docs: 2026-07-14 audit remediation plan#673
Conversation
Sequence every major and sub finding from the multi-skill repo audit into owner-tagged waves with files, acceptance criteria, and verification. Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
|
This pull request has been ignored for the connected project Preview Branches by Supabase. |
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds a dated audit handover and remediation plan covering findings, execution rules, Waves A–J, priorities, scope, and tracking. Links both artifacts from the operator backlog and records the documentation review in the branch ledger. ChangesAudit findings handover
Remediation plan and delivery waves
Operational tracking updates
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
CI triageCI failed on this PR. Automated classification of the 2 failed job(s):
Heuristic only — a main-side or flake label is a starting point, not a verdict. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d061beec41
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/audit-remediation-plan-2026-07-14.md`:
- Around line 1-458: Format the documentation with the repository-configured
Prettier command to resolve all reported formatting differences in the audit
remediation plan, then commit the resulting documentation-only changes.
- Line 106: Update the commands in the remediation plan entries around the
Address step and the referenced line 424 to use executable npm run syntax for
both evaluation commands: npm run eval:retrieval:quality and npm run
eval:quality -- --rag-only. Keep the existing command order and verification
step unchanged.
- Around line 3-5: Update the remediation plan’s “every finding” scope statement
and sequencing to explicitly cover the ledger’s P3 findings for duplicated
src/lib/client-env.ts environment logic and retained mockup-named production
component files, including a disposition, owner, and proof step for each;
alternatively narrow the claim so it does not promise coverage of those
findings.
🪄 Autofix (Beta)
❌ Autofix failed (check again to retry)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 2360f60b-417a-45a2-ac93-a6e499210920
📒 Files selected for processing (2)
docs/audit-remediation-plan-2026-07-14.mddocs/operator-backlog.md
|
@codex resolve actionable Codex review findings for this pull request and current head using the repository instructions. This is the pull request's single automatic repair pass: do not perform a fresh review, create new standalone findings, or request another review. Work only the existing unresolved Codex threads on the current head. Always fix P0 and P1 findings. For P2 and lower findings, fix only clear, scoped, low-risk issues; otherwise disposition them with a concise reason. After fixing or dispositioning a thread, reply in that thread with as the first line, followed by a concise summary; that marker authorizes the workflow to close that exact thread. If human input or new authorization is required, do not use the marker and leave the thread open with the blocker. Finish only after every actionable thread is fixed or dispositioned and closed, or explicitly left open for a human decision. Do not update the branch from main, address unrelated reviews, broaden scope, or create more than one scoped fix commit. Do not use external APIs, paid services, credentials, dependency changes, or broad refactors unless explicitly authorized. Add targeted tests where behavior changes and run the narrowest relevant validation. |
|
Codex Review: Didn't find any major issues. Hooray! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Align scrub/prove steps, isolate staging query-hash secret, cover structural P3 findings, and use executable npm run eval commands. Co-authored-by: Cursor <cursoragent@cursor.com>
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/branch-review-ledger.md`:
- Line 495: Correct the command prefix in the documentation row from “pm run
prefixes” to “npm run prefixes,” preserving the rest of the recorded command and
row content unchanged.
- Line 493: Update the 2026-07-15 ledger row to use a branch name matching the
supported claude/... or codex/... prefixes recognized by
scripts/sweep-branch-ledger.mjs, and correct the command typo from “pm run” to
“npm run”.
🪄 Autofix (Beta)
✅ Autofix completed
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: a9b28a91-9ef4-4d32-a270-f830b9b797f7
📒 Files selected for processing (2)
docs/audit-remediation-plan-2026-07-14.mddocs/branch-review-ledger.md
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d9ceeaf9c8
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
Note Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it. Fixes Applied SuccessfullyFixed 1 file(s) based on 2 unresolved review comments. Files modified:
Commit: The changes have been pushed to the Time taken: |
|
Note Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it. Autofix skipped. No unresolved CodeRabbit review comments with fix instructions found. |
Fixed 1 file(s) based on 2 unresolved review comments. Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
|
@copilot resolve the merge conflicts on this branch. |
Resolved. The only conflict was in |
Consolidate major and sub findings, skills run, checks, and next-step checklists into a single handover artifact linked from the remediation plan. Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/audit-handover-2026-07-14.md`:
- Around line 20-23: Update the “No confirmed P0/P1 defects” statement in the
audit handover to explicitly limit the verdict to cross-tenant breach and
clinical-governance bypass defects, while preserving that M4 is a code P1
availability defect. Ensure the adjacent “Active majors” summary reinforces that
M4 must not be under-prioritized.
- Around line 144-147: Update the audit handover’s finding references and
next-actions checklist labels to distinguish issue IDs from remediation-wave
IDs, using explicit qualifiers such as “Finding C1” versus “Wave C1” and
applying the same treatment to D1. Preserve the existing IDs and checklist
content while removing ambiguity in every affected reference.
- Line 220: Update the “After each wave” instruction to update the existing
ledger row by default, appending a new row only when the branch/ref, reviewed
HEAD, or scope changes, or when a fresh review is explicitly requested.
🪄 Autofix (Beta)
✅ Autofix completed
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 7a18c510-cacc-4d2a-aa0c-c446927b5fd4
📒 Files selected for processing (4)
docs/audit-handover-2026-07-14.mddocs/audit-remediation-plan-2026-07-14.mddocs/branch-review-ledger.mddocs/operator-backlog.md
🚧 Files skipped from review as they are similar to previous changes (3)
- docs/operator-backlog.md
- docs/branch-review-ledger.md
- docs/audit-remediation-plan-2026-07-14.md
|
Note Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it. Fixes Applied SuccessfullyFixed 1 file(s) based on 3 unresolved review comments. Files modified:
Commit: The changes have been pushed to the Time taken: |
Fixed 1 file(s) based on 3 unresolved review comments. Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 03fe72683d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 07761b2a38
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | **Finding** | M3 leftovers — canary not yet “two greens”; staging soak pending | | ||
| | **Owner** | OWNER:OPS | | ||
| | **Address** | Provision staging if absent ([`staging-setup.md`](staging-setup.md)); soak (`scripts/soak-test.ts --confirm-staging`, answer p95 ≤ 25 s); run two consecutive Eval Canary greens from `main`. | |
There was a problem hiding this comment.
Use the actual soak-test command
When an operator follows Wave B4's inline soak step, scripts/soak-test.ts --confirm-staging omits both the required npx tsx runner and the required --target <staging-url> argument; the script's own usage at scripts/soak-test.ts:43-47 requires npx tsx scripts/soak-test.ts --target <staging-url> --confirm-staging. Copying this snippet will fail before exercising staging, so the release-confidence soak proof can be skipped or blocked; make the inline command match the runbook usage or remove the abbreviated command in favor of the linked runbook.
Useful? React with 👍 / 👎.
Summary
Adds the 2026-07-14 multi-skill audit artifacts:
docs/operator-backlog.mdFiles
docs/audit-handover-2026-07-14.md(new) — handover inventorydocs/audit-remediation-plan-2026-07-14.md(new) — how to fixdocs/operator-backlog.md— links to bothNo application code changes.
Related
570e6baChecks
Docs-only. Provider/live checks not applicable.
Summary by CodeRabbit