fix: remediate repository review and reconcile Supabase drift#540
Conversation
Harden database concurrency, privacy, request limits, source governance, document scope, and accessibility. Regenerate the drift manifest after local schema replay and retain provider reconciliation as a follow-up against current main.
…ew-remediation # Conflicts: # docs/branch-review-ledger.md # docs/deployment-architecture.md # src/app/api/setup-status/route.ts # src/components/AccessibleTable.tsx # src/components/document-search-live-opener.tsx # src/lib/rag.ts
Codify production migration history and live-ahead definitions, preserve service-role ACLs, and make fresh migration replay deterministic. The four forward remediation migrations remain unapplied to live pending explicit write approval. Verified with scratch schema replay, full local migration reset, lint, typecheck, unit tests, build, and targeted Chromium QA.
…ew-remediation # Conflicts: # src/components/ClinicalDashboard.tsx
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (80)
📝 WalkthroughSummary by CodeRabbit
WalkthroughThe change set hardens upload and JSON ingress, restricts unauthenticated data exposure, queues enrichment through Supabase, tightens RAG evidence and cache behavior, adds database governance objects and reconciliation updates, scopes client persistence by owner, and removes unsafe worker fallback paths. ChangesRepository remediation
Estimated code review effort: 5 (Critical) | ~120 minutes Possibly related PRs
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
✨ Simplify code
Comment |
|
Updates to Preview Branch (codex/repository-review-remediation) ↗︎
Tasks are run on every commit but only new migration files are pushed.
View logs for this Workflow Run ↗︎. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4522758242
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| function sourceStrengthFor(candidate: SourceCandidate) { | ||
| if (candidate.sourceStrength) return candidate.sourceStrength; | ||
| return candidate.citation.source_metadata?.document_status === "current" ? "strong" : "none"; | ||
| return "none"; |
There was a problem hiding this comment.
Preserve source strength for cited sources
For generated answers where answer.citations identify the same chunks as options.sources, citation candidates are collected before search-result candidates and dedupeSourceLinks keeps the first one. Since plain citations do not carry sourceStrength, this fallback now turns those cited sources into "none", so the UI/copy text labels otherwise strong/current cited evidence as “Unsupported” instead of using the SearchResult.source_strength available later in the candidate list. A focused render-model test with one citation plus the matching strong SearchResult would catch this.
Useful? React with 👍 / 👎.
| revoke execute on function public.commit_document_index_generation( | ||
| uuid, uuid, text, integer, integer, integer, jsonb, jsonb, jsonb | ||
| ) from public, anon, authenticated, service_role; |
There was a problem hiding this comment.
Remove the legacy commit RPC grant from schema
This fence is undone in the checked-in supabase/schema.sql: the old unfenced commit_document_index_generation(uuid, uuid, ...) overload is granted back to service_role later in the same snapshot, and the schema test still expects that grant. In any environment replaying or validating from schema.sql rather than the chronological migrations, a stale worker or service-role caller can still call the old overload without p_job_id/p_worker_id, bypassing the lease check this block adds. Searching schema.sql for the old signature grant is the smallest proof.
Useful? React with 👍 / 👎.
Summary
Clinical KB DatabaseLive migrations applied
20260713062107_restore_text_fallback_lexical_score20260713062125_fence_index_generation_commit20260713062132_purge_expired_rag_response_cache20260713062139_route_enrichment_through_agentThe generation fence removes
service_roleaccess from the legacy unfenced commit overload and exposes only the lease-validated overload to the worker. Enrichment claims exclude documents with active ingestion jobs.Verification
npm run check:drift— no unexpected live schema driftnpm run check:production-readiness— READYnpm run drift:manifestschema replay — passedsearch_schema_health— passedservice_role, legacy overload not executableNotes
The full provider retrieval-quality aggregate exceeded the local command wrapper window. Its process completed without leaving a result artifact; deterministic live retrieval, schema-health, ownership, ACL, concurrency, and offline golden checks all passed.
Supabase performance advisor still reports INFO-only unused-index candidates and the Auth absolute-connection setting. No indexes were removed because usage counters alone are insufficient evidence for destructive cleanup.