #531's PIA wording overclaimed that generated answer text is "dropped at rest by default." The durable rag_queries.answer log is now gated by RAG_PERSIST_ANSWER_TEXT, but rag_response_cache.payload still holds the full answer (owner-scoped, RAG_ANSWER_CACHE_TTL_MS default ~5 min). In a privacy-impact assessment, claiming a mitigation is broader than it is could mislead a reviewer.

Fix (docs only, no behaviour change):

  • Register / APP-11 / recommendation wording tightened to the durable rag_queries.answer log rather than "answer text" broadly.
  • Data-category row now distinguishes the durable log (dropped by default) from the ephemeral cache (≤5-min TTL).
  • Added an explicit "Residual (scoped out)" note under PIA-3 for rag_response_cache.payload: it is a functional owner-scoped cache with a short TTL, intentionally not gated because nulling its payload would defeat caching — a bounded, short-lived exposure distinct from the 30-day durable log.

Verification

  • prettier --check docs/privacy-impact-assessment.md — clean
  • Docs-only change; no code, tests, or behaviour touched.

🤖 Generated with Claude Code

Review fix: the earlier PIA-3 wording overclaimed that generated answer text is
"dropped at rest by default." The durable rag_queries.answer log is gated by
RAG_PERSIST_ANSWER_TEXT, but rag_response_cache.payload still holds the full
answer (owner-scoped, ~5-min TTL). Tighten the register/APP-11/recommendation
wording to the durable log and add an explicit "Residual (scoped out)" note for
the short-lived response cache, which is intentionally not gated (nulling its
payload would defeat caching).

No behaviour change; documentation accuracy only.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@supabase

supabase Bot commented Jul 12, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@BigSimmo
BigSimmo enabled auto-merge (squash) July 12, 2026 18:37
@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 18a87b29-10be-4b8c-b54e-59b384f28f20

📥 Commits

Reviewing files that changed from the base of the PR and between 5aabda1 and 4494a83.

📒 Files selected for processing (1)
  • docs/privacy-impact-assessment.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • docs/privacy-impact-assessment.md

📝 Walkthrough

Summary by CodeRabbit

  • Documentation
    • Updated the privacy impact assessment to reflect current answer storage and caching behavior.
    • Clarified privacy compliance progress, remaining governance gaps, and launch-blocking items.
    • Documented answer persistence controls, offline evaluation behavior, and recommended follow-up actions.
    • Removed outdated recommendation text and added guidance for retention, purge processes, and data-handling evidence.

Walkthrough

The privacy assessment updates distinguish durable answer omission from response-cache retention, document PIA-3 closure and PIA-5 progress, preserve PIA-2 and PIA-4 gaps, and revise recommendations for remaining privacy work.

Changes

Privacy impact assessment

Layer / File(s) Summary
Data handling classifications
docs/privacy-impact-assessment.md
Clarifies that durable rag_queries.answer storage is disabled by default while rag_response_cache.payload uses a short read TTL without a purge cron.
PIA-3 assessment and closure
docs/privacy-impact-assessment.md
Updates the APP matrix and narrative, documents RAG_PERSIST_ANSWER_TEXT behavior and evaluation handling, records PIA-5 progress and remaining PIA-2/PIA-4 gaps, and revises the recommendations.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The summary and verification are present, but the required Clinical Governance Preflight section and most checklist items are missing. Add the missing Clinical Governance Preflight section and complete the required verification checklist items, including verify:pr-local.
✅ Passed checks (10 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the docs-only PIA-3 wording change around the durable rag_queries.answer log.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Generated And Sensitive Files ✅ Passed Only docs/privacy-impact-assessment.md changed; no secrets, credentials, tokens, keys, dumps, caches, or build artifacts were committed.
Verification Claims ✅ Passed The PR’s verification note names the exact check (prettier --check docs/privacy-impact-assessment.md) and result (clean).
Risky Git Or Deployment Actions ✅ Passed The doc only notes safe operator follow-ups (e.g. secret-store config, purge crons) and contains no force-push, reset, destructive clean, or unsafe deploy guidance.
Supabase Project And Schema Safety ✅ Passed Docs-only patch; it doesn’t touch app/scripts/migrations/env/schema files or introduce any new Supabase project refs, RLS, or destructive DB changes.
Runtime And Package Manager Integrity ✅ Passed PR diff touches only docs/privacy-impact-assessment.md; no package/runtime files changed, and repo still pins npm@11.17.0, Node 24.x, npm 11.x with engine-strict.
Api Route Failure Handling ✅ Passed PR changes only docs/privacy-impact-assessment.md; no API/server/RAG/provider code was touched, so failure-handling checks are not applicable.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/pia3-doc-residual-cache
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch claude/pia3-doc-residual-cache

Comment @coderabbitai help to get the list of available commands.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 56627c6610

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread docs/privacy-impact-assessment.md Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/privacy-impact-assessment.md`:
- Around line 311-317: Reconcile the APP 1/5 status in the assessment matrix and
the “Overall” summary with the PIA-1 progress section, which states the notice
and privacy-policy fixes are live and APP 1/5 is met. Remove APP 1/5 from the
current material-shortfalls wording or explicitly label that statement as
historical, while preserving the remaining accurate shortfalls.
🪄 Autofix (Beta)

✅ Autofix completed


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 26213ad5-ee3d-4c32-8164-702e62ab7034

📥 Commits

Reviewing files that changed from the base of the PR and between d7e1d16 and 56627c6.

📒 Files selected for processing (1)
  • docs/privacy-impact-assessment.md

Comment thread docs/privacy-impact-assessment.md Outdated
@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Fixes Applied Successfully

Fixed 1 file(s) based on 1 unresolved review comment.

Files modified:

  • docs/privacy-impact-assessment.md

Commit: d39730e6dc454ca25dc12d73574d8a46b0a0fe13

The changes have been pushed to the claude/pia3-doc-residual-cache branch.

Time taken: 4m 21s

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2c5b387ed2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread docs/privacy-impact-assessment.md Outdated
Fixed 1 file(s) based on 1 unresolved review comment.

Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
@BigSimmo

Copy link
Copy Markdown
Owner Author

@copilot resolve the merge conflicts in this pull request

auto-merge was automatically disabled July 12, 2026 18:54

Head branch was pushed to by a user without write access

@BigSimmo
BigSimmo enabled auto-merge (squash) July 12, 2026 18:55
Combine updated PIA-2 HMAC wording from main (#532) with this
branch's scoped PIA-3 closure wording (durable rag_queries.answer
log rather than answer text broadly).
auto-merge was automatically disabled July 12, 2026 18:56

Head branch was pushed to by a user without write access

Copilot AI commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

@copilot resolve the merge conflicts in this pull request

Resolved. The only conflict was in §11 Recommendation — the PIA-2 HMAC wording from main (#532: "the mandatory HMAC secret is now enforced in code…") clashed with this branch's PIA-3 wording. The fix keeps both: updated PIA-2 text from main and the scoped PIA-3 closure ("durable rag_queries.answer log") from this branch.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/privacy-impact-assessment.md`:
- Around line 424-431: Resolve the conflict in the recommendation section by
removing all merge-conflict markers and preserving both substantive edits:
retain the updated PIA-2 wording that the HMAC secret is enforced in code with
deployment-host secret-store placement remaining, and retain the narrowed PIA-3
wording that the durable `rag_queries.answer` log is disabled by default and
gated by `RAG_PERSIST_ANSWER_TEXT`.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 360d1008-7f4a-4c1c-b539-48a40b4f44d7

📥 Commits

Reviewing files that changed from the base of the PR and between 56627c6 and 6ed606b.

📒 Files selected for processing (1)
  • docs/privacy-impact-assessment.md

Comment thread docs/privacy-impact-assessment.md Outdated
…cile

Resolves the leftover merge-conflict markers in §11 (kept main's PIA-2
"enforced in code" language alongside the PIA-3 durable-log scoping).

Codex (P2): rag_response_cache TTL gates reads only — sharedCacheSelector filters
on expires_at, replaceSharedCacheRow overwrites only the same key, and there is no
purge cron (per §8). Reword the residual/data-table/APP-11/Overall entries so they
no longer describe a read-TTL as a retention bound; the row persists at rest until
a same-key overwrite or manual flush.

CodeRabbit (Major): finish the APP 1/5 reconciliation the autofix started — align
the §1 register (PIA-1, PIA-5) and the PIA-5 detail (add a Progress note) with the
§9 matrix, so the whole doc reflects the live privacy page + composer notice
(PR #513). Residual is the APP 8 DPA/ZDR basis plus broader data-handling docs.

Docs only; no behaviour change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@BigSimmo
BigSimmo enabled auto-merge (squash) July 12, 2026 19:05
@BigSimmo
BigSimmo merged commit 4cf4702 into main Jul 12, 2026
15 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4494a830df

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

| ------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------- |
| Clinical reference corpus (documents, chunks, embeddings, images, tables) | Supabase (Sydney) + storage buckets | Low–Medium | Published guidelines are not PHI; **uploaded** docs _could_ contain PHI. |
| Free-text clinical queries | Transient in request; hashed into `rag_queries` / `rag_query_misses` / `rag_retrieval_logs`; sent to OpenAI (US) | **High (potential PHI)** | The primary incidental-PHI vector. |
| Generated answers | `rag_queries.answer` (not persisted unless `RAG_PERSIST_ANSWER_TEXT`); `rag_response_cache.payload` (read-TTL, no purge cron) | **High (derived from PHI query + corpus)** | Durable answer log dropped at rest by default (PIA-3); cache row persists until same-key overwrite (TTL gates reads only). |

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Document anonymous answer-cache sharing

Fresh evidence at this head is that the new cache residual documents rag_response_cache.payload but still treats the risk as only retention. For unauthenticated /api/answer, publicAccessContext returns ownerId: undefined, answerQuestionWithScope passes that through, and sharedCacheSelector/replaceSharedCacheRow read and write the owner_id IS NULL row; during the TTL, another anonymous caller with the same query/scope receives the cached PHI-derived answer. Either document this shared anonymous partition in the PIA or disable shared answer caching when ownerId is absent.

Useful? React with 👍 / 👎.

@BigSimmo
BigSimmo deleted the claude/pia3-doc-residual-cache branch July 13, 2026 16:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants